merge: harden ephvm

lock /home/matej/.config to 0700 (was 0755). post-process qcow2
with parallel zstd on qcow2 v3 via qemu-img convert; smaller
image and faster decompress than the built-in qcow2-compressed.

features/bootloader.nix

@@ -3,23 +3,11 @@
     {
       config,
       lib,
-      pkgs,
       inputs,
       ...
     }:
     let
       cfg = config.features.bootloader;
-      keyDir = "/etc/secrets/initrd";
-
-      mkIpString =
-        {
-          address,
-          gateway,
-          netmask,
-          interface,
-          ...
-        }:
-        "${address}::${gateway}:${netmask}::${interface}:none";
     in
     {
       imports = [ inputs.lanzaboote.nixosModules.lanzaboote ];
@@ -35,88 +23,15 @@
           default = "systemd-boot";
         };
 
-        configurationLimit = lib.mkOption {
+        plymouth.enable = lib.mkEnableOption "plymouth boot splash";
-          type = lib.types.int;
-          default = 10;
-        };
-
-        consoleFont = lib.mkOption {
-          type = lib.types.str;
-          default = "ter-v32n";
-        };
-
-        resumeDevice = lib.mkOption {
-          type = lib.types.nullOr lib.types.str;
-          default = null;
-        };
-
-        initrdSsh = {
-          enable = lib.mkEnableOption "remote LUKS unlock via ssh in initrd";
-
-          networkModule = lib.mkOption {
-            type = lib.types.str;
-          };
-
-          ip = {
-            enable = lib.mkEnableOption "static IP for initrd (otherwise DHCP)";
-
-            address = lib.mkOption {
-              type = lib.types.str;
-            };
-
-            gateway = lib.mkOption {
-              type = lib.types.str;
-            };
-
-            netmask = lib.mkOption {
-              type = lib.types.str;
-              default = "255.255.255.0";
-            };
-
-            interface = lib.mkOption {
-              type = lib.types.str;
-            };
-          };
-
-          authorizedKeys = lib.mkOption {
-            type = lib.types.listOf lib.types.str;
-            default = [ ];
-          };
-        };
       };
 
       config = lib.mkIf cfg.enable (
         lib.mkMerge [
           {
             boot.loader.efi.canTouchEfiVariables = true;
-
+            # request the largest framebuffer uefi offers; plymouth inherits it
-            # lanzaboote inherits editor + configurationLimit from systemd-boot.*
+            boot.loader.systemd-boot.consoleMode = "max";
-            boot.loader.systemd-boot = {
-              editor = false;
-              inherit (cfg) configurationLimit;
-            };
-
-            boot.initrd.systemd.enable = true;
-
-            # block simpledrm so fbcon defers until the gpu driver binds; avoids
-            # the simpledrm -> real-driver fbcon transition that mangles console
-            # text and leaves the luks prompt typing offset from the visible
-            # surface. hosts must put the gpu driver in initrd (nixos-hardware
-            # does this for amd; manual hardware.amdgpu.initrd.enable on others)
-            boot.kernelParams = [ "initcall_blacklist=simpledrm_platform_driver_init" ];
-
-            # verbose boot: kernel messages and systemd unit lines visible end
-            # to end. trade-off: the luks prompt will be interleaved with the
-            # last few "Starting/Started ..." lines (no upstream fix exists
-            # without plymouth). boot.initrd.verbose is a no-op under
-            # systemd-initrd, so not set here.
-
-            # readable luks prompt at panel-native dpi
-            console = {
-              earlySetup = true;
-              font = cfg.consoleFont;
-              packages = [ pkgs.terminus_font ];
-            };
           }
 
           (lib.mkIf (cfg.mode == "systemd-boot") {
@@ -131,41 +46,26 @@
             };
           })
 
-          (lib.mkIf (cfg.resumeDevice != null) {
+          (lib.mkIf cfg.plymouth.enable {
-            boot.resumeDevice = cfg.resumeDevice;
+            # plymouth needs systemd-initrd to render the luks prompt cleanly
-          })
+            boot.initrd.systemd.enable = true;
 
-          (lib.mkIf cfg.initrdSsh.enable {
+            # host is responsible for early-KMS so plymouth lands on the gpu driver,
-            boot.initrd.systemd.settings.Manager.DefaultDeviceTimeoutSec = "infinity";
+            # not simpledrm (e.g. hardware.amdgpu.initrd.enable on amd hosts)
+            boot.plymouth.enable = true;
+            stylix.targets.plymouth.logoAnimated = false;
 
-            boot.initrd.availableKernelModules = [ cfg.initrdSsh.networkModule ];
+            boot.kernelParams = [
-
+              "quiet"
-            boot.kernelParams = lib.mkIf cfg.initrdSsh.ip.enable [
+              "splash"
-              "ip=${mkIpString cfg.initrdSsh.ip}"
+              "loglevel=3"
+              "rd.systemd.show_status=false"
+              "rd.udev.log_level=3"
+              "udev.log_priority=3"
+              "plymouth.force-scale=1"
             ];
-
+            boot.consoleLogLevel = 0;
-            boot.initrd.network = {
+            boot.initrd.verbose = false;
-              enable = true;
-              ssh = {
-                enable = true;
-                port = 22;
-                hostKeys = [
-                  "${keyDir}/ssh_host_rsa_key"
-                  "${keyDir}/ssh_host_ed25519_key"
-                ];
-                inherit (cfg.initrdSsh) authorizedKeys;
-              };
-            };
-
-            # forward LUKS password prompt to the ssh session (systemd-initrd idiom)
-            boot.initrd.systemd.users.root.shell = "/bin/systemd-tty-ask-password-agent";
-
-            boot.initrd.systemd.network.networks = lib.mkIf (!cfg.initrdSsh.ip.enable) {
-              "10-initrd" = {
-                matchConfig.Driver = cfg.initrdSsh.networkModule;
-                networkConfig.DHCP = "yes";
-              };
-            };
           })
         ]
       );

features/desktop.nix

@@ -105,11 +105,7 @@
           # bluetooth
           (lib.mkIf cfg.bluetooth.enable {
             hardware.bluetooth.enable = true;
-            services.blueman = {
+            services.blueman.enable = true;
-              enable = true;
-              # TEMP:(@janezicmatej) workaround for nixpkgs#514705, fix in nixpkgs#517250
-              withApplet = false;
-            };
           })
 
           # apps

features/initrd-ssh.nix

@@ -0,0 +1,90 @@
+{
+  nixos =
+    { lib, config, ... }:
+    let
+      cfg = config.features.initrd-ssh;
+      keyDir = "/etc/secrets/initrd";
+
+      mkIpString =
+        {
+          address,
+          gateway,
+          netmask,
+          interface,
+          ...
+        }:
+        "${address}::${gateway}:${netmask}::${interface}:none";
+    in
+    {
+      options.features.initrd-ssh = {
+        enable = lib.mkEnableOption "initrd ssh";
+
+        ip = {
+          enable = lib.mkEnableOption "static IP for initrd (otherwise DHCP)";
+
+          address = lib.mkOption {
+            type = lib.types.str;
+          };
+
+          gateway = lib.mkOption {
+            type = lib.types.str;
+          };
+
+          netmask = lib.mkOption {
+            type = lib.types.str;
+            default = "255.255.255.0";
+          };
+
+          interface = lib.mkOption {
+            type = lib.types.str;
+          };
+        };
+
+        authorizedKeys = lib.mkOption {
+          type = lib.types.listOf lib.types.str;
+          default = [ ];
+        };
+
+        networkModule = lib.mkOption {
+          type = lib.types.str;
+        };
+      };
+
+      config = lib.mkIf cfg.enable {
+        boot.initrd.availableKernelModules = [ cfg.networkModule ];
+        boot.initrd.kernelModules = [ cfg.networkModule ];
+        boot.kernelParams = lib.mkIf cfg.ip.enable [
+          "ip=${mkIpString cfg.ip}"
+        ];
+
+        boot.initrd.systemd.enable = true;
+
+        # remote unlock may take a while; don't let device units give up
+        boot.initrd.systemd.settings.Manager.DefaultDeviceTimeoutSec = "infinity";
+
+        boot.initrd.network = {
+          enable = true;
+          ssh = {
+            enable = true;
+            port = 22;
+            hostKeys = [
+              "${keyDir}/ssh_host_rsa_key"
+              "${keyDir}/ssh_host_ed25519_key"
+            ];
+            inherit (cfg) authorizedKeys;
+          };
+        };
+
+        # systemd-networkd retries DHCP indefinitely, unlike udhcpc
+        boot.initrd.systemd.network.networks = lib.mkIf (!cfg.ip.enable) {
+          "10-initrd" = {
+            matchConfig.Driver = cfg.networkModule;
+            networkConfig.DHCP = "yes";
+          };
+        };
+
+        # forward LUKS password prompt to the SSH session
+        boot.initrd.systemd.users.root.shell = "/bin/systemd-tty-ask-password-agent";
+      };
+    };
+}

features/power.nix

@@ -8,6 +8,11 @@
       options.features.power = {
         enable = lib.mkEnableOption "laptop power management";
 
+        resumeDevice = lib.mkOption {
+          type = lib.types.nullOr lib.types.str;
+          default = null;
+        };
+
         lidSwitch = lib.mkOption {
           type = lib.types.str;
           default = "suspend-then-hibernate";
@@ -35,6 +40,8 @@
       };
 
       config = lib.mkIf cfg.enable {
+        boot.resumeDevice = lib.mkIf (cfg.resumeDevice != null) cfg.resumeDevice;
+
         services.logind.settings.Login = {
           HandleLidSwitch = cfg.lidSwitch;
           HandlePowerKey = cfg.powerKey;

flake.lock

@@ -54,11 +54,11 @@
     "base16-helix": {
       "flake": false,
       "locked": {
-        "lastModified": 1776754714,
+        "lastModified": 1760703920,
-        "narHash": "sha256-E3OAK27smtATTmX45uoTSRsVD+Y+ZiVVfgM/tjpbtYg=",
+        "narHash": "sha256-m82fGUYns4uHd+ZTdoLX2vlHikzwzdu2s2rYM2bNwzw=",
         "owner": "tinted-theming",
         "repo": "base16-helix",
-        "rev": "4d508123037e7851ad36ebf7d9c48b0e9e1eb581",
+        "rev": "d646af9b7d14bff08824538164af99d0c521b185",
         "type": "github"
       },
       "original": {
@@ -106,11 +106,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1777713215,
+        "lastModified": 1776613567,
-        "narHash": "sha256-8GzXDOXckDWwST8TY5DbwYFjdvQLlP7K9CLSVx6iTTo=",
+        "narHash": "sha256-gC9Cp5ibBmGD5awCA9z7xy6MW6iJufhazTYJOiGlCUI=",
         "owner": "nix-community",
         "repo": "disko",
-        "rev": "63b4e7e6cf75307c1d26ac3762b886b5b0247267",
+        "rev": "32f4236bfc141ae930b5ba2fb604f561fed5219d",
         "type": "github"
       },
       "original": {
@@ -122,11 +122,11 @@
     "firefox-gnome-theme": {
       "flake": false,
       "locked": {
-        "lastModified": 1776136500,
+        "lastModified": 1775176642,
-        "narHash": "sha256-r0gN2brVWA351zwMV0Flmlcd6SGMvYqFbvC3DfKFM8Y=",
+        "narHash": "sha256-2veEED0Fg7Fsh81tvVDNYR6SzjqQxa7hbi18Jv4LWpM=",
         "owner": "rafaelmardojai",
         "repo": "firefox-gnome-theme",
-        "rev": "0f8ba203d475587f477e7ae12661bd8459e225b7",
+        "rev": "179704030c5286c729b5b0522037d1d51341022c",
         "type": "github"
       },
       "original": {
@@ -156,11 +156,11 @@
         "nixpkgs-lib": "nixpkgs-lib"
       },
       "locked": {
-        "lastModified": 1777988971,
+        "lastModified": 1775087534,
-        "narHash": "sha256-qIoWPDs+0/8JecyYgE3gpKQxW/4bLW/gp45vow9ioCQ=",
+        "narHash": "sha256-91qqW8lhL7TLwgQWijoGBbiD4t7/q75KTi8NxjVmSmA=",
         "owner": "hercules-ci",
         "repo": "flake-parts",
-        "rev": "0678d8986be1661af6bb555f3489f2fdfc31f6ff",
+        "rev": "3107b77cd68437b9a76194f0f7f9c55f2329ca5b",
         "type": "github"
       },
       "original": {
@@ -177,11 +177,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1777988971,
+        "lastModified": 1775087534,
-        "narHash": "sha256-qIoWPDs+0/8JecyYgE3gpKQxW/4bLW/gp45vow9ioCQ=",
+        "narHash": "sha256-91qqW8lhL7TLwgQWijoGBbiD4t7/q75KTi8NxjVmSmA=",
         "owner": "hercules-ci",
         "repo": "flake-parts",
-        "rev": "0678d8986be1661af6bb555f3489f2fdfc31f6ff",
+        "rev": "3107b77cd68437b9a76194f0f7f9c55f2329ca5b",
         "type": "github"
       },
       "original": {
@@ -273,11 +273,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1778248595,
+        "lastModified": 1776777932,
-        "narHash": "sha256-dhFgEjoeJMYN/7OY6xfxS799YB4IjbbYXTjyGIJyLpc=",
+        "narHash": "sha256-0R3Yow/NzSeVGUke5tL7CCkqmss4Vmi6BbV6idHzq/8=",
         "owner": "nix-community",
         "repo": "home-manager",
-        "rev": "fdb2ccba9d5e1238d32e0c4a3ec1a277efa80c1d",
+        "rev": "5d5640599a0050b994330328b9fd45709c909720",
         "type": "github"
       },
       "original": {
@@ -317,11 +317,11 @@
         "nixpkgs": "nixpkgs"
       },
       "locked": {
-        "lastModified": 1778285091,
+        "lastModified": 1776729909,
-        "narHash": "sha256-4YwkGkjvLD0EB7rQGCRA9J/zgwrnTL20dJd7Wmnicj0=",
+        "narHash": "sha256-wGu/N42PJqrj8ju9GoXdppg4rwaKzZqdAjsgxJbCvfY=",
         "owner": "nix-community",
         "repo": "neovim-nightly-overlay",
-        "rev": "cca2a2d1c03f763fdcd7066791363d792313c641",
+        "rev": "ff21a18bde28b4c8ca0bc1f9a5b7186a1b89a3d1",
         "type": "github"
       },
       "original": {
@@ -333,11 +333,11 @@
     "neovim-src": {
       "flake": false,
       "locked": {
-        "lastModified": 1778266020,
+        "lastModified": 1776727374,
-        "narHash": "sha256-qoydKalrn/QGsGYVRicz0Hzb7bfGmV7Z9CnVONXN/Lc=",
+        "narHash": "sha256-iP5SviNXW5W+ay4ZmwjDFsfQjfM+fYlUxRlLPHjpwWI=",
         "owner": "neovim",
         "repo": "neovim",
-        "rev": "b7d8a41d91dcfebe9a5f3d0cf2f0bb0b8d59e32e",
+        "rev": "901b3f0c394a53961781ebeee682e64ad690a242",
         "type": "github"
       },
       "original": {
@@ -348,11 +348,11 @@
     },
     "nixos-hardware": {
       "locked": {
-        "lastModified": 1778143761,
+        "lastModified": 1775490113,
-        "narHash": "sha256-lkesY6x2X2qxlqLM7CT2iM/0rP2JB7fruPN3h8POXmI=",
+        "narHash": "sha256-2ZBhDNZZwYkRmefK5XLOusCJHnoeKkoN95hoSGgMxWM=",
         "owner": "NixOS",
         "repo": "nixos-hardware",
-        "rev": "3bcaa367d4c550d687a17ac792fd5cda214ee871",
+        "rev": "c775c2772ba56e906cbeb4e0b2db19079ef11ff7",
         "type": "github"
       },
       "original": {
@@ -364,11 +364,11 @@
     },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1778124196,
+        "lastModified": 1776329215,
-        "narHash": "sha256-pYEytCNic/czazbV9r3tbQ6BZzqRBg/41x2dIC5ymOo=",
+        "narHash": "sha256-a8BYi3mzoJ/AcJP8UldOx8emoPRLeWqALZWu4ZvjPXw=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "68a8af93ff4297686cb68880845e61e5e2e41d92",
+        "rev": "b86751bc4085f48661017fa226dee99fab6c651b",
         "type": "github"
       },
       "original": {
@@ -380,11 +380,11 @@
     },
     "nixpkgs-lib": {
       "locked": {
-        "lastModified": 1777168982,
+        "lastModified": 1774748309,
-        "narHash": "sha256-GOkGPcboWE9BmGCRMLX3worL4EMnsnG8MyKmXNeYuhQ=",
+        "narHash": "sha256-+U7gF3qxzwD5TZuANzZPeJTZRHS29OFQgkQ2kiTJBIQ=",
         "owner": "nix-community",
         "repo": "nixpkgs.lib",
-        "rev": "f5901329dade4a6ea039af1433fb087bd9c1fe14",
+        "rev": "333c4e0545a6da976206c74db8773a1645b5870a",
         "type": "github"
       },
       "original": {
@@ -395,11 +395,11 @@
     },
     "nixpkgs-master": {
       "locked": {
-        "lastModified": 1778360830,
+        "lastModified": 1776807375,
-        "narHash": "sha256-tD44tgf123UcERx3cC91rwefFmGmlTd2M1QdL6d5iLc=",
+        "narHash": "sha256-LDnHG0T54OEHyRydmGUlAND8ham0KrRNWjgoS+6GUd4=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "82cbc979e10cf2b893566a0f259daf5e1f26c887",
+        "rev": "553ecb1686a2edb75dee44c9f72e1674e6adc26a",
         "type": "github"
       },
       "original": {
@@ -411,11 +411,11 @@
     },
     "nixpkgs-stable": {
       "locked": {
-        "lastModified": 1778003029,
+        "lastModified": 1776560675,
-        "narHash": "sha256-q/nkKLDtHIyLjZpKhWk3cSK5IYsFqtMd6UtXF3ddjgA=",
+        "narHash": "sha256-p68udKWWh7+V4ZPpcMDq0gTHWNZJnr4JPI+kHPPE40o=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "0c88e1f2bdb93d5999019e99cb0e61e1fe2af4c5",
+        "rev": "e07580dae39738e46609eaab8b154de2488133ce",
         "type": "github"
       },
       "original": {
@@ -427,11 +427,11 @@
     },
     "nixpkgs_2": {
       "locked": {
-        "lastModified": 1777954456,
+        "lastModified": 1776548001,
-        "narHash": "sha256-hGdgeU2Nk87RAuZyYjyDjFL6LK7dAZN5RE9+hrDTkDU=",
+        "narHash": "sha256-ZSK0NL4a1BwVbbTBoSnWgbJy9HeZFXLYQizjb2DPF24=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "549bd84d6279f9852cae6225e372cc67fb91a4c1",
+        "rev": "b12141ef619e0a9c1c84dc8c684040326f27cdcc",
         "type": "github"
       },
       "original": {
@@ -453,11 +453,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1777598946,
+        "lastModified": 1775228139,
-        "narHash": "sha256-X239dAGaU1+gfDj8jKH8GzlqKMcxaVfXOio+uzBOkeE=",
+        "narHash": "sha256-ebbeHmg+V7w8050bwQOuhmQHoLOEOfqKzM1KgCTexK4=",
         "owner": "nix-community",
         "repo": "NUR",
-        "rev": "5d55af01c0f86be583931fe99207fc56c14134b3",
+        "rev": "601971b9c89e0304561977f2c28fa25e73aa7132",
         "type": "github"
       },
       "original": {
@@ -550,11 +550,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1777944972,
+        "lastModified": 1776771786,
-        "narHash": "sha256-VfGRo1qTBKOe3s2gOv8LSoA6Fk19PvBlwQ1ECN0Evn8=",
+        "narHash": "sha256-DRFGPfFV6hbrfO9a1PH1FkCi7qR5FgjSqsQGGvk1rdI=",
         "owner": "Mic92",
         "repo": "sops-nix",
-        "rev": "c591bf665727040c6cc5cb409079acb22dcce33c",
+        "rev": "bef289e2248991f7afeb95965c82fbcd8ff72598",
         "type": "github"
       },
       "original": {
@@ -583,11 +583,11 @@
         "tinted-zed": "tinted-zed"
       },
       "locked": {
-        "lastModified": 1778104276,
+        "lastModified": 1776170745,
-        "narHash": "sha256-/DSSnU0LLmOTG/OCgGwYpxP6+5YvxRx2g/GhI4x6aCU=",
+        "narHash": "sha256-Tl1aZVP5EIlT+k0+iAKH018GLHJpLz3hhJ0LNQOWxCc=",
         "owner": "danth",
         "repo": "stylix",
-        "rev": "18ed8d270231e067fe2739998479ed5d7c659c2c",
+        "rev": "e3861617645a43c9bbefde1aa6ac54dd0a44bfa9",
         "type": "github"
       },
       "original": {
@@ -630,11 +630,11 @@
     "tinted-schemes": {
       "flake": false,
       "locked": {
-        "lastModified": 1777041405,
+        "lastModified": 1772661346,
-        "narHash": "sha256-BAGZ7ObFV/9Z61OJZun7ifPyhkuHqNuW1QIhQ8LuzCo=",
+        "narHash": "sha256-4eu3LqB9tPqe0Vaqxd4wkZiBbthLbpb7llcoE/p5HT0=",
         "owner": "tinted-theming",
         "repo": "schemes",
-        "rev": "5f868b3a338b6904c47f3833b9c411be641983a8",
+        "rev": "13b5b0c299982bb361039601e2d72587d6846294",
         "type": "github"
       },
       "original": {
@@ -646,11 +646,11 @@
     "tinted-tmux": {
       "flake": false,
       "locked": {
-        "lastModified": 1777169200,
+        "lastModified": 1772934010,
-        "narHash": "sha256-h7dDbIzP5hDr9v97w9PL6jdAgXawmj6krcH+959rqpU=",
+        "narHash": "sha256-x+6+4UvaG+RBRQ6UaX+o6DjEg28u4eqhVRM9kpgJGjQ=",
         "owner": "tinted-theming",
         "repo": "tinted-tmux",
-        "rev": "f798c2dce44ef815bb6b8f05a82135c7942d35ac",
+        "rev": "c3529673a5ab6e1b6830f618c45d9ce1bcdd829d",
         "type": "github"
       },
       "original": {
@@ -662,11 +662,11 @@
     "tinted-zed": {
       "flake": false,
       "locked": {
-        "lastModified": 1777463218,
+        "lastModified": 1772909925,
-        "narHash": "sha256-Bhkozqtq3BKLqWTlmKm8uAptfX4aRGI8QX3eEL54Vpc=",
+        "narHash": "sha256-jx/5+pgYR0noHa3hk2esin18VMbnPSvWPL5bBjfTIAU=",
         "owner": "tinted-theming",
         "repo": "base16-zed",
-        "rev": "5768d08ed2e7944a26a958868cdb073cb8856dae",
+        "rev": "b4d3a1b3bcbd090937ef609a0a3b37237af974df",
         "type": "github"
       },
       "original": {

flake/hosts.nix

@@ -55,6 +55,7 @@ in
         "git"
         "gnupg"
         "harmonia"
+        "initrd-ssh"
         "localisation"
         "neovim"
         "networkmanager"
@@ -123,7 +124,6 @@ in
         "localisation"
         "networkmanager"
         "nix-settings"
-        "onepassword"
         "sway"
         "udev"
         "zsh"

flake/overlays.nix

@@ -1,7 +1,5 @@
-{ inputs, ... }:
+_:
 
 {
-  flake.overlays.default = final: _prev: {
+  flake.overlays.default = _: _: { };
-    inherit (inputs.nixpkgs-stable.legacyPackages.${final.stdenv.hostPlatform.system}) mcp-nixos;
-  };
 }

hosts/fw16/configuration.nix

@@ -10,13 +10,16 @@
     inputs.nixos-hardware.nixosModules.framework-16-amd-ai-300-series
   ];
 
-  features.bootloader.resumeDevice = "/dev/mapper/vg0-swap";
+  features.bootloader.plymouth.enable = true;
   features.desktop.bluetooth.enable = true;
   features.gnupg.yubikey.enable = true;
   features.udev = {
     ledger.enable = true;
     keyboard-zsa.enable = true;
   };
+  features.power.resumeDevice = "/dev/disk/by-uuid/ff4750e7-3a9f-42c2-bb68-c458a6560540";
+
+  boot.kernelParams = [ "pcie_aspm.policy=powersupersave" ];
 
   programs.nix-ld.libraries = options.programs.nix-ld.libraries.default;
 

hosts/fw16/hardware-configuration.nix

@@ -37,7 +37,10 @@
   fileSystems."/boot" = {
     device = "/dev/disk/by-uuid/42D9-FAFD";
     fsType = "vfat";
-    options = [ "umask=0077" ];
+    options = [
+      "fmask=0022"
+      "dmask=0022"
+    ];
   };
 
   swapDevices = [

hosts/tower/configuration.nix

@@ -8,11 +8,7 @@
   features.nix-settings.towerCache.enable = false;
   features.bootloader = {
     mode = "lanzaboote";
-    initrdSsh = {
+    plymouth.enable = true;
-      enable = true;
-      networkModule = "r8169";
-      authorizedKeys = userKeys.sshAuthorizedKeys;
-    };
   };
   features.desktop.bluetooth.enable = true;
   features.gnupg.yubikey.enable = true;
@@ -20,14 +16,17 @@
     ledger.enable = true;
     keyboard-zsa.enable = true;
   };
+  features.initrd-ssh = {
+    networkModule = "r8169";
+    authorizedKeys = userKeys.sshAuthorizedKeys;
+  };
 
   # nix store signing
   sops.secrets.nix-signing-key.sopsFile = ../../secrets/tower.yaml;
   nix.settings.secret-key-files = [ config.sops.secrets.nix-signing-key.path ];
 
   boot.kernelParams = [ "btusb.reset=1" ];
-  # pairs with bootloader's simpledrm initcall blacklist: amdgpu owns fbcon
+  # early kms so plymouth lands on amdgpu, not simpledrm
-  # from the start, no driver-swap mode-set
   hardware.amdgpu.initrd.enable = true;
 
   services.udisks2.enable = true;

justfile

@@ -2,20 +2,31 @@
 default:
     @just --list
 
-# rebuild the system
+# rebuild and switch
-rebuild op="switch" host=`hostname`:
+switch config="":
-    nixos-rebuild {{op}} --flake .#{{host}} --sudo
+    nixos-rebuild switch --flake .{{ if config != "" { "#" + config } else { "" } }} --sudo
+
+# fetch flake inputs
+sync:
+    nix flake prefetch-inputs
 
 # update flake inputs
 update:
     nix flake update
 
+# update flake inputs, rebuild and switch
+bump: update switch
+
+# update a package to latest version
+update-package pkg:
+    bash packages/{{pkg}}/update.sh
+
 # update all packages with update scripts
-update-package:
+update-package-all:
     @for script in packages/*/update.sh; do bash "$script"; done
 
 # build all packages and hosts
-check:
+build:
     nix flake check
 
 # build installation iso
@@ -26,6 +37,10 @@ iso:
 ephvm *ARGS:
     bash scripts/ephvm-run.sh {{ARGS}}
 
+# ssh into running ephemeral VM
+ephvm-ssh port="2222":
+    ssh -p {{port}} -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null matej@localhost
+
 # provision a host with nixos-anywhere
 provision host ip:
     #!/usr/bin/env bash
@@ -44,9 +59,9 @@ provision host ip:
     ssh root@{{ip}} reboot
 
 # deploy config to a remote host
-deploy op="switch" host=`hostname` remote=host:
+deploy host remote=host:
-    nixos-rebuild {{op}} --flake .#{{host}} --target-host {{remote}} --sudo --ask-sudo-password
+    nixos-rebuild switch --flake .#{{host}} --target-host {{remote}} --sudo --ask-sudo-password
 
 # garbage collect old generations
-clean host=`hostname`:
+clean:
-    sudo nix-collect-garbage $(nix eval --raw .#nixosConfigurations.{{host}}.config.nix.gc.options)
+    sudo nix-collect-garbage $(nix eval --raw -f ./nix.nix nix.gc.options)

lib/mkHost.nix

@@ -87,17 +87,6 @@ nixpkgs.lib.nixosSystem {
     { nixpkgs.config.allowUnfree = true; }
     { networking.hostName = name; }
 
-    # TEMP:(@janezicmatej) temporary mitigation for dirty frag
-    # blocks esp4/esp6 (CVE-2026-43284) and rxrpc (CVE-2026-43500)
-    # remove once nixpkgs ships a kernel with f4c50a4034e6 and the rxrpc fix
-    {
-      boot.blacklistedKernelModules = [
-        "esp4"
-        "esp6"
-        "rxrpc"
-      ];
-    }
-
     featureEnableModule
     hostConfig
   ]

nix.nix

@@ -0,0 +1,33 @@
+{
+  nix = {
+    settings = {
+      experimental-features = [
+        "nix-command"
+        "flakes"
+      ];
+      download-buffer-size = 2 * 1024 * 1024 * 1024;
+      warn-dirty = false;
+      substituters = [
+        "https://cache.nixos.org"
+        "https://nix-community.cachix.org?priority=45"
+        "http://tower:5000?priority=50"
+      ];
+      trusted-public-keys = [
+        "cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY="
+        "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
+        "matej.nix-1:TdbemLVYblvAxqJcwb3mVKmmr3cfzXbMcZHE5ILnZDE="
+      ];
+    };
+
+    gc = {
+      automatic = true;
+      dates = "monthly";
+      options = "--delete-older-than 30d";
+    };
+
+    optimise = {
+      automatic = true;
+      dates = [ "monthly" ];
+    };
+  };
+}

packages/claude-code/package.nix

@@ -2,7 +2,7 @@
 
 let
   inherit (pkgs) stdenv lib;
-  version = "2.1.138";
+  version = "2.1.116";
 
   # upstream ships platform-native binaries as separate npm packages under
   # @anthropic-ai/claude-code-<platform>; the wrapper package is just a
@@ -10,19 +10,19 @@ let
   sources = {
     "x86_64-linux" = {
       slug = "linux-x64";
-      hash = "sha256-MGYEPPO4O84Egb5Ym/9f56l+TzPqogpSabosvHTIJZg=";
+      hash = "sha256-QEjJ4CRk35TubDNW02Dzcu+EMRLLndJUXJeP3BFT3b8=";
     };
     "aarch64-linux" = {
       slug = "linux-arm64";
-      hash = "sha256-LWBtOAjPDFtLP93TNrsd8bPHJd7VKK6J90CRxUp1/XQ=";
+      hash = "sha256-/Hqp8GQx8Hub8K4w0Fnx/AksksY61vRC44XxrJVwF5w=";
     };
     "x86_64-darwin" = {
       slug = "darwin-x64";
-      hash = "sha256-tkupKzb+XAPmdCRNoT90cfVLKUar3FCTRgufiMVuVPc=";
+      hash = "sha256-O3J/ew2fWbUQePs6tHEhK0Q9E3Mx/BDSL7b7NL3FRc8=";
     };
     "aarch64-darwin" = {
       slug = "darwin-arm64";
-      hash = "sha256-jmB4t11BI1LKanuuXRJv5IBe8a9gSrFvTMP3KarsioU=";
+      hash = "sha256-O41sf7b05SJfXVjszMeTp838mja+PgZ+aEKykLsHeNo=";
     };
   };