update nix

2025-09-01 15:10:31 -04:00 · 2025-09-01 15:10:31 -04:00 · 93b7c6ee25
commit 93b7c6ee25
parent cc045f225b
22 changed files with 303 additions and 20 deletions
--- a/.sops.yaml
+++ b/.sops.yaml
@ -3,6 +3,8 @@ keys:
  - &admin_reichard age1sac93wpnjcv62s7583jv6a4yspndh6k0r25g3qx3k7gq748uvafst6nz4w
  # lin-va-mbp-personal@evanreichard - SSH Derived
  - &user_lin-va-mbp-personal age17ayje4uv2mhwehhp9jr3u9l0ds07396kt7ef40sufx89vm7cgfjq6d5d4y
  # mac-va-mbp-personal@evanreichard - SSH Derived
  - &user_mac-va-mbp-personal age1dccte7xtwswgef089nd80dutp96xnezx5lrqnneh9cusegsnda8sj3dj6c
 creation_rules:
  - path_regex: secrets/[^/]+\.(yaml|json|env|ini)$
    key_groups:
@ -13,3 +15,8 @@ creation_rules:
      - age:
          - *admin_reichard
          - *user_lin-va-mbp-personal
  - path_regex: secrets/mac-va-mbp-personal/evanreichard/[^/]+\.(yaml|json|env|ini)$
    key_groups:
      - age:
          - *admin_reichard
          - *user_mac-va-mbp-personal
--- a/README.md
+++ b/README.md
@ -11,7 +11,7 @@ sudo nixos-rebuild switch --flake .#lin-va-mbp-personal
 ### NixOS Generators
 ```bash
-nix build .#vmwareConfigurations.rke2-node
+nix build .#qcowConfigurations.lin-va-rke2
 ```
 ### Home Manager
@ -71,11 +71,11 @@ sudo nixos-rebuild switch
 ```bash
 # Update System Channels
-sudo nix-channel --add https://nixos.org/channels/nixpkgs-24.11-darwin nixpkgs
+sudo nix-channel --add https://nixos.org/channels/nixpkgs-25.05-darwin nixpkgs
 sudo nix-channel --update
 # Update Home Manager
-nix-channel --add https://github.com/nix-community/home-manager/archive/release-24.11.tar.gz home-manager
+nix-channel --add https://github.com/nix-community/home-manager/archive/release-25.05.tar.gz home-manager
 nix-channel --update
 # Link Repo
@ -105,3 +105,14 @@ if [ -e '/nix/var/nix/profiles/default/etc/profile.d/nix-daemon.sh' ]; then
 fi
 # End Nix
 ```
 # Nix Darwin
 ```bash
 # Install Nix Without Determinate
 curl --proto '=https' --tlsv1.2 -sSf -L https://install.determinate.systems/nix | sh -s -- install
 # Switch Nix Darwin
 sudo nix run nix-darwin#darwin-rebuild -- switch --flake .#mac-va-mbp-personal
 sudo darwin-rebuild switch --flake .#mac-va-mbp-personal
 ```
--- a/flake.lock
+++ b/flake.lock
@ -23,6 +23,27 @@
        "type": "github"
      }
    },
    "darwin": {
      "inputs": {
        "nixpkgs": [
          "nixpkgs"
        ]
      },
      "locked": {
        "lastModified": 1749744770,
        "narHash": "sha256-MEM9XXHgBF/Cyv1RES1t6gqAX7/tvayBC1r/KPyK1ls=",
        "owner": "nix-darwin",
        "repo": "nix-darwin",
        "rev": "536f951efb1ccda9b968e3c9dee39fbeb6d3fdeb",
        "type": "github"
      },
      "original": {
        "owner": "nix-darwin",
        "ref": "nix-darwin-25.05",
        "repo": "nix-darwin",
        "type": "github"
      }
    },
    "disko": {
      "inputs": {
        "nixpkgs": "nixpkgs"
@ -239,6 +260,7 @@
    "root": {
      "inputs": {
        "apple-silicon": "apple-silicon",
        "darwin": "darwin",
        "disko": "disko",
        "firefox-addons": "firefox-addons",
        "home-manager": "home-manager",
--- a/flake.nix
+++ b/flake.nix
@ -29,6 +29,10 @@
      url = "github:Mic92/sops-nix";
      inputs.nixpkgs.follows = "nixpkgs";
    };
    darwin = {
      url = "github:nix-darwin/nix-darwin/nix-darwin-25.05";
      inputs.nixpkgs.follows = "nixpkgs";
    };
  };
  outputs = inputs:
@ -60,6 +64,10 @@
          disko.nixosModules.disko
          sops-nix.nixosModules.sops
        ];
        darwin = with inputs; [
          home-manager.darwinModules.home-manager
          sops-nix.darwinModules.sops
        ];
      };
    };
 }
--- a/homes/aarch64-darwin/evanreichard@mac-va-mbp-personal/default.nix
+++ b/homes/aarch64-darwin/evanreichard@mac-va-mbp-personal/default.nix
@ -1,9 +1,9 @@
-{ lib, config, namespace, ... }:
+{ lib, pkgs, config, namespace, ... }:
 let
  inherit (lib.${namespace}) enabled;
 in
 {
-  home.stateVersion = "24.11";
+  home.stateVersion = "25.05";
  reichard = {
    user = {
@ -49,6 +49,8 @@ in
  #   tldr
  # ];
  home.packages = with pkgs; [ fastfetch ];
  # SQLite Configuration
  home.file.".sqliterc".text = ''
    .headers on
--- a/homes/aarch64-darwin/evanreichard@mac-va-mbp-work/default.nix
+++ b/homes/aarch64-darwin/evanreichard@mac-va-mbp-work/default.nix
@ -3,7 +3,7 @@ let
  inherit (lib.${namespace}) enabled;
 in
 {
-  home.stateVersion = "24.11";
+  home.stateVersion = "25.05";
  reichard = {
    user = {
--- a/homes/aarch64-linux/evanreichard@lin-va-mbp-personal/default.nix
+++ b/homes/aarch64-linux/evanreichard@lin-va-mbp-personal/default.nix
@ -3,7 +3,7 @@ let
  inherit (lib.${namespace}) enabled;
 in
 {
-  home.stateVersion = "24.11";
+  home.stateVersion = "25.05";
  reichard = {
    user = {
--- a/homes/x86_64-linux/evanreichard@lin-va-thinkpad/default.nix
+++ b/homes/x86_64-linux/evanreichard@lin-va-thinkpad/default.nix
@ -3,7 +3,7 @@ let
  inherit (lib.${namespace}) enabled;
 in
 {
-  home.stateVersion = "24.11";
+  home.stateVersion = "25.05";
  reichard = {
    user = {
--- a/modules/darwin/default.nix
+++ b/modules/darwin/default.nix
@ -0,0 +1,8 @@
 {
  config = {
    home-manager = {
      useGlobalPkgs = true;
      useUserPackages = true;
    };
  };
 }
--- a/modules/darwin/nix/default.nix
+++ b/modules/darwin/nix/default.nix
@ -0,0 +1,102 @@
 { config, lib, pkgs, inputs, namespace, host, ... }:
 let
  inherit (lib) types mkIf;
  inherit (lib.${namespace}) mkBoolOpt mkOpt;
  cfg = config.${namespace}.nix;
 in
 {
  options.${namespace}.nix = {
    enable = mkBoolOpt true "Whether or not to manage nix configuration.";
    package = mkOpt types.package pkgs.nixVersions.latest "Which nix package to use.";
  };
  config = mkIf cfg.enable {
    nix =
      let
        mappedRegistry = lib.pipe inputs [
          (lib.filterAttrs (_: lib.isType "flake"))
          (lib.mapAttrs (_: flake: { inherit flake; }))
          (x: x // {
            nixpkgs.flake = if pkgs.stdenv.hostPlatform.isLinux then inputs.nixpkgs else inputs.nixpkgs-unstable;
          })
          (x: if pkgs.stdenv.hostPlatform.isDarwin then lib.removeAttrs x [ "nixpkgs-unstable" ] else x)
        ];
        users = [
          "root"
          "@wheel"
          "nix-builder"
          "evanreichard"
        ];
      in
      {
        inherit (cfg) package;
        buildMachines = lib.optional (config.${namespace}.security.sops.enable && host != "nixos-builder") {
          hostName = "10.0.50.130";
          systems = [ "x86_64-linux" ];
          sshUser = "evanreichard";
          protocol = "ssh";
          sshKey = config.sops.secrets.builder_ssh_key.path;
          supportedFeatures = [
            "benchmark"
            "big-parallel"
            "nixos-test"
            "kvm"
          ];
        };
        checkConfig = true;
        distributedBuilds = true;
        optimise.automatic = true;
        registry = lib.mkForce mappedRegistry;
        gc = {
          automatic = true;
          options = "--delete-older-than 7d";
        };
        settings = {
          connect-timeout = 5;
          allowed-users = users;
          max-jobs = "auto";
          auto-optimise-store = pkgs.stdenv.hostPlatform.isLinux;
          builders-use-substitutes = true;
          experimental-features = [
            "nix-command"
            "flakes "
          ];
          flake-registry = "/etc/nix/registry.json";
          http-connections = 50;
          keep-derivations = true;
          keep-going = true;
          keep-outputs = true;
          log-lines = 50;
          sandbox = true;
          trusted-users = users;
          warn-dirty = false;
          use-xdg-base-directories = true;
          substituters = [
            "https://anyrun.cachix.org"
            "https://cache.nixos.org"
            "https://hyprland.cachix.org"
            "https://nix-community.cachix.org"
            "https://nixpkgs-unfree.cachix.org"
            "https://nixpkgs-wayland.cachix.org"
            "https://numtide.cachix.org"
          ];
          trusted-public-keys = [
            "anyrun.cachix.org-1:pqBobmOjI7nKlsUMV25u9QHa9btJK65/C8vnO3p346s="
            "cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY="
            "hyprland.cachix.org-1:a7pgxzMz7+chwVL3/pzj6jIBMioiJM7ypFP8PwtkuGc="
            "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
            "nixpkgs-unfree.cachix.org-1:hqvoInulhbV4nJ9yJOEr+4wxhDV4xq2d1DK7S6Nj6rs="
            "nixpkgs-wayland.cachix.org-1:3lwxaILxMRkVhehr5StQprHdEo4IrE8sRho9R9HOLYA="
            "numtide.cachix.org-1:2ps1kLBUWjxIneOy1Ik6cQjb41X0iXVXeHigGmycPPE="
          ];
        };
      };
  };
 }
--- a/modules/darwin/security/sops/default.nix
+++ b/modules/darwin/security/sops/default.nix
@ -0,0 +1,31 @@
 { config, lib, namespace, ... }:
 let
  inherit (lib.${namespace}) mkOpt;
  cfg = config.${namespace}.security.sops;
 in
 {
  options.${namespace}.security.sops = {
    enable = lib.mkEnableOption "sops";
    defaultSopsFile = mkOpt lib.types.path null "Default sops file.";
    sshKeyPaths = mkOpt (with lib.types; listOf path) [
      "/etc/ssh/ssh_host_ed25519_key"
    ] "SSH Key paths to use.";
  };
  config = lib.mkIf cfg.enable {
    sops = {
      inherit (cfg) defaultSopsFile;
      age = {
        inherit (cfg) sshKeyPaths;
        keyFile = "${config.users.users.${config.${namespace}.user.name}.home}/.config/sops/age/keys.txt";
      };
    };
    sops.secrets.builder_ssh_key = {
      sopsFile = lib.snowfall.fs.get-file "secrets/default.yaml";
    };
  };
 }
--- a/modules/darwin/services/openssh/default.nix
+++ b/modules/darwin/services/openssh/default.nix
@ -0,0 +1,20 @@
 { config, namespace, lib, ... }:
 let
  inherit (lib.${namespace}) mkOpt;
  cfg = config.${namespace}.security.sops;
 in
 {
  options.${namespace}.services.openssh = with lib.types; {
    enable = lib.mkEnableOption "OpenSSH support";
    authorizedKeys = mkOpt (listOf str) [ ] "The public keys to apply.";
    extraConfig = mkOpt str "" "Extra configuration to apply.";
    port = mkOpt port 2222 "The port to listen on (in addition to 22).";
  };
  config = lib.mkIf cfg.enable {
    services.openssh = {
      enable = true;
    };
  };
 }
--- a/modules/darwin/user/default.nix
+++ b/modules/darwin/user/default.nix
@ -0,0 +1,23 @@
 { config, lib, namespace, pkgs, ... }:
 let
  inherit (lib) types mkIf;
  inherit (lib.${namespace}) mkOpt;
  cfg = config.${namespace}.user;
 in
 {
  options.${namespace}.user = with types; {
    name = mkOpt str "evanreichard" "The name to use for the user account.";
    email = mkOpt str "evan@reichard.io" "The email of the user.";
    fullName = mkOpt str "Evan Reichard" "The full name of the user.";
    uid = mkOpt (types.nullOr types.int) 501 "The uid for the user account.";
  };
  config = {
    users.users.${cfg.name} = {
      uid = mkIf (cfg.uid != null) cfg.uid;
      shell = pkgs.bashInteractive;
      home = "/Users/${cfg.name}";
    };
  };
 }
--- a/modules/home/programs/graphical/ghostty/default.nix
+++ b/modules/home/programs/graphical/ghostty/default.nix
@ -18,6 +18,11 @@ in
        flush_dns = "sudo dscacheutil -flushcache; sudo killall -HUP mDNSResponder";
      };
      profileExtra = ''
        # Source Nix daemon
        # if [ -e '/nix/var/nix/profiles/default/etc/profile.d/nix-daemon.sh' ]; then
        #   . '/nix/var/nix/profiles/default/etc/profile.d/nix-daemon.sh'
        # fi
        SHELL="$BASH"
        PATH=~/.bin:$PATH
        bind "set show-mode-in-prompt on"
--- a/modules/home/services/sops/default.nix
+++ b/modules/home/services/sops/default.nix
@ -28,14 +28,6 @@ in
        keyFile = "${config.home.homeDirectory}/.config/sops/age/keys.txt";
        sshKeyPaths = [ "${config.home.homeDirectory}/.ssh/id_ed25519" ] ++ cfg.sshKeyPaths;
      };
      # TODO
      # secrets = {
      #   nix = {
      #     sopsFile = lib.snowfall.fs.get-file "secrets/default.yaml";
      #     path = "${config.home.homeDirectory}/.config/nix/nix.conf";
      #   };
      # };
    };
  };
 }
--- a/modules/nixos/services/openssh/default.nix
+++ b/modules/nixos/services/openssh/default.nix
@ -12,6 +12,8 @@ let
  authorizedKeys = [
    # evanreichard@lin-va-mbp-personal
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILJJoyXQOv9cAjGUHrUcvsW7vY9W0PmuPMQSI9AMZvNY"
    # evanreichard@mac-va-mbp-personal
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMWj6rd6uDtHj/gGozgIEgxho/vBKebgN5Kce/N6vQWV"
    # evanreichard@lin-va-thinkpad
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAq5JQr/6WJMIHhR434nK95FrDmf2ApW2Ahd2+cBKwDz"
  ];
--- a/secrets/mac-va-mbp-personal/evanreichard/default.yaml
+++ b/secrets/mac-va-mbp-personal/evanreichard/default.yaml
@ -0,0 +1,26 @@
 builder_ssh_key: ENC[AES256_GCM,data:1cYuaFJke/8GyqxPKp2zH/uARvW6Bqx6AsB16U8f3WkDpnxO6kym19MpDyQUBEjJ9Bj3RiBkSSL96jBv4YZfq+1cN8D6E14faKoYF5FZy5o1C+aTl+4L9zbrQIl/QDFh42qcJ6cYsOSjbEJv8kvZQBV7l+LNo8ZX07f76Kld3boouJJMMZWa9oaZgEifTxN4yDOPXTXNjCO3blGnsm+V3FPkba+EUASL9WH6+XLU2oW1Bc/sydOTiKGRJcs5eyqYvKi3evtxUUyqgdPVtUHNTsh6/B5kDLWFavfEfchPHT0LHIuqGJwGBglTp/NJThAoo5vNFAFIAUw9QWlY4alHhsi2L5g49r3s6i+3fGeyGCTP61uffY9HgF7nOdkTVMsRXacKh9fwgdsZAepcU+kJ3LJSdOaa4hUtCsZpFHUe4jA0kTHI1/V+7ak+iw92gNZTLKsCjIOzWFvEBVSXLctPdxQ8ezvF9ekvw5mkAwO7QYonlrQ3MUY/8b1DDOdjmfSwEyrLruew2KajFhm8/NM/2BOwcO/y+DbX2MSe5x0sx4HN79E=,iv:V25Tc7bOxc4wl5lf6gZOstN1InaCb3sfpCHMl65iwn8=,tag:mBFZcX2G3vpAOMw7V12d6w==,type:str]
 rke2_kubeconfig: ENC[AES256_GCM,data:oTOBktUE71QNJXqy8l5hhYKF3mSQlLxXE7rjsctyJi4nIk4bhKACGdYkB8B37Ws9QHm5h9tAn9J/ehbWyBwsOFQIhX7S0kov8/HPlatbY3aJ+PiHO5GWRkJjbq+GZrJgdGeOCSRlA5C4lOy9cYbCqbsgfp42cNxOPhOQUyqFNCmsWJvBiJDuQX3Sqk2QoDtfTayho/v5IiJ9Xjms6m1ng98uXmANHK2wFAv4IZ2+7j14jy5RRKylTtjooJxTalSzdODV4wufHOLqFRCeGs9U4A/SEbRWacssdTWOp/wkaumruEpbuRaX33EwFzAxnawD0T/PBA1w9MfrXoz7bYaQ8S0fpWQHTr7xj79yrlJslBvTp/SzC+7LlpdsOtJr/2LpbzwFowMFPOGg0XJUWlkevIIObBuEYyAnlytxlys+2UNx+szOuUsUDTdZlEtTyJT+Xp8WjFlXkHsi66s+rDxDvUcMG6oLy3IYiYA4D7Q65aDgiy87kDmdfItf5koEEpHU2wV20EtAP2mRZ8UNYnDHd3ZV1L2gLXHGMA/sa0Tn0l4fhfr+6K0niQ9RaZxrVfqyChCw4bSCyZZFajZXcEDXsQB5UKsnMmZ3p5ZtRe/mqKydAz/xQc8mZPYFWwXN3uWgOWLRraRib0thg/PQzsbGNrKxoqc0sY3JbUSBcyhtz2x7b0Sj+g8ibtySmSEM1DrcYFdLG/QHbg8MaSOIIlZDDan2SJ0vAd432hI9BBIxj3L0EOfVBkbzEdtuuW7SSCG650X2u4Rd0Kkjc7HoB6pafJTWx2QZ/CMKIZFiHfMJ1zRyxco7SwZzsTRZ1Y0W7qgnssKpqtRNwCfRTdDM/6aZ1HorNP2NombuyGmfvD/EZSt4xxsOZIgioqfghbcsTCFZQPUvfBSZvJ5KBXS8qacBmsUxMLRMyzSbq0mM/S9Rz8oUxN587K7pLTNNiwFsQ9mXlGgh//rzhdAfzQZF/uuMrjqYgxt3iOAT3Nd34RbZ8YK31SRf6lFy7b+hafS1FFVUnW8jnC57eo2wNpHFBNA1y60dokx9P1dzZUVVYK5iCK+QFkUweD9WSo0al09E3By2pQxZ1OS9UOcTxFbpP/WakD57/tkOvmGIirqrexVecDcODelGXhCVeXb8zJQDz2PdXz3M4G0zIV2JcgJDjJy91Rx56vxRQv0/mvPfjexm9gQcTWOpIeUOBGRCfMXMh0g0AANHxDheRa9WzYQ10uDE3DsyMT53+FGW73PyPBk5MzRY/RQXjTEVbhO/e8Km7KOuhRxpohcLHCugEFMqjsW/c5b6GU24s3n69XPxMWtdtMmnf1FaGGufuOXyYd2s1vQqi+542x41HYnXiT6OQwsFttnlbwfrosl9qgSSgsfwXNv7qHQUBDg1KczwlPBZ3cMA/rQUqHL2N4vEp00JoJFjBTbWrin2FCOBafQmpKPv9j/nqiJROr3I93bSaodk0rFOUDWV3Sp/YepeuYb6wY+lMgysg4jDuJxEYQytFfNI2SBd7g4Xh6vBW/GS1/JdaHhh/Ub5/Cqa0Pxl5fBjV1HQIaM8mXi+V90zRVqzKm9vl9wXjXzAk8QvWRiW5ruP3IsMl5myL1KBuFIgZNPkbv8Nap3XDgmO2IvM6gWI3LHW81cgS6dDcsuC2C9zr291MAlYQiaotqQ33u0ga/y8DTXB3mcLTPLpkWWRY+Cc+qVAuD3LwCvd2StUhxUNwDbwVaxtuSk+uWMx1PCPPwHDVB3sm93wbnKrvj0TMHdkh0im+KzSplaMAsCgKJj1YO3Yhjg+E9CwIaYEDKcCE8FNqioSzzaXABQgpa4zUWkWC+D4iD/kSS3Z+BgB0VCytB705SMbmHmAlWnNayFgQLx3xo/TkgF51jEghj2w2gPyTM8gLqq8kvpXnDx95nhfStRu3KZCuCZKadrv0V5mSCCSzw0STDKZjfwYHHMWOnf41UDG7M9+vWHdtZdnJjLvw8gIqmLl0fkw75jFXYXQaNj4vh6MNSp7ABA8wY5Ala/EckHjx9R88czgyvHTLfVOiFgIiOLvldSYmDlaMcyPTVH7JSTiSoZ7aUwNROQE0/C9GyvZH8MGN9Iy6YQAUQYf5jjesoe3dPJf66GmeCKKlAcO1aK91XXow+pWrYJBZilhXJgPNTKltP2ObDLeJ/30KYF7Gee9GvtJaKzBGjYFZZz9nj8ixIBymS+M7N65U8Sw+/37qCnkSDe6VgkMoXXijaPgfToR4yb6FdZOqRlvynbyC+lSO44l2S1CkKbUxrqzZX2pQ6iB1eJdaHmIBYawVg7tJOO3snPXYMiMAgmojrH1BUUpbQRRvG4BTrUOES4N+2etytiZ7N4GEDzshosVaf9NeFBWRGC58siec/BtKwo7HGcsc0zDvcq8MFJ6rEUDbuZuWn3+CvxC9fi4+CzDP3j3K9lOUiXJ6vxv+1eImFMVgQUiV4g2M/JMTv6+Ix8U9dHoaNVjQlnL1NZRo92C/T2WRx42V97hJOe81CXqRLY8mW30MXat7KK+n92bNsWTKZrNsKnzVb+i1YwMAiwG1bw0OCcmfVojozZ4wjUNkFJI2K0v0CCvwVIl9yUKMkCvo+I1m2ZInOXRme2HK82YFg6JxitlQvovdlUndN1Lo4PhaxbW3BNwJSn81FxJ4yh+d34eawZlsQ4l+er2CyWrXSOvQnK1F8UwDB5xgPb8TBj5FD4IZM+op2LPQiaPQZ7bShzpN20W413lBvauirbD8EaZqt2QExmDnYHs1EMcj10bvu7IyKwZTlBqOa/LpyUH/imY4DTB0aYHby+xnLX7760S0sJfKuJ7omQ4QBgz+NSZ/aFfPicugkPsCZI0lS9WCcczvHgbFRzB6YQ5uJEoK5o5SdVTpYWUBvuLbJ6IOKNKWxlBcrsj4aPm+AAsxRc9cHPbrCns6y01K2wCYCL5nzK7jnneQiR4edtfnwMlUoo3c6/vzwiof4EVVrN29QxVsIA/9yqk375mKlI/l7/eOf083Kbad215wvZ+0U7cgI0oaaVvapj3Ni3e3Es8XUIQCua5HRE6d4M6A7P+Ye1Wkt+8oTpKJzd9Hn/ITwCYVssdpMSwF2ARHgmTtq+sacvkR9gojG/LAJMUwA48Sc4M5rn+5vTCRTvuKXDFphLSUwNzqd58YENC/HJjZS8+co+BN7AaafrybfA0QQrXkY7f+elsAFmNfho+taMpkfQZCmmgfoHPVPYR0pxkV1czCymm5lTjgkC7e4ydngcyJSrUzrXrWREkEcEdXoSRt1/JHABKRbvRuTbuUlah1xS1pvffosnA7KJL+aTLErkWwww3WUPMRrvmhVlWZqHGqE8lCRyMUPny7li3I2IB+aHFXepYwZSMMQPIOIiE19Oz7MsaIrMknqfTtdc58McEPGUPKiVO8x+nfRQPY45jFF60XtiK+yemYDicUGMSkWdtVLXgDCD+KAJz5YzBl5YbnPD9L1X9pB8P0vEpnKC6X+GGiaPflVGiNAKRTUyVv8CJ+Yh+KEfJw8og/P6d/7dSKheBeAdaliigZ9qG8xfyY0jE++xedaxIcOBObBu6j70j+Tpp5bUPN25FyVR2GqG4xz5YbuhnrRjhA6lAh0nppPlP+Oz/j9pPvPaDGESLZ/WM6MWru7R8DrHePBtulRvhvwUsmrjosPXuCNGU4sd1MFh6kNyyJH3W1quy3IopUij0Amu40mmd8XEzsN2nmT2Eh3NCd/r/2yj/t+xwxNcQZ+bfxeMFOiEfX5RU2paKNrRIDUEbgR1rS8A3PEUPTxwTP10IuY+IMToCSgZkVIq7UjXg0Bx9QdwvXcN74ADwkD0Un5+jLf4mo43QacwnBLpm24XqDzO09vKOzA9XU5fdC6AJ4mqAJ5J/XU8bC1RWiSCul6NekoJAPVgMlpWTPCAdSrWeYoE0d7lVkl+g+nEIS4sb,iv:mC5XSWReVzjwheF1IzCzp34JRvL/vJipyaKhptkH+cU=,tag:SDoNiaWaPKzruj+HPv5jbw==,type:str]
 sops:
    age:
        - recipient: age1sac93wpnjcv62s7583jv6a4yspndh6k0r25g3qx3k7gq748uvafst6nz4w
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBuVWFObG51K2lTYlZidXBU
            aW55RnpkVDExbVBkNDl4NkV3MFNkNThjbWdZCklhWkVSaWpPSE1VY09iWGlPVE9Q
            bW1SY05jK3BwcDIwSHdMZjJHdWQyQkkKLS0tIHZYS2c2U2xtQ1QxajlKeWpmNXZW
            bmdpcTl2NjRWM3F3Q2RHbk1rTEFvZEkKWag1nmqFZMRjwFtIo6oqs+9UI/Mer5bK
            Ax7P7uwoZdiMN2g84W1pNTjj6GktFn3jrBaE+MxY6NUBr02apkRYZw==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age1dccte7xtwswgef089nd80dutp96xnezx5lrqnneh9cusegsnda8sj3dj6c
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB5cURST1FTbVk4RGZTaitF
            MEt3Z2U0a004Zmo0VG1BN29DUnBLNGxPMEJFCkcyL1JrMkZsSTM5WCtZSldSeGZw
            SmdpV3AxRDJyVW1WMXBuclhBSDkvTXcKLS0tIDZsU2pBbEFHNkdqWW1CZW1hdVN3
            eW9OdlJmS21IVDNVNk9OMjZBT21PUTAK+lpsdEp2uvg8nFWu/hPtK0+Ahi5J//5d
            NB6JJ7lwRWKy2NppFf9sy20Y1Z0Z5Ui40nbnURRzYgtsqbKBveUDcA==
            -----END AGE ENCRYPTED FILE-----
    lastmodified: "2025-07-29T23:30:28Z"
    mac: ENC[AES256_GCM,data:x3dnanNbIX0fippbbFqOSR9ptZGdAwWuyn7hf3z6i43rk8Nk9p9EVqmE4/Guz2QY2tG/cph/5/nwX4UCO4ixAdB7pAWZa6lI1JdFzMBfW1IGeXOLyprDt6xdFnCVXjy64HgNWiVOPUS4+olxNZ0LPmCof7odqn+Axj+icFK3N34=,iv:OyFac4TxnKXwJ0l7LcJTqVyl11gIpw8fvEAEQTrEBc0=,tag:zMOGwIwAZmel+4EIqy9/tQ==,type:str]
    unencrypted_suffix: _unencrypted
    version: 3.10.2
--- a/systems/aarch64-darwin/mac-va-mbp-personal/default.nix
+++ b/systems/aarch64-darwin/mac-va-mbp-personal/default.nix
@ -0,0 +1,20 @@
 { namespace, lib, ... }:
 let
  inherit (lib.${namespace}) enabled;
 in
 {
  system.stateVersion = 6;
  # System Config
  reichard = {
    nix = enabled;
    security = {
      sops = {
        enable = true;
        sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
        defaultSopsFile = lib.snowfall.fs.get-file "secrets/mac-va-mbp-personal/default.yaml";
      };
    };
  };
 }
--- a/systems/aarch64-linux/lin-va-mbp-personal/default.nix
+++ b/systems/aarch64-linux/lin-va-mbp-personal/default.nix
@ -7,7 +7,7 @@ in
    ./hardware-configuration.nix
  ];
-  system.stateVersion = "24.11";
+  system.stateVersion = "25.05";
  time.timeZone = "America/New_York";
  # System Config
--- a/systems/x86_64-linux/lin-va-nix-builder/default.nix
+++ b/systems/x86_64-linux/lin-va-nix-builder/default.nix
@ -4,7 +4,7 @@ let
 in
 {
  time.timeZone = "America/New_York";
-  system.stateVersion = "24.11";
+  system.stateVersion = "25.05";
  reichard = {
    system = {
@ -33,6 +33,8 @@ in
        authorizedKeys = [
          # evanreichard@lin-va-mbp-personal
          "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILJJoyXQOv9cAjGUHrUcvsW7vY9W0PmuPMQSI9AMZvNY"
          # evanreichard@mac-va-mbp-personal
          "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMWj6rd6uDtHj/gGozgIEgxho/vBKebgN5Kce/N6vQWV"
          # evanreichard@lin-va-thinkpad
          "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAq5JQr/6WJMIHhR434nK95FrDmf2ApW2Ahd2+cBKwDz"
          # NixOS Builder
@ -47,6 +49,8 @@ in
      authorizedKeys.keys = [
        # evanreichard@lin-va-mbp-personal
        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILJJoyXQOv9cAjGUHrUcvsW7vY9W0PmuPMQSI9AMZvNY"
        # evanreichard@mac-va-mbp-personal
        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMWj6rd6uDtHj/gGozgIEgxho/vBKebgN5Kce/N6vQWV"
        # evanreichard@lin-va-thinkpad
        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAq5JQr/6WJMIHhR434nK95FrDmf2ApW2Ahd2+cBKwDz"
        # NixOS Builder
--- a/systems/x86_64-linux/lin-va-thinkpad/default.nix
+++ b/systems/x86_64-linux/lin-va-thinkpad/default.nix
@ -3,7 +3,7 @@ let
  inherit (lib.${namespace}) enabled;
 in
 {
-  system.stateVersion = "24.11";
+  system.stateVersion = "25.05";
  time.timeZone = "America/New_York";
  hardware.enableRedistributableFirmware = true;
  hardware.bluetooth.enable = true;
--- a/systems/x86_64-qcow/lin-va-rke2/default.nix
+++ b/systems/x86_64-qcow/lin-va-rke2/default.nix
@ -9,7 +9,7 @@ in
  config = {
    # Basic System
-    system.stateVersion = "24.11";
+    system.stateVersion = "25.05";
    time.timeZone = "UTC";
    reichard = {