again

2025-03-31 18:24:49 -04:00 · 2025-03-31 18:24:49 -04:00 · dccbb234f2
commit dccbb234f2
parent 6cfbc68c8b
70 changed files with 1276 additions and 206 deletions
--- a/.sops.yaml
+++ b/.sops.yaml
@ -0,0 +1,7 @@
+keys:
+  - &admin_reichard age1sac93wpnjcv62s7583jv6a4yspndh6k0r25g3qx3k7gq748uvafst6nz4w
+creation_rules:
+  - path_regex: secrets/[^/]+\.(yaml|json|env|ini)$
+    key_groups:
+      - age:
+          - *admin_reichard
--- a/TODO.md
+++ b/TODO.md
@ -0,0 +1,8 @@
+- Nix Builder
+
+  - Keys
+  - User
+  - Etc
+
+- SSH
+  - Known Hosts
--- a/flake.lock
+++ b/flake.lock
@ -244,7 +244,8 @@
        "home-manager": "home-manager",
        "nixos-generators": "nixos-generators",
        "nixpkgs": "nixpkgs_2",
-        "snowfall-lib": "snowfall-lib"
+        "snowfall-lib": "snowfall-lib",
+        "sops-nix": "sops-nix"
      }
    },
    "rust-overlay": {
@ -285,6 +286,26 @@
        "type": "github"
      }
    },
+    "sops-nix": {
+      "inputs": {
+        "nixpkgs": [
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1743305778,
+        "narHash": "sha256-Ux/UohNtnM5mn9SFjaHp6IZe2aAnUCzklMluNtV6zFo=",
+        "owner": "Mic92",
+        "repo": "sops-nix",
+        "rev": "8e873886bbfc32163fe027b8676c75637b7da114",
+        "type": "github"
+      },
+      "original": {
+        "owner": "Mic92",
+        "repo": "sops-nix",
+        "type": "github"
+      }
+    },
    "systems": {
      "locked": {
        "lastModified": 1681028828,
--- a/flake.nix
+++ b/flake.nix
@ -14,7 +14,6 @@
    };
    apple-silicon = {
      url = "github:tpwrules/nixos-apple-silicon/releasep2-2024-12-25";
-      # ref = "releasep2-2024-12-25";
      inputs.nixpkgs.follows = "nixpkgs";
    };
    nixos-generators = {
@ -25,6 +24,10 @@
      url = "gitlab:rycee/nur-expressions?dir=pkgs/firefox-addons";
      inputs.nixpkgs.follows = "nixpkgs";
    };
+    sops-nix = {
+      url = "github:Mic92/sops-nix";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
  };

  outputs = inputs:
@ -33,12 +36,53 @@
      src = ./.;

      snowfall = {
+        namespace = "reichard";
        meta = {
-          name = "reichardnix";
-          title = "ReichardNix";
+          title = "Reichard";
+          name = "reichard";
        };
+      };

-        namespace = "reichardnix";
+      homes.modules = with inputs; [
+        sops-nix.homeManagerModules.sops
+      ];
+
+      systems.modules = {
+        nixos = with inputs; [
+          sops-nix.nixosModules.sops
+        ];
+      };
+
+      outputs-builder = channels: {
+        # Define packages using nixos-generators
+        packages.x86_64-linux = {
+          # VMware image
+          vmware-image = inputs.nixos-generators.nixosGenerate {
+            system = "x86_64-linux";
+            format = "vmware";
+            modules = [
+              # Your VMware configuration
+              ./hosts/vmware-image.nix
+            ];
+          };
+
+          # Keep your other images
+          rke2-image = inputs.nixos-generators.nixosGenerate {
+            system = "x86_64-linux";
+            format = "vmware";
+            modules = [
+              ./hosts/rke2-image.nix
+            ];
+          };
+
+          usb-image = inputs.nixos-generators.nixosGenerate {
+            system = "x86_64-linux";
+            format = "raw-efi";
+            modules = [
+              ./hosts/usb-image.nix
+            ];
+          };
+        };
      };
    };
 }
--- a/homes/aarch64-darwin/evanreichard@MBP-Personal/default.nix
+++ b/homes/aarch64-darwin/evanreichard@MBP-Personal/default.nix
@ -1,20 +1,36 @@
-{ pkgs, ... }:
+{ pkgs, lib, config, namespace, ... }:
+let
+  inherit (lib.${namespace}) enabled;
+in
 {
-  reichardnix = {
-    programs.btop.enable = true;
-    programs.direnv.enable = true;
-    programs.ghostty.enable = true;
-    programs.git.enable = true;
-    programs.k9s.enable = true;
-    programs.nvim.enable = true;
+  reichard = {
+    user = {
+      enable = true;
+      inherit (config.snowfallorg.user) name;
+    };

-    programs.hyprland.enable = false;
-    programs.aws.enable = false;
+    services = {
+      ssh-agent = enabled;
+    };
+
+    programs = {
+      graphical = {
+        ghostty = enabled;
+      };
+
+      terminal = {
+        btop = enabled;
+        direnv = enabled;
+        git = enabled;
+        k9s = enabled;
+        nvim = enabled;
+      };
+    };
  };

  # Global Packages
-  programs.jq.enable = true;
-  programs.pandoc.enable = true;
+  programs.jq = enabled;
+  programs.pandoc = enabled;
  home.packages = with pkgs; [
    android-tools
    imagemagick
@ -31,7 +47,5 @@
    .mode column
  '';

-  # Enable Home Manager & Self Manage
  home.stateVersion = "24.11";
-  programs.home-manager.enable = true;
 }
--- a/homes/aarch64-darwin/evanreichard@MBP-Work/default.nix
+++ b/homes/aarch64-darwin/evanreichard@MBP-Work/default.nix
@ -1,75 +1,52 @@
-{ pkgs, ... }:
+{ pkgs, lib, config, namespace, ... }:
 let
-  inherit (pkgs.lib) mkForce;
-  inherit (pkgs.stdenv) isLinux;
+  inherit (lib.${namespace}) enabled;
 in
 {
-  reichardnix = {
-    programs.nvim.enable = true;
+  reichard = {
+    user = {
+      enable = true;
+      inherit (config.snowfallorg.user) name;
+    };
+
+    services = {
+      ssh-agent = enabled;
+    };
+
+    programs = {
+      graphical = {
+        ghostty = enabled;
+      };
+
+      terminal = {
+        btop = enabled;
+        direnv = enabled;
+        git = enabled;
+        k9s = enabled;
+        nvim = enabled;
+        aws = enabled;
+      };
+    };
  };

-  # Home Manager Config
-  home.stateVersion = "24.11";
-  home.username = "evanreichard";
-  home.homeDirectory = mkForce (if isLinux then "/home/evanreichard" else "/Users/evanreichard");
-  programs.home-manager.enable = true;
-
  # Global Packages
-  # home.packages = with pkgs; [
-  #   (nerdfonts.override { fonts = [ "Meslo" ]; })
-  #   # ghostty - Pending Darwin @ https://github.com/NixOS/nixpkgs/pull/369788
-  #   android-tools
-  #   awscli2
-  #   bashInteractive
-  #   cw
-  #   fastfetch
-  #   gitAndTools.gh
-  #   google-cloud-sdk
-  #   imagemagick
-  #   kubectl
-  #   kubernetes-helm
-  #   mosh
-  #   pre-commit
-  #   python311
-  #   ssm-session-manager-plugin
-  #   texliveSmall # Pandoc PDF Dep
-  #   thefuck
-  #   tldr
-  # ]
-  # ++ optionals isLinux [
-  #   ghostty
-  #   hyprpaper
-  #   firefox
-  # ]
-  # ++ optionals isDarwin [ ];
+  programs.jq = enabled;
+  programs.pandoc = enabled;
+  home.packages = with pkgs; [
+    android-tools
+    imagemagick
+    mosh
+    python311
+    texliveSmall # Pandoc PDF Dep
+    google-cloud-sdk
+    tldr
+  ];

-  # # GitHub CLI
-  # programs.gh = {
-  #   enable = true;
-  #   settings = {
-  #     git_protocol = "ssh";
-  #   };
-  # };
+  # SQLite Configuration
+  home.file.".sqliterc".text = ''
+    .headers on
+    .mode column
+  '';

-  # # Misc Programs
-  # programs.jq.enable = true;
-  # programs.k9s.enable = true;
-  # programs.pandoc.enable = true;
-
-  # # Enable Flakes & Commands
-  # nix = {
-  #   package = mkForce pkgs.nix;
-  #   settings = {
-  #     experimental-features = "nix-command flakes";
-  #   };
-  # };
-
-  # # SQLite Configuration
-  # home.file.".sqliterc".text = ''
-  #   .headers on
-  #   .mode column
-  # '';
-
-  # # Darwin Spotlight Indexing Hack
-  # disabledModules = [ "targets/darwin/linkapps.nix" ];
+  home.stateVersion = "24.11";
 }
--- a/homes/aarch64-linux/evanreichard@mbp-nixos/default.nix
+++ b/homes/aarch64-linux/evanreichard@mbp-nixos/default.nix
@ -1,31 +1,47 @@
-{ pkgs, config, ... }:
+{ pkgs, lib, config, namespace, ... }:
+let
+  inherit (lib.${namespace}) enabled;
+in
 {
-  reichardnix = {
+  reichard = {
    user = {
      enable = true;
      inherit (config.snowfallorg.user) name;
    };

-    programs = {
-      browsers.firefox = {
+    services = {
+      ssh-agent = enabled;
+      sops = {
        enable = true;
-        gpuAcceleration = true;
-        hardwareDecoding = true;
+        defaultSopsFile = lib.snowfall.fs.get-file "secrets/mbp-nixos/default.yaml";
+        sshKeyPaths = [ "${config.home.homeDirectory}/.ssh/id_ed25519" ];
+      };
+    };
+
+    programs = {
+      graphical = {
+        wms.hyprland = enabled;
+        ghostty = enabled;
+        browsers.firefox = {
+          enable = true;
+          gpuAcceleration = true;
+          hardwareDecoding = true;
+        };
      };

-      btop.enable = true;
-      direnv.enable = true;
-      ghostty.enable = true;
-      git.enable = true;
-      hyprland.enable = true;
-      k9s.enable = true;
-      nvim.enable = true;
+      terminal = {
+        btop = enabled;
+        direnv = enabled;
+        git = enabled;
+        k9s = enabled;
+        nvim = enabled;
+      };
    };
  };

  # Global Packages
-  programs.jq.enable = true;
-  programs.pandoc.enable = true;
+  programs.jq = enabled;
+  programs.pandoc = enabled;
  home.packages = with pkgs; [
    android-tools
    imagemagick
--- a/hosts/rke2-image.nix
+++ b/hosts/rke2-image.nix
@ -0,0 +1,189 @@
+{ pkgs, lib, modulesPath, ... }:
+{
+  imports = [
+    (modulesPath + "/profiles/qemu-guest.nix")
+  ];
+  config = {
+    # Basic System
+    system.stateVersion = "24.11";
+    nix.settings.experimental-features = [ "nix-command" "flakes" ];
+    time.timeZone = "UTC";
+
+    fileSystems."/" = {
+      device = "/dev/disk/by-label/nixos";
+      fsType = "ext4";
+      autoResize = true;
+    };
+
+    boot = {
+      initrd = {
+        availableKernelModules = [
+          # Xen
+          "xen_blkfront"
+          "xen_netfront"
+        ];
+        kernelModules = [ "xen_netfront" "xen_blkfront" ];
+        supportedFilesystems = [ "ext4" "xenfs" ];
+      };
+      kernelModules = [
+        # Xen VM Requirements
+        "xen_netfront"
+        "xen_blkfront"
+        "xenfs"
+
+        # iSCSI
+        "iscsi_tcp"
+      ];
+    };
+
+    # Add Intel Arc A310 GPU Drivers
+    nixpkgs.config.allowUnfree = true;
+    hardware.enableRedistributableFirmware = true;
+    hardware.graphics = {
+      enable = true;
+      extraPackages = with pkgs; [
+        libvdpau-va-gl
+        intel-vaapi-driver
+        intel-media-driver
+        intel-compute-runtime
+        intel-ocl
+      ];
+    };
+
+    # Network Configuration
+    networking = {
+      hostName = lib.mkForce "";
+      useNetworkd = true;
+      useDHCP = false;
+
+      firewall = {
+        enable = true;
+
+        allowedTCPPorts = [
+          # RKE2 Ports - https://docs.rke2.io/install/requirements#networking
+          6443 # Kubernetes API
+          9345 # RKE2 supervisor API
+          2379 # etcd Client Port
+          2380 # etcd Peer Port
+          2381 # etcd Metrics Port
+          10250 # kubelet metrics
+          9099 # Canal CNI health checks
+        ];
+
+        allowedUDPPorts = [
+          # RKE2 Ports - https://docs.rke2.io/install/requirements#networking
+          8472 # Canal CNI with VXLAN
+          # 51820 # Canal CNI with WireGuard IPv4 (if using encryption)
+          # 51821 # Canal CNI with WireGuard IPv6 (if using encryption)
+        ];
+
+        # Allow Multicast
+        extraCommands = ''
+          iptables -A INPUT -m pkttype --pkt-type multicast -j ACCEPT
+        '';
+      };
+    };
+
+    services = {
+      # Enable Xen Guest Utilities
+      xe-guest-utilities.enable = true;
+
+      # Enable iSCSI
+      openiscsi = {
+        enable = true;
+        name = "iqn.2025.placeholder:initiator"; # Overridden @ Runtime
+      };
+
+      # Cloud Init
+      cloud-init = {
+        enable = true;
+        network.enable = true;
+        settings = {
+          datasource_list = [ "NoCloud" ];
+          preserve_hostname = false;
+          system_info.distro = "nixos";
+          system_info.network.renderers = [ "networkd" ];
+        };
+      };
+
+      # Enable SSH
+      openssh = {
+        enable = true;
+        settings = {
+          PasswordAuthentication = false;
+          PermitRootLogin = "prohibit-password";
+        };
+      };
+
+      # Enable RKE2
+      rke2 = {
+        enable = true;
+        disable = [ "rke2-ingress-nginx" ];
+      };
+    };
+
+    systemd.services = {
+      # RKE2 - Wait Cloud Init
+      rke2-server = {
+        after = [ "cloud-final.service" ];
+        requires = [ "cloud-final.service" ];
+      };
+
+      # Runtime iSCSI Initiator Setup
+      iscsi-initiator-setup = {
+        description = "Setup iSCSI Initiator Name";
+        requires = [ "cloud-final.service" ];
+        before = [ "iscsid.service" ];
+        after = [ "cloud-final.service" ];
+        wantedBy = [ "multi-user.target" ];
+
+        serviceConfig = {
+          Type = "oneshot";
+          RemainAfterExit = true;
+        };
+
+        path = [ pkgs.hostname pkgs.util-linux ];
+        script = ''
+          mkdir -p /run/iscsi
+          echo "InitiatorName=iqn.2025.org.nixos:$(hostname)" > /run/iscsi/initiatorname.iscsi
+          mount --bind /run/iscsi/initiatorname.iscsi /etc/iscsi/initiatorname.iscsi
+        '';
+      };
+    };
+
+    # User Authorized Keys
+    users.users.root = {
+      openssh.authorizedKeys.keys = [
+        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIe1n9l9pVF5+kjWJCOt3AvBVf1HOSZkEDZxCWVPSIkr evan@reichard"
+      ];
+      hashedPassword = null;
+    };
+
+    # Add Symlinks Expected by Democratic
+    system.activationScripts = {
+      iscsi-initiator = ''
+        mkdir -p /usr/bin
+        ln -sf ${pkgs.openiscsi}/bin/iscsiadm /usr/bin/iscsiadm
+        ln -sf ${pkgs.openiscsi}/bin/iscsid /usr/bin/iscsid
+      '';
+    };
+
+    # System Packages
+    environment = {
+      systemPackages = with pkgs; [
+        htop
+        intel-gpu-tools
+        k9s
+        kubectl
+        kubernetes-helm
+        nfs-utils
+        openiscsi
+        tmux
+        vim
+      ];
+
+      # Don't Manage - Runtime Generation
+      etc."iscsi/initiatorname.iscsi".enable = false;
+    };
+  };
+}
--- a/lib/module/default.nix
+++ b/lib/module/default.nix
@ -7,6 +7,13 @@ rec {
    type: default: description:
    mkOption { inherit type default description; };

-
  mkBoolOpt = mkOpt types.bool;
+
+  enabled = {
+    enable = true;
+  };
+
+  disabled = {
+    enable = false;
+  };
 }
--- a/modules/home/programs/graphical/browsers/firefox/default.nix
+++ b/modules/home/programs/graphical/browsers/firefox/default.nix
@ -8,12 +8,12 @@ let
    ;
  inherit (lib.${namespace}) mkBoolOpt mkOpt;

-  cfg = config.${namespace}.programs.browsers.firefox;
+  cfg = config.${namespace}.programs.graphical.browsers.firefox;
 in
 {
  imports = lib.snowfall.fs.get-non-default-nix-files ./.;

-  options.${namespace}.programs.browsers.firefox = with types; {
+  options.${namespace}.programs.graphical.browsers.firefox = with types; {
    enable = lib.mkEnableOption "Firefox";

    extraConfig = mkOpt str "" "Extra configuration for the user profile JS file.";
--- a/modules/home/programs/graphical/ghostty/config/fastfetch.jsonc
+++ b/modules/home/programs/graphical/ghostty/config/fastfetch.jsonc
--- a/modules/home/programs/graphical/ghostty/config/ghostty.conf
+++ b/modules/home/programs/graphical/ghostty/config/ghostty.conf
--- a/modules/home/programs/graphical/ghostty/default.nix
+++ b/modules/home/programs/graphical/ghostty/default.nix
@ -1,11 +1,12 @@
 { pkgs, lib, config, namespace, ... }:
 let
-  inherit (lib) mkIf;
-  cfg = config.${namespace}.programs.ghostty;
+  inherit (pkgs.stdenv) isLinux;
+  inherit (lib) mkIf mkEnableOption optionals;
+  cfg = config.${namespace}.programs.graphical.ghostty;
 in
 {
-  options.${namespace}.programs.ghostty = {
-    enable = lib.mkEnableOption "Ghostty";
+  options.${namespace}.programs.graphical.ghostty = {
+    enable = mkEnableOption "Ghostty";
  };

  config = mkIf cfg.enable {
@ -53,12 +54,13 @@ in
    };

    home.packages = with pkgs; [
-      # Pending Darwin @ https://github.com/NixOS/nixpkgs/pull/369788
-      # ghostty
      thefuck
      fastfetch
      bashInteractive
      (nerdfonts.override { fonts = [ "Meslo" ]; })
+    ] ++ optionals isLinux [
+      # Pending Darwin @ https://github.com/NixOS/nixpkgs/pull/369788
+      ghostty
    ];

    home.file.".config/fastfetch/config.jsonc".text = builtins.readFile ./config/fastfetch.jsonc;
--- a/modules/home/programs/graphical/wms/hyprland/config/hyprland.conf
+++ b/modules/home/programs/graphical/wms/hyprland/config/hyprland.conf
@ -49,7 +49,7 @@ env = HYPRCURSOR_SIZE,24
 # https://wiki.hyprland.org/Configuring/Variables/#general
 general {
    gaps_in = 5
-    gaps_out = 20
+    gaps_out = 12

    border_size = 2

--- a/modules/home/programs/graphical/wms/hyprland/config/waybar-style.css
+++ b/modules/home/programs/graphical/wms/hyprland/config/waybar-style.css
@ -38,32 +38,31 @@
  color: @text;
 }

+/* Icon Only Sizes */
+#network,
+#backlight,
+#battery {
+  font-size: 18px;
+}
+
 /* Node Styles */
 #workspaces,
 #window,
 #cpu,
 #memory,
-#battery,
-#backlight,
 #pulseaudio,
 #network,
+#backlight,
+#battery,
 #clock {
-  margin-top: 0.75rem;
-  padding: 0px 0.5rem;
+  margin-top: 1rem;
+  padding: 0.2px 1rem;
  background-color: @surface0;
 }

 #workspaces {
-  margin-left: 1rem;
-  border-radius: 1rem;
  padding: 0px;
-  background-color: @surface0;
-}
-
-#window {
-  background: transparent;
-  margin-left: 0.5rem;
-  margin-right: 8rem; /* Notch */
+  margin-left: 1rem;
 }

 #workspaces button {
@ -74,30 +73,38 @@
 #workspaces button.active {
  color: @sky;
  background-color: @surface2;
-  border-radius: 1rem;
 }

 #workspaces button:hover {
  color: @sapphire;
-  border-radius: 1rem;
 }

-#clock {
-  color: @blue;
-  border-radius: 0px 1rem 1rem 0px;
-  margin-right: 1rem;
+#window {
+  background: transparent;
+  margin-left: 0.5rem;
+  margin-right: 8rem; /* Notch */
 }

 #memory {
  color: @blue;
-  border-radius: 0px 1rem 1rem 0px;
-  margin-right: 0.5rem;
+}
+
+#pulseaudio {
+  color: @maroon;
 }

 #network {
  color: @mauve;
 }

+#cpu {
+  color: @peach;
+}
+
+#backlight {
+  color: @yellow;
+}
+
 #battery {
  color: @green;
 }
@ -110,13 +117,25 @@
  color: @red;
 }

-#backlight {
-  color: @yellow;
+#clock {
+  color: @blue;
+  margin-right: 1rem;
 }

-#pulseaudio,
-#cpu {
-  color: @maroon;
-  border-radius: 1rem 0px 0px 1rem;
-  margin-left: 0.5rem;
+/* Left Border Radius */
+#clock,
+#network,
+#cpu,
+#workspaces {
+  border-top-left-radius: 1rem;
+  border-bottom-left-radius: 1rem;
+}
+
+/* Right Border Radius */
+#pulseaudio,
+#clock,
+#battery,
+#workspaces {
+  border-top-right-radius: 1rem;
+  border-bottom-right-radius: 1rem;
 }
--- a/modules/home/programs/graphical/wms/hyprland/config/wofi-style.css
+++ b/modules/home/programs/graphical/wms/hyprland/config/wofi-style.css
--- a/modules/home/programs/graphical/wms/hyprland/config/wofi.conf
+++ b/modules/home/programs/graphical/wms/hyprland/config/wofi.conf
--- a/modules/home/programs/graphical/wms/hyprland/default.nix
+++ b/modules/home/programs/graphical/wms/hyprland/default.nix
@ -1,17 +1,16 @@
 { lib, pkgs, config, namespace, ... }:
 let
  inherit (lib) mkIf;
-  cfg = config.${namespace}.programs.hyprland;
+  cfg = config.${namespace}.programs.graphical.wms.hyprland;
 in
 {
-  options.${namespace}.programs.hyprland = {
+  options.${namespace}.programs.graphical.wms.hyprland = {
    enable = lib.mkEnableOption "Hyprland";
  };

  config = mkIf cfg.enable {
    wayland.windowManager.hyprland = {
      enable = true;
-      # systemd.enable = false;
      extraConfig = builtins.readFile ./config/hyprland.conf;
    };

@ -36,9 +35,9 @@ in
          "memory"
          "tray"
          "pulseaudio"
+          "network"
          "backlight"
          "battery"
-          "network"
          "clock"
        ];
        "hyprland/window" = { format = "{}"; };
@ -48,10 +47,33 @@ in
          all-outputs = true;
          on-click = "activate";
        };
-        battery = { format = "󰁹 {}%"; };
+        battery = {
+          states = {
+            warning = 30;
+            critical = 15;
+          };
+          format = "{icon}";
+          format-charging = "󰂄";
+          format-plugged = "󰂄";
+          format-alt = "{icon}";
+          format-icons = [
+            "󰂃"
+            "󰁺"
+            "󰁻"
+            "󰁼"
+            "󰁽"
+            "󰁾"
+            "󰁾"
+            "󰁿"
+            "󰂀"
+            "󰂁"
+            "󰂂"
+            "󰁹"
+          ];
+        };
        cpu = {
          interval = 10;
-          format = "󰻠  {}%";
+          format = "  {}%";
          max-length = 10;
          on-click = "";
        };
@ -61,9 +83,24 @@ in
          format-alt = "  {used:0.1f}G";
          max-length = 10;
        };
+        # backlight = {
+        #   format = "󰖨  {}%";
+        #   device = "acpi_video0";
+        # };
+
        backlight = {
-          format = "󰖨  {}%";
-          device = "acpi_video0";
+          format = "{icon}";
+          format-icons = [
+            "󰋙"
+            "󰫃"
+            "󰫄"
+            "󰫅"
+            "󰫆"
+            "󰫇"
+            "󰫈"
+          ];
+          on-scroll-up = "brightnessctl s 1%-";
+          on-scroll-down = "brightnessctl s +1%";
        };
        tray = {
          icon-size = 13;
@ -71,8 +108,29 @@ in
          spacing = 10;
        };
        network = {
-          format = "󰖩  {essid}";
-          format-disconnected = "󰖪  disconnected";
+          interval = 1;
+          format-wifi = "󰖩";
+          format-ethernet = "󰈀";
+          format-linked = "󰈁";
+          format-disconnected = "";
+          on-click-right = "${pkgs.networkmanagerapplet}/bin/nm-connection-editor";
+          # tooltip-format = ''
+          #   <big>Network Details</big>
+          #   <tt><small>Interface: {ifname}</small></tt>
+          #   <tt><small>IP: {ipaddr}/{cidr}</small></tt>
+          #   <tt><small>Gateway: {gwaddr}</small></tt>
+          #   <tt><small>󰜷 {bandwidthUpBytes}\n󰜮 {bandwidthDownBytes}</small></tt>'';
+          tooltip-format = ''
+            <big>Network Details</big>
+            <small>
+            Interface: {ifname}
+            SSID: {essid}
+            IP Address: {ipaddr}/{cidr}
+            Gateway: {gwaddr}
+
+            󰜷 {bandwidthUpBytes} / 󰜮 {bandwidthDownBytes}
+            </small>'';
+
        };
        clock = {
          format = "   {:%Y-%m-%d %H:%M:%S}";
--- a/modules/home/programs/terminal/aws/default.nix
+++ b/modules/home/programs/terminal/aws/default.nix
@ -1,10 +1,10 @@
 { lib, pkgs, config, namespace, ... }:
 let
  inherit (lib) mkIf;
-  cfg = config.${namespace}.programs.aws;
+  cfg = config.${namespace}.programs.terminal.aws;
 in
 {
-  options.${namespace}.programs.aws = {
+  options.${namespace}.programs.terminal.aws = {
    enable = lib.mkEnableOption "AWS";
  };

--- a/modules/home/programs/terminal/btop/config/btop.conf
+++ b/modules/home/programs/terminal/btop/config/btop.conf
--- a/modules/home/programs/terminal/btop/config/catppuccin_mocha.theme
+++ b/modules/home/programs/terminal/btop/config/catppuccin_mocha.theme
--- a/modules/home/programs/terminal/btop/default.nix
+++ b/modules/home/programs/terminal/btop/default.nix
@ -1,10 +1,10 @@
 { lib, config, namespace, ... }:
 let
  inherit (lib) mkIf;
-  cfg = config.${namespace}.programs.btop;
+  cfg = config.${namespace}.programs.terminal.btop;
 in
 {
-  options.${namespace}.programs.btop = {
+  options.${namespace}.programs.terminal.btop = {
    enable = lib.mkEnableOption "btop";
  };

--- a/modules/home/programs/terminal/direnv/default.nix
+++ b/modules/home/programs/terminal/direnv/default.nix
@ -1,10 +1,10 @@
 { lib, config, namespace, ... }:
 let
  inherit (lib) mkIf;
-  cfg = config.${namespace}.programs.direnv;
+  cfg = config.${namespace}.programs.terminal.direnv;
 in
 {
-  options.${namespace}.programs.direnv = {
+  options.${namespace}.programs.terminal.direnv = {
    enable = lib.mkEnableOption "direnv";
  };

--- a/modules/home/programs/terminal/git/config/.gitignore
+++ b/modules/home/programs/terminal/git/config/.gitignore
--- a/modules/home/programs/terminal/git/config/personal
+++ b/modules/home/programs/terminal/git/config/personal
--- a/modules/home/programs/terminal/git/config/work
+++ b/modules/home/programs/terminal/git/config/work
--- a/modules/home/programs/terminal/git/default.nix
+++ b/modules/home/programs/terminal/git/default.nix
@ -1,10 +1,10 @@
 { pkgs, lib, config, namespace, ... }:
 let
  inherit (lib) mkIf;
-  cfg = config.${namespace}.programs.git;
+  cfg = config.${namespace}.programs.terminal.git;
 in
 {
-  options.${namespace}.programs.git = {
+  options.${namespace}.programs.terminal.git = {
    enable = lib.mkEnableOption "Git";
  };

--- a/modules/home/programs/terminal/k9s/default.nix
+++ b/modules/home/programs/terminal/k9s/default.nix
@ -1,10 +1,10 @@
 { lib, pkgs, config, namespace, ... }:
 let
  inherit (lib) mkIf;
-  cfg = config.${namespace}.programs.k9s;
+  cfg = config.${namespace}.programs.terminal.k9s;
 in
 {
-  options.${namespace}.programs.k9s = {
+  options.${namespace}.programs.terminal.k9s = {
    enable = lib.mkEnableOption "k9s";
  };

--- a/modules/home/programs/terminal/nvim/config/lua/.luarc.json
+++ b/modules/home/programs/terminal/nvim/config/lua/.luarc.json
--- a/modules/home/programs/terminal/nvim/config/lua/aerial-config.lua
+++ b/modules/home/programs/terminal/nvim/config/lua/aerial-config.lua
--- a/modules/home/programs/terminal/nvim/config/lua/autopairs-config.lua
+++ b/modules/home/programs/terminal/nvim/config/lua/autopairs-config.lua
--- a/modules/home/programs/terminal/nvim/config/lua/base.lua
+++ b/modules/home/programs/terminal/nvim/config/lua/base.lua
--- a/modules/home/programs/terminal/nvim/config/lua/cmp-config.lua
+++ b/modules/home/programs/terminal/nvim/config/lua/cmp-config.lua
--- a/modules/home/programs/terminal/nvim/config/lua/comment-config.lua
+++ b/modules/home/programs/terminal/nvim/config/lua/comment-config.lua
--- a/modules/home/programs/terminal/nvim/config/lua/dap-config.lua
+++ b/modules/home/programs/terminal/nvim/config/lua/dap-config.lua
--- a/modules/home/programs/terminal/nvim/config/lua/diffview-config.lua
+++ b/modules/home/programs/terminal/nvim/config/lua/diffview-config.lua
--- a/modules/home/programs/terminal/nvim/config/lua/git-ref.lua
+++ b/modules/home/programs/terminal/nvim/config/lua/git-ref.lua
--- a/modules/home/programs/terminal/nvim/config/lua/git-signs.lua
+++ b/modules/home/programs/terminal/nvim/config/lua/git-signs.lua
--- a/modules/home/programs/terminal/nvim/config/lua/init.lua
+++ b/modules/home/programs/terminal/nvim/config/lua/init.lua
--- a/modules/home/programs/terminal/nvim/config/lua/leap-config.lua
+++ b/modules/home/programs/terminal/nvim/config/lua/leap-config.lua
--- a/modules/home/programs/terminal/nvim/config/lua/llm.lua
+++ b/modules/home/programs/terminal/nvim/config/lua/llm.lua
--- a/modules/home/programs/terminal/nvim/config/lua/lsp-config.lua
+++ b/modules/home/programs/terminal/nvim/config/lua/lsp-config.lua
--- a/modules/home/programs/terminal/nvim/config/lua/lsp-lines-config.lua
+++ b/modules/home/programs/terminal/nvim/config/lua/lsp-lines-config.lua
--- a/modules/home/programs/terminal/nvim/config/lua/lualine-config.lua
+++ b/modules/home/programs/terminal/nvim/config/lua/lualine-config.lua
--- a/modules/home/programs/terminal/nvim/config/lua/neotree-config.lua
+++ b/modules/home/programs/terminal/nvim/config/lua/neotree-config.lua
--- a/modules/home/programs/terminal/nvim/config/lua/noice-config.lua
+++ b/modules/home/programs/terminal/nvim/config/lua/noice-config.lua
--- a/modules/home/programs/terminal/nvim/config/lua/numb-config.lua
+++ b/modules/home/programs/terminal/nvim/config/lua/numb-config.lua
--- a/modules/home/programs/terminal/nvim/config/lua/silicon-config.lua
+++ b/modules/home/programs/terminal/nvim/config/lua/silicon-config.lua
--- a/modules/home/programs/terminal/nvim/config/lua/telescope-config.lua
+++ b/modules/home/programs/terminal/nvim/config/lua/telescope-config.lua
--- a/modules/home/programs/terminal/nvim/config/lua/toggleterm-config.lua
+++ b/modules/home/programs/terminal/nvim/config/lua/toggleterm-config.lua
--- a/modules/home/programs/terminal/nvim/config/lua/ts-config.lua
+++ b/modules/home/programs/terminal/nvim/config/lua/ts-config.lua
--- a/modules/home/programs/terminal/nvim/config/lua/weird-chars.lua
+++ b/modules/home/programs/terminal/nvim/config/lua/weird-chars.lua
--- a/modules/home/programs/terminal/nvim/config/lua/which-key-config.lua
+++ b/modules/home/programs/terminal/nvim/config/lua/which-key-config.lua
--- a/modules/home/programs/terminal/nvim/default.nix
+++ b/modules/home/programs/terminal/nvim/default.nix
@ -1,10 +1,10 @@
 { pkgs, lib, config, namespace, ... }:
 let
  inherit (lib) mkIf;
-  cfg = config.${namespace}.programs.nvim;
+  cfg = config.${namespace}.programs.terminal.nvim;
 in
 {
-  options.${namespace}.programs.nvim = {
+  options.${namespace}.programs.terminal.nvim = {
    enable = lib.mkEnableOption "NeoVim";
  };

--- a/modules/home/services/sops/default.nix
+++ b/modules/home/services/sops/default.nix
@ -0,0 +1,41 @@
+{ config, lib, namespace, pkgs, ... }:
+let
+  inherit (lib) mkIf types;
+  inherit (lib.${namespace}) mkOpt;
+
+  cfg = config.${namespace}.services.sops;
+in
+{
+  options.${namespace}.services.sops = with types; {
+    enable = lib.mkEnableOption "sops";
+    defaultSopsFile = mkOpt path null "Default sops file.";
+    sshKeyPaths = mkOpt (listOf path) [ ] "SSH Key paths to use.";
+  };
+
+  config = mkIf cfg.enable {
+    home.packages = with pkgs; [
+      age
+      sops
+      ssh-to-age
+    ];
+
+    sops = {
+      inherit (cfg) defaultSopsFile;
+      defaultSopsFormat = "yaml";
+
+      age = {
+        generateKey = true;
+        keyFile = "${config.home.homeDirectory}/.config/sops/age/keys.txt";
+        sshKeyPaths = [ "${config.home.homeDirectory}/.ssh/id_ed25519" ] ++ cfg.sshKeyPaths;
+      };
+
+      # TODO
+      # secrets = {
+      #   nix = {
+      #     sopsFile = lib.snowfall.fs.get-file "secrets/default.yaml";
+      #     path = "${config.home.homeDirectory}/.config/nix/nix.conf";
+      #   };
+      # };
+    };
+  };
+}
--- a/modules/home/services/ssh-agent/default.nix
+++ b/modules/home/services/ssh-agent/default.nix
@ -0,0 +1,15 @@
+{ config, lib, namespace, ... }:
+let
+  cfg = config.${namespace}.services.ssh-agent;
+in
+{
+  options.${namespace}.services.ssh-agent = {
+    enable = lib.mkEnableOption "ssh-agent service";
+  };
+
+  config = lib.mkIf cfg.enable {
+    services.ssh-agent = {
+      enable = true;
+    };
+  };
+}
--- a/modules/nixos/hardware/asahi/default.nix
+++ b/modules/nixos/hardware/asahi/default.nix
@ -0,0 +1,27 @@
+{ config, lib, inputs, namespace, ... }:
+let
+  inherit (lib) mkIf types;
+  inherit (lib.${namespace}) mkOpt mkBoolOpt;
+
+  cfg = config.${namespace}.hardware.asahi;
+in
+{
+  imports = [
+    inputs.apple-silicon.nixosModules.default
+  ];
+
+  options.${namespace}.hardware.asahi = {
+    enable = lib.mkEnableOption "support for asahi linux";
+    enableGPU = mkBoolOpt false "enable gpu driver";
+    firmwareDirectory = mkOpt types.path null "firmware directory";
+  };
+
+  config = mkIf cfg.enable {
+    hardware = {
+      asahi = {
+        peripheralFirmwareDirectory = cfg.firmwareDirectory;
+        useExperimentalGPUDriver = cfg.enableGPU;
+      };
+    };
+  };
+}
--- a/modules/nixos/hardware/opengl/default.nix
+++ b/modules/nixos/hardware/opengl/default.nix
@ -0,0 +1,40 @@
+{ config, lib, pkgs, namespace, ... }:
+let
+  inherit (lib) mkIf;
+  inherit (lib.${namespace}) mkBoolOpt;
+
+  cfg = config.${namespace}.hardware.opengl;
+in
+{
+  options.${namespace}.hardware.opengl = {
+    enable = lib.mkEnableOption "support for opengl";
+    enable32Bit = mkBoolOpt false "enabel 32-bit";
+    enableIntel = mkBoolOpt false "support for intel";
+    enableNvidia = mkBoolOpt false "support for nvidia";
+  };
+
+  config = mkIf cfg.enable {
+    environment.systemPackages = with pkgs; [
+      libva-utils
+      vdpauinfo
+    ] ++ lib.optionals cfg.enableNvidia [
+      nvtopPackages.full
+    ];
+
+    hardware.graphics = {
+      enable = true;
+      enable32Bit = cfg.enable32Bit;
+
+      extraPackages = with pkgs;
+        lib.optionals cfg.enableIntel [
+          libvdpau-va-gl
+          intel-vaapi-driver
+          intel-media-driver
+          intel-compute-runtime
+          intel-ocl
+        ] ++ lib.optionals cfg.enableNvidia [
+          cudatoolkit
+        ];
+    };
+  };
+}
--- a/modules/nixos/nix/default.nix
+++ b/modules/nixos/nix/default.nix
@ -0,0 +1,76 @@
+{ config, lib, pkgs, namespace, host, ... }:
+let
+  inherit (lib.${namespace}) mkBoolOpt mkOpt;
+
+  cfg = config.${namespace}.nix;
+in
+{
+  options.${namespace}.nix = {
+    enable = mkBoolOpt true "Whether or not to manage nix configuration.";
+    package = mkOpt lib.types.package pkgs.nixVersions.latest "Which nix package to use.";
+  };
+
+  config = lib.mkIf cfg.enable {
+    nix =
+      let
+        users = [
+          "root"
+          "@wheel"
+          "nix-builder"
+          "evanreichard"
+        ];
+      in
+      {
+        inherit (cfg) package;
+
+        buildMachines = lib.optional (host != "nixos-builder") {
+          hostName = "10.0.50.130";
+          systems = [ "x86_64-linux" ];
+          sshUser = "root";
+          speedFactor = 1;
+          protocol = "ssh";
+          sshKey = config.sops.secrets.reichard_ssh_key.path;
+          supportedFeatures = [
+            "benchmark"
+            "big-parallel"
+            "nixos-test"
+            "kvm"
+          ];
+        };
+
+        checkConfig = true;
+        distributedBuilds = true;
+
+        gc = {
+          automatic = true;
+          options = "--delete-older-than 7d";
+        };
+
+        # This will additionally add your inputs to the system's legacy channels
+        # # Making legacy nix commands consistent as well
+        nixPath = lib.mapAttrsToList (key: _: "${key}=flake:${key}") config.nix.registry;
+
+        optimise.automatic = true;
+
+        settings = {
+          allowed-users = users;
+          auto-optimise-store = pkgs.stdenv.hostPlatform.isLinux;
+          builders-use-substitutes = true;
+          experimental-features = [
+            "nix-command"
+            "flakes "
+          ];
+          flake-registry = "/etc/nix/registry.json";
+          http-connections = 50;
+          keep-derivations = true;
+          keep-going = true;
+          keep-outputs = true;
+          log-lines = 50;
+          sandbox = true;
+          trusted-users = users;
+          warn-dirty = false;
+          use-xdg-base-directories = true;
+        };
+      };
+  };
+}
--- a/modules/nixos/programs/graphical/wms/hyprland/default.nix
+++ b/modules/nixos/programs/graphical/wms/hyprland/default.nix
@ -0,0 +1,28 @@
+{ config, lib, namespace, ... }:
+let
+  inherit (lib) mkIf;
+
+  cfg = config.${namespace}.programs.graphical.wms.hyprland;
+in
+{
+  options.${namespace}.programs.graphical.wms.hyprland = {
+    enable = lib.mkEnableOption "Hyprland";
+  };
+
+  config = mkIf cfg.enable {
+    programs = {
+      hyprland = {
+        enable = true;
+        withUWSM = true;
+      };
+    };
+
+    reichard = {
+      display-managers = {
+        sddm = {
+          enable = true;
+        };
+      };
+    };
+  };
+}
--- a/modules/nixos/security/sops/default.nix
+++ b/modules/nixos/security/sops/default.nix
@ -0,0 +1,33 @@
+{ config, lib, namespace, ... }:
+let
+  inherit (lib.${namespace}) mkOpt;
+
+  cfg = config.${namespace}.security.sops;
+in
+{
+  options.${namespace}.security.sops = {
+    enable = lib.mkEnableOption "sops";
+    defaultSopsFile = mkOpt lib.types.path null "Default sops file.";
+    sshKeyPaths = mkOpt (with lib.types; listOf path) [
+      "/etc/ssh/ssh_host_ed25519_key"
+    ] "SSH Key paths to use.";
+  };
+
+  config = lib.mkIf cfg.enable {
+    sops = {
+      inherit (cfg) defaultSopsFile;
+
+      age = {
+        inherit (cfg) sshKeyPaths;
+
+        keyFile = "${config.users.users.${config.${namespace}.user.name}.home}/.config/sops/age/keys.txt";
+      };
+    };
+
+    sops.secrets = {
+      "reichard_ssh_key" = {
+        sopsFile = lib.snowfall.fs.get-file "secrets/default.yaml";
+      };
+    };
+  };
+}
--- a/modules/nixos/services/openssh/default.nix
+++ b/modules/nixos/services/openssh/default.nix
@ -0,0 +1,78 @@
+{ config, format, lib, namespace, ... }:
+let
+  inherit (lib)
+    types
+    mkDefault
+    mkIf
+    ;
+  inherit (lib.${namespace}) mkOpt;
+
+  cfg = config.${namespace}.services.openssh;
+
+  authorizedKeys = [
+    # MBP-Personal NixOS
+    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIe1n9l9pVF5+kjWJCOt3AvBVf1HOSZkEDZxCWVPSIkr"
+  ];
+in
+{
+  options.${namespace}.services.openssh = with types; {
+    enable = lib.mkEnableOption "OpenSSH support";
+    authorizedKeys = mkOpt (listOf str) authorizedKeys "The public keys to apply.";
+    extraConfig = mkOpt str "" "Extra configuration to apply.";
+  };
+
+  config = mkIf cfg.enable {
+    services.openssh = {
+      enable = true;
+
+      hostKeys = mkDefault [
+        {
+          bits = 4096;
+          path = "/etc/ssh/ssh_host_ed25519_key";
+          type = "ed25519";
+        }
+      ];
+
+      openFirewall = true;
+      ports = [ 22 ];
+
+      settings = {
+        AuthenticationMethods = "publickey";
+        ChallengeResponseAuthentication = "no";
+        PasswordAuthentication = false;
+        PermitRootLogin = if format == "install-iso" then "yes" else "no";
+        PubkeyAuthentication = "yes";
+        StreamLocalBindUnlink = "yes";
+        UseDns = false;
+        UsePAM = true;
+        X11Forwarding = false;
+
+        KexAlgorithms = [
+          "curve25519-sha256"
+          "curve25519-sha256@libssh.org"
+          "diffie-hellman-group16-sha512"
+          "diffie-hellman-group18-sha512"
+          "diffie-hellman-group-exchange-sha256"
+          "sntrup761x25519-sha512@openssh.com"
+        ];
+
+        Macs = [
+          "hmac-sha2-512-etm@openssh.com"
+          "hmac-sha2-256-etm@openssh.com"
+          "umac-128-etm@openssh.com"
+        ];
+      };
+
+      startWhenNeeded = true;
+    };
+
+    programs.ssh = {
+      startAgent = lib.mkDefault true;
+      inherit (cfg) extraConfig;
+    };
+
+    reichard = {
+      user.extraOptions.openssh.authorizedKeys.keys = cfg.authorizedKeys;
+    };
+  };
+}
--- a/modules/nixos/system/boot/default.nix
+++ b/modules/nixos/system/boot/default.nix
@ -0,0 +1,43 @@
+{ config, lib, namespace, ... }:
+let
+  inherit (lib) mkIf;
+
+  cfg = config.${namespace}.system.boot;
+in
+{
+  options.${namespace}.system.boot = {
+    enable = lib.mkEnableOption "booting";
+    silentBoot = lib.mkEnableOption "silent boot";
+    showNotch = lib.mkEnableOption "show macOS notch";
+  };
+
+  config = mkIf cfg.enable {
+    boot = {
+      kernelParams = lib.optionals cfg.silentBoot [
+        "quiet"
+        "loglevel=3"
+        "udev.log_level=3"
+        "rd.udev.log_level=3"
+        "systemd.show_status=auto"
+        "rd.systemd.show_status=auto"
+        "vt.global_cursor_default=0"
+      ] ++ lib.optionals cfg.showNotch [
+        "apple_dcp.show_notch=1"
+      ];
+
+      loader = {
+        efi = {
+          canTouchEfiVariables = false;
+        };
+
+        systemd-boot = {
+          enable = true;
+          configurationLimit = 20;
+          editor = false;
+        };
+
+        timeout = 1;
+      };
+    };
+  };
+}
--- a/modules/nixos/system/networking/default.nix
+++ b/modules/nixos/system/networking/default.nix
@ -0,0 +1,33 @@
+{ config, lib, pkgs, namespace, ... }:
+let
+  inherit (lib) mkIf mkForce;
+  inherit (lib.${namespace}) mkBoolOpt;
+
+  cfg = config.${namespace}.system.networking;
+in
+{
+  options.${namespace}.system.networking = {
+    enable = lib.mkEnableOption "networking support";
+    enableIWD = mkBoolOpt false "enable iwd";
+  };
+
+  config = mkIf cfg.enable {
+    environment.systemPackages = with pkgs; [
+      mtr
+      tcpdump
+      traceroute
+    ];
+
+    reichard.user.extraGroups = [ "network" ];
+
+    networking = {
+      firewall.enable = true;
+      usePredictableInterfaceNames = mkForce true;
+    } // (lib.optionalAttrs cfg.enableIWD) {
+      wireless.iwd = {
+        enable = true;
+        settings.General.EnableNetworkConfiguration = true;
+      };
+    };
+  };
+}
--- a/modules/nixos/system/networking/networkmanager/default.nix
+++ b/modules/nixos/system/networking/networkmanager/default.nix
@ -0,0 +1,26 @@
+{ config, lib, namespace, ... }:
+let
+  inherit (lib) mkIf;
+
+  cfg = config.${namespace}.system.networking;
+in
+{
+  config = mkIf cfg.enable {
+    reichard.user.extraGroups = [ "networkmanager" ];
+
+    networking.networkmanager = {
+      enable = true;
+
+      connectionConfig = {
+        "connection.mdns" = "2";
+      };
+
+      # unmanaged = [
+      #   "interface-name:br-*"
+      #   "interface-name:rndis*"
+      # ]
+      # ++ lib.optionals config.${namespace}.virtualisation.podman.enable [ "interface-name:docker*" ]
+      # ++ lib.optionals config.${namespace}.virtualisation.kvm.enable [ "interface-name:virbr*" ];
+    };
+  };
+}
--- a/modules/nixos/system/time/default.nix
+++ b/modules/nixos/system/time/default.nix
@ -0,0 +1,32 @@
+{ config, lib, pkgs, namespace, ... }:
+let
+  inherit (lib) mkIf;
+
+  cfg = config.${namespace}.system.time;
+in
+{
+  options.${namespace}.system.time = {
+    enable = lib.mkEnableOption "time related settings";
+  };
+
+  config = mkIf cfg.enable {
+    environment.systemPackages = [ pkgs.openntpd ];
+
+    networking.timeServers = [
+      "0.nixos.pool.ntp.org"
+      "1.nixos.pool.ntp.org"
+      "2.nixos.pool.ntp.org"
+      "3.nixos.pool.ntp.org"
+    ];
+
+    services.openntpd = {
+      enable = true;
+      extraConfig = ''
+        listen on 127.0.0.1
+        listen on ::1
+      '';
+    };
+
+    time.timeZone = "America/New_York";
+  };
+}
--- a/modules/nixos/user/default.nix
+++ b/modules/nixos/user/default.nix
@ -0,0 +1,35 @@
+{ config, lib, pkgs, namespace, ... }:
+let
+  inherit (lib) types;
+  inherit (lib.${namespace}) mkOpt;
+
+  cfg = config.${namespace}.user;
+in
+{
+  options.${namespace}.user = with types; {
+    email = mkOpt str "evan@reichard.io" "The email of the user.";
+    extraGroups = mkOpt (listOf str) [ ] "Groups for the user to be assigned.";
+    extraOptions = mkOpt attrs { } "Extra options passed to <option>users.users.<name></option>.";
+    fullName = mkOpt str "Evan Reichard" "The full name of the user.";
+    initialPassword =
+      mkOpt str "password"
+        "The initial password to use when the user is first created.";
+    name = mkOpt str "evanreichard" "The name to use for the user account.";
+  };
+
+  config = {
+    users.users.${cfg.name} = {
+      inherit (cfg) name initialPassword;
+
+      extraGroups = [
+        "wheel"
+      ] ++ cfg.extraGroups;
+
+      group = "users";
+      home = "/home/${cfg.name}";
+      isNormalUser = true;
+      shell = pkgs.bashInteractive;
+      uid = 1000;
+    } // cfg.extraOptions;
+  };
+}
--- a/secrets/default.yaml
+++ b/secrets/default.yaml
@ -0,0 +1,21 @@
+reichard_ssh_key: ENC[AES256_GCM,data:IS2/bjFWiqLKDxmg0ucKOMzJWqlMbrUw72qLy7hZaJ5O9pPmEFDtQY7gMV1jZZhmlTr6Ay5LthLNe+38/5lttVOQ/B4EtZHSPlPyFKgvUkVtAjTSSjpxI+Md5lsUHgjP3uL+C6qHPzPeBrm0xtdsUo4GBCwhSuKQCNlUAmX6xy4i5/NI2RD6DGRKF17fKpsKj/6XZlbrKQXcDDmnXQdsMw9f1grBQpacCJ/qwUVM3zojuGd0Ei3mGvMq26ralmDUKwu5dsI3PDJWDNF4+B6Wk7NlBRJDna2lRQDNEA8x7wOV3EpaTFpluKmABTxgEmxx8ZbB+9zlLiG6m09iSU86QQLRLQGP7VuejBYLmvxlydrLaxzlZaVDWrYtFEBWSlaC+jkbanOpcVp0QQVBdJRGg3XEP4NidIAbGVv+Ejz9i3o2ayTuMUKShLKv2NoxUE5lCNX2TDp/pZw4UYW/J2d3WXqpQ2KaWdahqBai2JcYk1Otn3ia0X+T1i1dXDitT45AEI/n4z/gKeGWSDiLJ62uJejSuNXBk879SLQf,iv:wziTYwyTQXKRFrUP4HohZtXnp7sk+vLbJiQd0PLKg1o=,tag:irpzHqh3kocNGKQIeo+kRA==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age1sac93wpnjcv62s7583jv6a4yspndh6k0r25g3qx3k7gq748uvafst6nz4w
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA0SnA3M2F0cXZjOGlFSTJw
+            aE9BNGJsQ1JzelFoQk4yMGlpN2dkVUR4ZUNvCmljSDhsVU4rUnowV2dIdlhZYnMy
+            aXo2OGZRd21PYk81ZE9pV05XSmpVOEEKLS0tIGhGNkVmTnVYRENEYlBxZXJTaExt
+            SC91WFNocEN2K1NFK2dBUHYwZTQrVFkKKb3AlaRX96vJwEmxNNAThTlO9ZwtD1tv
+            c6aBELEbmJFdHOcIJITzmS3YOssDOgTL2TbcSFu8mdAQYsRvxC96HA==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2025-03-30T15:06:18Z"
+    mac: ENC[AES256_GCM,data:ZqN6MbVcPst/zvr4KNl5AygtC8Icb1BELHg5o6rDOOb6qmB2d75Vk59ve8EiBosMhPdYAXaTCViRLxeWoG3WzEWK0bYAUBI27UBgYqaUTLXTDhohihtAwwWD37S2wFslHWddl5PngbTho8n+uMwyaeBdj53h4GbvQPC2Ji95D5A=,iv:boTLI3IXdQoBfPEqkay9jkm85AFahcNOmBBPwWbJaEw=,tag:Hic4+9Uuh8I2KokfdsZIsg==,type:str]
+    pgp: []
+    unencrypted_suffix: _unencrypted
+    version: 3.9.4
--- a/systems/aarch64-linux/mbp-nixos/default.nix
+++ b/systems/aarch64-linux/mbp-nixos/default.nix
@ -1,66 +1,57 @@
-{ inputs, lib, pkgs, ... }:
+{ namespace, lib, ... }:
+let
+  inherit (lib.${namespace}) enabled;
+in
 {
  imports = [
-    inputs.apple-silicon.nixosModules.default
    ./hardware-configuration.nix
  ];

-  # Generic Config
-  nix.settings.experimental-features = [ "nix-command" "flakes" ];
-  nixpkgs.hostPlatform = lib.mkDefault "aarch64-linux";
-  time.timeZone = "America/New_York";
+  # System Config
+  reichard = {
+    nix = enabled;

-  # Enable SSDM
-  reichardnix = {
-    display-managers.sddm = {
-      enable = true;
+    system = {
+      time = enabled;
+      boot = {
+        enable = true;
+        showNotch = true;
+      };
+      networking = {
+        enable = true;
+        enableIWD = true;
+      };
    };
-  };

-  # Boot Loader Config
-  boot = {
-    loader = {
-      systemd-boot.enable = true;
-      efi.canTouchEfiVariables = false;
+    hardware = {
+      opengl = enabled;
+      asahi = {
+        enable = true;
+        enableGPU = true;
+        firmwareDirectory = ./firmware;
+      };
    };
-    kernelParams = [ "apple_dcp.show_notch=1" ];
-  };

-  # Networking Config
-  networking = {
-    firewall.enable = true;
-    networkmanager.enable = true;
-    networkmanager.wifi.backend = "iwd";
-    useDHCP = lib.mkDefault true;
-    wireless.iwd.enable = true;
+    security = {
+      sops = {
+        enable = true;
+        sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
+        defaultSopsFile = lib.snowfall.fs.get-file "secrets/default.yaml";
+      };
+    };
+
+    programs = {
+      graphical = {
+        wms.hyprland = enabled;
+      };
+    };
  };

  # Hardware Config
  hardware = {
-    asahi = {
-      peripheralFirmwareDirectory = ./firmware;
-      useExperimentalGPUDriver = true;
-    };
-
-    graphics.enable = true;
    bluetooth.enable = true;
    bluetooth.powerOnBoot = true;
  };

-  # HyprLand Config
-  programs.hyprland = {
-    enable = true;
-    withUWSM = true;
-  };
-
-  # System Packages
-  environment.systemPackages = with pkgs; [
-    ghostty
-    htop
-    tmux
-    vim
-    wget
-  ];
-
  system.stateVersion = "24.11";
 }
--- a/systems/x86_64-linux/rke2-server/default.nix
+++ b/systems/x86_64-linux/rke2-server/default.nix
@ -0,0 +1,189 @@
+{ pkgs, lib, modulesPath, ... }:
+{
+  imports = [
+    (modulesPath + "/profiles/qemu-guest.nix")
+  ];
+  config = {
+    # Basic System
+    system.stateVersion = "24.11";
+    nix.settings.experimental-features = [ "nix-command" "flakes" ];
+    time.timeZone = "UTC";
+
+    fileSystems."/" = {
+      device = "/dev/disk/by-label/nixos";
+      fsType = "ext4";
+      autoResize = true;
+    };
+
+    boot = {
+      initrd = {
+        availableKernelModules = [
+          # Xen
+          "xen_blkfront"
+          "xen_netfront"
+        ];
+        kernelModules = [ "xen_netfront" "xen_blkfront" ];
+        supportedFilesystems = [ "ext4" "xenfs" ];
+      };
+      kernelModules = [
+        # Xen VM Requirements
+        "xen_netfront"
+        "xen_blkfront"
+        "xenfs"
+
+        # iSCSI
+        "iscsi_tcp"
+      ];
+    };
+
+    # Add Intel Arc A310 GPU Drivers
+    nixpkgs.config.allowUnfree = true;
+    hardware.enableRedistributableFirmware = true;
+    hardware.graphics = {
+      enable = true;
+      extraPackages = with pkgs; [
+        libvdpau-va-gl
+        intel-vaapi-driver
+        intel-media-driver
+        intel-compute-runtime
+        intel-ocl
+      ];
+    };
+
+    # Network Configuration
+    networking = {
+      hostName = lib.mkForce "";
+      useNetworkd = true;
+      useDHCP = false;
+
+      firewall = {
+        enable = true;
+
+        allowedTCPPorts = [
+          # RKE2 Ports - https://docs.rke2.io/install/requirements#networking
+          6443 # Kubernetes API
+          9345 # RKE2 supervisor API
+          2379 # etcd Client Port
+          2380 # etcd Peer Port
+          2381 # etcd Metrics Port
+          10250 # kubelet metrics
+          9099 # Canal CNI health checks
+        ];
+
+        allowedUDPPorts = [
+          # RKE2 Ports - https://docs.rke2.io/install/requirements#networking
+          8472 # Canal CNI with VXLAN
+          # 51820 # Canal CNI with WireGuard IPv4 (if using encryption)
+          # 51821 # Canal CNI with WireGuard IPv6 (if using encryption)
+        ];
+
+        # Allow Multicast
+        extraCommands = ''
+          iptables -A INPUT -m pkttype --pkt-type multicast -j ACCEPT
+        '';
+      };
+    };
+
+    services = {
+      # Enable Xen Guest Utilities
+      xe-guest-utilities.enable = true;
+
+      # Enable iSCSI
+      openiscsi = {
+        enable = true;
+        name = "iqn.2025.placeholder:initiator"; # Overridden @ Runtime
+      };
+
+      # Cloud Init
+      cloud-init = {
+        enable = true;
+        network.enable = true;
+        settings = {
+          datasource_list = [ "NoCloud" ];
+          preserve_hostname = false;
+          system_info.distro = "nixos";
+          system_info.network.renderers = [ "networkd" ];
+        };
+      };
+
+      # Enable SSH
+      openssh = {
+        enable = true;
+        settings = {
+          PasswordAuthentication = false;
+          PermitRootLogin = "prohibit-password";
+        };
+      };
+
+      # Enable RKE2
+      rke2 = {
+        enable = true;
+        disable = [ "rke2-ingress-nginx" ];
+      };
+    };
+
+    systemd.services = {
+      # RKE2 - Wait Cloud Init
+      rke2-server = {
+        after = [ "cloud-final.service" ];
+        requires = [ "cloud-final.service" ];
+      };
+
+      # Runtime iSCSI Initiator Setup
+      iscsi-initiator-setup = {
+        description = "Setup iSCSI Initiator Name";
+        requires = [ "cloud-final.service" ];
+        before = [ "iscsid.service" ];
+        after = [ "cloud-final.service" ];
+        wantedBy = [ "multi-user.target" ];
+
+        serviceConfig = {
+          Type = "oneshot";
+          RemainAfterExit = true;
+        };
+
+        path = [ pkgs.hostname pkgs.util-linux ];
+        script = ''
+          mkdir -p /run/iscsi
+          echo "InitiatorName=iqn.2025.org.nixos:$(hostname)" > /run/iscsi/initiatorname.iscsi
+          mount --bind /run/iscsi/initiatorname.iscsi /etc/iscsi/initiatorname.iscsi
+        '';
+      };
+    };
+
+    # User Authorized Keys
+    users.users.root = {
+      openssh.authorizedKeys.keys = [
+        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIe1n9l9pVF5+kjWJCOt3AvBVf1HOSZkEDZxCWVPSIkr evan@reichard"
+      ];
+      hashedPassword = null;
+    };
+
+    # Add Symlinks Expected by Democratic
+    system.activationScripts = {
+      iscsi-initiator = ''
+        mkdir -p /usr/bin
+        ln -sf ${pkgs.openiscsi}/bin/iscsiadm /usr/bin/iscsiadm
+        ln -sf ${pkgs.openiscsi}/bin/iscsid /usr/bin/iscsid
+      '';
+    };
+
+    # System Packages
+    environment = {
+      systemPackages = with pkgs; [
+        htop
+        intel-gpu-tools
+        k9s
+        kubectl
+        kubernetes-helm
+        nfs-utils
+        openiscsi
+        tmux
+        vim
+      ];
+
+      # Don't Manage - Runtime Generation
+      etc."iscsi/initiatorname.iscsi".enable = false;
+    };
+  };
+}