pinchflat vpn, testbed random, virt-manager

common/_home_manager/mods/ssh.nix

@@ -1,6 +1,16 @@
-{ osConfig, ... }:
+{
+  osConfig,
+  lib,
+  ...
+}:
 let
   inherit (osConfig) age;
+  hasSecret =
+    secret:
+    let
+      secrets = age.secrets or { };
+    in
+    secrets ? secret && secrets.${secret} != null;
 in
 {
   # TODO can I put all IP's in the flake.nix top level settings and pull them in here instead?
@@ -12,43 +22,43 @@ in
     '';
     matchBlocks = {
       # EXTERNAL
-      "github.com" = {
+      "github.com" = lib.mkIf (hasSecret "nix2github") {
         identityFile = age.secrets.nix2github.path;
       };
-      "bitbucket.org" = {
+      "bitbucket.org" = lib.mkIf (hasSecret "nix2bitbucket") {
         identityFile = age.secrets.nix2bitbucket.path;
       };
-      # "git.joshuabell.xyz" = {
+      # "git.joshuabell.xyz" =  lib.mkIf (hasSecret "nix2gitjosh") { # TODO remove old
       #   identityFile = age.secrets.nix2gitjosh.path;
       #   user = "git";
       # };
-      "git.joshuabell.xyz" = {
+      "git.joshuabell.xyz" = lib.mkIf (hasSecret "nix2gitforgejo") {
         identityFile = age.secrets.nix2gitforgejo.path;
         user = "git";
       };
       # PERSONAL DEVICES
-      "lio" = {
+      "lio" = lib.mkIf (hasSecret "nix2lio") {
         identityFile = age.secrets.nix2lio.path;
         user = "josh";
       };
-      "lio_" = {
+      "lio_" = lib.mkIf (hasSecret "nix2lio") {
         identityFile = age.secrets.nix2lio.path;
         hostname = "10.12.14.116";
         user = "josh";
       };
-      "oren" = {
+      "oren" = lib.mkIf (hasSecret "nix2oren") {
         identityFile = age.secrets.nix2oren.path;
         user = "josh";
       };
-      "joe" = {
+      "joe" = lib.mkIf (hasSecret "nix2joe") {
         identityFile = age.secrets.nix2joe.path;
         user = "ringo";
       };
-      "gp3" = {
+      "gp3" = lib.mkIf (hasSecret "nix2gpdPocket3") {
         identityFile = age.secrets.nix2gpdPocket3.path;
         user = "josh";
       };
-      "t" = {
+      "t" = lib.mkIf (hasSecret "nix2t") {
         identityFile = age.secrets.nix2t.path;
         user = "joshua.bell";
         localForwards = [
@@ -67,7 +77,7 @@ in
           TERM = "vt100";
         };
       };
-      "t_" = {
+      "t_" = lib.mkIf (hasSecret "nix2t") {
         identityFile = age.secrets.nix2t.path;
         hostname = "10.12.14.103";
         user = "joshua.bell";
@@ -75,14 +85,14 @@ in
           TERM = "vt100";
         };
       };
-      "mbptv" = {
+      "mbptv" = lib.mkIf (hasSecret "nix2gpdPocket3") {
         identityFile = age.secrets.nix2gpdPocket3.path;
         user = "waka";
         setEnv = {
           TERM = "vt100";
         };
       };
-      "mbptv_" = {
+      "mbptv_" = lib.mkIf (hasSecret "nix2gpdPocket3") {
         identityFile = age.secrets.nix2gpdPocket3.path;
         hostname = "10.12.14.101";
         user = "waka";
@@ -90,57 +100,57 @@ in
           TERM = "vt100";
         };
       };
-      "nothing1" = {
+      "nothing1" = lib.mkIf (hasSecret "nix2gpdPocket3") {
         identityFile = age.secrets.nix2gpdPocket3.path;
         user = "TODO";
       };
-      "tab1" = {
+      "tab1" = lib.mkIf (hasSecret "nix2gpdPocket3") {
         identityFile = age.secrets.nix2gpdPocket3.path;
         user = "TODO";
       };
-      "pixel6" = {
+      "pixel6" = lib.mkIf (hasSecret "nix2gpdPocket3") {
         identityFile = age.secrets.nix2gpdPocket3.path;
         user = "TODO";
       };
       # HOME SERVERS
-      "h001" = {
+      "h001" = lib.mkIf (hasSecret "nix2h001") {
         identityFile = age.secrets.nix2h001.path;
         user = "luser";
       };
-      "h001_" = {
+      "h001_" = lib.mkIf (hasSecret "nix2h001") {
         identityFile = age.secrets.nix2h001.path;
         hostname = "10.12.14.2";
         user = "luser";
       };
-      "h002" = {
+      "h002" = lib.mkIf (hasSecret "nix2h002") {
         identityFile = age.secrets.nix2h002.path;
         user = "luser";
       };
-      "h003" = {
+      "h003" = lib.mkIf (hasSecret "nix2h003") {
         identityFile = age.secrets.nix2h003.path;
         user = "luser";
       };
       # LINODE SERVERS
-      "l001" = {
+      "l001" = lib.mkIf (hasSecret "nix2linode") {
         identityFile = age.secrets.nix2linode.path;
         hostname = "172.236.111.33"; # Not on the tailscale network it is the primary host
         user = "root";
       };
-      "l002_" = {
+      "l002_" = lib.mkIf (hasSecret "nix2linode") {
         identityFile = age.secrets.nix2linode.path;
         hostname = "172.234.26.141";
         user = "root";
       };
-      "l002" = {
+      "l002" = lib.mkIf (hasSecret "nix2linode") {
         identityFile = age.secrets.nix2linode.path;
         user = "root";
       };
       # ORACLE SERVERS
-      "o001" = {
+      "o001" = lib.mkIf (hasSecret "nix2oracle") {
         identityFile = age.secrets.nix2oracle.path;
         user = "root";
       };
-      "o001_" = {
+      "o001_" = lib.mkIf (hasSecret "nix2oracle") {
         identityFile = age.secrets.nix2oracle.path;
         hostname = "64.181.210.7";
         user = "root";

common/flake.nix

@@ -28,6 +28,7 @@
             lib,
             ...
           }:
+  
           {
             imports = [
               (
@@ -64,7 +65,6 @@
               ./secrets
             ];
             config = {
-
               _module.args = {
                 inherit ragenix;
               };

common/programs/default.nix

@@ -15,6 +15,7 @@ in
     ./incus.nix
     ./flatpaks.nix
     ./opencode.nix
+    ./virt-manager.nix
   ];
   config = {
     assertions = [

common/programs/virt-manager.nix

@@ -0,0 +1,42 @@
+{
+  config,
+  lib,
+  ...
+}:
+let
+  ccfg = import ../config.nix;
+  cfg_path = [
+    ccfg.custom_config_key
+    "programs"
+    "virt-manager"
+  ];
+  cfg = lib.attrsets.getAttrFromPath cfg_path config;
+  users_cfg = config.${ccfg.custom_config_key}.users;
+in
+{
+  options =
+    { }
+    // lib.attrsets.setAttrByPath cfg_path {
+      enable = lib.mkEnableOption "Enable virt manager/quemu";
+      users = lib.mkOption {
+        type = lib.types.listOf lib.types.str;
+        default = builtins.attrNames users_cfg;
+        description = "Users to configure for virt-manager.";
+      };
+    };
+
+  config = lib.mkIf cfg.enable {
+    services.qemuGuest.enable = true;
+    services.spice-vdagentd.enable = true;
+    programs.virt-manager = {
+      enable = true;
+    };
+
+    virtualisation = {
+      libvirtd.enable = true;
+      spiceUSBRedirection.enable = true;
+    };
+
+    users.groups.libvirtd.members = cfg.users;
+  };
+}

hosts/h001/mods/pinchflat.nix

@@ -11,8 +11,6 @@
       mediaDir = "/drives/wd10/pinchflat/media";
     };
 
-
-
     users.users.pinchflat.isSystemUser = true;
     users.users.pinchflat.group = "pinchflat";
     users.groups.pinchflat = { };
@@ -22,6 +20,12 @@
       Group = "pinchflat";
     };
 
+    # Use Nixarr vpn
+    systemd.services.pinchflat.vpnconfinement = {
+      enable = true;
+      vpnnamespace = "wg";
+    };
+
     systemd.tmpfiles.rules = [
       "d '/drives/wd10/pinchflat/media' 0775 pinchflat pinchflat - -"
     ];

hosts/lio/flake.lock

@@ -29,24 +29,19 @@
       "inputs": {
         "home-manager": "home-manager",
         "nix-flatpak": "nix-flatpak",
-        "nixpkgs": "nixpkgs_2",
         "nixpkgs-unstable": "nixpkgs-unstable",
         "opencode": "opencode",
         "ragenix": "ragenix"
       },
       "locked": {
-        "lastModified": 1754593666,
+        "path": "../../common",
-        "narHash": "sha256-FToZxXq2Ga/wsJRcwrVfsRIVXoCCy7KfuvBZ/dymQCM=",
+        "type": "path"
-        "ref": "refs/heads/master",
-        "rev": "f04bac6e4f061fc0daae99612a1cb895611a3829",
-        "revCount": 578,
-        "type": "git",
-        "url": "https://git.joshuabell.xyz/ringofstorms/dotfiles"
       },
       "original": {
-        "type": "git",
+        "path": "../../common",
-        "url": "https://git.joshuabell.xyz/ringofstorms/dotfiles"
+        "type": "path"
-      }
+      },
+      "parent": []
     },
     "crane": {
       "locked": {
@@ -196,22 +191,6 @@
       }
     },
     "nixpkgs_2": {
-      "locked": {
-        "lastModified": 1753694789,
-        "narHash": "sha256-cKgvtz6fKuK1Xr5LQW/zOUiAC0oSQoA9nOISB0pJZqM=",
-        "owner": "nixos",
-        "repo": "nixpkgs",
-        "rev": "dc9637876d0dcc8c9e5e22986b857632effeb727",
-        "type": "github"
-      },
-      "original": {
-        "owner": "nixos",
-        "ref": "nixos-unstable",
-        "repo": "nixpkgs",
-        "type": "github"
-      }
-    },
-    "nixpkgs_3": {
       "locked": {
         "lastModified": 1741379970,
         "narHash": "sha256-Wh7esNh7G24qYleLvgOSY/7HlDUzWaL/n4qzlBePpiw=",
@@ -227,7 +206,7 @@
         "type": "github"
       }
     },
-    "nixpkgs_4": {
+    "nixpkgs_3": {
       "locked": {
         "lastModified": 1752866191,
         "narHash": "sha256-NV4S2Lf2hYmZQ3Qf4t/YyyBaJNuxLPyjzvDma0zPp/M=",
@@ -243,7 +222,7 @@
         "type": "github"
       }
     },
-    "nixpkgs_5": {
+    "nixpkgs_4": {
       "locked": {
         "lastModified": 1753848940,
         "narHash": "sha256-jH7fqN4HzsIlj2c/SAuVWmgUIjBwDdEKVnL97xlECHY=",
@@ -1160,7 +1139,7 @@
         "agenix": "agenix",
         "crane": "crane",
         "flake-utils": "flake-utils",
-        "nixpkgs": "nixpkgs_3",
+        "nixpkgs": "nixpkgs_2",
         "rust-overlay": "rust-overlay"
       },
       "locked": {
@@ -1180,13 +1159,13 @@
     "root": {
       "inputs": {
         "common": "common",
-        "nixpkgs": "nixpkgs_4",
+        "nixpkgs": "nixpkgs_3",
         "ros_neovim": "ros_neovim"
       }
     },
     "ros_neovim": {
       "inputs": {
-        "nixpkgs": "nixpkgs_5",
+        "nixpkgs": "nixpkgs_4",
         "nvim_plugin-Almo7aya/openingh.nvim": "nvim_plugin-Almo7aya/openingh.nvim",
         "nvim_plugin-CopilotC-Nvim/CopilotChat.nvim": "nvim_plugin-CopilotC-Nvim/CopilotChat.nvim",
         "nvim_plugin-JoosepAlviste/nvim-ts-context-commentstring": "nvim_plugin-JoosepAlviste/nvim-ts-context-commentstring",

hosts/lio/flake.nix

@@ -3,8 +3,8 @@
     nixpkgs.url = "github:nixos/nixpkgs/nixos-25.05";
 
     # Use relative to get current version for testing
-    # common.url = "path:../../common";
+    common.url = "path:../../common";
-    common.url = "git+https://git.joshuabell.xyz/ringofstorms/dotfiles";
+    # common.url = "git+https://git.joshuabell.xyz/ringofstorms/dotfiles";
 
     ros_neovim.url = "git+https://git.joshuabell.xyz/ringofstorms/nvim";
   };
@@ -77,6 +77,7 @@
                       ssh.enable = true;
                       docker.enable = true;
                       opencode.enable = true;
+                      virt-manager.enable = true;
                       flatpaks = {
                         enable = true;
                         packages = [
@@ -136,7 +137,6 @@
                       };
                     };
                   };
-
                 }
               )
             ];

hosts/testbed/configuration.nix

@@ -0,0 +1,6 @@
+{
+  ...
+}:
+{
+  system.stateVersion = "25.05"; # Did you read the comment?
+}

hosts/testbed/disko-config.nix

@@ -0,0 +1,95 @@
+{ lib, config, ... }:
+let
+  cfg = config.custom_disko;
+in
+{
+  options.custom_disko = {
+    withSwap = lib.mkOption {
+      type = lib.types.bool;
+      default = true;
+      description = "Whether to create a swap file.";
+    };
+  };
+  config = {
+    disko.devices = {
+      disk = {
+        main = {
+          device = "/dev/vda";
+          type = "disk";
+          content = {
+            type = "gpt";
+            partitions = {
+              ESP = {
+                priority = 1;
+                name = "ESP";
+                start = "1M";
+                size = "512M";
+                type = "EF00";
+                content = {
+                  type = "filesystem";
+                  format = "vfat";
+                  mountpoint = "/boot";
+                  formatOptions = [
+                    "-n"
+                    "NIXBOOT"
+                  ];
+                  mountOptions = [ "umask=0077" ];
+                };
+              };
+              root = {
+                size = "100%";
+                content = {
+                  type = "btrfs";
+                  extraArgs = [
+                    "-f"
+                    "--label NIXROOT"
+                  ];
+                  subvolumes =
+                    let
+                      mountOptions = [
+                        "compress=zstd"
+                        "noatime"
+                      ];
+                    in
+                    {
+                      "@root" = {
+                        inherit mountOptions;
+                        mountpoint = "/";
+                      };
+                      "@nix" = {
+                        inherit mountOptions;
+                        mountpoint = "/nix";
+                      };
+                      "@persist" = {
+                        inherit mountOptions;
+                        mountpoint = "/persist";
+                      };
+                      "@snapshots" = {
+                        inherit mountOptions;
+                        mountpoint = "/.snapshots";
+                      };
+                      "@swap" = lib.mkIf cfg.withSwap {
+                        inherit mountOptions;
+                        mountpoint = "/.swapfile";
+                        swap.swapfile.size = 8 * 1024; # 8GB
+                      };
+                    };
+                };
+              };
+            };
+            postCreateHook = ''
+              MNTPOINT=$(mktemp -d)
+              mount -t btrfs "${config.disko.devices.disk.main.content.partitions.root.device}" "$MNTPOINT"
+              trap 'umount $MNTPOINT; rmdir $MNTPOINT' EXIT
+              # Ensure the snapshots directory exists
+              mkdir -p $MNTPOINT/@snapshots
+              # Place readonly empty root snapshot inside snapshots subvol
+              btrfs subvolume snapshot -r $MNTPOINT/@root $MNTPOINT/@snapshots/_root-empty
+            '';
+          };
+        };
+      };
+    };
+    fileSystems."/persist".neededForBoot = true;
+  };
+}

hosts/testbed/flake.nix

@@ -0,0 +1,109 @@
+{
+  inputs = {
+    nixpkgs.url = "github:nixos/nixpkgs/nixos-25.05";
+    # nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable";
+
+    # Use relative to get current version for testing
+    common.url = "path:../../common";
+    # common.url = "git+https://git.joshuabell.xyz/ringofstorms/dotfiles";
+
+    inputs.disko.url = "github:nix-community/disko/latest";
+    inputs.disko.inputs.nixpkgs.follows = "nixpkgs";
+    # impermanence.url = "github:nix-community/impermanence";
+
+    ros_neovim.url = "git+https://git.joshuabell.xyz/ringofstorms/nvim";
+  };
+
+  outputs =
+    {
+      self,
+      nixpkgs,
+      common,
+      ros_neovim,
+      disko,
+      # impermanence,
+      ...
+    }:
+    let
+      configuration_name = "testbed";
+      lib = nixpkgs.lib;
+    in
+    {
+      packages = {
+        x86_64-linux.vm = self.nixosConfigurations.${configuration_name}.config.system.build.vm;
+      };
+      nixosConfigurations = {
+        "${configuration_name}" = (
+          lib.nixosSystem {
+            modules = [
+              disko.nixosModules.disko
+              # impermanence.nixosModules.impermanence
+              common.nixosModules.default
+              ros_neovim.nixosModules.default
+              ./configuration.nix
+              ./hardware-configuration.nix
+              (
+                { config, pkgs, ... }:
+                {
+                  environment.systemPackages = with pkgs; [
+                    cowsay
+                    lolcat
+                  ];
+
+                  ringofstorms_common = {
+                    systemName = configuration_name;
+                    boot.systemd.enable = true;
+                    programs = {
+                      ssh.enable = true;
+                      podman.enable = true;
+                    };
+                    users = {
+                      admins = [ "luser" ]; # First admin is also the primary user owning nix config
+                      users = {
+                        root = {
+                          openssh.authorizedKeys.keys = [
+                            "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIH2KFSRkViT+asBTjCgA7LNP3SHnfNCW+jHbV08VUuIi nix2nix"
+                          ];
+                          shell = pkgs.zsh;
+                        };
+                        luser = {
+                          openssh.authorizedKeys.keys = [
+                            "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIH2KFSRkViT+asBTjCgA7LNP3SHnfNCW+jHbV08VUuIi nix2nix"
+                          ];
+                          extraGroups = [
+                            "networkmanager"
+                            "video"
+                            "input"
+                          ];
+                          shell = pkgs.zsh;
+                        };
+                      };
+                    };
+                    homeManager = {
+                      users = {
+                        luser = {
+                          imports = with common.homeManagerModules; [
+                            kitty
+                            tmux
+                            atuin
+                            direnv
+                            git
+                            nix_deprecations
+                            postgres
+                            ssh
+                            starship
+                            zoxide
+                            zsh
+                          ];
+                        };
+                      };
+                    };
+                  };
+                }
+              )
+            ];
+          }
+        );
+      };
+    };
+}

hosts/testbed/hardware-configuration.nix

@@ -0,0 +1,19 @@
+{
+  lib,
+  ...
+}:
+{
+  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+
+  boot.initrd.postMountCommands = lib.mkAfter ''
+    # Mount Btrfs volume (the device containing your root subvolumes)
+    mkdir -p /btrfs_tmp
+    mount -o subvol=/ /dev/disk/by-label/NIXROOT /btrfs_tmp
+
+    # Delete current @root, then restore from snapshot
+    btrfs subvolume delete /btrfs_tmp/@root || true
+    btrfs subvolume snapshot /btrfs_tmp/@snapshots/root-empty /btrfs_tmp/@root
+
+    umount /btrfs_tmp
+  '';
+}