Merge branch 'tmp/nixos-machines' into simkir/coffee-kai

2025-11-28 16:01:44 +01:00
parent 710153d859 05767f1976
commit 50dbe5183f
20 changed files with 1794 additions and 0 deletions
--- a/.envrc
+++ b/.envrc
@@ -0,0 +1 @@
+use nix
--- a/modules/desktop.nix
+++ b/modules/desktop.nix
@@ -0,0 +1,215 @@
+{
+  pkgs,
+  config,
+  lib,
+  ...
+}:
+with lib;
+let
+  cfg = config.features.desktop;
+
+  configuration = {
+    hardware.bluetooth.enable = true;
+    services.pulseaudio = {
+      enable = false;
+      extraModules = [ ];
+      extraConfig = ''
+        load-module module-bluetooth-policy
+        load-module module-bluetooth-discover
+      '';
+    };
+    security.rtkit.enable = true;
+    services.pipewire = {
+      enable = true;
+      alsa = {
+        enable = true;
+        support32Bit = true;
+      };
+      pulse.enable = true;
+      wireplumber = {
+        enable = true;
+        # Need to generate lua config for bluetooth codecs
+        configPackages = [
+          (pkgs.writeTextDir "share/wireplumber/bluetooth.lua.d/51-bluez-config.lua" ''
+            bluez_monitor.properties = {
+              ["bluez5.enable-sbc-xq"] = true,
+              ["bluez5.enable-msbc"] = true,
+              ["bluez5.enable-hw-volume"] = true,
+              ["bluez5.headset-roles"] = "[ hsp_hs hsp_ag hfp_hf hfp_ag ]"
+            }
+          '')
+        ];
+      };
+      # TODO: Is this needed?
+      jack.enable = true;
+    };
+
+    environment.systemPackages = with pkgs; [
+      pamixer # pulseaudio sound mixer
+      pavucontrol # pulseaudio volume control
+    ];
+
+    powerManagement = {
+      enable = false;
+      cpuFreqGovernor = "ondemand";
+    };
+
+    programs.dconf.enable = true;
+
+    security.pam.services.login.enableGnomeKeyring = true;
+
+    services.dbus.enable = true;
+    services.dbus.packages = [
+      pkgs.gnome-keyring
+      pkgs.gcr
+    ];
+
+    services.blueman.enable = true;
+
+    services.upower.enable = true;
+
+    services.displayManager = {
+      enable = true;
+      logToFile = true;
+    };
+
+    fonts.packages = with pkgs; [
+      ubuntu-sans
+      ubuntu-classic
+      vollkorn
+      font-awesome
+      caladea
+      carlito
+      cantarell-fonts
+      comic-relief
+      liberation_ttf
+      fira
+      fira-mono
+      fira-code
+      fira-code-symbols
+      dejavu_fonts
+      powerline-fonts
+      unifont
+      siji
+      tamsyn
+      noto-fonts
+      noto-fonts-emoji
+      material-icons
+      nerd-fonts.jetbrains-mono
+      nerd-fonts._0xproto
+      nerd-fonts.droid-sans-mono
+    ];
+
+    security.pam.services.swaylock = {
+      text = ''
+        auth include login
+      '';
+    };
+  };
+
+  x11 = {
+    services.xserver = {
+      enable = true;
+      enableCtrlAltBackspace = true;
+      xkb = {
+        layout = "us";
+        variant = "altgr-intl";
+        options = "eurosign:e";
+      };
+
+      desktopManager.xterm.enable = true;
+      displayManager.gdm.enable = !(cfg.wayland.enable);
+      wacom.enable = false;
+    };
+  };
+
+  wayland = {
+    services.xserver.desktopManager.xterm.enable = false;
+    services.xserver.displayManager.gdm.enable = true;
+    services.xserver.displayManager.gdm.wayland = true;
+    programs.regreet = {
+      enable = true;
+      cageArgs = [
+        "-s"
+        "-m"
+        "extend"
+      ];
+      settings = {
+        background = {
+          path = "${pkgs.nixos-artwork.wallpapers.mosaic-blue}/share/backgrounds/nixos/nix-wallpaper-mosaic-blue.png";
+          fit = "Fill"; # Contain, Cover
+        };
+        GTK = {
+          application_prefer_dark_theme = false;
+        };
+        appearance = {
+          greeting_msg = "May the foo be with you.";
+        };
+      };
+    };
+    programs.sway.enable = true;
+    # programs.river.enable = true;
+  };
+
+  hyprland = {
+    environment.sessionVariables = {
+      NIXOS_OZONE_WL = "1";
+    };
+
+    programs = {
+      hyprland.enable = true;
+      hyprlock.enable = true;
+      waybar.enable = true;
+    };
+
+    security = {
+      pam.services.hyprlock = {
+        text = ''
+          auth include login
+        '';
+      };
+    };
+  };
+
+  plasma = {
+    services = {
+      blueman.enable = lib.mkForce false;
+      upower.enable = lib.mkForce false;
+
+      displayManager.sddm = {
+        enable = true;
+        wayland.enable = true;
+      };
+
+      desktopManager.plasma6 = {
+        enable = true;
+      };
+    };
+
+    environment.systemPackages = with pkgs; [
+      pinentry-qt
+      wl-clipboard
+    ];
+
+    environment.sessionVariables = {
+      MOZ_ENABLE_WAYLAND = "1";
+    };
+  };
+in
+{
+  options.features.desktop = {
+    enable = mkEnableOption "Enable desktop configs";
+    x11.enable = mkEnableOption "Enable X11";
+    wayland.enable = mkEnableOption "Enable Wayland";
+    hyprland.enable = mkEnableOption "Enable Hyprland";
+    plasma.enable = mkEnableOption "Enable KDE Plasma";
+  };
+
+  config = mkMerge [
+    (mkIf cfg.enable configuration)
+    (mkIf (cfg.enable && cfg.x11.enable) x11)
+    (mkIf (cfg.enable && cfg.wayland.enable) wayland)
+    (mkIf (cfg.enable && cfg.hyprland.enable) hyprland)
+    (mkIf (cfg.enable && cfg.plasma.enable) plasma)
+  ];
+}
--- a/modules/lan.nix
+++ b/modules/lan.nix
@@ -0,0 +1,115 @@
+{
+  pkgs,
+  config,
+  lib,
+  ...
+}:
+with lib;
+let
+  cfg = config.features.lan;
+
+  configuration = {
+    services.cntlm.netbios_hostname = config.networking.hostName;
+
+    services.samba = {
+      enable = true;
+      nmbd.enable = true;
+      nsswins = true;
+    };
+
+    networking.firewall = {
+      allowedTCPPorts = [
+        139
+        445
+      ];
+      allowedUDPPorts = [
+        137
+        138
+      ];
+    };
+
+    security.krb5 = {
+      enable = cfg.krb5.enable;
+      settings = {
+        libdefaults = {
+          default_realm = cfg.krb5.default_realm;
+        };
+        domain_realm = cfg.krb5.domain_realm;
+        realms = cfg.krb5.realms;
+      };
+    };
+
+    # Ugly hack because of hard coded kernel path
+    system.activationScripts.symlink-requestkey = ''
+      if [ ! -d /sbin ]; then
+        mkdir /sbin
+      fi
+      ln -sfn /run/current-system/sw/bin/request-key /sbin/request-key
+    '';
+
+    environment.systemPackages = [ pkgs.krb5 ];
+
+    # request-key expects a configuration file under /etc
+    environment.etc."request-key.conf" = {
+      text =
+        let
+          upcall = "${pkgs.cifs-utils}/bin/cifs.upcall";
+          keyctl = "${pkgs.keyutils}/bin/keyctl";
+        in
+        ''
+          #OP     TYPE          DESCRIPTION  CALLOUT_INFO  PROGRAM
+          # -t is required for DFS share servers...
+          create  cifs.spnego   *            *             ${upcall} -t %k
+          create  dns_resolver  *            *             ${upcall} %k
+          # Everything below this point is essentially the default configuration,
+          # modified minimally to work under NixOS. Notably, it provides debug
+          # logging.
+          create  user          debug:*      negate        ${keyctl} negate %k 30 %S
+          create  user          debug:*      rejected      ${keyctl} reject %k 30 %c %S
+          create  user          debug:*      expired       ${keyctl} reject %k 30 %c %S
+          create  user          debug:*      revoked       ${keyctl} reject %k 30 %c %S
+          create  user          debug:loop:* *             |${pkgs.coreutils}/bin/cat
+          create  user          debug:*      *             ${pkgs.keyutils}/share/keyutils/request-key-debug.sh %k %d %c %S
+          negate  *             *            *             ${keyctl} negate %k 30 %S
+        '';
+    };
+  };
+in
+{
+  options.features.lan = {
+    enable = mkEnableOption "Enable LAN configs";
+
+    domain = mkOption {
+      type = types.str;
+      default = "";
+    };
+
+    domainSearch = mkOption {
+      type = types.listOf types.str;
+      default = [ cfg.lan.domain ];
+    };
+
+    krb5 = {
+      enable = mkEnableOption "Enable Kerberos";
+
+      default_realm = mkOption {
+        type = types.str;
+        default = "";
+      };
+
+      domain_realm = mkOption {
+        type = types.attrs;
+        default = { };
+      };
+
+      realms = mkOption {
+        type = types.attrs;
+        default = { };
+      };
+    };
+  };
+
+  config = mkMerge [
+    (mkIf cfg.enable configuration)
+  ];
+}
--- a/modules/laptop.nix
+++ b/modules/laptop.nix
@@ -0,0 +1,60 @@
+{
+  config,
+  pkgs,
+  lib,
+  ...
+}:
+with lib;
+let
+  cfg = config.features.laptop;
+
+  hibernateEnvironment = {
+    HIBERNATE_SECONDS = "10800";
+    HIBERNATE_LOCK = "/var/run/autohibernate.lock";
+  };
+
+  configuration = {
+    services.libinput.touchpad.disableWhileTyping = true;
+
+    systemd.services."awake-after-suspend-for-a-time" = {
+      description = "Sets up the suspend so that it'll wake for hibernation";
+      wantedBy = [ "suspend.target" ];
+      before = [ "systemd-suspend.service" ];
+      environment = hibernateEnvironment;
+      script = ''
+        curtime=$(date +%s)
+        echo "$curtime $1" >> /tmp/autohibernate.log
+        echo "$curtime" > $HIBERNATE_LOCK
+        ${pkgs.utillinux}/bin/rtcwake -m no -s $HIBERNATE_SECONDS
+      '';
+      serviceConfig.Type = "simple";
+    };
+
+    systemd.services."hibernate-after-recovery" = {
+      description = "Hibernates after a suspend recovery due to timeout";
+      wantedBy = [ "suspend.target" ];
+      after = [ "systemd-suspend.service" ];
+      environment = hibernateEnvironment;
+      script = ''
+        curtime=$(date +%s)
+        sustime=$(cat $HIBERNATE_LOCK)
+        rm $HIBERNATE_LOCK
+        if [ $(($curtime - $sustime)) -ge $HIBERNATE_SECONDS ] ; then
+        systemctl hibernate
+        else
+        ${pkgs.utillinux}/bin/rtcwake -m no -s 1
+        fi
+      '';
+      serviceConfig.Type = "simple";
+    };
+  };
+in
+{
+  options.features.laptop = {
+    enable = mkEnableOption "Enable laptop configs";
+  };
+
+  config = mkMerge [
+    (mkIf cfg.enable configuration)
+  ];
+}
--- a/modules/os.nix
+++ b/modules/os.nix
@@ -0,0 +1,179 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+with lib;
+let
+  cfg = config.features.os;
+
+  configuration = {
+    networking = {
+      networkmanager = {
+        enable = cfg.networkmanager.enable;
+        unmanaged = [
+          "interface-name:veth*"
+          "interface-name:docker*"
+        ];
+      };
+      firewall.trustedInterfaces = [
+        "docker0"
+        "cbr0"
+        "veth+"
+      ];
+    };
+
+    users.extraUsers.admin.openssh.authorizedKeys.keys = cfg.adminAuthorizedKeys;
+    users.extraUsers.root.openssh.authorizedKeys.keys = cfg.adminAuthorizedKeys;
+
+    programs.vim.defaultEditor = true;
+    programs.vim.enable = true;
+    programs.fish.enable = true;
+    programs.tmux.enable = true;
+
+    services.openssh.enable = true;
+    services.gvfs.enable = true;
+    services.fwupd.enable = true;
+
+    security.sudo.extraConfig = ''
+      Defaults env_keep+=SSH_AUTH_SOCK
+      Defaults lecture=never
+      Defaults shell_noargs
+      root   ALL=(ALL) SETENV: ALL
+      %wheel ALL=(ALL) NOPASSWD: ALL, SETENV: ALL
+    '';
+
+    security.rtkit.enable = true;
+    security.pam.services.sshd.googleAuthenticator.enable = true;
+
+    # $ ecryptfs-migrate-home -u <username>
+    # security.pam.enableEcryptfs = true;
+
+    # The NixOS release to be compatible with for stateful data such as databases.
+    system.stateVersion = "21.05";
+    system.autoUpgrade = {
+      enable = false;
+      dates = "02:00";
+      randomizedDelaySec = "45min";
+      channel = "https://nixos.org/channels/nixos-25.05";
+    };
+    nixpkgs.config.allowUnfree = true;
+
+    boot = {
+      tmp.cleanOnBoot = true;
+      # Boot animation
+      plymouth.enable = true;
+      initrd = {
+        checkJournalingFS = false;
+        # Quiet boot
+        verbose = false;
+        # Use zstd compression instead of gzip for initrd
+        compressor = "zstd";
+        # Make boot more reliable by using systemd inside initrd
+        systemd.enable = true;
+      };
+    };
+
+    nix = {
+      package = pkgs.nixVersions.stable;
+      # package = pkgs.nixVersions.nix_2_23;
+      settings = {
+        # Cleanup
+        auto-optimise-store = true;
+        # Keep them for debugging
+        keep-derivations = true;
+        keep-outputs = true;
+        experimental-features = [
+          "nix-command"
+          "flakes"
+          "pipe-operators"
+        ];
+      };
+      gc = {
+        automatic = true;
+        dates = "weekly";
+        options = "--delete-older-than 14d";
+      };
+      extraOptions = ''
+        # See https://jackson.dev/post/nix-reasonable-defaults/
+        connect-timeout = 5
+        download-attempts = 2
+        log-lines = 25
+        warn-dirty = false
+        fallback = true
+        # Only brings pain
+        flake-registry = ""
+      '';
+    };
+  };
+
+  docker = {
+    virtualisation.docker.enable = cfg.docker.enable;
+    virtualisation.docker.autoPrune.enable = true;
+    virtualisation.docker.extraOptions = "--insecure-registry 10.0.0.0/8";
+    networking = {
+      nat.enable = true;
+      nat.internalInterfaces = [ "veth+" ];
+      nat.externalInterface = if cfg.externalInterface == null then [ ] else cfg.externalInterface;
+    };
+  };
+
+  nfs = {
+    networking = {
+      firewall.allowedTCPPorts = [
+        111
+        2049
+      ];
+      firewall.allowedUDPPorts = [
+        111
+        2049
+        24007
+        24008
+      ];
+    };
+
+    environment.systemPackages = with pkgs; [ nfs-utils ];
+
+    services.nfs.server = {
+      enable = true;
+      exports = cfg.nfs.exports;
+    };
+  };
+
+in
+{
+  options.features.os = {
+    networkmanager.enable = mkEnableOption "Enable NetworkManager";
+
+    docker.enable = mkEnableOption "Enable Docker";
+
+    externalInterface = mkOption {
+      type = types.nullOr types.str;
+      default = null;
+      description = "External interface (i.e. for Docker nat)";
+    };
+
+    adminAuthorizedKeys = mkOption {
+      type = types.listOf types.str;
+      default = [ ];
+    };
+
+    nfs = {
+      enable = mkEnableOption "Enable nfs fileserver";
+
+      exports = mkOption {
+        type = types.str;
+        default = "";
+      };
+    };
+  };
+
+  config = mkMerge [
+    configuration
+
+    (mkIf cfg.docker.enable docker)
+
+    (mkIf cfg.nfs.enable nfs)
+  ];
+}
--- a/modules/packages.nix
+++ b/modules/packages.nix
@@ -0,0 +1,68 @@
+{
+  pkgs,
+  config,
+  lib,
+  ...
+}:
+with lib;
+let
+  cfg = config.features.packages;
+
+  configuration = {
+    environment.systemPackages = with pkgs; [
+      stdenv
+      findutils
+      coreutils
+      psmisc
+      iputils
+      nettools
+      netcat
+      inetutils
+      rsync
+      iotop
+      wget
+      neovim-unwrapped
+      helix
+      unzip
+      zip
+      bind
+      file
+      bc
+      bun
+      sshuttle
+      lsof
+      patchelf
+      binutils
+      git
+      gcc
+      nmap
+      gnupg
+      nixos-container
+      nix-prefetch-git
+      cachix
+      cifs-utils
+      keyutils
+      fuse
+      home-manager
+      google-authenticator
+      surf
+      zathura
+      cmake
+      doxygen
+      graphviz
+    ];
+  };
+in
+{
+  options.features.packages = {
+    enable = mkOption {
+      type = types.bool;
+      default = true;
+      description = "Enable default system packages";
+    };
+  };
+
+  config = mkMerge [
+    (mkIf cfg.enable configuration)
+  ];
+}
--- a/modules/pki.nix
+++ b/modules/pki.nix
@@ -0,0 +1,210 @@
+{
+  pkgs,
+  config,
+  lib,
+  ...
+}:
+with lib;
+let
+  cfg = config.features.pki;
+
+  certName = attrs: {
+    CN = "${attrs.name}";
+    O = "${attrs.o}";
+    OU = "${attrs.name}.pki.caSpec";
+    L = "certmgr";
+  };
+
+  ca_csr = pkgs.writeText "${cfg.name}-csr.json" (
+    builtins.toJSON {
+      CN = "${cfg.name}";
+      key = {
+        algo = cfg.algo;
+        size = if cfg.algo == "ecdsa" then 256 else 2048;
+      };
+      names = [ (certName cfg) ];
+    }
+  );
+
+  # make ca derivation sha depend on initca cfssl output
+  initca = pkgs.stdenv.mkDerivation {
+    name = cfg.name;
+    src =
+      if cfg.ca != ./. then
+        cfg.ca
+      else
+        pkgs.runCommand "initca" { buildInputs = [ pkgs.cfssl ]; } ''
+          cfssl genkey -initca ${ca_csr} | cfssljson -bare ca;
+          mkdir -p $out; cp *.pem $out
+        '';
+    buildCommand = ''
+      mkdir -p $out;
+      cp -r $src/* $out
+    '';
+  };
+
+  ca = {
+    key = "${initca}/ca-key.pem";
+    cert = "${initca}/ca.pem";
+  };
+
+  ca-config = pkgs.writeText "ca-config.json" ''
+    {
+      "signing": {
+         "default": {
+            "expiry": "8760h"
+          },
+          "profiles": {
+             "default": {
+                "usages": [
+                   "signing",
+                   "key encipherment",
+                   "server auth",
+                   "client auth"
+                 ],
+                 "expiry": "8760h"
+             }
+          }
+       }
+    }
+  '';
+
+  gencsr =
+    args:
+    let
+      csr = {
+        CN = "${args.cn}";
+        key = {
+          algo = cfg.algo;
+          size = if cfg.algo == "ecdsa" then 256 else 2048;
+        };
+        names = [ (certName args) ];
+        hosts = args.hosts;
+      };
+    in
+    pkgs.writeText "${args.cn}-csr.json" (builtins.toJSON csr);
+
+  # Example usage:
+  # gencert { cn = "test"; ca = ca; o = "test; };
+  gencert =
+    cn: attrs:
+    let
+      conf = {
+        inherit ca cn;
+        csr = gencsr {
+          cn = cn;
+          hosts = attrs.hosts;
+        };
+      };
+      cfssl = conf: ''
+        cfssl gencert -ca ${ca.cert} -ca-key ${ca.key} \
+        -config=${ca-config} -profile=default ${conf.csr} | \
+        cfssljson -bare cert; \
+        mkdir -p $out; cp *.pem $out
+      '';
+    in
+    pkgs.runCommand "${cn}" {
+      buildInputs = [ pkgs.cfssl ];
+    } (cfssl conf);
+
+  certmgr = {
+    services.certmgr = {
+      enable = true;
+      package = pkgs.certmgr-selfsigned;
+      svcManager = "command";
+      specs =
+        let
+          secret = name: "/var/lib/secrets/${name}.pem";
+          mkSpec = name: cert: {
+            service = name;
+            action = "reload";
+            authority = {
+              file.path = ca.cert;
+            };
+            certificate = {
+              path = secret name;
+            };
+            private_key = {
+              owner = "root";
+              group = "root";
+              mode = "0600";
+              path = secret "${name}-key";
+            };
+            request = {
+              CN = name;
+              hosts = [ name ] ++ cert.hosts;
+              key = {
+                algo = "rsa";
+                size = 2048;
+              };
+              names = certName cfg;
+            };
+          };
+        in
+        mapAttrs mkSpec cfg.certs;
+    };
+  };
+
+  # gencerts = {
+  #    mapAttrs gencert cfg.certs;
+  # };
+
+  configuration = {
+    security.pki.certificateFiles = [ ca.cert ];
+  };
+in
+{
+  options.features.pki = {
+    enable = mkEnableOption "Enable default system packages";
+
+    ca = mkOption {
+      type = types.path;
+      default = ./.;
+      description = "Path to ca certificate to use as Root CA.";
+    };
+
+    algo = mkOption {
+      type = types.str;
+      default = "rsa";
+    };
+
+    name = mkOption {
+      type = types.str;
+      default = "ca";
+    };
+
+    o = mkOption {
+      type = types.str;
+      default = "NixOS";
+    };
+
+    certs = mkOption {
+      type = types.attrsOf types.attrs;
+      default = { };
+      example = {
+        "example.local" = {
+          hosts = [ ];
+        };
+      };
+    };
+
+    certmgr = {
+      enable = mkEnableOption "Enable certmgr";
+
+      domain = mkOption {
+        type = types.str;
+        default = "local";
+      };
+    };
+
+    static.enable = mkEnableOption "Generate static cert derivations";
+  };
+
+  config = mkMerge [
+    (mkIf cfg.enable configuration)
+
+    (mkIf (cfg.enable && cfg.certmgr.enable) certmgr)
+
+    # (mkIf (cfg.enable && cfg.static.enable) gencerts)
+  ];
+}
--- a/modules/server.nix
+++ b/modules/server.nix
@@ -0,0 +1,37 @@
+{
+  pkgs,
+  config,
+  lib,
+  ...
+}:
+with lib;
+let
+  cfg = config.features.server;
+
+  configuration = {
+    environment.systemPackages = with pkgs; [
+      nmap
+    ];
+
+    powerManagement = {
+      enable = false;
+      cpuFreqGovernor = "ondemand";
+    };
+
+    systemd.targets = {
+      sleep.enable = false;
+      suspend.enable = false;
+      hibernate.enable = false;
+      hybrid-sleep.enable = false;
+    };
+  };
+in
+{
+  options.features.server = {
+    enable = mkEnableOption "Enable server configs";
+  };
+
+  config = mkMerge [
+    (mkIf cfg.enable configuration)
+  ];
+}
--- a/tos/hive.nix
+++ b/tos/hive.nix
@@ -0,0 +1,191 @@
+let
+  sources = import ./nix;
+  pkgs = import sources.nixos-2505 { };
+  dashboard = "https://grafana.adm.oceanbox.io/d/ba1383fb-b53d-4a90-bd0c-bc76c75450bc/umami?orgId=1&kiosk&refresh=5m&from=now-7d&to=now&timezone=browser&var-groups=$__all";
+  krdp = pkgs.callPackage packages/krdp.nix { };
+in
+{
+  meta = {
+    nixpkgs = sources.nixos-2505;
+  };
+
+  hashmap =
+    { ... }:
+    {
+      imports = [
+        (import hosts/hashmap/configuration.nix)
+        (import ./modules)
+        (import "${sources.nixos-hardware}/common/cpu/intel/comet-lake")
+      ];
+
+      deployment = {
+        # NOTE: Build on hashmap
+        buildOnTarget = true;
+        targetHost = "hashmap.ts.obx";
+        tags = [
+          "tos"
+          "dashboard"
+        ];
+      };
+
+      environment.systemPackages = with pkgs; [
+        htop
+        btop
+      ];
+
+      features = {
+        lan.enable = pkgs.lib.mkForce false;
+      };
+
+      networking = {
+        firewall.enable = false;
+      };
+
+      users.groups = {
+        "coffee-kai" = {
+          gid = 1002;
+        };
+      };
+
+      users.users.coffee-kai = {
+        createHome = true;
+        isNormalUser = true;
+        uid = 1002;
+        description = "Coffee Kai";
+        hashedPassword = "$y$j9T$9PDWdg.Hrz8pLABo4DngQ.$DSVTPzzTlU5/fHWsjlwsTJfPRErXXtlNllKij6tUWO8";
+        group = "coffee-kai";
+        extraGroups = [
+          "users"
+          "wheel"
+          "root"
+          "adm"
+          "cdrom"
+          "docker"
+          "fuse"
+          "wireshark"
+          "libvirtd"
+          "networkmanager"
+          "tty"
+          "keys"
+        ];
+        shell = pkgs.fish;
+        useDefaultShell = false;
+        openssh.authorizedKeys.keys = [
+          "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKiAS30ZO+wgfAqDE9Y7VhRunn2QszPHA5voUwo+fGOf jonas-3"
+          "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDULdlLC8ZLu9qBZUYsjhpr6kv5RH4yPkekXQdD7prkqapyoptUkO1nOTDwy7ZsKDxmp9Zc6OtdhgoJbowhGW3VIZPmooWO8twcaYDpkxEBLUehY/n8SlAwBtiHJ4mTLLcynJMVrjmTQLF3FeWVof0Aqy6UtZceFpLp1eNkiHTCM3anwtb9+gfr91dX1YsAOqxqv7ooRDu5rCRUvOi4OvRowepyuBcCjeWpTkJHkC9WGxuESvDV3CySWkGC2fF2LHkAu6SFsFE39UA5ZHo0b1TK+AFqRFiBAb7ULmtuno1yxhpBxbozf8+Yyc7yLfMNCyBpL1ci7WnjKkghQv7yM1xN2XMJLpF56v0slSKMoAs7ThoIlmkRm/6o3NCChgu0pkpNg/YP6A3HfYiEDgChvA6rAHX6+to50L9xF3ajqk4BUzWd/sCk7Q5Op2lzj31L53Ryg8vMP8hjDjYcgEcCCsGOcjUVgcsmfC9LupwRIEz3aF14AWg66+3zAxVho8ozjes= jonas.juselius@juselius.io"
+          "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQC2tox0uyFGfU1zPNU6yAVSoGOUkeU959aiTMrqu1U9MCCOP2o4IhZIlRpZ08XVnUU/AhycCUF4HgGqdcco8oIVX0P0Cn83KJoD/DOqAiz+1VwIUUV1ylrRdNqCgf4wnmLni3sUPHJdQnuq57+pzDDjHMr9CcBL2KzOHD/QanfR+jZmv9K3OS5oDcWquSCziXkpbkWQURPactmtyzGK2FRRxONZgYrB8gRTDstlWQg/t6GHNVelzuJ7SEf+t8pk/S2e/XAvfZyRJhrVJ35iZKpmxkIn5v0g1Z+z0yX/KRSAPRtNg9uM44cmto77MFx7iFs0CuleL3zHvRvZYW1ZnsKAiP07UkEK87luMpkTzFr9CSHJGpgk1RZYA3qidQti44n6NU9YRNhzO4v+KQE6XDqO80gZCJboSXr3fnYn/QHpPXzK5JcZNWmClyMURYj10qv9So3Fh0o3LV5GThA6JgN874vUywUZanPEdn8ePBcAsjLRzA4YBGEuvJCc6FELSuY2s+/pFba8NXQvrOdJKSRC0g5USQFfaWDln4Q4zZ1G5z76p1u6GtRWxvakkUQ0fze9KAW7msxeKaw+B7uMtyvCL8V2zEE8WKFP1sNyYEe7Sgp3RVfym2VPMNTZVhEImfM/3D+WbzfoJztnJvFKXeeMCcne4G8swyef3o1s3b+CvQ== ski027@uit.no"
+          "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAII77Aa2MFZMTha8PdkNg32UR8y6Hwb4R0aR9Ad9qifNq"
+        ];
+        packages = with pkgs; [
+          ghostty
+          flatpak
+          openssl
+          kdePackages.kconfig
+        ];
+      };
+
+      services = {
+        displayManager = {
+          defaultSession = "plasma";
+          autoLogin = {
+            enable = true;
+            user = "coffee-kai";
+          };
+        };
+
+        # TODO: Create module
+        gitlab-runner = {
+          enable = true;
+          settings = {
+            concurrent = 16;
+          };
+          services = {
+            nix = {
+              registrationConfigFile = "/run/secrets/gitlab-runner-registration";
+
+              dockerImage = "alpine";
+              dockerVolumes = [
+                "/nix/store:/nix/store:ro"
+                "/nix/var/nix/db:/nix/var/nix/db:ro"
+                "/nix/var/nix/daemon-socket:/nix/var/nix/daemon-socket:ro"
+              ];
+              dockerDisableCache = true;
+
+              preBuildScript = pkgs.writeScript "setup-container" ''
+                mkdir -p -m 0755 /nix/var/log/nix/drvs
+                mkdir -p -m 0755 /nix/var/nix/gcroots
+                mkdir -p -m 0755 /nix/var/nix/profiles
+                mkdir -p -m 0755 /nix/var/nix/temproots
+                mkdir -p -m 0755 /nix/var/nix/userpool
+                mkdir -p -m 1777 /nix/var/nix/gcroots/per-user
+                mkdir -p -m 1777 /nix/var/nix/profiles/per-user
+                mkdir -p -m 0755 /nix/var/nix/profiles/per-user/root
+                mkdir -p -m 0700 "$HOME/.nix-defexpr"
+                . ${pkgs.nix}/etc/profile.d/nix-daemon.sh
+                ${pkgs.nix}/bin/nix-channel --add https://nixos.org/channels/nixos-25.05 nixpkgs
+                ${pkgs.nix}/bin/nix-channel --update nixpkgs
+              '';
+
+              environmentVariables = {
+                ENV = "/etc/profile";
+                USER = "root";
+                NIX_REMOTE = "daemon";
+                # Taken from https://cobalt.rocks/posts/nix-gitlab/
+                PATH =
+                  (pkgs.lib.strings.makeSearchPathOutput "bin" "bin" (
+                    with pkgs;
+                    [
+                      gnugrep
+                      coreutils
+                      nix
+                      openssh
+                      bash
+                      git
+                      skopeo
+                    ]
+                  ))
+                  + ":/nix/var/nix/profiles/default/bin:/usr/local/bin:/usr/local/sbin:/nix/var/nix/profiles/default/sbin:/bin:/sbin:/usr/bin:/usr/sbin";
+              };
+
+              tagList = [ "nix" ];
+            };
+          };
+        };
+      };
+
+      systemd.user.services.krdp = {
+        enable = true;
+        description = "KDE RDP server";
+        after = [
+          "plasma-core.target"
+          "plasma-xdg-desktop-portal-kde.service"
+        ];
+        wantedBy = [ "default.target" ];
+        serviceConfig = {
+          Type = "exec";
+          ExecStart = "${krdp}/bin/krdpserver -u admin -p 'en to tre fire'";
+          # Restart when closed/on-failure
+          Restart = "on-abnormal";
+        };
+        unitConfig.ConditionUser = "coffee-kai";
+      };
+
+      systemd.user.services.dashboard = {
+        enable = true;
+        description = "Kiosk Dashboard";
+        after = [
+          "plasma-core.target"
+          "plasma-xdg-desktop-portal-kde.service"
+        ];
+        wantedBy = [ "plasma-workspace.target" ];
+        serviceConfig = {
+          Type = "exec";
+          ExecStart = "${pkgs.chromium}/bin/chromium-browser --kiosk ${dashboard}";
+          # Restart when closed/on-failure
+          Restart = "always";
+          RestartSec = 3;
+        };
+        unitConfig.ConditionUser = "coffee-kai";
+      };
+    };
+}
--- a/tos/hosts/hashmap/certificates.nix
+++ b/tos/hosts/hashmap/certificates.nix
@@ -0,0 +1,121 @@
+{ ... }:
+{
+  security.pki.certificates = [
+    ''
+      obx-k8s
+      -----BEGIN CERTIFICATE-----
+      MIIBijCCATCgAwIBAgIRAML2sKHuRRU3o+LiyniC3hEwCgYIKoZIzj0EAwIwFTET
+      MBEGA1UEChMKa3ViZXJuZXRlczAeFw0yNDAxMTUxMDU4MDRaFw0zNDAxMTIxMDU4
+      MDRaMBUxEzARBgNVBAoTCmt1YmVybmV0ZXMwWTATBgcqhkjOPQIBBggqhkjOPQMB
+      BwNCAARGTPqkfZeik3pQDZTEOercIIumiQ2PJ+DIHc1rHFZA6EFRXrQr7PZ6bQ+k
+      D0cBS1u0yFDrkEcbOflyT8e/HK51o2EwXzAOBgNVHQ8BAf8EBAMCAoQwHQYDVR0l
+      BBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0O
+      BBYEFIhf9uRytHnvdZSbeTjY6MFRk4VjMAoGCCqGSM49BAMCA0gAMEUCIQDDfa7E
+      JyLQDORiYilpKejnWF/Pxe4pGNQ4SRNLUUJcoAIgYVoSEsqOoH2Kdk92fkS+yxoT
+      m9H0cfSnZwsuwl6yETI=
+      -----END CERTIFICATE-----
+    ''
+    ''
+      ceph.tos
+      -----BEGIN CERTIFICATE-----
+      MIIBijCCAS+gAwIBAgIQa1qcHNH1wha2lnjxPTw+kjAKBggqhkjOPQQDAjAVMRMw
+      EQYDVQQKEwprdWJlcm5ldGVzMB4XDTI0MDIxNDEyNDYxMVoXDTM0MDIxMTEyNDYx
+      MVowFTETMBEGA1UEChMKa3ViZXJuZXRlczBZMBMGByqGSM49AgEGCCqGSM49AwEH
+      A0IABPFCzfx6UxuVF8m+Fal8TZ9KP9eU+s2iVAIx6kvXocs6plP45BPL1qgVNg0Q
+      T4k380v+fQHgqfznY9oGC12kGDajYTBfMA4GA1UdDwEB/wQEAwIChDAdBgNVHSUE
+      FjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4E
+      FgQU1/QQCU1nqqrME7vGo6SocbTAi8AwCgYIKoZIzj0EAwIDSQAwRgIhAKoCk3uy
+      YYTdOlpVUixfLHZvqONxw2P3hp72C9g2f7QmAiEA9CortHSI65qpp3e60o/KDRG5
+      SgnWAwqepG3NkF8JUJQ=
+      -----END CERTIFICATE-----
+    ''
+    ''
+      ceph.vtn
+      -----BEGIN CERTIFICATE-----
+      MIIBizCCATCgAwIBAgIRAO7mPhBLSHaiEwRW7508ATowCgYIKoZIzj0EAwIwFTET
+      MBEGA1UEChMKa3ViZXJuZXRlczAeFw0yNTA5MDcxNjM4NTRaFw0zNTA5MDUxNjM4
+      NTRaMBUxEzARBgNVBAoTCmt1YmVybmV0ZXMwWTATBgcqhkjOPQIBBggqhkjOPQMB
+      BwNCAASgQ+z/9GFDF1oxmVpfpxVM1NvfC4knReLtkjpkM/xD1vijjW9ciHReN528
+      Kv5kLR1aPXvUZPid0rhpdHszBWxso2EwXzAOBgNVHQ8BAf8EBAMCAoQwHQYDVR0l
+      BBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0O
+      BBYEFMj2igyysGf9JQZPPQyFOAPFKxyDMAoGCCqGSM49BAMCA0kAMEYCIQDCZK6c
+      f6M48oIvD1VQh1PjzyMGwDqA9DXjETyKCVso7wIhAN6Zicfo/R6KjDbVZiMAE6Z8
+      6YhFZPOGyTLixULH+Dxe
+      -----END CERTIFICATE-----
+    ''
+    ''
+      smtpgw
+      -----BEGIN CERTIFICATE-----
+      MIIC1jCCAb6gAwIBAgIQRHJDmL39XbdAQsx0s3DNqjANBgkqhkiG9w0BAQUFADAU
+      MRIwEAYDVQQDEwlEbXotUmVsYXkwHhcNMTkwMzI1MTQ1MTIzWhcNMjAwMzI1MDAw
+      MDAwWjAUMRIwEAYDVQQDEwlEbXotUmVsYXkwggEiMA0GCSqGSIb3DQEBAQUAA4IB
+      DwAwggEKAoIBAQC2yTIs8x+Hr6IP1dpi8LduuGNQ59ZbinQLE/8m3Exk/AIHkjc3
+      62tj+vvP4MrLGq3MNm8Jm45zBeTTHbRIYHqtiedMjUzC1bVLY02GWsfYjCx4VM56
+      mLvTQI+NroZ1TX6Nxeddpl3Zz5XV2hiBMrwZDSQt/6aK+oAEp5uhp4lY737tnSnL
+      QwRTeLb07/6ZIN5DPpw8SV0oZ04c9Bo279TfTtFEu8XOQhBN+hnNf3hL9XsJTsnS
+      iyD7Snyis79nw0z2gE1H9xo3a7kMH02NpFwHiFIP64qqloHnNi2KMhqrsdXb/FTo
+      oepUjkRrxCljxKN37PRREKRWtSPTxAfAt4+hAgMBAAGjJDAiMAsGA1UdDwQEAwIE
+      MDATBgNVHSUEDDAKBggrBgEFBQcDATANBgkqhkiG9w0BAQUFAAOCAQEAChhkabIm
+      pYf9s+7JDGY2ifCCd1wcTkKTbXXYMy76EmznI6lQlCB2MGOUVJOuV0WpbEjanrSL
+      9+oTWUfFzQdyF0eTSLfIClfnX1nJUP6AINVoqbXv9wmaWZbb7rQrGFWxS4p8MyfI
+      dCp+G97dyLsMgF72z/QgFjUm6PHlV7syqz2bsGoYmW1XTDhESdJAURM6SCsNylES
+      YjTEK1BAObn27Ac4RuiwGElLjODMsVIfWeyk2Dq1vwTCemrvlE1X70WU233kFuUT
+      nOLWmrFSom1HDCSpdkWVY+OMf4By01Le35wZPMkYiPNjP398/MrklXnN9vLVyfg0
+      +9jRUc3Bl9nOmQ==
+      -----END CERTIFICATE-----
+    ''
+    ''
+      letsencrypt-stg-root-x1
+      -----BEGIN CERTIFICATE-----
+      MIIFmDCCA4CgAwIBAgIQU9C87nMpOIFKYpfvOHFHFDANBgkqhkiG9w0BAQsFADBm
+      MQswCQYDVQQGEwJVUzEzMDEGA1UEChMqKFNUQUdJTkcpIEludGVybmV0IFNlY3Vy
+      aXR5IFJlc2VhcmNoIEdyb3VwMSIwIAYDVQQDExkoU1RBR0lORykgUHJldGVuZCBQ
+      ZWFyIFgxMB4XDTE1MDYwNDExMDQzOFoXDTM1MDYwNDExMDQzOFowZjELMAkGA1UE
+      BhMCVVMxMzAxBgNVBAoTKihTVEFHSU5HKSBJbnRlcm5ldCBTZWN1cml0eSBSZXNl
+      YXJjaCBHcm91cDEiMCAGA1UEAxMZKFNUQUdJTkcpIFByZXRlbmQgUGVhciBYMTCC
+      AiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBALbagEdDTa1QgGBWSYkyMhsc
+      ZXENOBaVRTMX1hceJENgsL0Ma49D3MilI4KS38mtkmdF6cPWnL++fgehT0FbRHZg
+      jOEr8UAN4jH6omjrbTD++VZneTsMVaGamQmDdFl5g1gYaigkkmx8OiCO68a4QXg4
+      wSyn6iDipKP8utsE+x1E28SA75HOYqpdrk4HGxuULvlr03wZGTIf/oRt2/c+dYmD
+      oaJhge+GOrLAEQByO7+8+vzOwpNAPEx6LW+crEEZ7eBXih6VP19sTGy3yfqK5tPt
+      TdXXCOQMKAp+gCj/VByhmIr+0iNDC540gtvV303WpcbwnkkLYC0Ft2cYUyHtkstO
+      fRcRO+K2cZozoSwVPyB8/J9RpcRK3jgnX9lujfwA/pAbP0J2UPQFxmWFRQnFjaq6
+      rkqbNEBgLy+kFL1NEsRbvFbKrRi5bYy2lNms2NJPZvdNQbT/2dBZKmJqxHkxCuOQ
+      FjhJQNeO+Njm1Z1iATS/3rts2yZlqXKsxQUzN6vNbD8KnXRMEeOXUYvbV4lqfCf8
+      mS14WEbSiMy87GB5S9ucSV1XUrlTG5UGcMSZOBcEUpisRPEmQWUOTWIoDQ5FOia/
+      GI+Ki523r2ruEmbmG37EBSBXdxIdndqrjy+QVAmCebyDx9eVEGOIpn26bW5LKeru
+      mJxa/CFBaKi4bRvmdJRLAgMBAAGjQjBAMA4GA1UdDwEB/wQEAwIBBjAPBgNVHRMB
+      Af8EBTADAQH/MB0GA1UdDgQWBBS182Xy/rAKkh/7PH3zRKCsYyXDFDANBgkqhkiG
+      9w0BAQsFAAOCAgEAncDZNytDbrrVe68UT6py1lfF2h6Tm2p8ro42i87WWyP2LK8Y
+      nLHC0hvNfWeWmjZQYBQfGC5c7aQRezak+tHLdmrNKHkn5kn+9E9LCjCaEsyIIn2j
+      qdHlAkepu/C3KnNtVx5tW07e5bvIjJScwkCDbP3akWQixPpRFAsnP+ULx7k0aO1x
+      qAeaAhQ2rgo1F58hcflgqKTXnpPM02intVfiVVkX5GXpJjK5EoQtLceyGOrkxlM/
+      sTPq4UrnypmsqSagWV3HcUlYtDinc+nukFk6eR4XkzXBbwKajl0YjztfrCIHOn5Q
+      CJL6TERVDbM/aAPly8kJ1sWGLuvvWYzMYgLzDul//rUF10gEMWaXVZV51KpS9DY/
+      5CunuvCXmEQJHo7kGcViT7sETn6Jz9KOhvYcXkJ7po6d93A/jy4GKPIPnsKKNEmR
+      xUuXY4xRdh45tMJnLTUDdC9FIU0flTeO9/vNpVA8OPU1i14vCz+MU8KX1bV3GXm/
+      fxlB7VBBjX9v5oUep0o/j68R/iDlCOM4VVfRa8gX6T2FU7fNdatvGro7uQzIvWof
+      gN9WUwCbEMBy/YhBSrXycKA8crgGg3x1mIsopn88JKwmMBa68oS7EHM9w7C4y71M
+      7DiA+/9Qdp9RBWJpTS9i/mDnJg1xvo8Xz49mrrgfmcAXTCJqXi24NatI3Oc=
+      -----END CERTIFICATE-----
+    ''
+    ''
+      letsencrypt-stg-root-x2
+      -----BEGIN CERTIFICATE-----
+      MIICTjCCAdSgAwIBAgIRAIPgc3k5LlLVLtUUvs4K/QcwCgYIKoZIzj0EAwMwaDEL
+      MAkGA1UEBhMCVVMxMzAxBgNVBAoTKihTVEFHSU5HKSBJbnRlcm5ldCBTZWN1cml0
+      eSBSZXNlYXJjaCBHcm91cDEkMCIGA1UEAxMbKFNUQUdJTkcpIEJvZ3VzIEJyb2Nj
+      b2xpIFgyMB4XDTIwMDkwNDAwMDAwMFoXDTQwMDkxNzE2MDAwMFowaDELMAkGA1UE
+      BhMCVVMxMzAxBgNVBAoTKihTVEFHSU5HKSBJbnRlcm5ldCBTZWN1cml0eSBSZXNl
+      YXJjaCBHcm91cDEkMCIGA1UEAxMbKFNUQUdJTkcpIEJvZ3VzIEJyb2Njb2xpIFgy
+      MHYwEAYHKoZIzj0CAQYFK4EEACIDYgAEOvS+w1kCzAxYOJbA06Aw0HFP2tLBLKPo
+      FQqR9AMskl1nC2975eQqycR+ACvYelA8rfwFXObMHYXJ23XLB+dAjPJVOJ2OcsjT
+      VqO4dcDWu+rQ2VILdnJRYypnV1MMThVxo0IwQDAOBgNVHQ8BAf8EBAMCAQYwDwYD
+      VR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQU3tGjWWQOwZo2o0busBB2766XlWYwCgYI
+      KoZIzj0EAwMDaAAwZQIwRcp4ZKBsq9XkUuN8wfX+GEbY1N5nmCRc8e80kUkuAefo
+      uc2j3cICeXo1cOybQ1iWAjEA3Ooawl8eQyR4wrjCofUE8h44p0j7Yl/kBlJZT8+9
+      vbtH7QiVzeKCOTQPINyRql6P
+      -----END CERTIFICATE-----
+    ''
+  ];
+}
--- a/tos/hosts/hashmap/configuration.nix
+++ b/tos/hosts/hashmap/configuration.nix
@@ -0,0 +1,163 @@
+{ pkgs, config, ... }:
+{
+  networking = {
+    hostName = "hashmap";
+    domain = "local";
+    search = [ "local" ];
+    firewall.allowedTCPPorts = [ 3389 ];
+    firewall.extraCommands = '''';
+  };
+
+  boot = {
+    consoleLogLevel = 3;
+    kernel = {
+      sysctl = {
+        "net.ipv4.ip_forward" = true;
+      };
+    };
+    kernelParams = [
+      # Quite boot
+      "quiet"
+      "udev.log_level=3"
+    ];
+    supportedFilesystems = [ "ntfs" ];
+    loader.systemd-boot.enable = true;
+    loader.efi.canTouchEfiVariables = true;
+    initrd.luks.devices = {
+      luksroot = {
+        device = "/dev/nvme0n1p1";
+        preLVM = true;
+        allowDiscards = true;
+      };
+      luks-data = {
+        device = "/dev/sda1";
+        preLVM = true;
+        allowDiscards = true;
+      };
+    };
+    loader.grub = {
+      enable = false;
+      device = "/dev/sda1";
+      configurationLimit = 3;
+    };
+  };
+
+  console = {
+    font = "Lat2-Terminus16";
+    keyMap = "us";
+  };
+
+  i18n = {
+    defaultLocale = "en_US.UTF-8";
+    extraLocaleSettings = {
+      LC_CTYPE = "en_DK.UTF-8";
+      LC_TIME = "en_DK.UTF-8";
+      LC_PAPER = "en_DK.UTF-8";
+      LC_NAME = "en_DK.UTF-8";
+      LC_ADDRESS = "en_DK.UTF-8";
+      LC_TELEPHONE = "en_DK.UTF-8";
+      LC_MEASUREMENT = "en_DK.UTF-8";
+      LC_IDENTIFICATION = "en_DK.UTF-8";
+    };
+  };
+
+  time.timeZone = "Europe/Oslo";
+
+  features = {
+    desktop.enable = true;
+    laptop.enable = false;
+    desktop.wayland.enable = false;
+    desktop.plasma.enable = true;
+    desktop.hyprland.enable = false;
+
+    pki = {
+      enable = false;
+      certmgr.enable = true;
+      certs = {
+        foo = {
+          hosts = [ "localhost" ];
+        };
+      };
+    };
+
+    os = {
+      networkmanager.enable = true;
+      externalInterface = "eno2";
+
+      docker.enable = true;
+
+      adminAuthorizedKeys = [
+        "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDULdlLC8ZLu9qBZUYsjhpr6kv5RH4yPkekXQdD7prkqapyoptUkO1nOTDwy7ZsKDxmp9Zc6OtdhgoJbowhGW3VIZPmooWO8twcaYDpkxEBLUehY/n8SlAwBtiHJ4mTLLcynJMVrjmTQLF3FeWVof0Aqy6UtZceFpLp1eNkiHTCM3anwtb9+gfr91dX1YsAOqxqv7ooRDu5rCRUvOi4OvRowepyuBcCjeWpTkJHkC9WGxuESvDV3CySWkGC2fF2LHkAu6SFsFE39UA5ZHo0b1TK+AFqRFiBAb7ULmtuno1yxhpBxbozf8+Yyc7yLfMNCyBpL1ci7WnjKkghQv7yM1xN2XMJLpF56v0slSKMoAs7ThoIlmkRm/6o3NCChgu0pkpNg/YP6A3HfYiEDgChvA6rAHX6+to50L9xF3ajqk4BUzWd/sCk7Q5Op2lzj31L53Ryg8vMP8hjDjYcgEcCCsGOcjUVgcsmfC9LupwRIEz3aF14AWg66+3zAxVho8ozjes= jonas.juselius@juselius.io"
+        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFbrEhm1acesXmbgfO5lN1gcTFXqusq61QyCZXunYJpl"
+        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIdcJteh9d/N1o8BbdEMRVxeMjm28saon/Oh2tV0+TYj"
+        "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQC68qcYMBNNWjCoRo1OrfGe3OTBsHprPJPQwaywlOUM03xQLNyF2JcqY8wXJ+Hf2dOopJWOWnS5RwsOtxxV5bUX0tk7yPV38AKGhwW1Q0Xy//nGYypoe4JSvvLJLN4dWoBtkhJFQcJcdAbi6jRrDU1J8n2ZwPwFtQWoEwdm0Mq0H+MR6c97Xnl4pkjCHUOVxyaaCCzo1GSotAG2TQanwcbr5AOTptP3CRGOQ8D7T0iN1v5bJmP4fc6P/av30spOzKksksIg21aMHcted5K5I8XJymftfgJbHr5uKtsgrnHtx7qcPiISkoToQWRttYhTEj0GjLIJwCXZ5Fon1rCVWDW+VvhzI7PhXmhBEOHxuLeSuG3lC9L0NpWJkoIJo7WqMtFo3rJPmRQS6AWFy11SIjvsBQVfDk3Jz1QmV8dxM1ksyZzx5VQ0+zOqIsagjJJIHwKhxgNsVXSO/Hqrua5oCsdgSfnrNVujwagfxY9TQa0bNwYkEs79Oot9EiFdLi9wwrE= Simen Kirkvik (gitlab.com)"
+        "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQC2tox0uyFGfU1zPNU6yAVSoGOUkeU959aiTMrqu1U9MCCOP2o4IhZIlRpZ08XVnUU/AhycCUF4HgGqdcco8oIVX0P0Cn83KJoD/DOqAiz+1VwIUUV1ylrRdNqCgf4wnmLni3sUPHJdQnuq57+pzDDjHMr9CcBL2KzOHD/QanfR+jZmv9K3OS5oDcWquSCziXkpbkWQURPactmtyzGK2FRRxONZgYrB8gRTDstlWQg/t6GHNVelzuJ7SEf+t8pk/S2e/XAvfZyRJhrVJ35iZKpmxkIn5v0g1Z+z0yX/KRSAPRtNg9uM44cmto77MFx7iFs0CuleL3zHvRvZYW1ZnsKAiP07UkEK87luMpkTzFr9CSHJGpgk1RZYA3qidQti44n6NU9YRNhzO4v+KQE6XDqO80gZCJboSXr3fnYn/QHpPXzK5JcZNWmClyMURYj10qv9So3Fh0o3LV5GThA6JgN874vUywUZanPEdn8ePBcAsjLRzA4YBGEuvJCc6FELSuY2s+/pFba8NXQvrOdJKSRC0g5USQFfaWDln4Q4zZ1G5z76p1u6GtRWxvakkUQ0fze9KAW7msxeKaw+B7uMtyvCL8V2zEE8WKFP1sNyYEe7Sgp3RVfym2VPMNTZVhEImfM/3D+WbzfoJztnJvFKXeeMCcne4G8swyef3o1s3b+CvQ== Simen Kirkvik (gitlab.com)"
+        "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDIQUQsPdS3Wvl46cPl6rBrAPDLX9r8tx1V7yVkr1GhP07hVYVcLV0wojMaB8Zi5kvr/sgBpiuU6oKNqx4+5gN70uQC+JbM5Orna8SoN4L2jfO2WgTMFZEqmDoyzCCglUl2EiqFDvKEC/dvFSjn/qJG6eUdEGpTuB/VQljidZMJrloq0kf4iYy0uaXdrkoKLlBEjXo1forlr2KAYq48PsTovyQxrDqG25UcRhjmoq0Ag7ZGquQXB8Ouwe+H/lVWQFJU+Vy4nqqvv1Fq/bQHW92dZDnlwrMyY6lVsp6Cgc3jzcB5dTfN9Zt+iaVFSE+Tojl04n1oKU4Z5kMbTPRTLLDgjlVRY9JGHOXNO8bqEPG0E7sNXBGSncie9nXnfDoVhXAd8KoVkvXCXYvS+pk82ig0ET+8HC7KRZysB5sqD++GbexbPZFYrOhEZYfvY00sOAVvFCh8h6sC1tXAvXZqUgvTClOINDh42NBs/vTmg6RoG57z1moTa5RsGlVAguKqaiE= Simen Kirkvik (gitlab.com)"
+        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAII77Aa2MFZMTha8PdkNg32UR8y6Hwb4R0aR9Ad9qifNq"
+      ];
+
+      nfs.enable = false;
+      # nfs.exports = ''
+      #   /exports 10.1.1.0/24(insecure,ro,async,crossmnt,no_subtree_check,fsid=0,no_root_squash)
+      # '';
+    };
+
+    lan = {
+      enable = true;
+
+      krb5 = {
+        enable = false;
+        default_realm = "ACME";
+
+        domain_realm = {
+          "acme.com" = "ACME";
+        };
+
+        realms = {
+          "ACME" = {
+            admin_server = "dc.acme.com";
+            kdc = "dc.acme.com";
+          };
+        };
+      };
+    };
+  };
+
+  services.pcscd.enable = false; # For Yubikey ykman
+
+  security.pam.yubico = {
+    enable = false;
+    mode = "client"; # "challenge-response";
+    id = "92753";
+    control = "sufficient";
+  };
+
+  services.udev.extraRules = ''
+    ACTION=="remove",\
+    ENV{ID_BUS}=="usb",\
+    ENV{ID_MODEL_ID}=="0407",\
+    ENV{ID_VENDOR_ID}=="1050",\
+    ENV{ID_VENDOR}=="Yubico",\
+    RUN+="${pkgs.systemd}/bin/loginctl lock-sessions"
+  '';
+
+  nixpkgs.config.allowUnfreee = true;
+
+  services.tailscale = {
+    enable = true;
+    useRoutingFeatures = "client";
+    extraUpFlags = [
+      "--login-server=https://headscale.svc.oceanbox.io"
+      "--accept-dns=true"
+      "--accept-routes"
+    ];
+  };
+
+  imports = [
+    ./.
+    ./kernel.nix
+    ./hardware-configuration.nix
+    #"${builtins.fetchGit { url = "https://github.com/NixOS/nixos-hardware.git"; }}/lenovo/thinkpad/x1/7th-gen"
+  ];
+
+}
--- a/tos/hosts/hashmap/default.nix
+++ b/tos/hosts/hashmap/default.nix
@@ -0,0 +1,7 @@
+{
+  imports = [
+    ./users.nix
+    ./hosts.nix
+    ./certificates.nix
+  ];
+}
--- a/tos/hosts/hashmap/hardware-configuration.nix
+++ b/tos/hosts/hashmap/hardware-configuration.nix
@@ -0,0 +1,48 @@
+# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations.  Please make changes
+# to /etc/nixos/configuration.nix instead.
+{
+  config,
+  lib,
+  pkgs,
+  modulesPath,
+  ...
+}:
+
+{
+  imports = [
+    (modulesPath + "/installer/scan/not-detected.nix")
+  ];
+
+  boot.initrd.availableKernelModules = [
+    "xhci_pci"
+    "ahci"
+    "nvme"
+    "usbhid"
+    "sd_mod"
+  ];
+  boot.initrd.kernelModules = [ "dm-snapshot" ];
+  boot.kernelModules = [ "kvm-intel" ];
+  boot.extraModulePackages = [ ];
+
+  fileSystems."/" = {
+    device = "/dev/disk/by-uuid/954fb6f1-a95d-41ef-bca3-991e2716b415";
+    fsType = "ext4";
+  };
+
+  fileSystems."/boot" = {
+    device = "/dev/disk/by-uuid/EDC0-FC90";
+    fsType = "vfat";
+  };
+
+  swapDevices = [
+    { device = "/dev/disk/by-uuid/062df612-c520-4067-b300-65908ea882bb"; }
+  ];
+
+  fileSystems."/data" = {
+    device = "/dev/vg1/data";
+    fsType = "ext4";
+  };
+
+  powerManagement.cpuFreqGovernor = lib.mkDefault "powersave";
+}
--- a/tos/hosts/hashmap/hosts.nix
+++ b/tos/hosts/hashmap/hosts.nix
@@ -0,0 +1,4 @@
+{ ... }:
+{
+  networking.extraHosts = '''';
+}
--- a/tos/hosts/hashmap/kernel.nix
+++ b/tos/hosts/hashmap/kernel.nix
@@ -0,0 +1,17 @@
+{
+  pkgs,
+  stdenv,
+  fetchurl,
+  config,
+  ...
+}:
+let
+in
+{
+  nixpkgs.overlays = [ ];
+
+  boot = {
+    extraModulePackages = [ ];
+    # kernelPackages = pkgs.linuxPackages_6_2;
+  };
+}
--- a/tos/hosts/hashmap/users.nix
+++ b/tos/hosts/hashmap/users.nix
@@ -0,0 +1,107 @@
+{ pkgs, ... }:
+{
+  users.extraGroups = {
+    admin = {
+      gid = 10000;
+    };
+    bast = {
+      gid = 1000;
+    };
+    stig = {
+      gid = 1001;
+    };
+  };
+
+  users.extraUsers.admin = {
+    description = "Administrator";
+    home = "/home/admin";
+    group = "admin";
+    extraGroups = [
+      "users"
+      "wheel"
+      "root"
+      "adm"
+      "cdrom"
+      "docker"
+      "fuse"
+      "wireshark"
+      "libvirtd"
+      "networkmanager"
+      "tty"
+      "keys"
+    ];
+    uid = 10000;
+    isNormalUser = true;
+    createHome = true;
+    useDefaultShell = false;
+    shell = pkgs.fish;
+    openssh.authorizedKeys.keys = [
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKiAS30ZO+wgfAqDE9Y7VhRunn2QszPHA5voUwo+fGOf jonas-3"
+      "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDULdlLC8ZLu9qBZUYsjhpr6kv5RH4yPkekXQdD7prkqapyoptUkO1nOTDwy7ZsKDxmp9Zc6OtdhgoJbowhGW3VIZPmooWO8twcaYDpkxEBLUehY/n8SlAwBtiHJ4mTLLcynJMVrjmTQLF3FeWVof0Aqy6UtZceFpLp1eNkiHTCM3anwtb9+gfr91dX1YsAOqxqv7ooRDu5rCRUvOi4OvRowepyuBcCjeWpTkJHkC9WGxuESvDV3CySWkGC2fF2LHkAu6SFsFE39UA5ZHo0b1TK+AFqRFiBAb7ULmtuno1yxhpBxbozf8+Yyc7yLfMNCyBpL1ci7WnjKkghQv7yM1xN2XMJLpF56v0slSKMoAs7ThoIlmkRm/6o3NCChgu0pkpNg/YP6A3HfYiEDgChvA6rAHX6+to50L9xF3ajqk4BUzWd/sCk7Q5Op2lzj31L53Ryg8vMP8hjDjYcgEcCCsGOcjUVgcsmfC9LupwRIEz3aF14AWg66+3zAxVho8ozjes= jonas.juselius@juselius.io"
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFbrEhm1acesXmbgfO5lN1gcTFXqusq61QyCZXunYJpl"
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIdcJteh9d/N1o8BbdEMRVxeMjm28saon/Oh2tV0+TYj"
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKfgY468dPNpdXZCkD9jw1p2qA0+z56Wi/c1VYE+riki"
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAII77Aa2MFZMTha8PdkNg32UR8y6Hwb4R0aR9Ad9qifNq"
+    ];
+  };
+
+  users.extraUsers.stig = {
+    description = "Stig Rune Jensen";
+    home = "/home/stig";
+    group = "stig";
+    extraGroups = [
+      "users"
+      "wheel"
+      "root"
+      "adm"
+      "cdrom"
+      "docker"
+      "fuse"
+      "wireshark"
+      "libvirtd"
+      "networkmanager"
+      "video"
+      "render"
+      "tty"
+      "keys"
+    ];
+    uid = 1001;
+    isNormalUser = true;
+    createHome = true;
+    useDefaultShell = false;
+    shell = pkgs.fish;
+    openssh.authorizedKeys.keys = [
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKfgY468dPNpdXZCkD9jw1p2qA0+z56Wi/c1VYE+riki"
+    ];
+  };
+
+  users.extraUsers.bast = {
+    description = "Radovan Bast";
+    home = "/home/bast";
+    group = "bast";
+    extraGroups = [
+      "users"
+      "wheel"
+      "root"
+      "adm"
+      "cdrom"
+      "docker"
+      "fuse"
+      "wireshark"
+      "libvirtd"
+      "networkmanager"
+      "video"
+      "render"
+      "tty"
+    ];
+    uid = 1000;
+    isNormalUser = true;
+    createHome = true;
+    useDefaultShell = false;
+    shell = pkgs.fish;
+    openssh.authorizedKeys.keys = [
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFbrEhm1acesXmbgfO5lN1gcTFXqusq61QyCZXunYJpl"
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIdcJteh9d/N1o8BbdEMRVxeMjm28saon/Oh2tV0+TYj"
+    ];
+  };
+}
--- a/tos/nix/default.nix
+++ b/tos/nix/default.nix
@@ -0,0 +1,146 @@
+/*
+  This file is provided under the MIT licence:
+
+  Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the “Software”), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
+
+  The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
+
+  THE SOFTWARE IS PROVIDED “AS IS”, WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+*/
+# Generated by npins. Do not modify; will be overwritten regularly
+let
+  data = builtins.fromJSON (builtins.readFile ./sources.json);
+  version = data.version;
+
+  # https://github.com/NixOS/nixpkgs/blob/0258808f5744ca980b9a1f24fe0b1e6f0fecee9c/lib/lists.nix#L295
+  range =
+    first: last: if first > last then [ ] else builtins.genList (n: first + n) (last - first + 1);
+
+  # https://github.com/NixOS/nixpkgs/blob/0258808f5744ca980b9a1f24fe0b1e6f0fecee9c/lib/strings.nix#L257
+  stringToCharacters = s: map (p: builtins.substring p 1 s) (range 0 (builtins.stringLength s - 1));
+
+  # https://github.com/NixOS/nixpkgs/blob/0258808f5744ca980b9a1f24fe0b1e6f0fecee9c/lib/strings.nix#L269
+  stringAsChars = f: s: concatStrings (map f (stringToCharacters s));
+  concatMapStrings = f: list: concatStrings (map f list);
+  concatStrings = builtins.concatStringsSep "";
+
+  # If the environment variable NPINS_OVERRIDE_${name} is set, then use
+  # the path directly as opposed to the fetched source.
+  # (Taken from Niv for compatibility)
+  mayOverride =
+    name: path:
+    let
+      envVarName = "NPINS_OVERRIDE_${saneName}";
+      saneName = stringAsChars (c: if (builtins.match "[a-zA-Z0-9]" c) == null then "_" else c) name;
+      ersatz = builtins.getEnv envVarName;
+    in
+    if ersatz == "" then
+      path
+    else
+      # this turns the string into an actual Nix path (for both absolute and
+      # relative paths)
+      builtins.trace "Overriding path of \"${name}\" with \"${ersatz}\" due to set \"${envVarName}\"" (
+        if builtins.substring 0 1 ersatz == "/" then
+          /. + ersatz
+        else
+          /. + builtins.getEnv "PWD" + "/${ersatz}"
+      );
+
+  mkSource =
+    name: spec:
+    assert spec ? type;
+    let
+      path =
+        if spec.type == "Git" then
+          mkGitSource spec
+        else if spec.type == "GitRelease" then
+          mkGitSource spec
+        else if spec.type == "PyPi" then
+          mkPyPiSource spec
+        else if spec.type == "Channel" then
+          mkChannelSource spec
+        else if spec.type == "Tarball" then
+          mkTarballSource spec
+        else
+          builtins.throw "Unknown source type ${spec.type}";
+    in
+    spec // { outPath = mayOverride name path; };
+
+  mkGitSource =
+    {
+      repository,
+      revision,
+      url ? null,
+      submodules,
+      hash,
+      branch ? null,
+      ...
+    }:
+    assert repository ? type;
+    # At the moment, either it is a plain git repository (which has an url), or it is a GitHub/GitLab repository
+    # In the latter case, there we will always be an url to the tarball
+    if url != null && !submodules then
+      builtins.fetchTarball {
+        inherit url;
+        sha256 = hash; # FIXME: check nix version & use SRI hashes
+      }
+    else
+      let
+        url =
+          if repository.type == "Git" then
+            repository.url
+          else if repository.type == "GitHub" then
+            "https://github.com/${repository.owner}/${repository.repo}.git"
+          else if repository.type == "GitLab" then
+            "${repository.server}/${repository.repo_path}.git"
+          else
+            throw "Unrecognized repository type ${repository.type}";
+        urlToName =
+          url: rev:
+          let
+            matched = builtins.match "^.*/([^/]*)(\\.git)?$" url;
+
+            short = builtins.substring 0 7 rev;
+
+            appendShort = if (builtins.match "[a-f0-9]*" rev) != null then "-${short}" else "";
+          in
+          "${if matched == null then "source" else builtins.head matched}${appendShort}";
+        name = urlToName url revision;
+      in
+      builtins.fetchGit {
+        rev = revision;
+        inherit name;
+        # hash = hash;
+        inherit url submodules;
+      };
+
+  mkPyPiSource =
+    { url, hash, ... }:
+    builtins.fetchurl {
+      inherit url;
+      sha256 = hash;
+    };
+
+  mkChannelSource =
+    { url, hash, ... }:
+    builtins.fetchTarball {
+      inherit url;
+      sha256 = hash;
+    };
+
+  mkTarballSource =
+    {
+      url,
+      locked_url ? url,
+      hash,
+      ...
+    }:
+    builtins.fetchTarball {
+      url = locked_url;
+      sha256 = hash;
+    };
+in
+if version == 5 then
+  builtins.mapAttrs mkSource data.pins
+else
+  throw "Unsupported format version ${toString version} in sources.json. Try running `npins upgrade`"
--- a/tos/nix/sources.json
+++ b/tos/nix/sources.json
@@ -0,0 +1,37 @@
+{
+  "pins": {
+    "nixos-2505": {
+      "type": "Git",
+      "repository": {
+        "type": "GitHub",
+        "owner": "nixos",
+        "repo": "nixpkgs"
+      },
+      "branch": "nixos-25.05",
+      "submodules": false,
+      "revision": "1c8ba8d3f7634acac4a2094eef7c32ad9106532c",
+      "url": "https://github.com/nixos/nixpkgs/archive/1c8ba8d3f7634acac4a2094eef7c32ad9106532c.tar.gz",
+      "hash": "0kal9wdvh0f9kcgh0ya1dpiir9331ykmkvsdh6a37lq77ln6m3vm"
+    },
+    "nixos-hardware": {
+      "type": "Git",
+      "repository": {
+        "type": "GitHub",
+        "owner": "nixos",
+        "repo": "nixos-hardware"
+      },
+      "branch": "master",
+      "submodules": false,
+      "revision": "da17006633ca9cda369be82893ae36824a2ddf1a",
+      "url": "https://github.com/nixos/nixos-hardware/archive/da17006633ca9cda369be82893ae36824a2ddf1a.tar.gz",
+      "hash": "050i03nvf0nrhighs9g4nfcfp5c3pbh7yg7dsri84wqh1cnjslvg"
+    },
+    "nixpkgs": {
+      "type": "Channel",
+      "name": "nixpkgs-unstable",
+      "url": "https://releases.nixos.org/nixpkgs/nixpkgs-26.05pre902880.5c46f3bd9814/nixexprs.tar.xz",
+      "hash": "0s8yjnxhp28nyfc40a0pjsqqdnx7jv7nakx5h2lcgp5br546100j"
+    }
+  },
+  "version": 5
+}
--- a/tos/packages/krdp.nix
+++ b/tos/packages/krdp.nix
@@ -0,0 +1,55 @@
+{ }:
+let
+  nixpkgs = fetchTarball "https://github.com/nixos/nixpkgs/tarball/nixos-unstable";
+  pkgs = import nixpkgs {
+    config = { };
+    overlays = [ ];
+  };
+in
+pkgs.stdenv.mkDerivation rec {
+  name = "krdp";
+  version = "6.5.3";
+
+  outputs = [
+    "out"
+  ];
+
+  src = pkgs.fetchFromGitLab {
+    domain = "invent.kde.org";
+    owner = "plasma";
+    repo = "krdp";
+    tag = "v${version}";
+    hash = "sha256-J4lPMh1ZqwoHOXfmOJOa2M/KUf/z0ZsyVqVrPpuvPzk=";
+  };
+
+  nativeBuildInputs = with pkgs; [
+    cmake
+    pkg-config
+
+    qt6.qtbase
+    qt6.wrapQtAppsNoGuiHook
+
+    kdePackages.extra-cmake-modules
+    kdePackages.kcmutils
+    kdePackages.kconfig
+    kdePackages.kcrash
+    kdePackages.kguiaddons
+    kdePackages.ki18n
+    kdePackages.kpipewire
+    kdePackages.kstatusnotifieritem
+    kdePackages.qtkeychain
+    kdePackages.qtquick3d
+  ];
+
+  buildInputs = with pkgs; [
+    freerdp
+    pam
+    kdePackages.qtwayland
+  ];
+
+  cmakeFlags = [
+    "-DQT_MAJOR_VERSION=6"
+  ];
+
+  env.LANG = "C.UTF-8";
+}
--- a/tos/shell.nix
+++ b/tos/shell.nix
@@ -0,0 +1,13 @@
+{
+  sources ? import ./nix,
+  pkgs ? import sources.nixos-2505 { },
+}:
+pkgs.mkShellNoCC {
+  packages = with pkgs; [
+    npins
+    colmena
+    nixfmt-rfc-style
+  ];
+
+  NPINS_DIRECTORY = "nix";
+}