From 7a14f3d49f113347175ff75589fc3304bdd2fe1a Mon Sep 17 00:00:00 2001
From: Andre-Philippe Paquet <appaquet@gmail.com>
Date: Mon, 23 Dec 2024 12:00:50 -0500
Subject: [PATCH 1/6] servapp: initial move to nixos

---
 .github/workflows/push-check.yaml            |   2 +-
 .github/workflows/updater.yaml               |   6 +-
 flake.lock                                   |   6 +-
 flake.nix                                    |  17 +-
 home-manager/servapp.nix                     |   2 +-
 nixos/servapp/configuration.nix              |  95 +++++++
 nixos/servapp/hardware-configuration.nix     |  53 ++++
 nixos/servapp/virt/default.nix               |  33 +++
 nixos/servapp/virt/domains/homeassistant.xml | 250 +++++++++++++++++++
 nixos/servapp/virt/domains/pihole.xml        | 241 ++++++++++++++++++
 nixos/servapp/virt/pools/download.xml        |  15 ++
 secrets                                      |   2 +-
 x                                            |  10 +-
 13 files changed, 718 insertions(+), 14 deletions(-)
 create mode 100644 nixos/servapp/configuration.nix
 create mode 100644 nixos/servapp/hardware-configuration.nix
 create mode 100644 nixos/servapp/virt/default.nix
 create mode 100644 nixos/servapp/virt/domains/homeassistant.xml
 create mode 100644 nixos/servapp/virt/domains/pihole.xml
 create mode 100644 nixos/servapp/virt/pools/download.xml

diff --git a/.github/workflows/push-check.yaml b/.github/workflows/push-check.yaml
index 21d3005..88dcf68 100644
--- a/.github/workflows/push-check.yaml
+++ b/.github/workflows/push-check.yaml
@@ -58,7 +58,7 @@ jobs:
     runs-on: ubuntu-latest
     strategy:
       matrix:
-        machine: ["appaquet@deskapp"]
+        machine: ["appaquet@deskapp", "appaquet@servapp"]
     steps:
     - uses: actions/checkout@v4
     - uses: DeterminateSystems/nix-installer-action@main
diff --git a/.github/workflows/updater.yaml b/.github/workflows/updater.yaml
index c88ba2f..f486269 100644
--- a/.github/workflows/updater.yaml
+++ b/.github/workflows/updater.yaml
@@ -87,7 +87,7 @@ jobs:
     runs-on: ubuntu-latest
     strategy:
       matrix:
-        machine: ["appaquet@deskapp"]
+        machine: ["appaquet@deskapp", "appaquet@servapp"]
     steps:
       - uses: actions/checkout@v4
 
@@ -107,7 +107,7 @@ jobs:
       - name: Building NixOS baseline
         run: |
           set -xe
-          MACHINE_KEY="appaquet@deskapp" ./x nixos build
+          MACHINE_KEY="${{ matrix.machine }}" ./x nixos build
           nix-collect-garbage # free up intermediary, since we're low on disk on gha
           mv result result-before
 
@@ -119,7 +119,7 @@ jobs:
       - name: Building NixOS new
         run: |
           set -xe
-          MACHINE_KEY="appaquet@deskapp" ./x nixos build
+          MACHINE_KEY="${{ matrix.machine }}" ./x nixos build
           mv result result-after
 
       - name: Diffing...
diff --git a/flake.lock b/flake.lock
index 76c182c..7122db4 100644
--- a/flake.lock
+++ b/flake.lock
@@ -441,11 +441,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1734116890,
-        "narHash": "sha256-5QVuAB30qgg07ryz7U5Ch33K5VPhUb3KS9uYasvntLs=",
+        "lastModified": 1734973134,
+        "narHash": "sha256-44vUcOsZRHWqV02XfCHfD1HUxAi/ODLRRxBHKtNH79E=",
         "owner": "appaquet",
         "repo": "dotfiles-secrets",
-        "rev": "dcf013a62cbcc9db1cbf62727725a50e441146f5",
+        "rev": "1f78be17751b4be2dc5e75ceea9aaf7fa5531d79",
         "type": "github"
       },
       "original": {
diff --git a/flake.nix b/flake.nix
index 2d6c7b0..384d078 100755
--- a/flake.nix
+++ b/flake.nix
@@ -135,8 +135,11 @@
                   extraSpecialArgs.secrets.commonHome
                 ] ++ commonHomeModules;
                 extraSpecialArgs = {
-                  inherit inputs unstablePkgs cfg;
+                  inherit inputs unstablePkgs;
                   secrets = secrets.init "linux";
+                  cfg = cfg // {
+                    isNixos = true;
+                  };
                 };
               };
 
@@ -191,6 +194,18 @@
             ./nixos/deskapp/configuration.nix
           ];
         };
+
+        servapp = nixpkgs.lib.nixosSystem {
+          specialArgs = {
+            inherit (self) common;
+            inherit inputs;
+            secrets = secrets.init "linux";
+          };
+          modules = [
+            nixosOverlaysModule
+            ./nixos/servapp/configuration.nix
+          ];
+        };
       };
     };
 }
diff --git a/home-manager/servapp.nix b/home-manager/servapp.nix
index b4025a5..0e0a87f 100644
--- a/home-manager/servapp.nix
+++ b/home-manager/servapp.nix
@@ -10,5 +10,5 @@
 
   home.username = "appaquet";
   home.homeDirectory = "/home/appaquet";
-  home.stateVersion = "23.11";
+  home.stateVersion = "24.11";
 }
diff --git a/nixos/servapp/configuration.nix b/nixos/servapp/configuration.nix
new file mode 100644
index 0000000..4d22247
--- /dev/null
+++ b/nixos/servapp/configuration.nix
@@ -0,0 +1,95 @@
+{ pkgs, secrets, ... }:
+
+{
+  imports = [
+    ./hardware-configuration.nix
+    ./virt
+    ../common.nix
+    ../dev.nix
+    ../docker.nix
+    ../network-bridge.nix
+    ../ups.nix
+    ../nasapp.nix
+  ];
+
+  boot.loader.systemd-boot.enable = true;
+  boot.loader.efi.canTouchEfiVariables = true;
+  boot.kernelPackages = pkgs.linuxPackages_latest;
+  boot.kernelParams = [ ];
+
+  networking.hostName = "servapp";
+
+  # Drives
+  swapDevices = [
+    {
+      device = "/swapfile";
+      size = 16 * 1024; # 16GB
+    }
+  ];
+
+  # Networking
+  # networking.networkmanager.enable = true;
+  # networking.myBridge = {
+  #   enable = true;
+  #   interface = "enp1s0"; # TODO: probably wrong
+  #   lanIp = "192.168.0.13";
+  # };
+
+  # NasAPP mounts
+  nasapp = {
+    enable = true;
+    credentials = secrets.servapp.nasappCifs;
+    uid = "appaquet";
+    gid = "users";
+    shares = [
+      {
+        share = "backup_servapp"; # TODO: move to backup
+        mount = "/mnt/backup_servapp";
+      }
+      {
+        share = "video";
+        mount = "/mnt/video";
+      }
+    ];
+  };
+
+  # Display
+  services.xserver.enable = true;
+  services.xserver.displayManager.lightdm.enable = true;
+  services.xserver.desktopManager.xfce.enable = true;
+  services.xserver = {
+    xkb.layout = "us";
+    xkb.variant = "";
+  };
+  services.displayManager.autoLogin.enable = true;
+  services.displayManager.autoLogin.user = "appaquet";
+
+  # Enable sound with pipewire.
+  hardware.pulseaudio.enable = false;
+  security.rtkit.enable = true;
+  services.pipewire = {
+    enable = true;
+    alsa.enable = true;
+    alsa.support32Bit = true;
+    pulse.enable = true;
+  };
+
+  # Programs & services
+  programs.firefox.enable = true;
+  services.printing.enable = false;
+  services.openssh.enable = true;
+
+  # Open ports in the firewall.
+  # networking.firewall.allowedTCPPorts = [ ... ];
+  # networking.firewall.allowedUDPPorts = [ ... ];
+  # Or disable the firewall altogether.
+  networking.firewall.enable = false;
+
+  # This value determines the NixOS release from which the default
+  # settings for stateful data, like file locations and database versions
+  # on your system were taken. It‘s perfectly fine and recommended to leave
+  # this value at the release version of the first install of this system.
+  # Before changing this value read the documentation for this option
+  # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
+  system.stateVersion = "24.11";
+}
diff --git a/nixos/servapp/hardware-configuration.nix b/nixos/servapp/hardware-configuration.nix
new file mode 100644
index 0000000..db4b963
--- /dev/null
+++ b/nixos/servapp/hardware-configuration.nix
@@ -0,0 +1,53 @@
+# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations.  Please make changes
+# to /etc/nixos/configuration.nix instead.
+{
+  config,
+  lib,
+  modulesPath,
+  ...
+}:
+
+{
+  imports = [
+    (modulesPath + "/installer/scan/not-detected.nix")
+  ];
+
+  boot.initrd.availableKernelModules = [
+    "nvme"
+    "xhci_pci"
+    "ahci"
+    "usbhid"
+    "usb_storage"
+    "sd_mod"
+  ];
+  boot.initrd.kernelModules = [ ];
+  boot.kernelModules = [ "kvm-amd" ];
+  boot.extraModulePackages = [ ];
+
+  fileSystems."/" = {
+    device = "/dev/disk/by-uuid/141971f9-e5ed-4eec-b306-a7b3db3d005d";
+    fsType = "ext4";
+  };
+
+  fileSystems."/boot" = {
+    device = "/dev/disk/by-uuid/8A5E-82A3";
+    fsType = "vfat";
+    options = [
+      "fmask=0022"
+      "dmask=0022"
+    ];
+  };
+
+  swapDevices = [ ];
+
+  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+  # (the default) this is the recommended approach. When using systemd-networkd it's
+  # still possible to use this option, but it's recommended to use it in conjunction
+  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
+  networking.useDHCP = lib.mkDefault true;
+  networking.interfaces.eno1.useDHCP = false;
+
+  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+  hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+}
diff --git a/nixos/servapp/virt/default.nix b/nixos/servapp/virt/default.nix
new file mode 100644
index 0000000..6b75aec
--- /dev/null
+++ b/nixos/servapp/virt/default.nix
@@ -0,0 +1,33 @@
+{
+  inputs,
+  ...
+}:
+
+{
+  imports = [
+    ../../virt.nix
+    inputs.nixvirt.nixosModules.default
+  ];
+
+  virtualisation = {
+    libvirt.enable = true;
+    libvirt.connections = {
+      "qemu:///system" = {
+        domains = [
+          {
+            definition = ./domains/homeassistant.xml;
+          }
+          {
+            definition = ./domains/pihole.xml;
+          }
+        ];
+        pools = [
+          {
+            definition = ./pools/download.xml;
+            active = true;
+          }
+        ];
+      };
+    };
+  };
+}
diff --git a/nixos/servapp/virt/domains/homeassistant.xml b/nixos/servapp/virt/domains/homeassistant.xml
new file mode 100644
index 0000000..60b429e
--- /dev/null
+++ b/nixos/servapp/virt/domains/homeassistant.xml
@@ -0,0 +1,250 @@
+<domain type='kvm' id='2'>
+  <name>homeassistant</name>
+  <uuid>594f25c4-862c-448c-8154-4666f6f36718</uuid>
+  <metadata>
+    <libosinfo:libosinfo xmlns:libosinfo="http://libosinfo.org/xmlns/libvirt/domain/1.0">
+      <libosinfo:os id="http://debian.org/debian/12"/>
+    </libosinfo:libosinfo>
+  </metadata>
+  <memory unit='KiB'>4194304</memory>
+  <currentMemory unit='KiB'>4194304</currentMemory>
+  <vcpu placement='static'>4</vcpu>
+  <resource>
+    <partition>/machine</partition>
+  </resource>
+  <os firmware='efi'>
+    <type arch='x86_64' machine='pc-q35-8.0'>hvm</type>
+    <firmware>
+      <feature enabled='no' name='enrolled-keys'/>
+      <feature enabled='no' name='secure-boot'/>
+    </firmware>
+    <loader readonly='yes' type='pflash'>/run/libvirt/nix-ovmf/OVMF_CODE.fd</loader>
+    <nvram template='/run/libvirt/nix-ovmf/OVMF_VARS.fd'>/home/appaquet/homeassistant/OVMF_VARS.fd</nvram>
+    <boot dev='hd'/>
+  </os>
+  <features>
+    <acpi/>
+    <apic/>
+    <vmport state='off'/>
+  </features>
+  <cpu mode='host-passthrough' check='none' migratable='on'/>
+  <clock offset='utc'>
+    <timer name='rtc' tickpolicy='catchup'/>
+    <timer name='pit' tickpolicy='delay'/>
+    <timer name='hpet' present='no'/>
+  </clock>
+  <on_poweroff>destroy</on_poweroff>
+  <on_reboot>restart</on_reboot>
+  <on_crash>destroy</on_crash>
+  <pm>
+    <suspend-to-mem enabled='no'/>
+    <suspend-to-disk enabled='no'/>
+  </pm>
+  <devices>
+    <emulator>/run/libvirt/nix-emulators/qemu-system-x86_64</emulator>
+    <disk type='file' device='disk'>
+      <driver name='qemu' type='qcow2'/>
+      <source file='/home/appaquet/homeassistant/haos_ova-10.5.qcow2' index='1'/>
+      <backingStore/>
+      <target dev='vda' bus='virtio'/>
+      <alias name='virtio-disk0'/>
+      <address type='pci' domain='0x0000' bus='0x04' slot='0x00' function='0x0'/>
+    </disk>
+    <controller type='usb' index='0' model='qemu-xhci' ports='15'>
+      <alias name='usb'/>
+      <address type='pci' domain='0x0000' bus='0x02' slot='0x00' function='0x0'/>
+    </controller>
+    <controller type='pci' index='0' model='pcie-root'>
+      <alias name='pcie.0'/>
+    </controller>
+    <controller type='pci' index='1' model='pcie-root-port'>
+      <model name='pcie-root-port'/>
+      <target chassis='1' port='0x10'/>
+      <alias name='pci.1'/>
+      <address type='pci' domain='0x0000' bus='0x00' slot='0x02' function='0x0' multifunction='on'/>
+    </controller>
+    <controller type='pci' index='2' model='pcie-root-port'>
+      <model name='pcie-root-port'/>
+      <target chassis='2' port='0x11'/>
+      <alias name='pci.2'/>
+      <address type='pci' domain='0x0000' bus='0x00' slot='0x02' function='0x1'/>
+    </controller>
+    <controller type='pci' index='3' model='pcie-root-port'>
+      <model name='pcie-root-port'/>
+      <target chassis='3' port='0x12'/>
+      <alias name='pci.3'/>
+      <address type='pci' domain='0x0000' bus='0x00' slot='0x02' function='0x2'/>
+    </controller>
+    <controller type='pci' index='4' model='pcie-root-port'>
+      <model name='pcie-root-port'/>
+      <target chassis='4' port='0x13'/>
+      <alias name='pci.4'/>
+      <address type='pci' domain='0x0000' bus='0x00' slot='0x02' function='0x3'/>
+    </controller>
+    <controller type='pci' index='5' model='pcie-root-port'>
+      <model name='pcie-root-port'/>
+      <target chassis='5' port='0x14'/>
+      <alias name='pci.5'/>
+      <address type='pci' domain='0x0000' bus='0x00' slot='0x02' function='0x4'/>
+    </controller>
+    <controller type='pci' index='6' model='pcie-root-port'>
+      <model name='pcie-root-port'/>
+      <target chassis='6' port='0x15'/>
+      <alias name='pci.6'/>
+      <address type='pci' domain='0x0000' bus='0x00' slot='0x02' function='0x5'/>
+    </controller>
+    <controller type='pci' index='7' model='pcie-root-port'>
+      <model name='pcie-root-port'/>
+      <target chassis='7' port='0x16'/>
+      <alias name='pci.7'/>
+      <address type='pci' domain='0x0000' bus='0x00' slot='0x02' function='0x6'/>
+    </controller>
+    <controller type='pci' index='8' model='pcie-root-port'>
+      <model name='pcie-root-port'/>
+      <target chassis='8' port='0x17'/>
+      <alias name='pci.8'/>
+      <address type='pci' domain='0x0000' bus='0x00' slot='0x02' function='0x7'/>
+    </controller>
+    <controller type='pci' index='9' model='pcie-root-port'>
+      <model name='pcie-root-port'/>
+      <target chassis='9' port='0x18'/>
+      <alias name='pci.9'/>
+      <address type='pci' domain='0x0000' bus='0x00' slot='0x03' function='0x0' multifunction='on'/>
+    </controller>
+    <controller type='pci' index='10' model='pcie-root-port'>
+      <model name='pcie-root-port'/>
+      <target chassis='10' port='0x19'/>
+      <alias name='pci.10'/>
+      <address type='pci' domain='0x0000' bus='0x00' slot='0x03' function='0x1'/>
+    </controller>
+    <controller type='pci' index='11' model='pcie-root-port'>
+      <model name='pcie-root-port'/>
+      <target chassis='11' port='0x1a'/>
+      <alias name='pci.11'/>
+      <address type='pci' domain='0x0000' bus='0x00' slot='0x03' function='0x2'/>
+    </controller>
+    <controller type='pci' index='12' model='pcie-root-port'>
+      <model name='pcie-root-port'/>
+      <target chassis='12' port='0x1b'/>
+      <alias name='pci.12'/>
+      <address type='pci' domain='0x0000' bus='0x00' slot='0x03' function='0x3'/>
+    </controller>
+    <controller type='pci' index='13' model='pcie-root-port'>
+      <model name='pcie-root-port'/>
+      <target chassis='13' port='0x1c'/>
+      <alias name='pci.13'/>
+      <address type='pci' domain='0x0000' bus='0x00' slot='0x03' function='0x4'/>
+    </controller>
+    <controller type='pci' index='14' model='pcie-root-port'>
+      <model name='pcie-root-port'/>
+      <target chassis='14' port='0x1d'/>
+      <alias name='pci.14'/>
+      <address type='pci' domain='0x0000' bus='0x00' slot='0x03' function='0x5'/>
+    </controller>
+    <controller type='sata' index='0'>
+      <alias name='ide'/>
+      <address type='pci' domain='0x0000' bus='0x00' slot='0x1f' function='0x2'/>
+    </controller>
+    <controller type='virtio-serial' index='0'>
+      <alias name='virtio-serial0'/>
+      <address type='pci' domain='0x0000' bus='0x03' slot='0x00' function='0x0'/>
+    </controller>
+    <interface type='bridge'>
+      <mac address='52:54:00:a3:77:84'/>
+      <source bridge='br0'/>
+      <target dev='vnet1'/>
+      <model type='virtio'/>
+      <link state='up'/>
+      <alias name='net0'/>
+      <address type='pci' domain='0x0000' bus='0x01' slot='0x00' function='0x0'/>
+    </interface>
+    <serial type='pty'>
+      <source path='/dev/pts/1'/>
+      <target type='isa-serial' port='0'>
+        <model name='isa-serial'/>
+      </target>
+      <alias name='serial0'/>
+    </serial>
+    <console type='pty' tty='/dev/pts/1'>
+      <source path='/dev/pts/1'/>
+      <target type='serial' port='0'/>
+      <alias name='serial0'/>
+    </console>
+    <channel type='spicevmc'>
+      <target type='virtio' name='com.redhat.spice.0' state='disconnected'/>
+      <alias name='channel0'/>
+      <address type='virtio-serial' controller='0' bus='0' port='1'/>
+    </channel>
+    <channel type='unix'>
+      <target type='virtio' name='org.qemu.guest_agent.0'/>
+      <address type='virtio-serial' controller='0' bus='0' port='1'/>
+    </channel>
+    <input type='tablet' bus='usb'>
+      <alias name='input0'/>
+      <address type='usb' bus='0' port='1'/>
+    </input>
+    <input type='mouse' bus='ps2'>
+      <alias name='input1'/>
+    </input>
+    <input type='keyboard' bus='ps2'>
+      <alias name='input2'/>
+    </input>
+    <graphics type='spice' port='5901' autoport='yes' listen='127.0.0.1'>
+      <listen type='address' address='127.0.0.1'/>
+      <image compression='off'/>
+    </graphics>
+    <sound model='ich9'>
+      <alias name='sound0'/>
+      <address type='pci' domain='0x0000' bus='0x00' slot='0x1b' function='0x0'/>
+    </sound>
+    <audio id='1' type='spice'/>
+    <video>
+      <model type='virtio' heads='1' primary='yes'/>
+      <alias name='video0'/>
+      <address type='pci' domain='0x0000' bus='0x00' slot='0x01' function='0x0'/>
+    </video>
+    <hostdev mode='subsystem' type='usb' managed='yes'>
+      <source>
+        <vendor id='0x10c4'/>
+        <product id='0xea60'/>
+        <address bus='3' device='7'/>
+      </source>
+      <alias name='hostdev0'/>
+      <address type='usb' bus='0' port='4'/>
+    </hostdev>
+    <hostdev mode='subsystem' type='usb' managed='yes'>
+      <source>
+        <vendor id='0x0658'/>
+        <product id='0x0200'/>
+        <address bus='3' device='4'/>
+      </source>
+      <alias name='hostdev1'/>
+      <address type='usb' bus='0' port='5'/>
+    </hostdev>
+    <redirdev bus='usb' type='spicevmc'>
+      <alias name='redir0'/>
+      <address type='usb' bus='0' port='2'/>
+    </redirdev>
+    <redirdev bus='usb' type='spicevmc'>
+      <alias name='redir1'/>
+      <address type='usb' bus='0' port='3'/>
+    </redirdev>
+    <watchdog model='itco' action='reset'>
+      <alias name='watchdog0'/>
+    </watchdog>
+    <memballoon model='virtio'>
+      <alias name='balloon0'/>
+      <address type='pci' domain='0x0000' bus='0x05' slot='0x00' function='0x0'/>
+    </memballoon>
+    <rng model='virtio'>
+      <backend model='random'>/dev/urandom</backend>
+      <alias name='rng0'/>
+      <address type='pci' domain='0x0000' bus='0x06' slot='0x00' function='0x0'/>
+    </rng>
+  </devices>
+  <seclabel type='dynamic' model='dac' relabel='yes'>
+    <label>+958:+958</label>
+    <imagelabel>+958:+958</imagelabel>
+  </seclabel>
+</domain>
+
diff --git a/nixos/servapp/virt/domains/pihole.xml b/nixos/servapp/virt/domains/pihole.xml
new file mode 100644
index 0000000..9758185
--- /dev/null
+++ b/nixos/servapp/virt/domains/pihole.xml
@@ -0,0 +1,241 @@
+<domain type='kvm' id='1'>
+  <name>pihole</name>
+  <uuid>b60eab6c-bf2d-4a7b-841c-a2235c6a3654</uuid>
+  <metadata>
+    <libosinfo:libosinfo xmlns:libosinfo="http://libosinfo.org/xmlns/libvirt/domain/1.0">
+      <libosinfo:os id="http://libosinfo.org/linux/2022"/>
+    </libosinfo:libosinfo>
+  </metadata>
+  <memory unit='KiB'>524288</memory>
+  <currentMemory unit='KiB'>524288</currentMemory>
+  <vcpu placement='static'>2</vcpu>
+  <resource>
+    <partition>/machine</partition>
+  </resource>
+  <os firmware='efi'>
+    <type arch='x86_64' machine='pc-q35-8.2'>hvm</type>
+    <firmware>
+      <feature enabled='no' name='enrolled-keys'/>
+      <feature enabled='yes' name='secure-boot'/>
+    </firmware>
+    <loader readonly='yes' type='pflash'>/run/libvirt/nix-ovmf/OVMF_CODE.fd</loader>
+    <nvram template='/run/libvirt/nix-ovmf/OVMF_VARS.fd'>/home/appaquet/pihole/OVMF_VARS.fd</nvram>
+    <boot dev='hd'/>
+  </os>
+  <features>
+    <acpi/>
+    <apic/>
+    <vmport state='off'/>
+    <smm state='on'/>
+  </features>
+  <cpu mode='host-passthrough' check='none' migratable='on'/>
+  <clock offset='utc'>
+    <timer name='rtc' tickpolicy='catchup'/>
+    <timer name='pit' tickpolicy='delay'/>
+    <timer name='hpet' present='no'/>
+  </clock>
+  <on_poweroff>destroy</on_poweroff>
+  <on_reboot>restart</on_reboot>
+  <on_crash>destroy</on_crash>
+  <pm>
+    <suspend-to-mem enabled='no'/>
+    <suspend-to-disk enabled='no'/>
+  </pm>
+  <devices>
+    <emulator>/usr/bin/qemu-system-x86_64</emulator>
+    <disk type='file' device='disk'>
+      <driver name='qemu' type='qcow2' discard='unmap'/>
+      <source file='/home/appaquet/pihole/pihole.qcow2' index='2'/>
+      <backingStore/>
+      <target dev='vda' bus='virtio'/>
+      <alias name='virtio-disk0'/>
+      <address type='pci' domain='0x0000' bus='0x04' slot='0x00' function='0x0'/>
+    </disk>
+    <disk type='file' device='cdrom'>
+      <driver name='qemu'/>
+      <target dev='sda' bus='sata'/>
+      <readonly/>
+      <alias name='sata0-0-0'/>
+      <address type='drive' controller='0' bus='0' target='0' unit='0'/>
+    </disk>
+    <controller type='usb' index='0' model='qemu-xhci' ports='15'>
+      <alias name='usb'/>
+      <address type='pci' domain='0x0000' bus='0x02' slot='0x00' function='0x0'/>
+    </controller>
+    <controller type='pci' index='0' model='pcie-root'>
+      <alias name='pcie.0'/>
+    </controller>
+    <controller type='pci' index='1' model='pcie-root-port'>
+      <model name='pcie-root-port'/>
+      <target chassis='1' port='0x10'/>
+      <alias name='pci.1'/>
+      <address type='pci' domain='0x0000' bus='0x00' slot='0x02' function='0x0' multifunction='on'/>
+    </controller>
+    <controller type='pci' index='2' model='pcie-root-port'>
+      <model name='pcie-root-port'/>
+      <target chassis='2' port='0x11'/>
+      <alias name='pci.2'/>
+      <address type='pci' domain='0x0000' bus='0x00' slot='0x02' function='0x1'/>
+    </controller>
+    <controller type='pci' index='3' model='pcie-root-port'>
+      <model name='pcie-root-port'/>
+      <target chassis='3' port='0x12'/>
+      <alias name='pci.3'/>
+      <address type='pci' domain='0x0000' bus='0x00' slot='0x02' function='0x2'/>
+    </controller>
+    <controller type='pci' index='4' model='pcie-root-port'>
+      <model name='pcie-root-port'/>
+      <target chassis='4' port='0x13'/>
+      <alias name='pci.4'/>
+      <address type='pci' domain='0x0000' bus='0x00' slot='0x02' function='0x3'/>
+    </controller>
+    <controller type='pci' index='5' model='pcie-root-port'>
+      <model name='pcie-root-port'/>
+      <target chassis='5' port='0x14'/>
+      <alias name='pci.5'/>
+      <address type='pci' domain='0x0000' bus='0x00' slot='0x02' function='0x4'/>
+    </controller>
+    <controller type='pci' index='6' model='pcie-root-port'>
+      <model name='pcie-root-port'/>
+      <target chassis='6' port='0x15'/>
+      <alias name='pci.6'/>
+      <address type='pci' domain='0x0000' bus='0x00' slot='0x02' function='0x5'/>
+    </controller>
+    <controller type='pci' index='7' model='pcie-root-port'>
+      <model name='pcie-root-port'/>
+      <target chassis='7' port='0x16'/>
+      <alias name='pci.7'/>
+      <address type='pci' domain='0x0000' bus='0x00' slot='0x02' function='0x6'/>
+    </controller>
+    <controller type='pci' index='8' model='pcie-root-port'>
+      <model name='pcie-root-port'/>
+      <target chassis='8' port='0x17'/>
+      <alias name='pci.8'/>
+      <address type='pci' domain='0x0000' bus='0x00' slot='0x02' function='0x7'/>
+    </controller>
+    <controller type='pci' index='9' model='pcie-root-port'>
+      <model name='pcie-root-port'/>
+      <target chassis='9' port='0x18'/>
+      <alias name='pci.9'/>
+      <address type='pci' domain='0x0000' bus='0x00' slot='0x03' function='0x0' multifunction='on'/>
+    </controller>
+    <controller type='pci' index='10' model='pcie-root-port'>
+      <model name='pcie-root-port'/>
+      <target chassis='10' port='0x19'/>
+      <alias name='pci.10'/>
+      <address type='pci' domain='0x0000' bus='0x00' slot='0x03' function='0x1'/>
+    </controller>
+    <controller type='pci' index='11' model='pcie-root-port'>
+      <model name='pcie-root-port'/>
+      <target chassis='11' port='0x1a'/>
+      <alias name='pci.11'/>
+      <address type='pci' domain='0x0000' bus='0x00' slot='0x03' function='0x2'/>
+    </controller>
+    <controller type='pci' index='12' model='pcie-root-port'>
+      <model name='pcie-root-port'/>
+      <target chassis='12' port='0x1b'/>
+      <alias name='pci.12'/>
+      <address type='pci' domain='0x0000' bus='0x00' slot='0x03' function='0x3'/>
+    </controller>
+    <controller type='pci' index='13' model='pcie-root-port'>
+      <model name='pcie-root-port'/>
+      <target chassis='13' port='0x1c'/>
+      <alias name='pci.13'/>
+      <address type='pci' domain='0x0000' bus='0x00' slot='0x03' function='0x4'/>
+    </controller>
+    <controller type='pci' index='14' model='pcie-root-port'>
+      <model name='pcie-root-port'/>
+      <target chassis='14' port='0x1d'/>
+      <alias name='pci.14'/>
+      <address type='pci' domain='0x0000' bus='0x00' slot='0x03' function='0x5'/>
+    </controller>
+    <controller type='sata' index='0'>
+      <alias name='ide'/>
+      <address type='pci' domain='0x0000' bus='0x00' slot='0x1f' function='0x2'/>
+    </controller>
+    <controller type='virtio-serial' index='0'>
+      <alias name='virtio-serial0'/>
+      <address type='pci' domain='0x0000' bus='0x03' slot='0x00' function='0x0'/>
+    </controller>
+    <interface type='bridge'>
+      <mac address='52:54:00:dd:33:68'/>
+      <source bridge='br0'/>
+      <target dev='vnet0'/>
+      <model type='virtio'/>
+      <alias name='net0'/>
+      <address type='pci' domain='0x0000' bus='0x01' slot='0x00' function='0x0'/>
+    </interface>
+    <serial type='pty'>
+      <source path='/dev/pts/0'/>
+      <target type='isa-serial' port='0'>
+        <model name='isa-serial'/>
+      </target>
+      <alias name='serial0'/>
+    </serial>
+    <console type='pty' tty='/dev/pts/0'>
+      <source path='/dev/pts/0'/>
+      <target type='serial' port='0'/>
+      <alias name='serial0'/>
+    </console>
+    <channel type='unix'>
+      <source mode='bind' path='/run/libvirt/qemu/channel/1-pihole/org.qemu.guest_agent.0'/>
+      <target type='virtio' name='org.qemu.guest_agent.0' state='disconnected'/>
+      <alias name='channel0'/>
+      <address type='virtio-serial' controller='0' bus='0' port='1'/>
+    </channel>
+    <channel type='spicevmc'>
+      <target type='virtio' name='com.redhat.spice.0' state='disconnected'/>
+      <alias name='channel1'/>
+      <address type='virtio-serial' controller='0' bus='0' port='2'/>
+    </channel>
+    <input type='tablet' bus='usb'>
+      <alias name='input0'/>
+      <address type='usb' bus='0' port='1'/>
+    </input>
+    <input type='mouse' bus='ps2'>
+      <alias name='input1'/>
+    </input>
+    <input type='keyboard' bus='ps2'>
+      <alias name='input2'/>
+    </input>
+    <graphics type='spice' port='5900' autoport='yes' listen='127.0.0.1'>
+      <listen type='address' address='127.0.0.1'/>
+      <image compression='off'/>
+    </graphics>
+    <sound model='ich9'>
+      <alias name='sound0'/>
+      <address type='pci' domain='0x0000' bus='0x00' slot='0x1b' function='0x0'/>
+    </sound>
+    <audio id='1' type='spice'/>
+    <video>
+      <model type='virtio' heads='1' primary='yes'/>
+      <alias name='video0'/>
+      <address type='pci' domain='0x0000' bus='0x00' slot='0x01' function='0x0'/>
+    </video>
+    <redirdev bus='usb' type='spicevmc'>
+      <alias name='redir0'/>
+      <address type='usb' bus='0' port='2'/>
+    </redirdev>
+    <redirdev bus='usb' type='spicevmc'>
+      <alias name='redir1'/>
+      <address type='usb' bus='0' port='3'/>
+    </redirdev>
+    <watchdog model='itco' action='reset'>
+      <alias name='watchdog0'/>
+    </watchdog>
+    <memballoon model='virtio'>
+      <alias name='balloon0'/>
+      <address type='pci' domain='0x0000' bus='0x05' slot='0x00' function='0x0'/>
+    </memballoon>
+    <rng model='virtio'>
+      <backend model='random'>/dev/urandom</backend>
+      <alias name='rng0'/>
+      <address type='pci' domain='0x0000' bus='0x06' slot='0x00' function='0x0'/>
+    </rng>
+  </devices>
+  <seclabel type='dynamic' model='dac' relabel='yes'>
+    <label>+958:+958</label>
+    <imagelabel>+958:+958</imagelabel>
+  </seclabel>
+</domain>
+
diff --git a/nixos/servapp/virt/pools/download.xml b/nixos/servapp/virt/pools/download.xml
new file mode 100644
index 0000000..02d2a39
--- /dev/null
+++ b/nixos/servapp/virt/pools/download.xml
@@ -0,0 +1,15 @@
+<pool type='dir'>
+  <name>download</name>
+  <uuid>146285e4-c183-4ab1-9bb6-ac5c73508702</uuid>
+  <source>
+  </source>
+  <target>
+    <path>/home/appaquet/Downloads</path>
+    <permissions>
+      <mode>0755</mode>
+      <owner>1000</owner>
+      <group>100</group>
+    </permissions>
+  </target>
+</pool>
+
diff --git a/secrets b/secrets
index dcf013a..1f78be1 160000
--- a/secrets
+++ b/secrets
@@ -1 +1 @@
-Subproject commit dcf013a62cbcc9db1cbf62727725a50e441146f5
+Subproject commit 1f78be17751b4be2dc5e75ceea9aaf7fa5531d79
diff --git a/x b/x
index d4f8d6d..3a4186b 100755
--- a/x
+++ b/x
@@ -12,13 +12,15 @@ fi
 
 HOME_CONFIG=""
 NIXOS=0
-if [[ "${MACHINE_KEY}" == "appaquet@deskapp"* || "${MACHINE_KEY}" == "appaquet@nixos"* ]]; then
+if [[ "${MACHINE_KEY}" == "appaquet@deskapp"* ]]; then
     HOME_CONFIG="appaquet@deskapp"
     HOSTNAME="deskapp"
     NIXOS=1
 
 elif [[ "${MACHINE_KEY}" == "appaquet@servapp"* ]]; then
     HOME_CONFIG="appaquet@servapp"
+    HOSTNAME="servapp"
+    NIXOS=1
 
 elif [[ "${MACHINE_KEY}" == "appaquet@mbpapp"* || "${MACHINE_KEY}" == "appaquet@mbpvmapp"* ]]; then
     HOME_CONFIG="appaquet@mbpapp"
@@ -279,9 +281,9 @@ update)
         nix flake update
 
         for shell in $(ls shells); do
-          pushd "shells/${shell}"
-          nix flake update
-          popd
+            pushd "shells/${shell}"
+            nix flake update
+            popd
         done
     else
         nix flake lock --update-input $PACKAGE

From 09f9420a4fa6b81fb0530a2d0cea827eb5c42ee8 Mon Sep 17 00:00:00 2001
From: Andre-Philippe Paquet <appaquet@gmail.com>
Date: Mon, 23 Dec 2024 12:03:43 -0500
Subject: [PATCH 2/6] servapp: nixos up

---
 nixos/deskapp/configuration.nix | 7 +------
 nixos/servapp/configuration.nix | 7 +------
 2 files changed, 2 insertions(+), 12 deletions(-)

diff --git a/nixos/deskapp/configuration.nix b/nixos/deskapp/configuration.nix
index 47fffd3..13d3de0 100644
--- a/nixos/deskapp/configuration.nix
+++ b/nixos/deskapp/configuration.nix
@@ -53,6 +53,7 @@
   networking.hosts = {
     "100.109.193.77" = [ "localhost.humanfirst.ai" ];
   };
+  networking.firewall.enable = false;
 
   # NasAPP mounts
   nasapp = {
@@ -88,12 +89,6 @@
   services.printing.enable = false;
   services.openssh.enable = true;
 
-  # Open ports in the firewall.
-  # networking.firewall.allowedTCPPorts = [ ... ];
-  # networking.firewall.allowedUDPPorts = [ ... ];
-  # Or disable the firewall altogether.
-  networking.firewall.enable = false;
-
   # This value determines the NixOS release from which the default
   # settings for stateful data, like file locations and database versions
   # on your system were taken. It‘s perfectly fine and recommended to leave
diff --git a/nixos/servapp/configuration.nix b/nixos/servapp/configuration.nix
index 4d22247..d2d6c47 100644
--- a/nixos/servapp/configuration.nix
+++ b/nixos/servapp/configuration.nix
@@ -34,6 +34,7 @@
   #   interface = "enp1s0"; # TODO: probably wrong
   #   lanIp = "192.168.0.13";
   # };
+  networking.firewall.enable = false;
 
   # NasAPP mounts
   nasapp = {
@@ -79,12 +80,6 @@
   services.printing.enable = false;
   services.openssh.enable = true;
 
-  # Open ports in the firewall.
-  # networking.firewall.allowedTCPPorts = [ ... ];
-  # networking.firewall.allowedUDPPorts = [ ... ];
-  # Or disable the firewall altogether.
-  networking.firewall.enable = false;
-
   # This value determines the NixOS release from which the default
   # settings for stateful data, like file locations and database versions
   # on your system were taken. It‘s perfectly fine and recommended to leave

From f3ba2d3e7506056f80e767995bb305427e82c4a1 Mon Sep 17 00:00:00 2001
From: Andre-Philippe Paquet <appaquet@gmail.com>
Date: Sat, 28 Dec 2024 11:50:39 -0500
Subject: [PATCH 3/6] servapp: nixos up

---
 README.md                                    |   7 ++
 nixos/common.nix                             |   2 +
 nixos/servapp/configuration-init.nix         | 122 +++++++++++++++++++
 nixos/servapp/configuration.nix              |  19 +--
 nixos/servapp/hardware-configuration.nix     |  47 +++----
 nixos/servapp/virt/domains/homeassistant.xml |  10 +-
 nixos/servapp/virt/domains/pihole.xml        |  10 +-
 nixos/virt.nix                               |   6 +
 8 files changed, 169 insertions(+), 54 deletions(-)
 create mode 100644 nixos/servapp/configuration-init.nix

diff --git a/README.md b/README.md
index 4e134a8..66736e5 100644
--- a/README.md
+++ b/README.md
@@ -81,6 +81,13 @@
    set -Ua fish_user_paths /home/appaquet/.local/utils/
    ```
   
+1. `failed: unable to open database file at ... command-not-found`
+   As root, run:
+   ```
+   nix-channel --add https://nixos.org/channels/nixos-unstable nixos
+   nix-channel --update
+   ```
+
 ## Cheat sheets
 
 ## Nix
diff --git a/nixos/common.nix b/nixos/common.nix
index 021bb2b..79f7c24 100644
--- a/nixos/common.nix
+++ b/nixos/common.nix
@@ -26,6 +26,8 @@
     shell = pkgs.fish;
     description = "appaquet";
 
+    homeMode = "0755"; # virt access to var files
+
     extraGroups = [
       "networkmanager"
       "wheel"
diff --git a/nixos/servapp/configuration-init.nix b/nixos/servapp/configuration-init.nix
new file mode 100644
index 0000000..4d7579b
--- /dev/null
+++ b/nixos/servapp/configuration-init.nix
@@ -0,0 +1,122 @@
+# Edit this configuration file to define what should be installed on
+# your system.  Help is available in the configuration.nix(5) man page
+# and in the NixOS manual (accessible by running ‘nixos-help’).
+
+{ config, pkgs, ... }:
+
+{
+  imports =
+    [ # Include the results of the hardware scan.
+      ./hardware-configuration.nix
+    ];
+
+  # Bootloader.
+  boot.loader.systemd-boot.enable = true;
+  boot.loader.efi.canTouchEfiVariables = true;
+
+  networking.hostName = "servapp"; # Define your hostname.
+  # networking.wireless.enable = true;  # Enables wireless support via wpa_supplicant.
+
+  # Configure network proxy if necessary
+  # networking.proxy.default = "http://user:password@proxy:port/";
+  # networking.proxy.noProxy = "127.0.0.1,localhost,internal.domain";
+
+  # Enable networking
+  networking.networkmanager.enable = true;
+
+  # Set your time zone.
+  time.timeZone = "America/Toronto";
+
+  # Select internationalisation properties.
+  i18n.defaultLocale = "en_CA.UTF-8";
+
+  # Enable the X11 windowing system.
+  services.xserver.enable = true;
+
+  # Enable the XFCE Desktop Environment.
+  services.xserver.displayManager.lightdm.enable = true;
+  services.xserver.desktopManager.xfce.enable = true;
+
+  # Configure keymap in X11
+  services.xserver.xkb = {
+    layout = "us";
+    variant = "";
+  };
+
+  # Enable CUPS to print documents.
+  services.printing.enable = true;
+
+  # Enable sound with pipewire.
+  hardware.pulseaudio.enable = false;
+  security.rtkit.enable = true;
+  services.pipewire = {
+    enable = true;
+    alsa.enable = true;
+    alsa.support32Bit = true;
+    pulse.enable = true;
+    # If you want to use JACK applications, uncomment this
+    #jack.enable = true;
+
+    # use the example session manager (no others are packaged yet so this is enabled by default,
+    # no need to redefine it in your config for now)
+    #media-session.enable = true;
+  };
+
+  # Enable touchpad support (enabled default in most desktopManager).
+  # services.xserver.libinput.enable = true;
+
+  # Define a user account. Don't forget to set a password with ‘passwd’.
+  users.users.appaquet = {
+    isNormalUser = true;
+    description = "appaquet";
+    extraGroups = [ "networkmanager" "wheel" ];
+    packages = with pkgs; [
+    #  thunderbird
+    ];
+  };
+
+  # Enable automatic login for the user.
+  services.xserver.displayManager.autoLogin.enable = true;
+  services.xserver.displayManager.autoLogin.user = "appaquet";
+
+  # Install firefox.
+  programs.firefox.enable = true;
+
+  # Allow unfree packages
+  nixpkgs.config.allowUnfree = true;
+
+  # List packages installed in system profile. To search, run:
+  # $ nix search wget
+  environment.systemPackages = with pkgs; [
+  #  vim # Do not forget to add an editor to edit configuration.nix! The Nano editor is also installed by default.
+  #  wget
+  ];
+
+  # Some programs need SUID wrappers, can be configured further or are
+  # started in user sessions.
+  # programs.mtr.enable = true;
+  # programs.gnupg.agent = {
+  #   enable = true;
+  #   enableSSHSupport = true;
+  # };
+
+  # List services that you want to enable:
+
+  # Enable the OpenSSH daemon.
+  services.openssh.enable = true;
+
+  # Open ports in the firewall.
+  # networking.firewall.allowedTCPPorts = [ ... ];
+  # networking.firewall.allowedUDPPorts = [ ... ];
+  # Or disable the firewall altogether.
+  # networking.firewall.enable = false;
+
+  # This value determines the NixOS release from which the default
+  # settings for stateful data, like file locations and database versions
+  # on your system were taken. It‘s perfectly fine and recommended to leave
+  # this value at the release version of the first install of this system.
+  # Before changing this value read the documentation for this option
+  # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
+  system.stateVersion = "24.11"; # Did you read the comment?
+
+}
diff --git a/nixos/servapp/configuration.nix b/nixos/servapp/configuration.nix
index d2d6c47..3ff63bf 100644
--- a/nixos/servapp/configuration.nix
+++ b/nixos/servapp/configuration.nix
@@ -8,14 +8,15 @@
     ../dev.nix
     ../docker.nix
     ../network-bridge.nix
-    ../ups.nix
+    # TODO: ../ups.nix
     ../nasapp.nix
   ];
 
   boot.loader.systemd-boot.enable = true;
   boot.loader.efi.canTouchEfiVariables = true;
-  boot.kernelPackages = pkgs.linuxPackages_latest;
-  boot.kernelParams = [ ];
+  boot.kernel.sysctl = {
+    "net.ipv6.conf.all.forwarding" = "1"; # VMs forward
+  };
 
   networking.hostName = "servapp";
 
@@ -28,12 +29,12 @@
   ];
 
   # Networking
-  # networking.networkmanager.enable = true;
-  # networking.myBridge = {
-  #   enable = true;
-  #   interface = "enp1s0"; # TODO: probably wrong
-  #   lanIp = "192.168.0.13";
-  # };
+  networking.networkmanager.enable = true;
+  networking.myBridge = {
+    enable = true;
+    interface = "enp1s0";
+    lanIp = "192.168.0.13";
+  };
   networking.firewall.enable = false;
 
   # NasAPP mounts
diff --git a/nixos/servapp/hardware-configuration.nix b/nixos/servapp/hardware-configuration.nix
index db4b963..507c6f9 100644
--- a/nixos/servapp/hardware-configuration.nix
+++ b/nixos/servapp/hardware-configuration.nix
@@ -1,43 +1,28 @@
 # Do not modify this file!  It was generated by ‘nixos-generate-config’
 # and may be overwritten by future invocations.  Please make changes
 # to /etc/nixos/configuration.nix instead.
-{
-  config,
-  lib,
-  modulesPath,
-  ...
-}:
+{ config, lib, pkgs, modulesPath, ... }:
 
 {
-  imports = [
-    (modulesPath + "/installer/scan/not-detected.nix")
-  ];
+  imports =
+    [ (modulesPath + "/installer/scan/not-detected.nix")
+    ];
 
-  boot.initrd.availableKernelModules = [
-    "nvme"
-    "xhci_pci"
-    "ahci"
-    "usbhid"
-    "usb_storage"
-    "sd_mod"
-  ];
+  boot.initrd.availableKernelModules = [ "nvme" "xhci_pci" "usbhid" "usb_storage" "uas" "sd_mod" ];
   boot.initrd.kernelModules = [ ];
   boot.kernelModules = [ "kvm-amd" ];
   boot.extraModulePackages = [ ];
 
-  fileSystems."/" = {
-    device = "/dev/disk/by-uuid/141971f9-e5ed-4eec-b306-a7b3db3d005d";
-    fsType = "ext4";
-  };
+  fileSystems."/" =
+    { device = "/dev/disk/by-uuid/43e201c8-72e4-4164-9883-a88b5d73e401";
+      fsType = "ext4";
+    };
 
-  fileSystems."/boot" = {
-    device = "/dev/disk/by-uuid/8A5E-82A3";
-    fsType = "vfat";
-    options = [
-      "fmask=0022"
-      "dmask=0022"
-    ];
-  };
+  fileSystems."/boot" =
+    { device = "/dev/disk/by-uuid/D192-E6E9";
+      fsType = "vfat";
+      options = [ "fmask=0077" "dmask=0077" ];
+    };
 
   swapDevices = [ ];
 
@@ -46,7 +31,9 @@
   # still possible to use this option, but it's recommended to use it in conjunction
   # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
   networking.useDHCP = lib.mkDefault true;
-  networking.interfaces.eno1.useDHCP = false;
+  # networking.interfaces.enp1s0.useDHCP = lib.mkDefault true;
+  # networking.interfaces.enp3s0.useDHCP = lib.mkDefault true;
+  # networking.interfaces.wlp4s0.useDHCP = lib.mkDefault true;
 
   nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
   hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
diff --git a/nixos/servapp/virt/domains/homeassistant.xml b/nixos/servapp/virt/domains/homeassistant.xml
index 60b429e..1f6c1a9 100644
--- a/nixos/servapp/virt/domains/homeassistant.xml
+++ b/nixos/servapp/virt/domains/homeassistant.xml
@@ -12,12 +12,8 @@
   <resource>
     <partition>/machine</partition>
   </resource>
-  <os firmware='efi'>
+  <os>
     <type arch='x86_64' machine='pc-q35-8.0'>hvm</type>
-    <firmware>
-      <feature enabled='no' name='enrolled-keys'/>
-      <feature enabled='no' name='secure-boot'/>
-    </firmware>
     <loader readonly='yes' type='pflash'>/run/libvirt/nix-ovmf/OVMF_CODE.fd</loader>
     <nvram template='/run/libvirt/nix-ovmf/OVMF_VARS.fd'>/home/appaquet/homeassistant/OVMF_VARS.fd</nvram>
     <boot dev='hd'/>
@@ -173,7 +169,7 @@
     <channel type='spicevmc'>
       <target type='virtio' name='com.redhat.spice.0' state='disconnected'/>
       <alias name='channel0'/>
-      <address type='virtio-serial' controller='0' bus='0' port='1'/>
+      <address type='virtio-serial' controller='0' bus='0' port='2'/>
     </channel>
     <channel type='unix'>
       <target type='virtio' name='org.qemu.guest_agent.0'/>
@@ -207,7 +203,6 @@
       <source>
         <vendor id='0x10c4'/>
         <product id='0xea60'/>
-        <address bus='3' device='7'/>
       </source>
       <alias name='hostdev0'/>
       <address type='usb' bus='0' port='4'/>
@@ -216,7 +211,6 @@
       <source>
         <vendor id='0x0658'/>
         <product id='0x0200'/>
-        <address bus='3' device='4'/>
       </source>
       <alias name='hostdev1'/>
       <address type='usb' bus='0' port='5'/>
diff --git a/nixos/servapp/virt/domains/pihole.xml b/nixos/servapp/virt/domains/pihole.xml
index 9758185..3e409e9 100644
--- a/nixos/servapp/virt/domains/pihole.xml
+++ b/nixos/servapp/virt/domains/pihole.xml
@@ -12,14 +12,10 @@
   <resource>
     <partition>/machine</partition>
   </resource>
-  <os firmware='efi'>
+  <os>
     <type arch='x86_64' machine='pc-q35-8.2'>hvm</type>
-    <firmware>
-      <feature enabled='no' name='enrolled-keys'/>
-      <feature enabled='yes' name='secure-boot'/>
-    </firmware>
     <loader readonly='yes' type='pflash'>/run/libvirt/nix-ovmf/OVMF_CODE.fd</loader>
-    <nvram template='/run/libvirt/nix-ovmf/OVMF_VARS.fd'>/home/appaquet/pihole/OVMF_VARS.fd</nvram>
+    <nvram template='/run/libvirt/nix-ovmf/OVMF_VARS.fd'>/var/lib/libvirt/qemu/nvram/pihole_VARS.fd</nvram>
     <boot dev='hd'/>
   </os>
   <features>
@@ -42,7 +38,7 @@
     <suspend-to-disk enabled='no'/>
   </pm>
   <devices>
-    <emulator>/usr/bin/qemu-system-x86_64</emulator>
+    <emulator>/run/libvirt/nix-emulators/qemu-system-x86_64</emulator>
     <disk type='file' device='disk'>
       <driver name='qemu' type='qcow2' discard='unmap'/>
       <source file='/home/appaquet/pihole/pihole.qcow2' index='2'/>
diff --git a/nixos/virt.nix b/nixos/virt.nix
index 394aa4a..6683b04 100644
--- a/nixos/virt.nix
+++ b/nixos/virt.nix
@@ -29,6 +29,12 @@
     ];
   };
 
+  # Allow ipv6 forward via bridge
+  networking.firewall.extraCommands = ''
+    ip6tables -A FORWARD -i br0 -o br0 -j ACCEPT
+    ip6tables -A FORWARD -i br0 -j ACCEPT
+  '';
+
   # Allow virsh to be run without password
   security.sudo = {
     extraRules = [

From b852e2eabb43bfe3c0da96f1e9749dedebfcd353 Mon Sep 17 00:00:00 2001
From: Andre-Philippe Paquet <appaquet@gmail.com>
Date: Sat, 28 Dec 2024 13:51:40 -0500
Subject: [PATCH 4/6] servapp: nixos up

---
 nixos/servapp/configuration-init.nix         | 19 +++++----
 nixos/servapp/configuration.nix              |  3 --
 nixos/servapp/hardware-configuration.nix     | 44 +++++++++++++-------
 nixos/servapp/virt/default.nix               | 31 ++++++++++++++
 nixos/servapp/virt/domains/homeassistant.xml | 20 +++++----
 nixos/servapp/virt/domains/pihole.xml        | 18 ++++----
 nixos/virt.nix                               |  7 +---
 7 files changed, 93 insertions(+), 49 deletions(-)

diff --git a/nixos/servapp/configuration-init.nix b/nixos/servapp/configuration-init.nix
index 4d7579b..ffc0f92 100644
--- a/nixos/servapp/configuration-init.nix
+++ b/nixos/servapp/configuration-init.nix
@@ -5,10 +5,10 @@
 { config, pkgs, ... }:
 
 {
-  imports =
-    [ # Include the results of the hardware scan.
-      ./hardware-configuration.nix
-    ];
+  imports = [
+    # Include the results of the hardware scan.
+    ./hardware-configuration.nix
+  ];
 
   # Bootloader.
   boot.loader.systemd-boot.enable = true;
@@ -69,9 +69,12 @@
   users.users.appaquet = {
     isNormalUser = true;
     description = "appaquet";
-    extraGroups = [ "networkmanager" "wheel" ];
+    extraGroups = [
+      "networkmanager"
+      "wheel"
+    ];
     packages = with pkgs; [
-    #  thunderbird
+      #  thunderbird
     ];
   };
 
@@ -88,8 +91,8 @@
   # List packages installed in system profile. To search, run:
   # $ nix search wget
   environment.systemPackages = with pkgs; [
-  #  vim # Do not forget to add an editor to edit configuration.nix! The Nano editor is also installed by default.
-  #  wget
+    #  vim # Do not forget to add an editor to edit configuration.nix! The Nano editor is also installed by default.
+    #  wget
   ];
 
   # Some programs need SUID wrappers, can be configured further or are
diff --git a/nixos/servapp/configuration.nix b/nixos/servapp/configuration.nix
index 3ff63bf..f98eb92 100644
--- a/nixos/servapp/configuration.nix
+++ b/nixos/servapp/configuration.nix
@@ -14,9 +14,6 @@
 
   boot.loader.systemd-boot.enable = true;
   boot.loader.efi.canTouchEfiVariables = true;
-  boot.kernel.sysctl = {
-    "net.ipv6.conf.all.forwarding" = "1"; # VMs forward
-  };
 
   networking.hostName = "servapp";
 
diff --git a/nixos/servapp/hardware-configuration.nix b/nixos/servapp/hardware-configuration.nix
index 507c6f9..8ddbea0 100644
--- a/nixos/servapp/hardware-configuration.nix
+++ b/nixos/servapp/hardware-configuration.nix
@@ -1,28 +1,44 @@
 # Do not modify this file!  It was generated by ‘nixos-generate-config’
 # and may be overwritten by future invocations.  Please make changes
 # to /etc/nixos/configuration.nix instead.
-{ config, lib, pkgs, modulesPath, ... }:
+{
+  config,
+  lib,
+  pkgs,
+  modulesPath,
+  ...
+}:
 
 {
-  imports =
-    [ (modulesPath + "/installer/scan/not-detected.nix")
-    ];
+  imports = [
+    (modulesPath + "/installer/scan/not-detected.nix")
+  ];
 
-  boot.initrd.availableKernelModules = [ "nvme" "xhci_pci" "usbhid" "usb_storage" "uas" "sd_mod" ];
+  boot.initrd.availableKernelModules = [
+    "nvme"
+    "xhci_pci"
+    "usbhid"
+    "usb_storage"
+    "uas"
+    "sd_mod"
+  ];
   boot.initrd.kernelModules = [ ];
   boot.kernelModules = [ "kvm-amd" ];
   boot.extraModulePackages = [ ];
 
-  fileSystems."/" =
-    { device = "/dev/disk/by-uuid/43e201c8-72e4-4164-9883-a88b5d73e401";
-      fsType = "ext4";
-    };
+  fileSystems."/" = {
+    device = "/dev/disk/by-uuid/43e201c8-72e4-4164-9883-a88b5d73e401";
+    fsType = "ext4";
+  };
 
-  fileSystems."/boot" =
-    { device = "/dev/disk/by-uuid/D192-E6E9";
-      fsType = "vfat";
-      options = [ "fmask=0077" "dmask=0077" ];
-    };
+  fileSystems."/boot" = {
+    device = "/dev/disk/by-uuid/D192-E6E9";
+    fsType = "vfat";
+    options = [
+      "fmask=0077"
+      "dmask=0077"
+    ];
+  };
 
   swapDevices = [ ];
 
diff --git a/nixos/servapp/virt/default.nix b/nixos/servapp/virt/default.nix
index 6b75aec..2150139 100644
--- a/nixos/servapp/virt/default.nix
+++ b/nixos/servapp/virt/default.nix
@@ -1,5 +1,6 @@
 {
   inputs,
+  pkgs,
   ...
 }:
 
@@ -30,4 +31,34 @@
       };
     };
   };
+
+  # VMs ipv6 forward
+  boot.kernel.sysctl = {
+    "net.ipv6.conf.all.forwarding" = "1";
+  };
+
+  # VMs aren't automatically starting since they require USB devices
+  # that may not be mounted yet (see <https://github.com/NixOS/nixpkgs/issues/227636>)
+  #
+  # Also forward ipv6 to bridge devices
+  systemd.services.virt-start-vms = {
+    description = "Starts VMs after system fully booted";
+    after = [ "display-manager.service" "libvirtd.service" ];
+    requires = [ "display-manager.service" "libvirtd.service" ];
+    serviceConfig = {
+      Type = "oneshot";
+      ExecStart = "${pkgs.writeShellScript "start-vms" ''
+        #!/run/current-system/sw/bin/bash
+        
+        ${pkgs.iptables}/bin/ip6tables -A FORWARD -i br0 -o br0 -j ACCEPT
+        ${pkgs.iptables}/bin/ip6tables -A FORWARD -i br0 -j ACCEPT
+
+        sleep 10 # Really make sure usb is ready
+
+        ${pkgs.libvirt}/bin/virsh start homeassistant || true
+        ${pkgs.libvirt}/bin/virsh start pihole || true
+      ''}";
+    };
+    wantedBy = [ "multi-user.target" ];
+  };
 }
diff --git a/nixos/servapp/virt/domains/homeassistant.xml b/nixos/servapp/virt/domains/homeassistant.xml
index 1f6c1a9..9bcd126 100644
--- a/nixos/servapp/virt/domains/homeassistant.xml
+++ b/nixos/servapp/virt/domains/homeassistant.xml
@@ -1,4 +1,4 @@
-<domain type='kvm' id='2'>
+<domain type='kvm' id='3'>
   <name>homeassistant</name>
   <uuid>594f25c4-862c-448c-8154-4666f6f36718</uuid>
   <metadata>
@@ -148,21 +148,21 @@
     <interface type='bridge'>
       <mac address='52:54:00:a3:77:84'/>
       <source bridge='br0'/>
-      <target dev='vnet1'/>
+      <target dev='vnet2'/>
       <model type='virtio'/>
       <link state='up'/>
       <alias name='net0'/>
       <address type='pci' domain='0x0000' bus='0x01' slot='0x00' function='0x0'/>
     </interface>
     <serial type='pty'>
-      <source path='/dev/pts/1'/>
+      <source path='/dev/pts/0'/>
       <target type='isa-serial' port='0'>
         <model name='isa-serial'/>
       </target>
       <alias name='serial0'/>
     </serial>
-    <console type='pty' tty='/dev/pts/1'>
-      <source path='/dev/pts/1'/>
+    <console type='pty' tty='/dev/pts/0'>
+      <source path='/dev/pts/0'/>
       <target type='serial' port='0'/>
       <alias name='serial0'/>
     </console>
@@ -172,7 +172,9 @@
       <address type='virtio-serial' controller='0' bus='0' port='2'/>
     </channel>
     <channel type='unix'>
-      <target type='virtio' name='org.qemu.guest_agent.0'/>
+      <source mode='bind' path='/run/libvirt/qemu/channel/3-homeassistant/org.qemu.guest_agent.0'/>
+      <target type='virtio' name='org.qemu.guest_agent.0' state='connected'/>
+      <alias name='channel1'/>
       <address type='virtio-serial' controller='0' bus='0' port='1'/>
     </channel>
     <input type='tablet' bus='usb'>
@@ -185,7 +187,7 @@
     <input type='keyboard' bus='ps2'>
       <alias name='input2'/>
     </input>
-    <graphics type='spice' port='5901' autoport='yes' listen='127.0.0.1'>
+    <graphics type='spice' port='5900' autoport='yes' listen='127.0.0.1'>
       <listen type='address' address='127.0.0.1'/>
       <image compression='off'/>
     </graphics>
@@ -237,8 +239,8 @@
     </rng>
   </devices>
   <seclabel type='dynamic' model='dac' relabel='yes'>
-    <label>+958:+958</label>
-    <imagelabel>+958:+958</imagelabel>
+    <label>+301:+301</label>
+    <imagelabel>+301:+301</imagelabel>
   </seclabel>
 </domain>
 
diff --git a/nixos/servapp/virt/domains/pihole.xml b/nixos/servapp/virt/domains/pihole.xml
index 3e409e9..eb53a9d 100644
--- a/nixos/servapp/virt/domains/pihole.xml
+++ b/nixos/servapp/virt/domains/pihole.xml
@@ -1,4 +1,4 @@
-<domain type='kvm' id='1'>
+<domain type='kvm' id='2'>
   <name>pihole</name>
   <uuid>b60eab6c-bf2d-4a7b-841c-a2235c6a3654</uuid>
   <metadata>
@@ -156,25 +156,25 @@
     <interface type='bridge'>
       <mac address='52:54:00:dd:33:68'/>
       <source bridge='br0'/>
-      <target dev='vnet0'/>
+      <target dev='vnet1'/>
       <model type='virtio'/>
       <alias name='net0'/>
       <address type='pci' domain='0x0000' bus='0x01' slot='0x00' function='0x0'/>
     </interface>
     <serial type='pty'>
-      <source path='/dev/pts/0'/>
+      <source path='/dev/pts/1'/>
       <target type='isa-serial' port='0'>
         <model name='isa-serial'/>
       </target>
       <alias name='serial0'/>
     </serial>
-    <console type='pty' tty='/dev/pts/0'>
-      <source path='/dev/pts/0'/>
+    <console type='pty' tty='/dev/pts/1'>
+      <source path='/dev/pts/1'/>
       <target type='serial' port='0'/>
       <alias name='serial0'/>
     </console>
     <channel type='unix'>
-      <source mode='bind' path='/run/libvirt/qemu/channel/1-pihole/org.qemu.guest_agent.0'/>
+      <source mode='bind' path='/run/libvirt/qemu/channel/2-pihole/org.qemu.guest_agent.0'/>
       <target type='virtio' name='org.qemu.guest_agent.0' state='disconnected'/>
       <alias name='channel0'/>
       <address type='virtio-serial' controller='0' bus='0' port='1'/>
@@ -194,7 +194,7 @@
     <input type='keyboard' bus='ps2'>
       <alias name='input2'/>
     </input>
-    <graphics type='spice' port='5900' autoport='yes' listen='127.0.0.1'>
+    <graphics type='spice' port='5901' autoport='yes' listen='127.0.0.1'>
       <listen type='address' address='127.0.0.1'/>
       <image compression='off'/>
     </graphics>
@@ -230,8 +230,8 @@
     </rng>
   </devices>
   <seclabel type='dynamic' model='dac' relabel='yes'>
-    <label>+958:+958</label>
-    <imagelabel>+958:+958</imagelabel>
+    <label>+301:+301</label>
+    <imagelabel>+301:+301</imagelabel>
   </seclabel>
 </domain>
 
diff --git a/nixos/virt.nix b/nixos/virt.nix
index 6683b04..9eeb282 100644
--- a/nixos/virt.nix
+++ b/nixos/virt.nix
@@ -7,6 +7,7 @@
   # - https://nixos.wiki/wiki/Libvirt
   virtualisation.libvirtd = {
     enable = true;
+    onBoot = "ignore"; # don't resume running vms automatically
 
     qemu = {
       package = pkgs.qemu_kvm;
@@ -29,12 +30,6 @@
     ];
   };
 
-  # Allow ipv6 forward via bridge
-  networking.firewall.extraCommands = ''
-    ip6tables -A FORWARD -i br0 -o br0 -j ACCEPT
-    ip6tables -A FORWARD -i br0 -j ACCEPT
-  '';
-
   # Allow virsh to be run without password
   security.sudo = {
     extraRules = [

From 204d9591ac81de15f0cc5b62a7f27069a53aa72a Mon Sep 17 00:00:00 2001
From: Andre-Philippe Paquet <appaquet@gmail.com>
Date: Sat, 28 Dec 2024 15:04:09 -0500
Subject: [PATCH 5/6] servapp: nixos up

---
 nixos/servapp/virt/default.nix               | 2 +-
 nixos/servapp/virt/domains/homeassistant.xml | 2 --
 2 files changed, 1 insertion(+), 3 deletions(-)

diff --git a/nixos/servapp/virt/default.nix b/nixos/servapp/virt/default.nix
index 2150139..08eb803 100644
--- a/nixos/servapp/virt/default.nix
+++ b/nixos/servapp/virt/default.nix
@@ -53,7 +53,7 @@
         ${pkgs.iptables}/bin/ip6tables -A FORWARD -i br0 -o br0 -j ACCEPT
         ${pkgs.iptables}/bin/ip6tables -A FORWARD -i br0 -j ACCEPT
 
-        sleep 10 # Really make sure usb is ready
+        sleep 30 # Really make sure usb is ready
 
         ${pkgs.libvirt}/bin/virsh start homeassistant || true
         ${pkgs.libvirt}/bin/virsh start pihole || true
diff --git a/nixos/servapp/virt/domains/homeassistant.xml b/nixos/servapp/virt/domains/homeassistant.xml
index 9bcd126..b7676c6 100644
--- a/nixos/servapp/virt/domains/homeassistant.xml
+++ b/nixos/servapp/virt/domains/homeassistant.xml
@@ -207,7 +207,6 @@
         <product id='0xea60'/>
       </source>
       <alias name='hostdev0'/>
-      <address type='usb' bus='0' port='4'/>
     </hostdev>
     <hostdev mode='subsystem' type='usb' managed='yes'>
       <source>
@@ -215,7 +214,6 @@
         <product id='0x0200'/>
       </source>
       <alias name='hostdev1'/>
-      <address type='usb' bus='0' port='5'/>
     </hostdev>
     <redirdev bus='usb' type='spicevmc'>
       <alias name='redir0'/>

From 50301ff158a1368374a4fe6102781f46b545636d Mon Sep 17 00:00:00 2001
From: Andre-Philippe Paquet <appaquet@gmail.com>
Date: Sat, 28 Dec 2024 15:05:17 -0500
Subject: [PATCH 6/6] servapp: nixos up

---
 flake.lock | 18 +++++++++---------
 1 file changed, 9 insertions(+), 9 deletions(-)

diff --git a/flake.lock b/flake.lock
index 7122db4..bac4f22 100644
--- a/flake.lock
+++ b/flake.lock
@@ -7,11 +7,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1733570843,
-        "narHash": "sha256-sQJAxY1TYWD1UyibN/FnN97paTFuwBw3Vp3DNCyKsMk=",
+        "lastModified": 1735218083,
+        "narHash": "sha256-MoUAbmXz9TEr7zlKDRO56DBJHe30+7B5X7nhXm+Vpc8=",
         "owner": "lnl7",
         "repo": "nix-darwin",
-        "rev": "a35b08d09efda83625bef267eb24347b446c80b8",
+        "rev": "bc03f7818771a75716966ce8c23110b715eff2aa",
         "type": "github"
       },
       "original": {
@@ -384,11 +384,11 @@
     },
     "nixpkgs_3": {
       "locked": {
-        "lastModified": 1734737257,
-        "narHash": "sha256-GIMyMt1pkkoXdCq9un859bX6YQZ/iYtukb9R5luazLM=",
+        "lastModified": 1735141468,
+        "narHash": "sha256-VIAjBr1qGcEbmhLwQJD6TABppPMggzOvqFsqkDoMsAY=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "1c6e20d41d6a9c1d737945962160e8571df55daa",
+        "rev": "4005c3ff7505313cbc21081776ad0ce5dfd7a3ce",
         "type": "github"
       },
       "original": {
@@ -441,11 +441,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1734973134,
-        "narHash": "sha256-44vUcOsZRHWqV02XfCHfD1HUxAi/ODLRRxBHKtNH79E=",
+        "lastModified": 1735245536,
+        "narHash": "sha256-qLG15OwT0ZvnZSl+L6T9x3TKd291SoSym0ZGqjtOEgw=",
         "owner": "appaquet",
         "repo": "dotfiles-secrets",
-        "rev": "1f78be17751b4be2dc5e75ceea9aaf7fa5531d79",
+        "rev": "514b740e18ee1f5bf7b443a94c9fd631dd09757f",
         "type": "github"
       },
       "original": {