rename: temp_16tb -> Poup_16T throughout

- Module renamed to poup-16t-disk.nix - Option namespace: gortium.poup16t (was gortium.temp16tb) - LUKS name: poup_16t (was temp_16tb) - Mount point: /mnt/Poup_16T (was /mnt/temp_16tb) - btrbk instance: poup16t (was temp16tb) - flake.nix import and host config updated
feat: add btrfs + btrbk module for 16TB data disk
2026-06-17 14:57:37 -04:00 · 2026-06-17 14:51:47 -04:00 · 2026-06-06 13:19:19 +00:00 · 2026-06-06 09:16:23 -04:00 · 2026-06-05 23:38:21 -04:00 · 2026-06-05 23:33:10 -04:00
24 changed files with 587 additions and 996 deletions
--- a/.gitmodules
+++ b/.gitmodules
@@ -1,7 +1,3 @@
 [submodule "assets/compose"]
 	path = assets/compose
 	url = ssh://git@code.lazyworkhorse.net:2222/gortium/compose.git
 [submodule "assets/dotfiles"]
 	path = assets/dotfiles
 	url = ssh://git@code.lazyworkhorse.net:2222/gortium/dotfiles.git
 	branch = master
--- a/assets/dotfiles
+++ b/assets/dotfiles
--- a/assets/ollama/Dockerfile
+++ b/assets/ollama/Dockerfile
@@ -0,0 +1,106 @@
 # ollama-gfx906/Dockerfile
 #
 # Custom ollama image with ROCm 6.1 + gfx906 (MI50) support.
 # The official ollama/rocm image ships ROCm 7.2 which dropped gfx906.
 # This uses v0.23.2's native CMake build system with AMDGPU_TARGETS including gfx906.
 #
 # Build: docker build -t ollama/ollama:rocm-gfx906 ai/ollama
 FROM rocm/dev-ubuntu-22.04:6.1.2-complete AS builder
 # Build dependencies (CMake, Ninja, Go)
 ARG CMAKEVERSION=3.31.2
 ARG NINJAVERSION=1.12.1
 ARG GOLANG_VERSION=1.22.0
 RUN apt-get update && DEBIAN_FRONTEND=noninteractive apt-get install -y \
    curl git ccache build-essential pkg-config unzip \
    && rm -rf /var/lib/apt/lists/*
 # Install CMake from official binaries
 RUN curl -fsSL https://github.com/Kitware/CMake/releases/download/v${CMAKEVERSION}/cmake-${CMAKEVERSION}-linux-x86_64.tar.gz \
    | tar xz -C /usr/local --strip-components 1
 # Install Ninja
 RUN curl -fsSL -o /tmp/ninja.zip \
    https://github.com/ninja-build/ninja/releases/download/v${NINJAVERSION}/ninja-linux.zip \
    && unzip /tmp/ninja.zip -d /usr/local/bin && rm /tmp/ninja.zip
 # Install Go
 RUN curl -fsSL https://go.dev/dl/go${GOLANG_VERSION}.linux-amd64.tar.gz \
    | tar xz -C /usr/local
 ENV PATH=/usr/local/go/bin:$PATH
 ARG OLLAMA_VERSION=v0.23.2
 RUN git clone --depth 1 --branch ${OLLAMA_VERSION} https://github.com/ollama/ollama.git /build
 WORKDIR /build
 # ROCm paths
 ENV HIP_PATH=/opt/rocm
 ENV ROCM_PATH=/opt/rocm
 ENV CMAKE_GENERATOR=Ninja
 ENV LDFLAGS=-s
 # Step 1: Build CPU backends with GCC (no ROCm preset)
 # Pre-set CMAKE_HIP_COMPILER="" to prevent check_language(HIP) from
 # finding a HIP compiler (it searches /opt/rocm even without PATH).
 # Remove /opt/rocm from PATH to prevent find_program from finding hipcc.
 RUN mkdir -p build-cpu && \
    PATH=/usr/local/go/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin \
    cmake -B build-cpu -DCMAKE_BUILD_TYPE=Release \
      -DCMAKE_HIP_COMPILER="" \
      -DCMAKE_INSTALL_PREFIX=/build/dist && \
    cmake --build build-cpu --target ggml-cpu -- -l $(nproc) && \
    cmake --install build-cpu --component CPU --strip && \
    echo "=== CPU install ===" && \
    (find /build/dist/lib/ollama -type f -o -type l 2>&1 | head -20 || echo "empty")
 # Step 2: Build HIP backend with ROCm preset + gfx906 target only
 # The ROCm 6 preset enables HIP language detection (enable_language(HIP))
 # which ensures GPU kernels are properly compiled for gfx906.
 # OLLAMA_RUNNER_DIR=rocm from the preset, so HIP goes to lib/ollama/rocm/
 # Need CMAKE_PREFIX_PATH so find_package(hip) finds hip-config.cmake
 # at /opt/rocm/lib/cmake/hip/hip-config.cmake.
 RUN mkdir -p build-hip && \
    cmake -B build-hip \
      --preset 'ROCm 6' \
      -DAMDGPU_TARGETS="gfx906:xnack-" \
      -DCMAKE_BUILD_TYPE=Release \
      -DCMAKE_PREFIX_PATH="/opt/rocm" && \
    cmake --build build-hip --target ggml-hip -- -l $(nproc) && \
    cmake --install build-hip --component HIP --strip && \
    echo "=== HIP install ===" && \
    find /build/dist/lib/ollama -type f -o -type l | head -20
 # Step 3: Build Go binary (GCC for CGo linking)
 ENV CGO_ENABLED=1
 RUN go build -trimpath -ldflags="-X=github.com/ollama/ollama/version.Version=${OLLAMA_VERSION}" -o /build/dist/ollama .
 # ---------- Runtime image ----------
 FROM ubuntu:24.04
 RUN apt-get update && DEBIAN_FRONTEND=noninteractive apt-get install -y \
    ca-certificates curl libstdc++6 libgomp1 libvulkan1 libopenblas0 \
    && rm -rf /var/lib/apt/lists/*
 # Copy ROCm 6.1 runtime libraries
 # These are needed at runtime by ggml-hip via LD_LIBRARY_PATH
 COPY --from=builder /opt/rocm/lib/ /opt/rocm/lib/
 COPY --from=builder /opt/rocm/share/ /opt/rocm/share/
 # Copy ollama binary + all backends (CPU + HIP)
 # CPU install:  /build/dist/lib/ollama/libggml-*.so
 # HIP install:  /build/dist/lib/ollama/rocm/libggml-hip.so
 COPY --from=builder /build/dist/ollama /usr/bin/ollama
 COPY --from=builder /build/dist/lib/ollama/ /usr/lib/ollama/
 RUN ldconfig
 ENV LD_LIBRARY_PATH=/opt/rocm/lib:/usr/lib/ollama/rocm:/usr/lib/ollama
 ENV HSA_OVERRIDE_GFX_VERSION=9.0.6
 ENV HCC_AMDGPU_TARGET=gfx906
 ENV HSA_ENABLE_SDMA=0
 EXPOSE 11434
 ENTRYPOINT ["/bin/ollama"]
 CMD ["serve"]
--- a/flake.lock
+++ b/flake.lock
@@ -23,22 +23,6 @@
        "type": "github"
      }
    },
    "argononed": {
      "flake": false,
      "locked": {
        "lastModified": 1729566243,
        "narHash": "sha256-DPNI0Dpk5aym3Baf5UbEe5GENDrSmmXVdriRSWE+rgk=",
        "owner": "nvmd",
        "repo": "argononed",
        "rev": "16dbee54d49b66d5654d228d1061246b440ef7cf",
        "type": "github"
      },
      "original": {
        "owner": "nvmd",
        "repo": "argononed",
        "type": "github"
      }
    },
    "flake-compat": {
      "flake": false,
      "locked": {
@@ -53,21 +37,6 @@
        "url": "https://git.lix.systems/lix-project/flake-compat/archive/main.tar.gz"
      }
    },
    "flake-compat_2": {
      "locked": {
        "lastModified": 1767039857,
        "narHash": "sha256-vNpUSpF5Nuw8xvDLj2KCwwksIbjua2LZCqhV1LNRDns=",
        "owner": "edolstra",
        "repo": "flake-compat",
        "rev": "5edf11c44bc78a0d334f6334cdaf7d60d732daab",
        "type": "github"
      },
      "original": {
        "owner": "edolstra",
        "repo": "flake-compat",
        "type": "github"
      }
    },
    "home-manager": {
      "inputs": {
        "nixpkgs": [
@@ -89,27 +58,6 @@
        "type": "github"
      }
    },
    "home-manager_2": {
      "inputs": {
        "nixpkgs": [
          "nixpkgs-uconsole"
        ]
      },
      "locked": {
        "lastModified": 1779506708,
        "narHash": "sha256-QOD/CNm196nCJRheux/URi4/HE66fthdOMqCJoPP1Y0=",
        "owner": "nix-community",
        "repo": "home-manager",
        "rev": "3ee51fbdac8c8bdfe1e7e1fcaba6520a563f394f",
        "type": "github"
      },
      "original": {
        "owner": "nix-community",
        "ref": "release-25.11",
        "repo": "home-manager",
        "type": "github"
      }
    },
    "lix": {
      "inputs": {
        "flake-compat": "flake-compat",
@@ -196,80 +144,6 @@
        "type": "github"
      }
    },
    "nixos-images": {
      "inputs": {
        "nixos-stable": [
          "nixos-raspberrypi",
          "nixpkgs"
        ],
        "nixos-unstable": [
          "nixos-raspberrypi",
          "nixpkgs"
        ]
      },
      "locked": {
        "lastModified": 1747747741,
        "narHash": "sha256-LUOH27unNWbGTvZFitHonraNx0JF/55h30r9WxqrznM=",
        "owner": "nvmd",
        "repo": "nixos-images",
        "rev": "cbbd6db325775096680b65e2a32fb6187c09bbb4",
        "type": "github"
      },
      "original": {
        "owner": "nvmd",
        "ref": "sdimage-installer",
        "repo": "nixos-images",
        "type": "github"
      }
    },
    "nixos-raspberrypi": {
      "inputs": {
        "argononed": "argononed",
        "flake-compat": "flake-compat_2",
        "nixos-images": "nixos-images",
        "nixpkgs": [
          "nixpkgs-uconsole"
        ]
      },
      "locked": {
        "lastModified": 1781324200,
        "narHash": "sha256-JWqxN2Yle86+4Q+GFh12SvB92ZyLeqalVsN9lfMh6eQ=",
        "owner": "gortium",
        "repo": "nixos-raspberrypi",
        "rev": "721a6e9e67dca3a23133db650b87018646bca3e6",
        "type": "github"
      },
      "original": {
        "owner": "gortium",
        "ref": "cm5-cross-v1",
        "repo": "nixos-raspberrypi",
        "type": "github"
      }
    },
    "nixos-uconsole": {
      "inputs": {
        "nixos-raspberrypi": [
          "nixos-raspberrypi"
        ],
        "nixpkgs": [
          "nixpkgs-uconsole"
        ]
      },
      "locked": {
        "lastModified": 1781476310,
        "narHash": "sha256-jY6ujqLXNAWJGvt+pAuw1Wg/OiHRGd1B1Z7Czhiq7Q4=",
        "owner": "gortium",
        "repo": "nixos-uconsole",
        "rev": "38a7fcbffbf2d2e122bc1e1c634fe25f66ecda13",
        "type": "github"
      },
      "original": {
        "owner": "gortium",
        "ref": "pr/dcs-panel-detection",
        "repo": "nixos-uconsole",
        "type": "github"
      }
    },
    "nixpkgs": {
      "locked": {
        "lastModified": 1705033721,
@@ -302,22 +176,6 @@
        "type": "github"
      }
    },
    "nixpkgs-uconsole": {
      "locked": {
        "lastModified": 1780952837,
        "narHash": "sha256-Fwd1+spDtQ0hDyBwme6ufG3n4mY0UrjjFdYHv+G/Hds=",
        "owner": "NixOS",
        "repo": "nixpkgs",
        "rev": "e820eb4a444b46a19b2e03e8dfd2359439ff30fe",
        "type": "github"
      },
      "original": {
        "owner": "NixOS",
        "ref": "nixos-25.11",
        "repo": "nixpkgs",
        "type": "github"
      }
    },
    "nixpkgs_2": {
      "locked": {
        "lastModified": 1774386573,
@@ -353,12 +211,8 @@
    "root": {
      "inputs": {
        "agenix": "agenix",
        "home-manager": "home-manager_2",
        "lix": "lix",
-        "nixos-raspberrypi": "nixos-raspberrypi",
+        "nixpkgs": "nixpkgs_2"
        "nixos-uconsole": "nixos-uconsole",
        "nixpkgs": "nixpkgs_2",
        "nixpkgs-uconsole": "nixpkgs-uconsole"
      }
    },
    "systems": {
--- a/flake.nix
+++ b/flake.nix
@@ -12,26 +12,18 @@
      url = "git+https://git.lix.systems/lix-project/lix?ref=main";
      inputs.nixpkgs.follows = "nixpkgs";
    };
    nixpkgs-uconsole.url = "github:NixOS/nixpkgs/nixos-25.11";
    nixos-uconsole = {
-      url = "github:gortium/nixos-uconsole/pr/dcs-panel-detection";
+      url = "github:nixos-uconsole/nixos-uconsole";
-      inputs.nixpkgs.follows = "nixpkgs-uconsole";
+      inputs.nixpkgs.follows = "nixpkgs";
      inputs.nixos-raspberrypi.follows = "nixos-raspberrypi";
    };
    nixos-raspberrypi = {
-      url = "github:gortium/nixos-raspberrypi/cm5-cross-v1";
+      url = "github:nvmd/nixos-raspberrypi/v1.20260517.0";
-      inputs.nixpkgs.follows = "nixpkgs-uconsole";
+      inputs.nixpkgs.follows = "nixpkgs";
    };
    home-manager = {
      url = "github:nix-community/home-manager/release-25.11";
      inputs.nixpkgs.follows = "nixpkgs-uconsole";
    };
    self.submodules = true;
  };
-  outputs = { self, nixpkgs, agenix, lix
+  outputs = { self, nixpkgs, agenix, lix, nixos-uconsole, nixos-raspberrypi, ... }@inputs:
            , nixpkgs-uconsole, nixos-uconsole, nixos-raspberrypi
            , home-manager
            , ... }@inputs:
    let
      system = "x86_64-linux";
      keys = import ./lib/keys.nix;
@@ -42,89 +34,20 @@
          "/etc/ssh/ssh_host_ed25519_key"
          "/root/.age/bootstrap.key" ];
      };
-      overlays = [ agenix.overlays.default ];
+      overlays = [ agenix.overlays.default (import ./overlays/reticulum.nix) ];
      pkgs = import nixpkgs {
        inherit system overlays;
        config.allowUnfree = true;
-        config.permittedInsecurePackages = [ "openclaw-2026.3.12" ];
+        config.permittedInsecurePackages = [
          "openclaw-2026.3.12"
        ];
      };
      devShell = import ./shells/nix_dev.nix {
        inherit pkgs system agenix;
      };
-
+    in
      # Cross-compile overlay fixes for Hyprland and deps on aarch64
      uconsoleCrossOverlay = final: prev: {
        libcamera = prev.libcamera.overrideAttrs (_: { meta.platforms = []; });
        libcamera-rpi = prev.libcamera-rpi.overrideAttrs (_: { meta.platforms = []; });
        libpisp = prev.libpisp.overrideAttrs (_: { meta.platforms = []; });
        pipewire = prev.pipewire.overrideAttrs (old: {
          buildInputs = builtins.filter
            (x: !(x?pname && x.pname == "libcamera"))
            (old.buildInputs or []);
          mesonFlags = builtins.filter
            (flag: !(builtins.isString flag && builtins.match ".*libcamera.*" flag != null))
            (old.mesonFlags or []) ++ [ "-Dlibcamera=disabled" ];
        });
        gjs = prev.gjs.overrideAttrs (old: {
          mesonFlags = (old.mesonFlags or []) ++ [ "-Dskip_gtk_tests=true" ];
        });
        hyprland = prev.hyprland.override { wrapRuntimeDeps = false; };
        xdg-desktop-portal-hyprland = prev.xdg-desktop-portal-hyprland.overrideAttrs (old: {
          preConfigure = (old.preConfigure or "") + ''
            cmakeFlags="$cmakeFlags -Dhyprwayland-scanner_DIR=${prev.buildPackages.hyprwayland-scanner}/lib/cmake/hyprwayland-scanner" 2>/dev/null || true
            export PKG_CONFIG_PATH="${prev.buildPackages.hyprwayland-scanner}/lib/pkgconfig:$PKG_CONFIG_PATH"
          '';
        });
      };
      # RPI-specific pipewire libcamera fix (separate nixpkgs instance)
      uconsoleRpiPipewireOverlay = final: prev: {
        pipewire = prev.pipewire.overrideAttrs (old: {
          buildInputs = builtins.filter
            (x: !(x?pname && x.pname == "libcamera"))
            (old.buildInputs or []);
          mesonFlags = builtins.filter
            (flag: !(builtins.isString flag && builtins.match ".*libcamera.*" flag != null))
            (old.mesonFlags or []) ++ [ "-Dlibcamera=disabled" ];
        });
      };
      # Shared uConsole CM5 module set — used by both toplevel and SD image
      uconsoleBaseModules = [
      {
          nixpkgs.buildPlatform = "x86_64-linux";
          nixpkgs.hostPlatform = "aarch64-linux";
          nixpkgs.config.allowUnfree = true;
          boot.loader.raspberry-pi.bootloader = "kernel";
          nixpkgs.overlays = [ uconsoleCrossOverlay ];
        }
        nixos-raspberrypi.nixosModules.nixpkgs-rpi
        ({ config, lib, pkgs, ... }: {
          nixpkgs.overlays = [ uconsoleRpiPipewireOverlay ];
        })
        nixos-raspberrypi.nixosModules.raspberry-pi-5.base
        nixos-raspberrypi.lib.inject-overlays
        nixos-raspberrypi.lib.inject-overlays-global
        nixos-uconsole.nixosModules.uconsole-cm5
        ./modules/nixos/hardware/uconsole-cm5-aio-v2.nix
        # Cross-compiled Lix for uConsole
        ({ config, lib, pkgs, inputs, ... }: let
          lixCross = import inputs.nixpkgs-uconsole {
            localSystem = { system = "x86_64-linux"; };
            crossSystem = { system = "aarch64-linux"; };
            overlays = [ inputs.lix.overlays.default ];
          };
        in { nix.package = lixCross.lix; })
        inputs.home-manager.nixosModules.home-manager
        agenix.nixosModules.default
        ./hosts/uconsole-cm5/configuration.nix
        ./hosts/uconsole-cm5/hardware-configuration.nix
        ./modules/nixos/services/wireguard-client.nix
        ./modules/nixos/security/ai-worker-restricted.nix
        ./users/gortium/gortium.nix
        ./users/ai-worker/ai-worker.nix
      ];
    in {
        nixosConfigurations = {
          lazyworkhorse = nixpkgs.lib.nixosSystem {
            specialArgs = { inherit system self keys paths inputs; };
@@ -133,20 +56,23 @@
                nixpkgs.overlays = overlays;
                nixpkgs.config.allowUnfree = true;
                nixpkgs.config.rocmSupport = true;
-              nixpkgs.config.permittedInsecurePackages = [ "openclaw-2026.3.12" ];
+                nixpkgs.config.permittedInsecurePackages = [
                  "openclaw-2026.3.12"
                ];
                nix.package = lix.packages.${system}.default;
              }
        inputs.home-manager.nixosModules.home-manager
              agenix.nixosModules.default
              ./hosts/lazyworkhorse/configuration.nix
              ./hosts/lazyworkhorse/hardware-configuration.nix
              ./modules/nixos/filesystem/hoardingcow-mount.nix
              ./modules/nixos/filesystem/poup-16t-disk.nix
              ./modules/nixos/services/docker_manager.nix
-            ./modules/nixos/services/wireguard-client.nix
+              ./modules/nixos/services/open_code_server.nix
              ./modules/nixos/services/ollama_init_custom_models.nix
              ./modules/nixos/services/openclaw_node.nix
              ./modules/nixos/security/ai-worker-restricted.nix
-            ./users/gortium/gortium.nix
+              ./users/gortium.nix
-            ./users/ai-worker/ai-worker.nix
+              ./users/ai-worker.nix
            ];
          };
@@ -161,36 +87,25 @@
              }
              ./hosts/cyt-pi/configuration.nix
              ./hosts/cyt-pi/hardware-configuration.nix
            ./modules/nixos/services/wireguard-client.nix
            ./users/gortium/gortium.nix
            ];
          };
-        uconsole-cm5 = nixpkgs-uconsole.lib.nixosSystem {
+          uConsole = nixos-raspberrypi.lib.nixosSystem {
-          system = "aarch64-linux";
+            specialArgs = { inherit self keys paths inputs nixos-raspberrypi; };
-          specialArgs = {
+            modules = [
-            inherit self keys paths inputs;
+              {
-            nixos-raspberrypi = nixos-raspberrypi;
+                nixpkgs.overlays = overlays;
-            isCM4 = false;
+                nixpkgs.config.allowUnfree = true;
-          };
+                nixpkgs.hostPlatform = "aarch64-linux";
-          modules = uconsoleBaseModules;
+                nix.package = lix.packages."aarch64-linux".default;
              }
              nixos-raspberrypi.nixosModules.raspberry-pi-5.base
              nixos-uconsole.nixosModules.uconsole-cm5
              ./hosts/uConsole/configuration.nix
              ./hosts/uConsole/hardware-configuration.nix
            ];
          };
        };
        devShells.${system}.default = devShell;
      packages.${system} = {
        uconsole-cm5-image = (nixos-raspberrypi.lib.nixosSystem {
          system = "aarch64-linux";
          specialArgs = {
            inherit self keys inputs;
            nixos-raspberrypi = nixos-raspberrypi;
            isCM4 = false;
          };
          modules = uconsoleBaseModules ++ [
            nixos-raspberrypi.nixosModules.sd-image
          ];
        }).config.system.build.sdImage;
      };
      };
 }
--- a/hosts/lazyworkhorse/configuration.nix
+++ b/hosts/lazyworkhorse/configuration.nix
@@ -8,9 +8,21 @@
  # NAS Mounting
  hoardingcow-mount.enable = true;
  # 16TB btrfs storage disk (WD Red Pro — Poup_16T — LUKS2 + btrfs + btrbk snapshots)
  # ⚠ SETUP REQUIRED: Connect the disk, get the LUKS UUID with 'blkid /dev/sdb',
  #   then set gortium.poup16t.luksUuid here and deploy.
  # gortium.poup16t = {
  #   enable = true;
  #   luksUuid = "REPLACE_ME_WITH_REAL_UUID";
  # };
  # Flakesss
-  nix.settings.experimental-features = [ "nix-command" "flakes" "flake-self-attrs" "ca-derivations" ];
+  nix.settings.experimental-features = [ "nix-command" "flakes" "flake-self-attrs" ];
  nix.settings.trusted-users = [ "root" "gortium" ];
  nix.settings.extra-platforms = [ "aarch64-linux" ];
  # QEMU binfmt for cross-building aarch64 NixOS targets
  boot.binfmt.emulatedSystems = [ "aarch64-linux" ];
  # Garbage collection
  nix.gc = {
@@ -49,12 +61,24 @@
  networking.networkmanager.enable = true;  # Easiest to use and most distros use this by default.
  networking.hostId = "deadbeef";
-  # WireGuard VPN client -- module, always up, connects to wg-easy server
+  # WireGuard VPN client -- always up, connects to wg-easy server
-  gortium.wireguard-client = {
+  # Create age-encrypted secrets before deploying (run on the host):
-    enable = true;
+  #   echo -n "<private_key>" | agenix -e secrets/wireguard_private_key.age
-    vpnIp = "10.8.0.3/24";
+  #   echo -n "<preshared_key>" | agenix -e secrets/wireguard_preshared_key.age
  networking.wireguard.interfaces = {
    wg0 = {
      ips = [ "10.8.0.3/24" ];
      privateKeyFile = config.age.secrets.wireguard_private_key.path;
      peers = [
        {
          publicKey = "rY9zII3AOm8rog2rv02PyA3Bq7zdvTOGkZapfCV1DkE=";
          presharedKeyFile = config.age.secrets.wireguard_preshared_key.path;
          allowedIPs = [ "10.8.0.0/24" ];
          endpoint = "vpn.lazyworkhorse.net:51820";
          persistentKeepalive = 25;
        }
      ];
    };
  };
  # Set your time zone.
--- a/hosts/uConsole/configuration.nix
+++ b/hosts/uConsole/configuration.nix
@@ -0,0 +1,171 @@
 { config, lib, pkgs, paths, self, keys, ... }:
 {
  # Basic Host Info
  networking.hostName = "uConsole";
  time.timeZone = "America/Montreal";
  i18n.defaultLocale = "en_CA.UTF-8";
  # System State
  system.stateVersion = "25.05";
  # Boot & Hardware (migrated to kernel bootloader per nixos-raspberrypi deprecation notice)
  boot.loader.raspberry-pi.bootloader = "kernel";
  # kernel managed by nixos-raspberrypi module — don't override, patches are version-specific
  # boot.kernelPackages = pkgs.linuxPackages_latest;
  # Networking
  networking.networkmanager.enable = true;
  services.openssh = {
    enable = true;
    settings.PermitRootLogin = lib.mkForce "prohibit-password";
    settings.PasswordAuthentication = lib.mkForce false;
  };
  # User
  users.users.gortium = {
    isNormalUser = true;
    extraGroups = [ "wheel" "networkmanager" "video" "dialout" "kismet" ];
    openssh.authorizedKeys.keys = [
      keys.users.gortium.main
      keys.users.gortium.gitea
    ];
  };
  security.sudo.extraRules = [
    {
      users = [ "gortium" ];
      commands = [
        {
          command = "ALL";
          options = [ "NOPASSWD" ];
        }
      ];
    }
  ];
  # ============================================================
  # Package groups
  # ============================================================
  environment.systemPackages = with pkgs; [
    # ===== Base =====
    emacs-pgtk
    git
    ripgrep
    fd
    htop
    tmux
    neovim
    # ===== HAM Radio =====
    js8call
    wsjtx
    fldigi
    pat                        # Winlink client
    direwolf                   # AX.25 packet modem
    chirp                      # Radio programming tool
    hamlib                     # Ham radio control libraries
    trustedqsl                 # Logbook of the World (LoTW)
    # ===== SDR / RF =====
    sdrpp                      # SDR++ spectrum analyzer
    gqrx                       # SDR receiver GUI
    rtl-sdr                    # RTL-SDR drivers & utilities
    inspectrum                # Offline signal analysis
    soapysdr-with-plugins      # SoapySDR + hardware support plugins
    # ===== Mesh / LoRa =====
    meshtastic                 # Python CLI for Meshtastic devices
    reticulumStack             # Reticulum Network Stack (rnsd, rnsh, rncp, rnx, rnpath, etc.)
    lxmf                       # LXMF messaging protocol
    nomadnet                   # Nomad Network client
    # ===== Security =====
    nmap
    aircrack-ng
    kismet                     # Wi-Fi monitor / IDS
    bettercap                  # MITM/network attack framework
    wireshark                  # Packet analyzer
    hashcat                    # GPU password cracker
    john                       # John the Ripper
    sqlmap                     # SQL injection tool
    # ===== GPS / Maps =====
    foxtrotgps
    viking                     # GPS map editor
    gpsbabel                   # GPS data conversion
  ];
  # Packages noted but not in unstable nixpkgs:
  #   - metasploit: unfree; install manually via Git clone
  #   - burpsuite: unfree Java app (Community Edition available for download)
  #   - sidechannel: not a distinct PyPI package; functionality covered by
  #     the Reticulum stack. For LXMF GUI client, install Sideband manually
  #     from github.com/markqvist/Sideband
  # ============================================================
  # Reticulum Service (rnsd)
  # ============================================================
  systemd.services.rnsd = {
    description = "Reticulum Network Stack Daemon";
    wants = [ "network-online.target" ];
    after = [ "network-online.target" ];
    wantedBy = [ "multi-user.target" ];
    serviceConfig = {
      User = "gortium";
      Group = "gortium";
      ExecStart = "${pkgs.reticulumStack}/bin/rnsd";
      Restart = "always";
      RestartSec = "10s";
      LimitNOFILE = 65536;
    };
  };
  # ============================================================
  # Kismet Service (Wi-Fi monitoring / mesh node)
  # ============================================================
  systemd.services.kismet = {
    description = "Kismet Wi-Fi Monitor & IDS";
    wants = [ "network-online.target" ];
    after = [ "network-online.target" ];
    wantedBy = [ "multi-user.target" ];
    serviceConfig = {
      User = "gortium";
      Group = "kismet";
      ExecStart = "${pkgs.kismet}/bin/kismet -c wlan0 --log-base=/home/gortium/kismet_logs --no-nc-ui";
      Restart = "always";
      RestartSec = "10s";
    };
  };
  # ============================================================
  # Kernel modules for SDR and radio
  # ============================================================
  boot.kernelModules = [
    "88x2bu"          # Realtek 8812/8821BU USB WiFi (common adapter)
    "rtl8xxxu"        # RTL8188/8192/8723 USB WiFi
    "rtl2832_sdr"     # RTL-SDR kernel module
    "dvb_usb_rtl28xxu" # RTL-SDR DVB-T
  ];
  boot.blacklistedKernelModules = [ ];
  # ============================================================
  # Extra udev rules for SDR and HAM radio devices
  # ============================================================
  services.udev.packages = with pkgs; [ rtl-sdr ];
  # ============================================================
  # Enable IPv6 for Reticulum mesh
  # ============================================================
  networking.enableIPv6 = true;
  # ============================================================
  # Firewall: open ports for Reticulum (optional)
  # ============================================================
  networking.firewall.allowedTCPPorts = [ 22 ]; # SSH only
  networking.firewall.allowedUDPPorts = [ ];
  # Reticulum uses its own encryption and doesn't need open ports
  # for basic mesh operations (peer-to-peer discovery).
  # For TCP interfaces, open additional ports as needed.
 }
--- a/hosts/uconsole-cm5/hardware-configuration.nix
+++ b/hosts/uconsole-cm5/hardware-configuration.nix
@@ -1,27 +1,23 @@
 { config, lib, pkgs, modulesPath, ... }:
 {
-  imports = [
+  imports =
-    (modulesPath + "/installer/scan/not-detected.nix")
+    [ (modulesPath + "/installer/scan/not-detected.nix")
    ];
  boot.initrd.availableKernelModules = [ "xhci_pci" "usbhid" "usb_storage" "sdhci_pci" "nvme" ];
  boot.initrd.kernelModules = [ ];
  boot.extraModulePackages = [ ];
-  # SD card partitions (nixos-uconsole layout)
+  # uConsole CM5 uses NVMe or eMMC for boot storage
-  fileSystems."/" = {
+  # The uconsole-cm5 module sets up /boot/firmware and default /
-    device = "/dev/disk/by-label/NIXOS_SD";
+  # Override device label here if using different storage
  fileSystems."/" = lib.mkDefault {
    device = "/dev/disk/by-label/NIXOS_UCM5";
    fsType = "ext4";
    options = [ "noatime" ];
  };
  fileSystems."/boot/firmware" = {
    device = "/dev/disk/by-label/FIRMWARE";
    fsType = "vfat";
    options = [ "fmask=0022" "dmask=0022" ];
  };
  swapDevices = [ ];
  nixpkgs.hostPlatform = lib.mkDefault "aarch64-linux";
--- a/hosts/uconsole-cm5/configuration.nix
+++ b/hosts/uconsole-cm5/configuration.nix
@@ -1,58 +0,0 @@
 { config, lib, pkgs, keys, ... }:
 {
  networking.hostName = "uConsole";
  time.timeZone = "America/Montreal";
  i18n.defaultLocale = "en_CA.UTF-8";
  system.stateVersion = "25.11";
  # SSH — root access avec clés gortium + ai-worker
  services.openssh = {
    enable = true;
    settings = {
      PermitRootLogin = lib.mkForce "prohibit-password";
      PasswordAuthentication = lib.mkForce false;
    };
  };
  users.users.root.openssh.authorizedKeys.keys = with keys; [
    users.gortium.main
    users.ai-worker.main
  ];
  # AI worker user (Hermes SSH access)
  # Age secret for gortium password (file created by user)
  age.secrets.gortium_password = {
    file = ../../secrets/gortium_password.age;
  };
  # Password file for gortium (merges with users/gortium/default.nix)
  # WiFi via NetworkManager + secret agenix
  networking.networkmanager.enable = true;
  # Firmware
  hardware.enableRedistributableFirmware = true;
  # Hyprland Wayland compositor (manual start — no SDDM)
  programs.hyprland = {
    enable = true;
    xwayland.enable = true;
  };
  # HackerGadgets AIO v2 board
  hardware.uconsole-cm5-aio-v2 = {
    enable = true;
    # Rails actifs au boot
    bootRails = {
      GPS  = false;
      LORA = false;
      SDR  = false;
      USB  = false;
    };
    enableGPS = false;
  };
 }
--- a/modules/nixos/filesystem/poup-16t-disk.nix
+++ b/modules/nixos/filesystem/poup-16t-disk.nix
@@ -0,0 +1,121 @@
 { config, lib, pkgs, ... }:
 let
  cfg = config.gortium.poup16t;
  luksName = cfg.luksName;
 in
 with lib;
 {
  options.gortium.poup16t = {
    enable = mkEnableOption "Poup_16T storage disk (btrfs + LUKS + btrbk snapshots)";
    luksUuid = mkOption {
      type = types.str;
      description = ''
        UUID of the LUKS partition on the 16TB disk (WD Red Pro).
        Find this by running as root when the disk is connected:
          blkid /dev/sdb   # or wherever the disk appears
          lsblk -o NAME,SIZE,FSTYPE,UUID
        Since btrfs is inside LUKS, the FS UUID is hidden — use the
        LUKS partition UUID from blkid (it'll show TYPE=\"crypto_LUKS\").
      '';
      example = "00000000-0000-0000-0000-000000000000";
    };
    luksName = mkOption {
      type = types.str;
      default = "poup_16t";
      description = "Name for the LUKS /dev/mapper/ mapping";
    };
    mountPoint = mkOption {
      type = types.str;
      default = "/mnt/Poup_16T";
      description = "Mount point for the 16TB data disk";
    };
    btrfsOptions = mkOption {
      type = types.listOf types.str;
      default = [ "defaults" "noatime" "compress=zstd:3" "nofail" ];
      description = "Mount options for the btrfs filesystem. 'nofail' ensures boot succeeds when disk is disconnected.";
    };
    btrbk = {
      enable = mkOption {
        type = types.bool;
        default = true;
        description = "Enable btrbk snapshot management on this volume";
      };
      schedule = mkOption {
        type = types.str;
        default = "daily";
        description = "systemd calendar event for btrbk (e.g. 'daily', 'hourly', '*-*-* 00:00:00')";
      };
      preserveMin = mkOption {
        type = types.str;
        default = "2d";
        description = "btrbk snapshot_preserve_min — minimum age before pruning";
      };
      preserve = mkOption {
        type = types.str;
        default = "14d 4w 3m";
        description = "btrbk snapshot_preserve — retention policy (daily, weekly, monthly)";
      };
      snapshotDir = mkOption {
        type = types.str;
        default = ".snapshots";
        description = "Directory name for snapshots relative to volume root";
      };
    };
  };
  config = mkIf cfg.enable {
    # Enable btrfs kernel support (no DKMS needed — it's in-tree)
    boot.supportedFilesystems = [ "btrfs" ];
    # Install btrfs administration tools
    environment.systemPackages = with pkgs; [
      btrfs-progs       # mkfs.btrfs, btrfs, fsck, balance, scrub
      btrbk             # Snapshot management + rotation
    ];
    # LUKS2 unlock at boot (uses keyfile or prompts if unavailable)
    # Since the disk may be disconnected, initrd times out gracefully (~30s)
    boot.initrd.luks.devices.${luksName} = {
      device = "/dev/disk/by-uuid/${cfg.luksUuid}";
      preLVM = false;
      allowDiscards = true;
    };
    # Mount the unlocked mapper device as btrfs
    fileSystems.${cfg.mountPoint} = {
      device = "/dev/mapper/${luksName}";
      fsType = "btrfs";
      options = cfg.btrfsOptions;
    };
    # btrbk — automated snapshot creation and rotation
    services.btrbk = mkIf cfg.btrbk.enable {
      instances.poup16t = {
        onCalendar = cfg.btrbk.schedule;
        settings = {
          snapshot_preserve_min = cfg.btrbk.preserveMin;
          snapshot_preserve = cfg.btrbk.preserve;
          volume.${cfg.mountPoint} = {
            snapshot_create = "always";
            snapshot_dir = cfg.btrbk.snapshotDir;
            subvolume = ".";
          };
        };
      };
    };
  };
 }
--- a/modules/nixos/hardware/uconsole-cm5-aio-v2.nix
+++ b/modules/nixos/hardware/uconsole-cm5-aio-v2.nix
@@ -1,169 +0,0 @@
 { config, lib, pkgs, ... }:
 with lib;
 let
  cfg = config.hardware.uconsole-cm5-aio-v2;
  # GPIO pin map matching the AIO v2 board hardware
  #   SDR  (RTL-SDR):  GPIO 7
  #   LoRa (SX1262) :  GPIO 16
  #   USB Hub Interne: GPIO 23
  #   GPS (GNSS)    :  GPIO 27
  gpioMap = {
    GPS  = 27;
    LORA = 16;
    SDR  = 7;
    USB  = 23;
  };
  # Generate a script that applies boot rail states via pinctrl
  applyRailsScript = pkgs.writeShellScript "apply-aio-v2-rails" (
    ''
      set -e
      PINCTRL=${pkgs.libraspberrypi}/bin/pinctrl
    ''
    + concatStringsSep "" (mapAttrsToList (name: pin: ''
      if [ "${if cfg.bootRails.${name} then "1" else "0"}" = "1" ]; then
        echo "AIO v2: ${name} (GPIO${toString pin}) -> ON"
        $PINCTRL set ${toString pin} op dh
      else
        echo "AIO v2: ${name} (GPIO${toString pin}) -> OFF"
        $PINCTRL set ${toString pin} op dl
      fi
    '') gpioMap)
  );
  # aiov2_ctl CLI tool -- fetched from GitHub, available as `aiov2_ctl`
  aiov2CtlPkg = pkgs.stdenv.mkDerivation rec {
    pname = "aiov2_ctl";
    version = "0-unstable-2026-06-16";
    src = pkgs.fetchFromGitHub {
      owner = "hackergadgets";
      repo = "aiov2_ctl";
      rev = "main";
      hash = "sha256-hqOvS1K5pDVXAroUE50i5R9YqRgC2U3fzby6uuB67K0=";
    };
    dontUnpack = true;
    installPhase = ''
      mkdir -p $out/bin $out/share/aiov2_ctl/img
      cp $src/aiov2_ctl.py $out/bin/aiov2_ctl
      chmod +x $out/bin/aiov2_ctl
      patchShebangs $out/bin/aiov2_ctl
      substituteInPlace $out/bin/aiov2_ctl \
        --replace-fail '"/usr/local/share/aiov2_ctl/img/' '"'$out'/share/aiov2_ctl/img/'
      cp -r $src/img/* $out/share/aiov2_ctl/img/
    '';
    meta = {
      description = "HackerGadgets uConsole AIO v2 GPIO control and telemetry tool";
      homepage = "https://github.com/hackergadgets/aiov2_ctl";
      license = lib.licenses.mit;
      maintainers = with lib.maintainers; [ ];
      platforms = [ "aarch64-linux" ];
    };
  };
 in {
  options.hardware.uconsole-cm5-aio-v2 = {
    enable = mkEnableOption "HackerGadgets uConsole AIO v2 board support";
    bootRails = {
      GPS = mkOption {
        type = types.bool;
        default = false;
        description = "Enable GPS module at boot (GPIO 27)";
      };
      LORA = mkOption {
        type = types.bool;
        default = false;
        description = "Enable LoRa module at boot (GPIO 16)";
      };
      SDR = mkOption {
        type = types.bool;
        default = false;
        description = "Enable SDR module at boot (GPIO 7)";
      };
      USB = mkOption {
        type = types.bool;
        default = false;
        description = "Enable internal USB hub at boot (GPIO 23)";
      };
    };
    package = mkOption {
      type = types.package;
      default = aiov2CtlPkg;
      defaultText = literalExpression "aiov2CtlPkg";
      description = "aiov2_ctl package to use";
    };
    enableGPS = mkOption {
      type = types.bool;
      default = false;
      description = ''
        Enable GPS UART (/dev/ttyAMA0 at 9600 baud).
        Requires enabling UART on the CM5 via boot.kernelParams.
      '';
    };
    enableGUI = mkOption {
      type = types.bool;
      default = false;
      description = ''
        Enable the system tray GUI for aiov2_ctl.
        Requires a desktop environment with system tray support.
      '';
    };
  };
  config = mkIf cfg.enable {
    # Package the aiov2_ctl tool + pinctrl
    environment.systemPackages = with pkgs; [
      cfg.package
      libraspberrypi      # provides pinctrl
    ];
    # Boot rail systemd oneshot service
    systemd.services.aiov2-rails-boot = {
      description = "Apply AIO v2 GPIO rail boot states";
      after = [ "local-fs.target" ];
      wants = [ "local-fs.target" ];
      before = [ "multi-user.target" ];
      wantedBy = [ "multi-user.target" ];
      serviceConfig = {
        Type = "oneshot";
        ExecStart = "${applyRailsScript}";
        RemainAfterExit = true;
      };
    };
    # GPS configuration
    boot.kernelParams = mkIf cfg.enableGPS [ "uart0=on" ];
    users.users = mkIf cfg.enableGPS {
      gortium = {
        extraGroups = [ "dialout" ];
      };
    };
    # GUI autostart (XDG)
    systemd.user.services.aiov2-ctl-gui = mkIf cfg.enableGUI {
      description = "AIO v2 System Tray Controller";
      after = [ "graphical-session.target" ];
      wants = [ "graphical-session.target" ];
      wantedBy = [ "graphical-session.target" ];
      serviceConfig = {
        Type = "simple";
        ExecStart = "${cfg.package}/bin/aiov2_ctl --gui";
        Restart = "on-failure";
        RestartSec = 5;
      };
      environment = {
        AIOV2_CTL_DEBUG = "0";
      };
    };
  };
 }
--- a/modules/nixos/services/default.nix
+++ b/modules/nixos/services/default.nix
@@ -1,5 +0,0 @@
 {
  imports = [
    ./systemd
  ];
 }
--- a/modules/nixos/services/staging-vm.nix.bak
+++ b/modules/nixos/services/staging-vm.nix.bak
@@ -1,275 +0,0 @@
 { config, pkgs, lib, ... }:
 with lib;
 let
  cfg = config.services.stagingVm;
 in
 {
  options.services.stagingVm = {
    enable = mkOption {
      type = types.bool;
      default = false;
      description = "Enable KVM/libvirt staging VM for compose PR testing";
    };
    vmName = mkOption {
      type = types.str;
      default = "compose-test-vm";
      description = "Name of the staging VM";
    };
    memory = mkOption {
      type = types.str;
      default = "4096";
      description = "RAM allocated to the staging VM (MB)";
    };
    vcpus = mkOption {
      type = types.int;
      default = 2;
      description = "Number of vCPUs for the staging VM";
    };
    storagePath = mkOption {
      type = types.str;
      default = "/var/lib/libvirt/images";
      description = "Path for libvirt storage pool";
    };
    dataPath = mkOption {
      type = types.str;
      default = "/var/lib/staging-vm";
      description = "Path for compose test data (PR checkouts, test results)";
    };
  };
  config = mkIf cfg.enable {
    # Enable libvirt daemon
    virtualisation.libvirtd = {
      enable = true;
      qemu = {
        package = pkgs.qemu_kvm;
        runAsRoot = true;
        swtpm.enable = true;
        ovmf = {
          enable = true;
          packages = [ pkgs.OVMFFull.fd ];
        };
      };
    };
    # Kernel modules + groups already handled in configuration.nix
    # libvirt NAT network (192.168.122.0/24)
    environment.etc."libvirt/qemu/networks/default.xml" = {
      text = ''
        <network>
          <name>default</name>
          <uuid>2b8f7a3c-9e5d-4a1f-bc3d-6e7a8f9b0c1d</uuid>
          <forward mode='nat'>
            <nat>
              <port start='1024' end='65535'/>
            </nat>
          </forward>
          <bridge name='virbr0' stp='on' delay='0'/>
          <mac address='52:54:00:12:34:56'/>
          <ip address='192.168.122.1' netmask='255.255.255.0'>
            <dhcp>
              <range start='192.168.122.2' end='192.168.122.254'/>
            </dhcp>
          </ip>
        </network>
      '';
      # Autostart the network so it comes up on boot
      mode = "0644";
    };
    # Ensure the default network is defined and autostarted
    systemd.services.libvirtd = {
      postStart = ''
        ${pkgs.libvirt}/bin/virsh net-define /etc/libvirt/qemu/networks/default.xml 2>/dev/null || true
        ${pkgs.libvirt}/bin/virsh net-autostart default 2>/dev/null || true
        ${pkgs.libvirt}/bin/virsh net-start default 2>/dev/null || true
      '';
    };
    # Storage directory for VM images
    systemd.tmpfiles.rules = [
      "d ${cfg.storagePath} 0755 root root -"
      "d ${cfg.dataPath} 0755 root root -"
    ];
    # Ensure storage pool exists in libvirt
    systemd.services.libvirtd.postStart = mkAfter ''
      ${pkgs.libvirt}/bin/virsh pool-define-as default dir --target "${cfg.storagePath}" 2>/dev/null || true
      ${pkgs.libvirt}/bin/virsh pool-autostart default 2>/dev/null || true
      ${pkgs.libvirt}/bin/virsh pool-start default 2>/dev/null || true
    '';
    # Firewall: allow traffic from virbr0 to host and outbound NAT
    networking.firewall = {
      extraCommands = ''
        # Allow inbound DHCP/DNS from libvirt guests
        iptables -I INPUT -i virbr0 -p udp --dport 67:68 -j ACCEPT
        iptables -I INPUT -i virbr0 -p tcp --dport 53 -j ACCEPT
        iptables -I INPUT -i virbr0 -p udp --dport 53 -j ACCEPT
        # Allow established/related traffic back to guests
        iptables -I FORWARD -i virbr0 -o virbr0 -j ACCEPT
        iptables -I FORWARD -o virbr0 -j ACCEPT
        iptables -I FORWARD -i virbr0 -j ACCEPT
      '';
    };
    # Packages needed for VM management
    environment.systemPackages = with pkgs; [
      libvirt
      qemu_kvm
      virt-manager  # optional GUI for manual management
      OVMFFull
      swtpm
    ];
    # Enable docker in the host (already enabled, but ensure for compose testing)
    virtualisation.docker.enable = true;
    # Helper script: pr-test-vm
    # Usage:
    #   pr-test-vm build    — build the staging VM derivation
    #   pr-test-vm start    — boot the VM with a compose PR branch
    #   pr-test-vm stop     — graceful shutdown
    #   pr-test-vm destroy  — force stop + delete VM
    #   pr-test-vm ssh      — SSH into the running VM
    systemd.tmpfiles.rules = mkAfter [
      "d ${cfg.dataPath}/scripts 0755 root root -"
    ];
    environment.systemPackages = [ (pkgs.writeShellScriptBin "pr-test-vm" ''
      set -euo pipefail
      DATA="${cfg.dataPath}"
      VM_NAME="${cfg.vmName}"
      VM_IMAGE="''${DATA}/''${VM_NAME}.qcow2"
      VM_PORT=2223
      build_vm() {
        echo "==> Building NixOS staging VM for compose testing..."
        # Build the VM config inline — a minimal NixOS with Docker + SSH
        cat > /tmp/staging-vm-config.nix << 'NIXEOF'
          { config, pkgs, lib, ... }: {
            boot.loader.grub.devices = [ "/dev/vda" ];
            boot.loader.timeout = 0;
            # Minimal kernel
            boot.kernelParams = [ "console=ttyS0" ];
            boot.initrd.kernelModules = [ "virtio_blk" "virtio_net" "virtio_pci" ];
            # SSH access
            services.openssh = {
              enable = true;
              settings.PasswordAuthentication = false;
              settings.PermitRootLogin = "prohibit-password";
            };
            # Docker for compose testing
            virtualisation.docker.enable = true;
            # Network (DHCP via virbr0)
            networking.useDHCP = true;
            networking.firewall.enable = false;
            # Users
            users.users.root.openssh.authorizedKeys.keys = [
              "$(cat /root/.ssh/authorized_keys 2>/dev/null || echo 'ssh-ed25519 AAAAC3... placeholder')"
            ];
            users.users.testrunner = {
              isNormalUser = true;
              extraGroups = [ "docker" ];
              openssh.authorizedKeys.keys = [
                "$(cat /root/.ssh/authorized_keys 2>/dev/null || echo 'ssh-ed25519 AAAAC3... placeholder')"
              ];
            };
            # Git + compose tools
            environment.systemPackages = with pkgs; [ git docker-compose curl ];
            system.stateVersion = "24.11";
          }
        NIXEOF
        nixos-rebuild build-vm -I nixpkgs=channel:nixos-unstable \
          --arg configuration 'import /tmp/staging-vm-config.nix' \
          --out-link "''${DATA}/vm-result"
        echo "==> VM built. Run 'pr-test-vm start' to boot."
      }
      start_vm() {
        if [ -f "''${VM_IMAGE}" ]; then
          echo "==> Booting existing VM..."
        else
          echo "==> Creating VM image..."
          ${pkgs.qemu_kvm}/bin/qemu-img create -f qcow2 "''${VM_IMAGE}" 20G
        fi
        # Check if already running
        if ${pkgs.libvirt}/bin/virsh list --name 2>/dev/null | grep -q "''${VM_NAME}"; then
          echo "==> VM already running."
          exit 0
        fi
        ${pkgs.qemu_kvm}/bin/qemu-system-x86_64 \
          -name "''${VM_NAME}" \
          -machine q35,accel=kvm \
          -cpu host \
          -smp ${toString cfg.vcpus} \
          -m ${cfg.memory} \
          -drive file="''${VM_IMAGE}",if=virtio,format=qcow2 \
          -netdev user,id=net0,hostfwd=tcp::''${VM_PORT}-:22 \
          -device virtio-net-pci,netdev=net0 \
          -nographic \
          -serial mon:stdio \
          -pidfile "''${DATA}/''${VM_NAME}.pid" \
          -daemonize
        echo "==> VM booting... SSH on port ''${VM_PORT}"
        echo "==> Wait for it: ssh -p ''${VM_PORT} testrunner@localhost"
      }
      stop_vm() {
        PIDFILE="''${DATA}/''${VM_NAME}.pid"
        if [ -f "''${PIDFILE}" ]; then
          PID=$(cat "''${PIDFILE}")
          kill "''${PID}" 2>/dev/null || true
          rm -f "''${PIDFILE}"
          echo "==> VM stopped."
        else
          ${pkgs.libvirt}/bin/virsh destroy "''${VM_NAME}" 2>/dev/null || true
          echo "==> VM destroyed."
        fi
      }
      ssh_vm() {
        exec ssh -p "''${VM_PORT}" -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null "testrunner@localhost" "$@"
      }
      # Main dispatch
      case "''${1:-help}" in
        build)   build_vm ;;
        start)   start_vm ;;
        stop)    stop_vm ;;
        destroy) stop_vm; rm -f "''${VM_IMAGE}"; echo "==> VM deleted." ;;
        ssh)     shift; ssh_vm "$@" ;;
        *)
          echo "Usage: pr-test-vm {build|start|stop|destroy|ssh}"
          echo ""
          echo "  build    — build the NixOS VM derivation"
          echo "  start    — boot the VM (create image if needed)"
          echo "  stop     — graceful VM shutdown"
          echo "  destroy  — stop + delete VM image"
          echo "  ssh      — SSH into the running VM"
          ;;
      esac
    '') ];
  };
 }
--- a/modules/nixos/services/wireguard-client.nix
+++ b/modules/nixos/services/wireguard-client.nix
@@ -1,54 +0,0 @@
 { config, lib, pkgs, ... }:
 with lib;
 let
  cfg = config.gortium.wireguard-client;
 in
 {
  ##### Options #####
  options.gortium.wireguard-client = {
    enable = mkEnableOption "WireGuard VPN client to lazyworkhorse VPN server";
    vpnIp = mkOption {
      type = types.str;
      description = "Assigned VPN IP with CIDR, e.g. \"10.8.0.4/24\"";
      example = "10.8.0.4/24";
    };
    privateKeyFile = mkOption {
      type = types.path;
      description = "Path to the WireGuard private key (age-encrypted, via agenix)";
    };
    presharedKeyFile = mkOption {
      type = types.nullOr types.path;
      default = null;
      description = "Path to the WireGuard preshared key (optional, age-encrypted)";
    };
  };
  ##### Config #####
  config = mkIf cfg.enable {
    networking.wireguard.interfaces = {
      wg0 = {
        ips = [ cfg.vpnIp ];
        privateKeyFile = cfg.privateKeyFile;
        peers = [
          {
            # Server public key (lazyworkhorse wg-easy)
            publicKey = "rY9zII3AOm8rog2rv02PyA3Bq7zdvTOGkZapfCV1DkE=";
            presharedKeyFile = cfg.presharedKeyFile;
            # Split-tunnel: only route the VPN subnet
            allowedIPs = [ "10.8.0.0/24" ];
            endpoint = "vpn.lazyworkhorse.net:51820";
            persistentKeepalive = 25;
          }
        ];
      };
    };
    environment.systemPackages = with pkgs; [ wireguard-tools ];
  };
 }
--- a/overlays/reticulum.nix
+++ b/overlays/reticulum.nix
@@ -0,0 +1,81 @@
 final: prev: let
  python3 = final.python3;
  pyPkgs = python3.pkgs;
 in {
  reticulumStack = python3.pkgs.buildPythonApplication rec {
    pname = "reticulum";
    version = "1.2.9";
    format = "setuptools";
    src = pyPkgs.fetchPypi {
      pname = "rns";
      inherit version;
      sha256 = "554814231c237b9caacf8df669312e57dd7d3f84b6d4810125087d1a79a75d75";
    };
    propagatedBuildInputs = with pyPkgs; [ cryptography pyserial ];
    doCheck = false;
    pythonImportsCheck = [ "RNS" ];
    meta = with final.lib; {
      description = "Self-configuring, encrypted and resilient mesh networking stack";
      homepage = "https://reticulum.network/";
      license = licenses.mit;
      platforms = platforms.linux;
    };
  };
  lxmf = python3.pkgs.buildPythonApplication rec {
    pname = "lxmf";
    version = "0.9.8";
    format = "setuptools";
    src = pyPkgs.fetchPypi {
      inherit pname version;
      sha256 = "30f39f3a975a049c12ee2cfceb3261d24cb5adec881c6821f7354464b3f3650c";
    };
    propagatedBuildInputs = [ final.reticulumStack ];
    doCheck = false;
    pythonImportsCheck = [ "LXMF" ];
    meta = with final.lib; {
      description = "Lightweight Extensible Message Format for Reticulum";
      homepage = "https://github.com/markqvist/lxmf";
      license = licenses.mit;
      platforms = platforms.linux;
    };
  };
  nomadnet = python3.pkgs.buildPythonApplication rec {
    pname = "nomadnet";
    version = "1.1.1";
    format = "setuptools";
    src = pyPkgs.fetchPypi {
      inherit pname version;
      sha256 = "fa13b64a10e75b705a58024815ab72451700aa726af96d415ba99dec28dfc40a";
    };
    propagatedBuildInputs = with pyPkgs; [ final.reticulumStack final.lxmf urwid qrcode ];
    doCheck = false;
    pythonImportsCheck = [ "nomadnet" ];
    meta = with final.lib; {
      description = "Nomad Network — resilient mesh communications platform";
      homepage = "https://github.com/markqvist/NomadNet";
      license = licenses.mit;
      platforms = platforms.linux;
    };
  };
  rnsh = python3.pkgs.buildPythonApplication rec {
    pname = "rnsh";
    version = "0.1.7";
    format = "setuptools";
    src = pyPkgs.fetchPypi {
      inherit pname version;
      sha256 = "9cb72f25abb1c6d300f8014b264184ff78f592fe88e36094938012990b797c93";
    };
    propagatedBuildInputs = [ final.reticulumStack ];
    doCheck = false;
    pythonImportsCheck = [ "rnsh" ];
    meta = with final.lib; {
      description = "Remote shell over Reticulum";
      homepage = "https://github.com/acehoss/rnsh";
      license = licenses.mit;
      platforms = platforms.linux;
    };
  };
 }
--- a/patches/0008-panel-cwu50-fix-init-seq1.patch
+++ b/patches/0008-panel-cwu50-fix-init-seq1.patch
@@ -1,19 +0,0 @@
 --- a/drivers/gpu/drm/panel/panel-cwu50.c
 +++ b/drivers/gpu/drm/panel/panel-cwu50.c
@@ -58,5 +58,8 @@
 	dcs_write_seq(0x72,0x06);
 	dcs_write_seq(0x75,0x03);
 +	/* DSI_INIT0: set 4 lanes (bits[1:0]=11) */
 +	dcs_write_seq(0x80,0x03);
 	dcs_write_seq(0xE0,0x01);
 +
 	dcs_write_seq(0x00,0x00);
 	dcs_write_seq(0x01,0x47);//VCOM0x47
@@ -721,6 +723,6 @@
 	dsi->lanes = 4;
 	dsi->format = MIPI_DSI_FMT_RGB888;
 -	dsi->mode_flags = MIPI_DSI_MODE_VIDEO | MIPI_DSI_MODE_VIDEO_BURST | MIPI_DSI_MODE_VIDEO_SYNC_PULSE;
 +	dsi->mode_flags = MIPI_DSI_MODE_VIDEO | MIPI_DSI_MODE_VIDEO_SYNC_PULSE;
 	ctx->id_gpio = devm_gpiod_get_optional(dev, "reset", GPIOD_IN);
 	if (IS_ERR(ctx->id_gpio)) {
--- a/1
+++ b/1
@@ -1 +0,0 @@
 /nix/store/z86r4awsbrc5q9qhwwi757wxixcqgn31-nixos-system-uConsole-25.11.20260608.e820eb4
--- a/1
+++ b/1
@@ -1 +0,0 @@
 /nix/store/7y7rfksqcf5smz59jjixyl56bxq50j9g-nixos-system-uConsole-25.11.20260608.e820eb4
--- a/secrets/gortium_password.age
+++ b/secrets/gortium_password.age
@@ -1,10 +0,0 @@
 -----BEGIN AGE ENCRYPTED FILE-----
 YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IEdoTUQ4QSA4MlFz
 SHFjYjJMVHRlTWNGVGI2bHQxc0xRd2tlaExlM0NFMWhlbkR2bVg0CkxxenVTaXkr
 eWxybDdCeUM0ejRvZWI4cFZCWm5VczRvZkNnT0d5Y1oyYmsKLT4gK1NmRzVtLWdy
 ZWFzZSB3UDI6TyNaCnF4Ylk0QWduaXZxRFBFbDBOZ0dxeGxiWTVCYjRtZTJBRkFC
 YU5qaytYWWI4OWl1K1FSdXNlY2JXZjkzak9tTHkKVFlCRlRqY1FVSzFmNS9yZmxF
 aEUxelUwNEpKN3VXYi9KUWN4bXFscm5oUEFOajhRZDlERWVYcFgvQQotLS0gK1JI
 VERTQjB6d1k3NDQwbjNveXBqcFk1WE96cHlaTTVkTWRMZENPamFJZwpcT1CP/KvU
 CsunvfX9RBlSSKuw4eem9N9s3JqJNj4FRQizNx6QzlE1vSME
 -----END AGE ENCRYPTED FILE-----
--- a/secrets/home_wifi.age
+++ b/secrets/home_wifi.age
@@ -1,10 +0,0 @@
 -----BEGIN AGE ENCRYPTED FILE-----
 YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IEdoTUQ4QSAycE1Y
 YmMvUWZpK2VKQVlqaHFtaERBRGROcFIyL0d6dEVRQmFxLzlqdFZNCkYxWkNIUXRZ
 V0dQOG4zY3U3Nk1JelBtY0cwUGdxaEI3dmZaVTZId04rVTQKLT4geV1cZC4wMnst
 Z3JlYXNlIDYgOG1IME1xCkQ0RGN1NU1FUWk0Y1RmamNEY0tJWmFQNGdoMkROcGVy
 aU5UYVFobVRLMVVUQ1JicUM2c0tSVzRQdEZ0VE5YamQKZUxPeVpLWDZJR0hqemdD
 cmkyUUdFZEZKZjBDNGhmNFR6bVUKLS0tIDRQUGR5RGI5UEhGNk5EQWw4dFk0R01k
 TUJWOFpleXBUajFPckFmem52cGsKHzn+QnuYLI2NEh5WWZQHrNuvVzYk+kVjsAsn
 KNS2dHjvadAopVY2Gypldf1p2RRtmgZkDHaPlNzv5Hk=
 -----END AGE ENCRYPTED FILE-----
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@@ -8,8 +8,6 @@ let
 in
 {
  "containers.env.age".publicKeys = authorizedKeys;
  "gortium_password.age".publicKeys = authorizedKeys;
  "home_wifi.age".publicKeys = authorizedKeys;
  "lazyworkhorse_host_ssh_key.age".publicKeys = authorizedKeys;
  "n8n_ssh_key.age".publicKeys = authorizedKeys;
  "openclaw_gateway_token.age".publicKeys = authorizedKeys;
--- a/users/ai-worker/ai-worker.nix
+++ b/users/ai-worker/ai-worker.nix
@@ -22,6 +22,7 @@
  #   - NO access to infra repo (no bind mount)
  #   - NO sudo access (no nh, nixos-rebuild, nixpkgs-fmt, nix)
  # WORKFLOW: SSH from Hermes container, run docker benchmarks, return and save results to /opt/data/ai-optimizer/
  services.aiWorkerAccess = true;
  # Restricted sudo for ai-worker - security checks only
  security.sudo.extraRules = [
--- a/users/gortium/gortium.nix
+++ b/users/gortium/gortium.nix
@@ -1,6 +1,4 @@
 { pkgs, inputs, config, keys, ... }: {
  home-manager.extraSpecialArgs = { inherit (config.networking) hostName; dotfiles = ../../assets/dotfiles; };
  home-manager.users.gortium = import ./home.nix;
  users.users.gortium = {
    isNormalUser = true;
    extraGroups = [ "wheel" "docker" "video" "render"];
@@ -11,8 +9,6 @@
      nh
    ];
    shell = pkgs.zsh;
    passwordFile = config.age.secrets.gortium_password.path;
    ignoreShellProgramCheck = true;
    openssh.authorizedKeys.keys = [
      keys.users.gortium.main
    ];
--- a/users/gortium/home.nix
+++ b/users/gortium/home.nix
@@ -1,65 +0,0 @@
 { pkgs, lib, config, inputs, hostName, ... }:
 let
  dotfiles = ../../assets/dotfiles;
  isUconsole = hostName == "uConsole";
 in {
  home.username = "gortium";
  home.homeDirectory = "/home/gortium";
  home.stateVersion = "23.11";
  programs.home-manager.enable = true;
  home.file = {
    # tmux
    ".tmux.conf".source = "${dotfiles}/tmux/.tmux.conf";
    # kitty
    ".config/kitty/kitty.conf".source = "${dotfiles}/kitty/.config/kitty/kitty.conf";
    # nvim
    ".config/nvim/init.lua".source = "${dotfiles}/nvim/.config/nvim/init.lua";
    # starship
    ".config/starship.toml".source = "${dotfiles}/starship/.config/starship.toml";
    # btop
    ".config/btop/btop.conf".source = "${dotfiles}/btop/.config/btop/btop.conf";
    # waybar
    ".config/waybar/style.css".source = "${dotfiles}/waybar/.config/waybar/style.css";
    ".config/waybar/config.jsonc".source = "${dotfiles}/waybar/.config/waybar/config.jsonc";
    # wofi
    ".config/wofi/style.css".source = "${dotfiles}/wofi/.config/wofi/style.css";
    ".config/wofi/config".source = "${dotfiles}/wofi/.config/wofi/config";
    # yazi
    ".config/yazi/yazi.toml".source = "${dotfiles}/yazi/.config/yazi/yazi.toml";
    # hyprland — common config
    ".config/hypr/hyprland.conf".source = "${dotfiles}/hypr/.config/hypr/hyprland.conf";
    ".config/hypr/hypridle.conf".source = "${dotfiles}/hypr/.config/hypr/hypridle.conf";
    ".config/hypr/hyprlock.conf".source = "${dotfiles}/hypr/.config/hypr/hyprlock.conf";
    ".config/hypr/hyprpaper.conf".source = "${dotfiles}/hypr/.config/hypr/hyprpaper.conf";
    ".config/hypr/mocha.conf".source = "${dotfiles}/hypr/.config/hypr/mocha.conf";
    # hyprland — host-specific monitor config
    ".config/hypr/host/monitors.conf".source =
      if isUconsole
      then "${dotfiles}/hypr/.config/hypr/hosts/uconsole.conf"
      else "${dotfiles}/hypr/.config/hypr/hosts/laptop.conf";
  };
  home.packages = with pkgs; [
    git zsh tmux starship
    neovim kitty
    btop yazi ripgrep fd fzf
  ] ++ lib.optionals (!isUconsole) [
    waybar wofi swww hyprshot
  ] ++ lib.optionals isUconsole [
    brightnessctl
  ];
  programs.zsh.enable = true;
  programs.starship.enable = true;
 }
Author	SHA1	Message	Date
Hermes	7a3885a036	rename: temp_16tb -> Poup_16T throughout - Module renamed to poup-16t-disk.nix - Option namespace: gortium.poup16t (was gortium.temp16tb) - LUKS name: poup_16t (was temp_16tb) - Mount point: /mnt/Poup_16T (was /mnt/temp_16tb) - btrbk instance: poup16t (was temp16tb) - flake.nix import and host config updated	2026-06-17 14:57:37 -04:00
Hermes	44b8121edb	feat: add btrfs + btrbk module for 16TB data disk - New module: modules/nixos/filesystem/temp-16tb-disk.nix with btrfs kernel support, btrfs-progs + btrbk, LUKS2 auto-unlock, nofail mount, btrbk daily snapshots (14d/4w/3m) - Registered in flake.nix for lazyworkhorse - Host config with commented-out enable block (fill UUID when disk reconnected)	2026-06-17 14:51:47 -04:00
Thierry Pouplier	5aca97e057	Merge pull request 'feat: add uConsole CM5 host with Reticulum mesh network support' (#61 ) from feat/uconsole-cm5-v3 into master Reviewed-on: #61	2026-06-06 13:19:19 +00:00
Hermes	a51e095717	feat: enable aarch64 cross-build on lazyworkhorse (QEMU binfmt + extra-platforms)	2026-06-06 09:16:23 -04:00
Hermes	9ebbb1c0c6	fix: bump nixos-raspberrypi to v1.20260517.0 (matches nixos-uconsole tested version)	2026-06-05 23:38:21 -04:00
Hermes	7f11da1878	fix: let nixos-raspberrypi manage kernel version (patches incompatible with linuxPackages_latest)	2026-06-05 23:33:10 -04:00
Hermes	29cc20bb04	fix: add wants=network-online.target to rnsd and kismet services to silence eval warnings	2026-06-05 22:58:09 -04:00
Hermes	1617ac9149	fix: migrate from deprecated kernelboot to kernel bootloader for nixos-raspberrypi	2026-06-05 22:57:26 -04:00
Hermes	24f15c98cd	fix: add format=setuptools to all reticulum overlay python packages	2026-06-05 22:46:54 -04:00
Hermes	bdd6d03739	fix: use mkForce for PermitRootLogin to override upstream module default	2026-06-05 22:45:59 -04:00
Hermes	a0a6663793	fix: use mkForce for PasswordAuthentication to override upstream module default	2026-06-05 22:45:30 -04:00
Hermes	b66ffadb79	fix: add missing 'keys' to uConsole module args	2026-06-05 22:43:53 -04:00
Hermes	db2bd1d157	feat: add uConsole CM5 host configuration with Reticulum mesh stack - New NixOS host 'uConsole' for ClockworkPi CM5 portable terminal - flake.nix: add nixos-uconsole and nixos-raspberrypi inputs - Imports: nixos-uconsole.nixosModules.uconsole-cm5, nixos-raspberrypi.nixosModules.raspberry-pi-5.base - Full package list: base tools, HAM radio, SDR/RF, mesh/LoRa, security tools, GPS/maps - Reticulum stack (rns 1.2.9, lxmf 0.9.8, nomadnet 1.1.1) built from PyPI via overlays/reticulum.nix - systemd services: rnsd (Reticulum daemon), kismet (Wi-Fi IDS) - Kernel modules for SDR (rtl-sdr, dvb) and USB WiFi - Follows existing host config conventions (cyt-pi as template)	2026-05-20 14:34:15 -04:00
		`@@ -1 +0,0 @@`
			`/nix/store/z86r4awsbrc5q9qhwwi757wxixcqgn31-nixos-system-uConsole-25.11.20260608.e820eb4`
		`@@ -1 +0,0 @@`
			`/nix/store/7y7rfksqcf5smz59jjixyl56bxq50j9g-nixos-system-uConsole-25.11.20260608.e820eb4`