Testing btrfs and other fixes

lib/default.nix

@@ -4,13 +4,15 @@
     system    ? "x86_64-linux", 
     username  ? "albert"
   }: {
+    # user = "deploy";
     user = "root";
+    # sshUser = "deploy";
     sshUser = "${username}";
     hostname = "${hostname}";
     sshOpts = [ "-A" "-q"];
 
     profiles = {
-      system.path = inputs.deploy-rs.lib.${system}.activate.nixos self.nixosConfigurations.${hostname};
+      system.path       = inputs.deploy-rs.lib.${system}.activate.nixos self.nixosConfigurations.${hostname};
       home-manager.path = inputs.deploy-rs.lib.${system}.activate.home-manager self.homeConfigurations."${username}@${hostname}";
       home-manager.user = "${username}";
     };

nixos/common/packages/default.nix

@@ -1,6 +1,4 @@
 { pkgs, ... }: {
-  imports = [ ./small.nix ];
-
   # List packages installed in system profile
   environment.systemPackages = with pkgs; [
     dig          # DNS utilities 

nixos/common/services/ollama.nix

@@ -1,14 +1,14 @@
 { pkgs, ... }: {
 
   environment.systemPackages = [
-    pkgs.oterm
+    pkgs.oterm # A text based client for Ollama
   ];
 
   services.ollama = {
     enable = true;
-    openFirewall = true;
+    openFirewall = false;
     loadModels = [
-      "vanilj/Phi-4"
+      "Phi4"
       "qwen2.5-coder:3b"
       "qwen2.5-coder:0.5b"
     ];

nixos/containers/bfl-rdesktop/default.nix

@@ -1,22 +0,0 @@
-{ pkgs, desktop, username, ... }: {
-  imports = [
-    ../../users/${username}
-    ../../users/jared
-    ../../common/desktops/${desktop}
-    ../../common/packages
-    ../../common/modules/fonts.nix
-    ../../common/software/cli/scripts.nix
-  ];
-
-  hardware.pulseaudio.extraModules = [ pkgs.pulseaudio-module-xrdp ];
-
-  services.xrdp = {
-    enable = true;
-    openFirewall = true;
-    audio = {
-      enable = true;
-      package = pkgs.pulseaudio-module-xrdp;
-    };
-  };
-
-}

nixos/containers/bfl-rdesktop/mounts.nix

@@ -1,15 +0,0 @@
-{
-  "/etc/nixos/git" = {
-    hostPath = "/etc/nixos/git";
-    mountPoint = "/etc/nixos/git";
-    isReadOnly = false;
-  };
-  "/home/albert/.ssh/id_ed25519" = {
-    mountPoint = "/home/albert/.ssh/id_ed25519";
-    isReadOnly = true;
-  };
-  "/home/albert/.ssh/id_ed25519.pub"  = {
-    mountPoint = "/home/albert/.ssh/id_ed25519.pub";
-    isReadOnly = true;
-  };
-}

nixos/default.nix

@@ -1,30 +1,16 @@
 { inputs, lib, hostname, username, desktop, ... }: {
   imports = [ 
     # Modules
-    inputs.disko.nixosModules.disko
-
+    ./small.nix
+    
     # Services
-    ./common/services/openssh.nix
-    ./common/services/promtail.nix
-    ./common/services/fail2ban.nix
-    ./common/services/telegraf.nix
-    ./common/services/tailscale.nix
     ./common/services/gnupg-agent.nix
     ./common/services/opensnitch.nix
 
     # Software
-    ./common/software/cli/scripts.nix
     ./common/packages
 
     # NixOS Modules
-    ./common/modules/fonts.nix           # Font Configs
-    ./common/modules/networking.nix      # Initial Networking configs
-    ./common/modules/nixos.nix           # NixOS related items
-    ./common/modules/remote-builders.nix # Add remote builders
-
-    ./users/${username}
-    ./hosts/${hostname}
-  ] ++ lib.optional (builtins.isString desktop) ./common/desktops/${desktop};
-
-  programs.fish.enable = true;
+    ./common/modules/fonts.nix
+  ];
 }

nixos/hosts/framework13/default.nix

@@ -12,15 +12,7 @@
     # ../../common/services/podman.nix
     ../../common/services/geoclue.nix
     ../../common/services/syncthing.nix
-    # ../../common/services/ollama.nix
   ];
-  # TODO:  Fix this
-  environment.variables = {
-    MOZ_ENABLE_WAYLAND = 1;
-    NIXOS_OZONE_WL = "1";
-  };
-  services.ollama.acceleration = "rocm";
-  services.ollama.package = pkgs.ollama-rocm;
 
   hardware.bluetooth.enable = true; # enables support for Bluetooth
   hardware.bluetooth.powerOnBoot = true; # powers up the default Bluetooth controller on boot

nixos/hosts/framework16/default.nix

@@ -13,10 +13,15 @@
     ../../common/services/geoclue.nix
     ../../common/services/syncthing.nix
     ../../common/services/ollama.nix
+    ../../common/services/btrbk.nix
   ];
 
-  services.ollama.acceleration = "rocm";
-  services.ollama.package = pkgs.ollama-rocm;
+    services.ollama = {
+      acceleration = "rocm";
+      package = pkgs.ollama-rocm; 
+      rocmOverrideGfx = "10.3.1";
+    };
+
 
   hardware.bluetooth.enable = true; # enables support for Bluetooth
   hardware.bluetooth.powerOnBoot = true; # powers up the default Bluetooth controller on boot

nixos/hosts/framework16/disks.nix

@@ -13,7 +13,8 @@
   services.btrfs.autoScrub.interval = "weekly";
 
   boot.resumeDevice = "/dev/mapper/ROOT";
-  # https://sawyershepherd.org/post/hibernating-to-an-encrypted-swapfile-on-btrfs-with-nixos/ 
+  # https://sawyershepherd.org/post/hibernating-to-an-encrypted-swapfile-on-btrfs-with-nixos/
+  # Also in Logseq "BTRFS Offset on NixOS for Swap"
   boot.kernelParams = [ "resume_offset=533760" ];
 
   disko.devices.disk.nvme0n1 = {

nixos/hosts/nuc-server/containers.nix

@@ -1,28 +0,0 @@
-{ lib, self, inputs, outputs, stateVersion, hmStateVersion, ... }:
-let 
-  libx = import ../../../lib { inherit lib self inputs outputs stateVersion hmStateVersion; };
-in {
-
-  containers = {
-    rdesktop = libx.mkContainer { hostname = "bfl-rdesktop"; ip = "2"; unfree = true; desktop = "gnome"; };
-  };
-
-  # Networking config
-  networking.bridges.nix-br0.interfaces = [];
-
-  # Add an IP address to the bridge interface.
-  networking.localCommands = ''ip address add 192.168.2.1/24 dev nix-br0'';
-
-  # Firewall commands allowing traffic to go in and out of the bridge interface
-  # (and to the guest LXD instance).  Also sets up the actual NAT masquerade rule.
-  networking.firewall.extraCommands = ''
-    iptables -A INPUT -i nix-br0  -j ACCEPT
-
-    # These three technically aren't needed, since by default the FORWARD and
-    # OUTPUT firewalls accept everything everything, but lets keep them in just
-    # in case.
-    iptables -A FORWARD -o nix-br0  -j ACCEPT
-    iptables -A FORWARD -i nix-br0  -j ACCEPT
-    iptables -A OUTPUT  -o nix-br0  -j ACCEPT
-  '';
-} 

nixos/hosts/nuc-server/default.nix

@@ -10,7 +10,6 @@
     ./mounts.nix
     ./cron.nix
     ./firewall.nix
-    ./containers.nix
   ];
 
   environment.systemPackages =  [

nixos/minimal.nix

@@ -1,23 +0,0 @@
-{ inputs, lib, hostname, username, desktop, ... }: {
-  imports = [ 
-    # Modules
-    inputs.disko.nixosModules.disko
-    
-    # Services
-    ./common/services/openssh.nix
-    ./common/services/fail2ban.nix
-    
-    # Software
-    ./common/packages/small.nix
-
-    # NixOS Modules
-    ./common/modules/networking.nix      # Initial Networking configs
-    ./common/services/tailscale.nix      # Generlc tailscale installation
-    ./common/modules/nixos.nix           # Common NixOS Configurations
-
-    ./users/${username}
-    ./hosts/${hostname}
-  ] ++ lib.optional (builtins.isString desktop) ./common/desktops/${desktop};
- 
-  programs.fish.enable = true;
-}

nixos/small.nix

@@ -24,4 +24,53 @@
   ] ++ lib.optional (builtins.isString desktop) ./common/desktops/${desktop};
  
   programs.fish.enable = true;
+
+  # NOTE:  This user is used to remotely build NixOS using deploy-rs
+
+  # Configure sops
+  sops = {
+    secrets."deploy/ssh_key" = {
+      sopsFile = ../secrets/secrets.yaml;
+      owner = "deploy";
+      path = "/home/deploy/.ssh/id_ed25519";
+      mode = "0600";  # Correct SSH key permissions
+    };
+  };
+
+  # Configure the user 
+  users.users.deploy = {
+    isNormalUser = true;
+    createHome = true;
+    home = "/home/deploy";
+    # Only add the minimum required groups
+    extraGroups = [ "deploy" ]; # Create a dedicated group
+    # Disable interactive login
+    shell = "/run/current-system/sw/bin/nologin";
+    openssh.authorizedKeys.keys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPyjI22cErvcrjDGkdqnnDDh/L6+5GemXL0l/sGXPuIJ deploy" ];
+  };
+
+  # Create a dedicated group
+  users.groups.deploy = {};
+
+  security.sudo = {
+    enable = true;
+    extraRules = [{
+      users = [ "deploy" ];
+      commands = [{
+        command = "/run/current-system/sw/bin/nixos-rebuild";
+        options = [ "NOPASSWD" ];
+      }];
+    }];
+  };
+  
+  # Updated tmpfiles rules with Git repository access
+  systemd.tmpfiles.rules = [
+    # Give access to the Git repository directory
+    "Z /etc/nixos/git 0750 root nixos-rebuild"
+    "z /etc/nixos/git/** 0640 root nixos-rebuild"
+
+    # Ensure Git can still operate on the repository
+    "z /etc/nixos/git/.git/** 0640 root nixos-rebuild"
+  ];
+
 }

nixos/users/jared/desktop.nix

@@ -1,11 +0,0 @@
-{ pkgs, ... }: {
-  # Steam, Vintage Story areu nfree.
-  environment.systemPackages = [
-    pkgs.signal-desktop
-
-  ];
-  
-  imports = [
-    ../../common/software/gui/firefox.nix
-  ];
-}

secrets/secrets.yaml

@@ -4,14 +4,20 @@ services:
     forgejo_token: ENC[AES256_GCM,data:vAH8v82+WI/P0HhtLDfrK66B3u2H49XA1AglfL1LthM6Dm+znBlx4QaFmNk3ag==,iv:/jqtUejqNC9f9kXdUqxl1+LaxKsjXSZdU+I0u+ssmdQ=,tag:+2oWh6sgc7R1PXYxIz3oVQ==,type:str]
 btrfs-backups:
     gotify_token: ENC[AES256_GCM,data:PP8UTJWrDKhonLxN8vEj,iv:hTGWyktK+Ce7hAd0bARztLAQDSvhWgLcKRyGqyfgVKU=,tag:2xboM6Uv8NWld89EUl2jEg==,type:str]
+btrbk:
+    ssh_key: ENC[AES256_GCM,data:HxT85XlROSSKqPOEToSmrpzc6cutWRDkLxIO8o13AENtAlqEfBtcVTe/XKKbUjx+38FkqznVuHgVxXtnWLfON0yCx2PqoWVsluPfW44QFswQdtM0dYYCFy1hK7pg0xSplIeYdNZC9VFhL+SoBYXfTHKpalPo5LwYVrtQnO9yV/PrYw07oYTEKWGVxpi0KJJ2vo4UwxONzEJJSjJU/M0haQ1mvgTU5kFS5e4cMZOy3cGpGSUOPlUDlQgUlANcK92HFZlFnRyd2r+pjYVkSeixfQ9Zq30nNoaSu1J2VZhkt1KTfAXnuGIjlByvSVE9ZF78rlZfTBmZzJEyB3N3rtWEWUOrLZx8ZCh1YIpp6VK2WNJKtW2SpCpkG0fCoKzJiBvf+GuV4P0vdBHo6/xt12CHx498XUZSP644b1vnUim+RRmDQkVnTJnjY4YilIUME8MEFMzNuGamX/IX+U+UDGYwE+/7rc1BMZyJdzQka272uj66Q+fE7f/wzgtVbtgBBkIi3pDfv3smfFU8xGQoNmGJWIy1edvDJpoxsIaZ,iv:SvcLu1ffduCYj6tEfj6cSZM9CSB9TbGXWz4CixXYnsA=,tag:enn3+zPZbDl7IfivWv82Fg==,type:str]
+    ssh_pub_key: ENC[AES256_GCM,data:Ml1yjWnnsOCe0d/iqtgDXshKn3cIrWiqhV9Vz07JKjH7kiGUB1JFMZSGu/U7iYA72DTfqJvGtT+cHzjhYVx5HcPnqTW+6e7o1tdZtpascuDr9qU65o2p,iv:KWos4jYOEWZgZAaPohbLFMg6ecytU9v9quMOrGMaeMk=,tag:jlk6JUuWOnrVJyg52tbMGQ==,type:str]
+deploy:
+    ssh_key: ENC[AES256_GCM,data:UjjdKnvDXHqJYk/n0Q8HoVTBKFbaHOZ6jaJ1IIuLdCp54RYn1AmJybciIR+/KW/Y381astJY68iLgMVrscNZ2IsI5SvdFQ6Z0fNosSsDfF1ntaT04imm++HSlKOghhZl8LtXZa+6+WcLSdCdWNVUb+xmAZh3eqTQZaR+GcqfZKQLk34ZCN3fLTiCtynQtXTON1Zng9FLVszM8G22w9RAo4PsgHCSVircH+BTKd76+YZynREScSWIm3vJrjaTTfOk0OLH1TkS/lObnHJmR9BZi3xuqRj2r16G9BqwyseIEDCMXCxiN/k0q6LAjdpzo1eleNwy9nHG/5Uu5MN3S4y65ESJlD22kk1BGT96l0cyf47Xxst1My33Gr56PT9A4Qu3AQ8mNc8s6VjQHuTF0363C2RwYv8OreRWN/kkzPKNHqXFbyQIwIJ4UsrVoZkDoggiGjXDU7CvJ3BSTXl/z8Lbh3BDEA+8kyWdDgRPAwyVs1nrwcBMOsIEFBYLDwIxYhOc/o1Y+b+jkAC5JTnA3laRji7mIZstu3UsA+FC,iv:utbR484ecLQ2Stm9aOPLr+0kHspMTmius5otq9D5fCY=,tag:vNWHrBapEMF7D8CvJDdOYA==,type:str]
+    ssh_pub_key: ENC[AES256_GCM,data:Ila55CvLNYnxxNVcLS/uzWQa707j7QjMSMGFadYbHpg4hUUXzRODhBWtusSIztrLD1euHFl8Na6M+bx84DSxcsaF0X6mexYVbtxJHF9HTdnZPZM0u+in,iv:yTDPy++YcxcVZjboh4vgAOvh+APKoBeAqtJS0ro2sWQ=,tag:SVtffDUvmyog3uQ4SaoBfA==,type:str]
 sops:
     kms: []
     gcp_kms: []
     azure_kv: []
     hc_vault: []
     age: []
-    lastmodified: "2024-12-18T22:38:53Z"
-    mac: ENC[AES256_GCM,data:Z7n4jrtHc2b8zh1Gr57QX9tdLN83x6ZwopwL8cXTmZtyTC7/e/P09QcCrxpksOYbZjsu8UPsyIYigi4M5k/jDTvTBYizI2wREa6F/L734wjpyV/mV/aQuCdkck+b1uYiORrURKPl9cN3CiDX2RKzbit5Z1NSS7MHuOL7YWGOosQ=,iv:wttgCslLasVrh18lPq73l3LmXGF94Hy5LptIxFWt/Uw=,tag:yCI/qa9ulovqJkLKpccbsw==,type:str]
+    lastmodified: "2025-01-14T20:45:34Z"
+    mac: ENC[AES256_GCM,data:KjuiBTPuq0j3FXy5qZRINYsqDoNWXOn8+MDh+QVLIDZqH3qe5iXg9r/hTlGiTOiWfnoMd4nbItcWMqGqZIFeUfBGKYWPUlMM4vxydDaXyZDbtQMGQZ6aSCqKbcO7hazFf4XAyGqKv6YA+tBRPeCXsxeFq1QLRpGoAPsY7wFeQgk=,iv:bgzBJCGcdzQvVGPW5gEha5kEksPEYcXKafyMN797i64=,tag:vnMDLJ/cX0G9TWGTdFkaXA==,type:str]
     pgp:
         - created_at: "2025-01-10T20:21:25Z"
           enc: |-