Move modules folders

2025-09-11 14:00:31 +02:00 · 2025-09-11 14:00:31 +02:00 · c1101e7b45
commit c1101e7b45
parent 914909009c
183 changed files with 327 additions and 327 deletions
--- a/nixos/basics/automatic-garbage-collection.nix
+++ b/nixos/basics/automatic-garbage-collection.nix
@ -0,0 +1,6 @@
+{
+  nix.gc = {
+    automatic = true;
+    options = "--delete-older-than 7d";
+  };
+}
--- a/nixos/basics/btrfs-scrub.nix
+++ b/nixos/basics/btrfs-scrub.nix
@ -0,0 +1,13 @@
+{ lib, config, ... }:
+let
+  inherit (builtins) mapAttrs attrValues;
+  inherit (lib) filterAttrs unique;
+  btrfsFileSystems = filterAttrs (_k: v: v.fsType == "btrfs") config.fileSystems;
+  btrfsDevices = unique (attrValues (mapAttrs (_: v: v.device) btrfsFileSystems));
+in
+{
+  services.btrfs.autoScrub = {
+    enable = btrfsDevices != [ ];
+    fileSystems = btrfsDevices;
+  };
+}
--- a/nixos/basics/default.nix
+++ b/nixos/basics/default.nix
@ -0,0 +1,16 @@
+{
+  imports = [
+    ./git.nix
+    ./automatic-garbage-collection.nix
+    ./btrfs-scrub.nix
+    ./distributed.nix
+    ./docker.nix
+    ./extended-registry.nix
+    ./fstrim.nix
+    ./fwupd.nix
+    ./remote-deploy.nix
+    # ./resolved.nix
+    ./tailscale.nix
+    # ./zerotier.nix
+  ];
+}
--- a/nixos/basics/distributed.nix
+++ b/nixos/basics/distributed.nix
@ -0,0 +1,33 @@
+{
+  # security.sudo.wheelNeedsPassword = false;
+  nix.settings = {
+    # extra-substituters = [
+    #   "https://hyprland.cachix.org"
+    #   "s3://nix-cache?endpoint=heimdall.tsn:9000&scheme=http&parallel-compression=true&want-mass-query=true&priority=35"
+    #   # "s3://nix-cache?endpoint=s3.bertof.net"
+    # ];
+
+    trusted-users = [
+      "root"
+      "@wheel"
+    ];
+
+    trusted-public-keys = [
+      "thor:yRx3HglIxjUYocp4/jAP9dPWxWBEpgP6hqj1ofEfn1A="
+      "odin:ClRXzxmDZl2Y94SG4YlWXGiJDY4L9DgZq/3OLR5+i6k="
+      "loki:HN1P2nXzIkqitl95MvjcSHxtDo7Ao+I8M8U/RqQLC5k="
+      "baldur:iP+Cg3JIcjYES9cmk+nnpd+7Po+rPlwVKqpBOAyrD64="
+      "sif:sa5OcKWpwktvnwEWmOr8Y5R6qLFT0gqW7SxBWeW4eOI="
+
+      "hyprland.cachix.org-1:a7pgxzMz7+chwVL3/pzj6jIBMioiJM7ypFP8PwtkuGc="
+    ];
+
+    secret-key-files = [ "/etc/nix/key" ];
+
+    # substituters = [
+    #   "ssh-ng://thor.local"
+    #   "ssh-ng://odin.local"
+    #   "ssh-ng://loki.local"
+    # ];
+  };
+}
--- a/nixos/basics/docker.nix
+++ b/nixos/basics/docker.nix
@ -0,0 +1 @@
+{ virtualisation.docker.autoPrune.enable = true; }
--- a/nixos/basics/extended-registry.nix
+++ b/nixos/basics/extended-registry.nix
@ -0,0 +1,48 @@
+{
+  nix.registry = {
+    agenix = {
+      from = {
+        id = "agenix";
+        type = "indirect";
+      };
+      to = {
+        type = "github";
+        owner = "ryantm";
+        repo = "agenix";
+      };
+    };
+    ragenix = {
+      from = {
+        id = "ragenix";
+        type = "indirect";
+      };
+      to = {
+        type = "github";
+        owner = "yaxitech";
+        repo = "ragenix";
+      };
+    };
+    my-templates = {
+      from = {
+        id = "my-templates";
+        type = "indirect";
+      };
+      to = {
+        type = "github";
+        owner = "bertof";
+        repo = "flake-templates";
+      };
+    };
+    tex2nix = {
+      from = {
+        id = "tex2nix";
+        type = "indirect";
+      };
+      to = {
+        type = "github";
+        owner = "Mic92";
+        repo = "tex2nix";
+      };
+    };
+  };
+}
--- a/nixos/basics/fstrim.nix
+++ b/nixos/basics/fstrim.nix
@ -0,0 +1 @@
+{ services.fstrim.enable = true; }
--- a/nixos/basics/fwupd.nix
+++ b/nixos/basics/fwupd.nix
@ -0,0 +1 @@
+{ services.fwupd.enable = true; }
--- a/nixos/basics/git.nix
+++ b/nixos/basics/git.nix
@ -0,0 +1,3 @@
+{
+  programs.git = { enable = true; lfs.enable = true; };
+}
--- a/nixos/basics/remote-deploy.nix
+++ b/nixos/basics/remote-deploy.nix
@ -0,0 +1,16 @@
+{ lib, ... }:
+{
+  services.openssh = {
+    enable = true;
+    openFirewall = true;
+    settings = {
+      KbdInteractiveAuthentication = lib.mkDefault false;
+      PermitRootLogin = lib.mkDefault "prohibit-password";
+      PasswordAuthentication = lib.mkDefault false;
+    };
+  };
+
+  users.users.root.openssh.authorizedKeys.keys = [
+    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKp1Rfb2acLM/5TDUahu+AdV/HVw+hoOTdQIeQIjV5p8"
+  ];
+}
--- a/nixos/basics/resolved.nix
+++ b/nixos/basics/resolved.nix
@ -0,0 +1,18 @@
+{
+  services.resolved = {
+    enable = true;
+    dnssec = "allow-downgrade";
+    # dnsovertls = "true";
+    fallbackDns = [
+      # CLOUDFLARE
+      "1.1.1.1"
+      "1.0.0.1"
+      "2606:4700:4700::1111"
+      "2606:4700:4700::1001"
+
+      #GOOGLE
+      "8.8.8.8"
+      "2001:4860:4860::8844"
+    ];
+  };
+}
--- a/nixos/basics/tailscale.nix
+++ b/nixos/basics/tailscale.nix
@ -0,0 +1,19 @@
+{ lib, ... }:
+let
+  hosts = import ../../hosts.nix;
+  tailscale_hosts = lib.attrsets.mapAttrs'
+    (
+      k: v: lib.attrsets.nameValuePair v [ k ]
+    )
+    hosts.tailscale.ipv4;
+in
+{
+  services.tailscale = {
+    enable = true;
+    permitCertUid = "filippoberto95@gmail.com";
+  };
+
+  networking.firewall.checkReversePath = "loose";
+
+  networking.hosts = tailscale_hosts;
+}
--- a/nixos/basics/zerotier.nix
+++ b/nixos/basics/zerotier.nix
@ -0,0 +1,16 @@
+# let
+#   hosts = import ../../hosts.nix;
+#   zerotier_hosts = lib.attrsets.mapAttrs'
+#     (
+#       k: v: lib.attrsets.nameValuePair v [ k ]
+#     )
+#     hosts.zerotier.ipv4;
+# in
+{
+  services.zerotierone = {
+    enable = true;
+    joinNetworks = [ "8056c2e21cf9c753" ];
+  };
+
+  # networking.hosts = zerotier_hosts;
+}
--- a/nixos/big_data.nix
+++ b/nixos/big_data.nix
@ -0,0 +1,326 @@
+{ config
+, lib
+, pkgs
+, modulesPath
+, ...
+}:
+let
+  # setup_script = ''
+  #   sudo mkdir -p /hdfs
+  #   sudo chown -R hdfs:hadoop /hdfs
+
+  #   for p in {nn,dn,jn,rm,nm,jhs,HTTP}; do
+  #     sudo kadmin.local -q "ank -randkey $p/my.engine";
+  #     sudo kadmin.local -q "xst -k /etc/hadoop.keytab $p/my.engine";
+  #     sudo kadmin.local -q "ktrem -k /etc/hadoop.keytab $p/my.engine old"
+  #   done
+  #   sudo chown hdfs:hadoop /etc/hadoop.keytab
+
+  #   sudo kadmin.local -q "ank -randkey spark/my.engine";
+  #   sudo kadmin.local -q "xst -k /etc/spark.keytab spark/my.engine";
+  #   sudo kadmin.local -q "ktrem -k /etc/spark.keytab spark/my.engine old"
+  #   sudo chown spark:spark /etc/spark.keytab
+  # '';
+  hadoop_keytab_path = "/etc/hadoop.keytab";
+  spark_keytab_path = "/etc/spark.keytab";
+  pysparkPackageSelector =
+    p: with p; [
+      numpy
+      pyspark
+    ];
+  pysparkEnv = pkgs.python3.withPackages pysparkPackageSelector;
+  hadoopConf = import (modulesPath + "/services/cluster/hadoop/conf.nix") {
+    inherit pkgs lib;
+    cfg = config.services.hadoop;
+  };
+  hadoopConfDir = "${hadoopConf}/";
+  spark = pkgs.spark.override { extraPythonPackages = pysparkPackageSelector pkgs.python3.pkgs; };
+  sparkConfDir = pkgs.stdenv.mkDerivation {
+    name = "spark-conf";
+    dontUnpack = true;
+    installPhase = ''
+      # source standard environment
+      . $stdenv/setup
+
+      # shorthands
+      base_conf=${pkgs.spark}/lib/${pkgs.spark.untarDir}/conf/
+
+      # create output dirs for new derivation
+      mkdir -p $out/
+
+      # link unchanged files from the original gnome-session
+      for f in $base_conf/*.template ; do
+         ln -sf $f $out/
+      done
+
+      # change selected files
+      cp $out/log4j.properties{.template,}
+
+      cat > $out/spark-env.sh <<- STOP
+      export JAVA_HOME="${pkgs.jdk8}"
+      export SPARK_HOME="${pkgs.spark}/lib/${pkgs.spark.untarDir}"
+      export SPARK_DIST_CLASSPATH=$(${pkgs.hadoop}/bin/hadoop classpath)
+      export PYSPARK_PYTHON="${pysparkEnv.outPath}/bin/${pysparkEnv.executable}"
+      export PYSPARK_DRIVER_PYTHON="${pysparkEnv.outPath}/bin/${pysparkEnv.executable}"
+      export PYTHONPATH="\$PYTHONPATH:$PYTHONPATH"
+      export HADOOP_CONF_DIR="${hadoopConfDir}"
+      export SPARKR_R_SHELL="${pkgs.R}/bin/R"
+      export PATH="\$PATH:${pkgs.R}/bin"
+      STOP
+
+      cat > $out/spark-defaults.conf <<- STOP
+      spark.eventLog.enabled  true
+      spark.eventLog.dir  hdfs://localhost:/logs/spark
+      spark.history.fs.logDirectory  hdfs://localhost:/logs/spark
+      # spark.yarn.keytab  ${spark_keytab_path}
+      # spark.yarn.principal  spark/my.engine@MY.ENGINE
+      spark.history.ui.acls.enable  true
+      spark.history.kerberos.enabled  true
+      spark.history.kerberos.keytab  ${spark_keytab_path}
+      spark.history.kerberos.principal  spark/my.engine@MY.ENGINE
+      spark.yarn.appMasterEnv.PYSPARK_PYTHON  ${pysparkEnv.outPath}/bin/${pysparkEnv.executable}
+      spark.yarn.appMasterEnv.PYTHONPATH  ${pysparkEnv.outPath}/lib/${pysparkEnv.executable}/site-packages
+      spark.executorEnv.PYSPARK_PYTHON        ${pysparkEnv.outPath}/bin/${pysparkEnv.executable}
+      STOP
+    '';
+  };
+in
+{
+
+  networking = {
+    hosts = {
+      "127.0.0.1" = [
+        "ds.my.engine"
+        "kdc.my.engine"
+        "my.engine"
+      ];
+    };
+
+  };
+
+  services = {
+    spark = {
+      package = spark;
+      master = {
+        enable = true;
+        restartIfChanged = true;
+      };
+      worker = {
+        enable = true;
+        restartIfChanged = true;
+      };
+      confDir = sparkConfDir;
+    };
+
+    hadoop = {
+      coreSite = {
+        "fs.defaultFS" = "hdfs://my.engine:8020";
+
+        # HDFS IMPERSONATION
+        "hadoop.proxyuser.hdfs.hosts" = "*";
+        "hadoop.proxyuser.hdfs.groups" = "*";
+
+        # HIVE IMPERSONATION
+        "hadoop.proxyuser.hive.hosts" = "*";
+        "hadoop.proxyuser.hive.groups" = "*";
+
+        # ENABLE AUTHENTICATION
+        "hadoop.security.authentication" = "kerberos";
+        "hadoop.security.authorization" = "true";
+        "hadoop.rpc.protection" = "privacy";
+
+        "hadoop.security.auth_to_local" = ''
+          RULE:[2:$1/$2@$0]([ndj]n/.*@MY\.ENGINE)s/.*/hdfs/
+          RULE:[2:$1/$2@$0]([rn]m/.*@MY\.ENGINE)s/.*/yarn/
+          RULE:[2:$1/$2@$0](jhs/.*@MY\.ENGINE)s/.*/mapred/
+          DEFAULT
+        '';
+      };
+      hdfsSite = {
+        # DATA
+        "dfs.namenode.name.dir" = "/hdfs/dfs/name";
+        "dfs.datanode.data.dir" = "/hdfs/dfs/data";
+        "dfs.journalnode.edits.dir" = "/hdfs/dfs/edits";
+
+        # HDFS SECURITY
+        "dfs.block.access.token.enable" = "true";
+        "dfs.cluster.administrators" = "hdfs,HTTP,bertof";
+
+        # NAME NODE SECURITY
+        "dfs.namenode.keytab.file" = hadoop_keytab_path;
+        "dfs.namenode.kerberos.principal" = "nn/my.engine@MY.ENGINE";
+        "dfs.namenode.kerberos.internal.spnego.principal" = "HTTP/my.engine@MY.ENGINE";
+
+        # SECONDARY NAME NODE SECURITY
+        "dfs.secondary.namenode.keytab.file" = hadoop_keytab_path;
+        "dfs.secondary.namenode.kerberos.principal" = "nn/my.engine@MY.ENGINE";
+        "dfs.secondary.namenode.kerberos.internal.spnego.principal" = "HTTP/my.engine@MY.ENGINE";
+
+        # DATA NODE SECURITY
+        "dfs.datanode.keytab.file" = hadoop_keytab_path;
+        "dfs.datanode.kerberos.principal" = "dn/my.engine@MY.ENGINE";
+
+        # JOURNAL NODE SECURITY
+        "dfs.journalnode.keytab.file" = hadoop_keytab_path;
+        "dfs.journalnode.kerberos.principal" = "jn/my.engine@MY.ENGINE";
+
+        # WEBHDFS SECURITY
+        "dfs.webhdfs.enabled" = "true";
+
+        # WEB AUTHENTICATION CONFIG
+        "dfs.web.authentication.kerberos.principal" = "HTTP/my.engine@MY.ENGINE";
+        "dfs.web.authentication.kerberos.keytab" = hadoop_keytab_path;
+        "ignore.secure.ports.for.testing" = "true";
+        "dfs.http.policy" = "HTTP_ONLY";
+        "dfs.data.transfer.protection" = "privacy";
+
+        # ## MULTIHOMED
+        # "dfs.namenode.rpc-bind-host" = "0.0.0.0";
+        # "dfs.namenode.servicerpc-bind-host" = "0.0.0.0";
+        # "dfs.namenode.http-bind-host" = "0.0.0.0";
+        # "dfs.namenode.https-bind-host" = "0.0.0.0";
+        # "dfs.client.use.datanode.hostname" = "true"; # force connection by hostname
+        # "dfs.datanode.use.datanode.hostname" = "true"; # force connection by hostname
+      };
+      yarnSite = {
+        "yarn.nodemanager.admin-env" = "PATH=$PATH";
+        "yarn.nodemanager.aux-services" = "mapreduce_shuffle";
+        "yarn.nodemanager.aux-services.mapreduce_shuffle.class" = "org.apache.hadoop.mapred.ShuffleHandler";
+        "yarn.nodemanager.bind-host" = "0.0.0.0";
+        "yarn.nodemanager.container-executor.class" = "org.apache.hadoop.yarn.server.nodemanager.LinuxContainerExecutor";
+        "yarn.nodemanager.env-whitelist" = "JAVA_HOME,HADOOP_COMMON_HOME,HADOOP_HDFS_HOME,HADOOP_CONF_DIR,CLASSPATH_PREPEND_DISTCACHE,HADOOP_YARN_HOME,HADOOP_HOME,LANG,TZ";
+        "yarn.nodemanager.linux-container-executor.group" = "hadoop";
+        "yarn.nodemanager.linux-container-executor.path" = "/run/wrappers/yarn-nodemanager/bin/container-executor";
+        "yarn.nodemanager.log-dirs" = "/var/log/hadoop/yarn/nodemanager";
+        "yarn.resourcemanager.bind-host" = "0.0.0.0";
+        "yarn.resourcemanager.scheduler.class" = "org.apache.hadoop.yarn.server.resourcemanager.scheduler.fifo.FifoScheduler";
+
+        "yarn.resourcemanager.keytab" = hadoop_keytab_path;
+        "yarn.resourcemanager.principal" = "rm/my.engine@MY.ENGINE";
+        "yarn.nodemanager.keytab" = hadoop_keytab_path;
+        "yarn.nodemanager.principal" = "nm/my.engine@MY.ENGINE";
+
+        # "yarn.nodemanager.container-executor.class" = "org.apache.hadoop.yarn.server.nodemanager.LinuxContainerExecutor";
+
+        "yarn.scheduler.capacity.root.queues" = "default";
+        "yarn.scheduler.capacity.root.default.capacity" = 100;
+        # "yarn.scheduler.capacity.root.default.state" = "RUNNING";
+        "yarn.scheduler.capacity.root.acl_submit_applications" = "hadoop,yarn,mapred,hdfs";
+      };
+      httpfsSite = {
+        "kerberos.realm" = "MY.ENGINE";
+        "httpfs.authentication.type" = "kerberos";
+        "httpfs.authentication.kerberos.principal  " = "HTTP/my.engine@MY.ENGINE";
+        "httpfs.authentication.kerberos.keytab" = hadoop_keytab_path;
+        "httpfs.hadoop.kerberos.principal  " = "HTTP/my.engine@MY.ENGINE";
+        "httpfs.hadoop.kerberos.keytab" = hadoop_keytab_path;
+      };
+      extraConfDirs = [ ];
+
+      hdfs = {
+        namenode = {
+          enable = true;
+          formatOnInit = true;
+          restartIfChanged = true;
+        };
+        datanode = {
+          enable = true;
+          restartIfChanged = true;
+        };
+        journalnode = {
+          enable = true;
+          restartIfChanged = true;
+        };
+        zkfc = {
+          enable = false;
+          restartIfChanged = true;
+        }; # ZOOKEEPER DISABLED, not using High Availability setup
+        httpfs = {
+          enable = true;
+          restartIfChanged = true;
+        };
+      };
+      yarn = {
+        resourcemanager = {
+          enable = true;
+          restartIfChanged = true;
+        };
+        nodemanager = {
+          enable = true;
+          restartIfChanged = true;
+          useCGroups = false;
+        };
+      };
+    };
+
+    kerberos_server = {
+      enable = true;
+      realms."MY.ENGINE".acl = [
+        {
+          principal = "*/admin";
+          access = "all";
+        }
+        {
+          principal = "*/my.engine";
+          access = "all";
+        }
+      ];
+    };
+  };
+
+  krb5 = {
+    enable = true;
+    realms = {
+      "MY.ENGINE" = {
+        admin_server = "kdc.my.engine";
+        kdc = "kdc.my.engine";
+        # default_domain = "my.engine";
+        # kpasswd_server = "odin";
+      };
+    };
+    domain_realm = {
+      # ".my.engine" = "MY.ENGINE";
+      "my.engine" = "MY.ENGINE";
+    };
+    libdefaults = {
+      default_realm = "MY.ENGINE";
+      dns_lookup_realm = true;
+      dns_lookup_kdc = true;
+      ticket_lifetime = "24h";
+      renew_lifetime = "7d";
+      forwardable = true;
+    };
+    extraConfig = ''
+      [logging]
+        default = FILE:/var/log/krb5libs.log
+        kdc = FILE:/var/log/krb5kdc.log
+        admin_server = FILE:/var/log/kadmind.log
+    '';
+  };
+
+  users.users.bertof.extraGroups = [ "hadoop" ];
+
+  systemd.services.spark-history = {
+    path = builtins.attrValues { inherit (pkgs) procps openssh nettools; };
+    description = "spark history service.";
+    after = [ "network.target" ];
+    wantedBy = [ "multi-user.target" ];
+    restartIfChanged = true;
+    environment = {
+      SPARK_CONF_DIR = sparkConfDir;
+      SPARK_LOG_DIR = "/var/log/spark";
+    };
+    serviceConfig = {
+      Type = "forking";
+      User = "spark";
+      Group = "spark";
+      WorkingDirectory = "${pkgs.spark}/lib/${pkgs.spark.untarDir}";
+      ExecStart = "${pkgs.spark}/lib/${pkgs.spark.untarDir}/sbin/start-history-server.sh";
+      ExecStop = "${pkgs.spark}/lib/${pkgs.spark.untarDir}/sbin/stop-history-server.sh";
+      TimeoutSec = 300;
+      StartLimitBurst = 10;
+      Restart = "always";
+    };
+  };
+
+}
--- a/nixos/cuda_support.nix
+++ b/nixos/cuda_support.nix
@ -0,0 +1 @@
+{ nixpkgs.config.cudaSupport = true; }
--- a/nixos/defcon.nix
+++ b/nixos/defcon.nix
@ -0,0 +1,24 @@
+{
+  networking.hosts = {
+    "54.176.11.243" = [ "vpn.mhackeroni.it" ];
+    "10.100.0.50" = [
+      "master.cb.cloud.mhackeroni.it"
+      "bartender.cb.cloud.mhackeroni.it"
+      "grafana.cb.cloud.mhackeroni.it"
+      "menu.cb.cloud.mhackeroni.it"
+      "maitre.cb.cloud.mhackeroni.it"
+      "accountant.cb.cloud.mhackeroni.it"
+    ];
+    "10.100.0.150" = [
+      "flowgui.cloud.mhackeroni.it"
+      "smb.cloud.mhackeroni.it"
+    ];
+    "10.100.0.200" = [ "tunniceddu.cloud.mhackeroni.it" ];
+    "10.100.0.250" = [ "rev.cloud.mhackeroni.it" ];
+    "10.100.0.66" = [ "attackerbackup.cloud.mhackeroni.it" ];
+    "192.168.128.1" = [
+      "smb.hotel.mhackeroni.it"
+      "rev.hotel.mhackeroni.it"
+    ];
+  };
+}
--- a/nixos/digitalocean.nix
+++ b/nixos/digitalocean.nix
@ -0,0 +1 @@
+{ services.do-agent.enable = true; }
--- a/nixos/dnsmasq.nix
+++ b/nixos/dnsmasq.nix
@ -0,0 +1,26 @@
+let
+  blocklist = builtins.fetchurl {
+    sha256 = "sha256:16xcx2z8ziv2fbqhr4ajayxblcs4i1ckrwnf50iina9asgia18za";
+    url = "https://github.com/notracking/hosts-blocklists/raw/master/dnsmasq/dnsmasq.blacklist.txt";
+  };
+in
+{
+  networking.firewall.allowedTCPPorts = [ 53 ];
+  networking.firewall.allowedUDPPorts = [ 53 ];
+
+  services.dnsmasq = {
+    enable = true;
+    servers = [
+      "1.1.1.1"
+      "8.8.8.8"
+      "8.8.4.4"
+    ];
+    extraConfig = ''
+      cache-size=10000
+      log-queries
+      local-ttl=300
+
+      conf-file=${blocklist}
+    '';
+  };
+}
--- a/nixos/garage.nix
+++ b/nixos/garage.nix
@ -0,0 +1,55 @@
+{ pkgs, lib, config, ... }: {
+  users.groups.garage = { };
+  users.users.garage = { isSystemUser = true; group = "garage"; };
+  age.secrets.garage_rpc_secret = {
+    file = ../secrets/garage_rpc_secret.age;
+    owner = "garage";
+  };
+
+  networking.firewall.allowedTCPPorts = [
+    3900
+    3901
+  ];
+
+  # Not correctly passing mount bindings
+  systemd.services.garage.serviceConfig = {
+    ProtectHome = lib.mkForce false;
+    DynamicUser = false;
+  };
+
+  services.garage = {
+    enable = true;
+    package = pkgs.garage_2;
+    settings = {
+      data_dir = "/mnt/raid/garage/";
+      replication_factor = 1;
+      rpc_secret_file = config.age.secrets.garage_rpc_secret.path;
+      rpc_bind_addr = "0.0.0.0:3901";
+      bootstrap_peers = [ ];
+
+      rpc_public_addr = "heimdall.tsn:3901";
+
+      s3_api = {
+        api_bind_addr = "0.0.0.0:3900";
+        s3_region = "garage";
+        root_domain = ".s3.bertof.net";
+      };
+
+      s3_web = {
+        bind_addr = "0.0.0.0:3902";
+        root_domain = ".web.bertof.net";
+      };
+
+      # k2v_api = {
+      #   api_bind_addr = "[::]:3904";
+      # };
+
+      admin = {
+        api_bind_addr = "0.0.0.0:3903";
+        # metrics_token = "72ad105afc44f30c189b2505f5583d3ea9be26a3e0a4730d48381b1ae4b70074";
+        # admin_token = "05bf164fe1ce3ecc1dff8fb1e5b237331d24b109792be714738fa92b2d14213d";
+        # trace_sink = "http://localhost:4317";
+      };
+    };
+  };
+}
--- a/nixos/hyprland.nix
+++ b/nixos/hyprland.nix
@ -0,0 +1,27 @@
+{ config, ... }:
+{
+  programs.hyprland = {
+    enable = true;
+    # enableNvidiaPatches = builtins.elem "nvidia" config.services.xserver.videoDrivers; # removed in 24.x
+    xwayland.enable = true;
+  };
+
+  environment.sessionVariables = {
+    WLR_NO_HARDWARE_CURSORS = "1";
+    NIXOS_OZONE_WL = "1";
+  };
+
+  hardware = {
+    graphics.enable = true;
+    nvidia.modesetting.enable = builtins.elem "nvidia" config.services.xserver.videoDrivers;
+  };
+
+  services.pipewire.wireplumber.enable = true;
+  security.pam.services.hyprlock = { };
+
+  security.pam.services.swaylock = {
+    text = ''
+      auth include login
+    '';
+  };
+}
--- a/nixos/immich.nix
+++ b/nixos/immich.nix
@ -0,0 +1,13 @@
+{
+  services = {
+    immich = {
+      enable = true;
+      accelerationDevices = [ "/dev/dri/renderD128" ];
+      redis.enable = true;
+      openFirewall = true;
+      host = "::";
+    };
+    # immich-public-proxy = { enable = true; openFirewall = true; immichUrl = "http://localhost:2283"; };
+  };
+  users.users.immich.extraGroups = [ "video" "render" ];
+}
--- a/nixos/installer.nix
+++ b/nixos/installer.nix
@ -0,0 +1,14 @@
+{ config, ... }: {
+  services.openssh = {
+    enable = true;
+    openFirewall = true;
+    settings = {
+      # PermitRootLogin = "prohibit-password";
+      PasswordAuthentication = false;
+    };
+  };
+
+  users.users.root.openssh.authorizedKeys.keys = config.users.users.bertof.openssh.authorizedKeys.keys;
+
+  system.stateVersion = "22.11";
+}
--- a/nixos/ip_forwarding.nix
+++ b/nixos/ip_forwarding.nix
@ -0,0 +1,6 @@
+{
+  boot.kernel.sysctl = {
+    "net.ipv4.ip_forward" = true;
+    "net.ipv6.conf.all.forwarding" = true;
+  };
+}
--- a/nixos/k3s.nix
+++ b/nixos/k3s.nix
@ -0,0 +1,17 @@
+{
+  services.k3s = {
+    enable = true;
+  };
+
+  networking.firewall = {
+    allowedTCPPorts = [
+      6443 # Kubernetes API
+    ];
+    allowedTCPPortRanges = [
+      {
+        from = 9000;
+        to = 15000;
+      }
+    ];
+  };
+}
--- a/nixos/kavita.nix
+++ b/nixos/kavita.nix
@ -0,0 +1,17 @@
+{ lib, config, ... }:
+{
+
+  age.secrets.kavita_token = {
+    file = ../secrets/kavita_token.age;
+    owner = "kavita";
+  };
+
+  services.kavita = {
+    enable = true;
+    tokenKeyFile = config.age.secrets.kavita_token.path;
+  };
+
+  networking.firewall.allowedTCPPorts = lib.optionals config.services.kavita.enable [
+    config.services.kavita.port
+  ];
+}
--- a/nixos/kdeconnect.nix
+++ b/nixos/kdeconnect.nix
@ -0,0 +1,7 @@
+{
+  # networking.firewall = {
+  #   allowedTCPPortRanges = [{ from = 1714; to = 1764; }];
+  #   allowedUDPPortRanges = [{ from = 1714; to = 1764; }];
+  # };
+  programs.kdeconnect.enable = true;
+}
--- a/nixos/mind.nix
+++ b/nixos/mind.nix
@ -0,0 +1,18 @@
+{
+  services.postgresql = {
+    enable = true;
+    ensureDatabases = [ "mfh" ];
+    ensureUsers = [
+      {
+        name = "bertof";
+        ensurePermissions = {
+          "DATABASE \"mfh\"" = "ALL PRIVILEGES";
+        };
+      }
+    ];
+  };
+
+  services.apache-kafka = {
+    enable = true;
+  };
+}
--- a/nixos/minio_local.nix
+++ b/nixos/minio_local.nix
@ -0,0 +1,13 @@
+{ config, ... }:
+{
+  age.secrets.minio = {
+    file = ../secrets/minio.age;
+    owner = "minio";
+  };
+
+  services.minio = {
+    enable = true;
+    rootCredentialsFile = config.age.secrets.minio.path;
+  };
+}
+
--- a/nixos/minio_server.nix
+++ b/nixos/minio_server.nix
@ -0,0 +1,16 @@
+{ config, ... }:
+{
+  age.secrets.minio = {
+    file = ../secrets/minio.age;
+    owner = "minio";
+  };
+
+  services.minio = {
+    enable = true;
+    dataDir = [
+      # "/var/lib/minio/data"
+      "/mnt/raid/minio/data/"
+    ];
+    rootCredentialsFile = config.age.secrets.minio.path;
+  };
+}
--- a/nixos/musa.nix
+++ b/nixos/musa.nix
@ -0,0 +1,21 @@
+{
+  networking.extraHosts = ''
+    172.20.28.150 airflow.musa.sesar.di.unimi.it
+    172.20.28.150 conjur.musa.sesar.di.unimi.it
+    172.20.28.150 harbor.musa.sesar.di.unimi.it
+    172.20.28.150 httpfs.musa.sesar.di.unimi.it
+    172.20.28.150 jupyterhub.musa.sesar.di.unimi.it
+    172.20.28.150 kerberos.musa.sesar.di.unimi.it
+    172.20.28.150 keycloak.musa.sesar.di.unimi.it
+    172.20.28.150 livy.musa.sesar.di.unimi.it
+    172.20.28.150 oauth2-proxy.musa.sesar.di.unimi.it
+    172.20.28.150 opensearch-dashboards.musa.sesar.di.unimi.it
+    172.20.28.150 opensearch.musa.sesar.di.unimi.it
+    172.20.28.150 phpldapadmin.musa.sesar.di.unimi.it
+    172.20.28.150 rancher.musa.sesar.di.unimi.it
+    172.20.28.150 ranger.musa.sesar.di.unimi.it
+    172.20.28.150 recon.musa.sesar.di.unimi.it
+    172.20.28.150 spark-history.musa.sesar.di.unimi.it
+    172.20.28.150 trino.musa.sesar.di.unimi.it
+  '';
+}
--- a/nixos/nextcloud.nix
+++ b/nixos/nextcloud.nix
@ -0,0 +1,91 @@
+{ pkgs, config, ... }:
+let
+  hosts = import ../hosts.nix;
+in
+{
+
+  age.secrets = {
+    nextcloud_admin_secret = {
+      file = ../secrets/nextcloud_admin_secret.age;
+      owner = "nextcloud";
+      group = "nextcloud";
+    };
+    nextcloud_bucket_secret = {
+      file = ../secrets/nextcloud_bucket_secret.age;
+      owner = "nextcloud";
+      group = "nextcloud";
+    };
+  };
+
+  # services.nginx.virtualHosts.${config.services.nextcloud.hostName} = {
+  #   enableACME = true;
+  #   forceSSL = true;
+  # };
+
+  services.nextcloud = {
+    enable = true;
+    package = pkgs.nextcloud31;
+
+    hostName = "my-nextcloud.bertof.net";
+    maxUploadSize = "24G";
+    caching.apcu = true;
+
+    database.createLocally = true;
+
+    extraApps = {
+      inherit (config.services.nextcloud.package.packages.apps)
+        contacts
+        calendar
+        notes
+        # maps
+        # memories
+        tasks
+        # richdocuments
+        ;
+    };
+    appstoreEnable = true;
+    autoUpdateApps.enable = true;
+    settings = {
+
+      enabledPreviewProviders = [
+        "OC\\Preview\\BMP"
+        "OC\\Preview\\GIF"
+        "OC\\Preview\\JPEG"
+        "OC\\Preview\\Krita"
+        "OC\\Preview\\MarkDown"
+        "OC\\Preview\\MP3"
+        "OC\\Preview\\OpenDocument"
+        "OC\\Preview\\PNG"
+        "OC\\Preview\\TXT"
+        "OC\\Preview\\XBitmap"
+        "OC\\Preview\\HEIC" # Enable preview of HEIC/HEIF images (others are default)
+        "OC\\Preview\\EMF"
+      ];
+      trusted_proxies = [
+        hosts.tailscale.ipv4."baldur.tsn"
+        hosts.tailscale.ipv6."baldur.tsn"
+      ];
+      trusted_domains = [ "heimdall.tsn" ];
+      # overwriteprotocol = "http";
+    };
+    config = {
+      dbtype = "pgsql";
+      # extraTrustedDomains = [ "freya.tsn" ];
+      adminpassFile = config.age.secrets.nextcloud_admin_secret.path;
+      objectstore.s3 = {
+        enable = true;
+        bucket = "nextcloud";
+        verify_bucket_exists = true;
+        key = "eHYd9AS6TLHlACBX2fC7";
+        secretFile = config.age.secrets.nextcloud_bucket_secret.path;
+        hostname = "localhost";
+        port = 9000;
+        useSsl = false;
+        region = "us-east-1";
+        usePathStyle = true;
+      };
+    };
+  };
+
+  networking.firewall.allowedTCPPorts = [ 80 ];
+}
--- a/nixos/ntfy.nix
+++ b/nixos/ntfy.nix
@ -0,0 +1,16 @@
+let
+  port = 7080;
+in
+{
+  services.ntfy-sh = {
+    enable = true;
+    settings = {
+      listen-http = ":${toString port}";
+      base-url = "https://ntfy.bertof.net";
+      behind-proxy = true;
+      auth-default-access = "deny-all";
+    };
+  };
+
+  networking.firewall.allowedTCPPorts = [ port ];
+}
--- a/nixos/ollama.nix
+++ b/nixos/ollama.nix
@ -0,0 +1,3 @@
+{
+  services.ollama.enable = true;
+}
--- a/nixos/pentablet.nix
+++ b/nixos/pentablet.nix
@ -0,0 +1,30 @@
+{ pkgs, ... }:
+
+let
+  drivers = pkgs.xp-pen-deco-01-v2-driver.overrideAttrs (_o: rec {
+    version = "3.2.3.230215-1";
+    src = pkgs.fetchzip {
+      urls = [
+        "https://download01.xp-pen.com/file/2023/03/XPPen-pentablet-${version}.x86_64.tar.gz"
+        "https://web.archive.org/web/20230424112207/https://download01.xp-pen.com/file/2023/03/XPPen-pentablet-${version}.x86_64.tar.gz"
+      ];
+      name = "xp-pen-deco-01-v2-driver-${version}.tar.gz";
+      sha256 = "sha256-CV4ZaGCFFcfy2J0O8leYgcyzFVwJQFQJsShOv9B7jfI=";
+    };
+  });
+in
+{
+  # udev rules
+  services.udev.extraRules = ''
+    KERNEL=="uinput",MODE:="0666",OPTIONS+="static_node=uinput"
+    SUBSYSTEMS=="usb",ATTRS{idVendor}=="28bd",MODE:="0666"
+  '';
+
+  # XP-Pen tablet driver
+  environment.systemPackages = [ drivers ];
+
+  # hardware.opentabletdriver = {
+  #   enable = true;
+  #   daemon.enable = true;
+  # };
+}
--- a/nixos/plasma6.nix
+++ b/nixos/plasma6.nix
@ -0,0 +1,13 @@
+{ pkgs, ... }: {
+  environment.plasma6.excludePackages = with pkgs.kdePackages; [
+    elisa
+    konsole
+    kate
+    spectacle
+  ];
+
+  services.desktopManager.plasma6 = {
+    enable = true;
+    enableQt5Integration = true;
+  };
+}
--- a/nixos/plymouth.nix
+++ b/nixos/plymouth.nix
@ -0,0 +1,19 @@
+{
+  boot.plymouth = {
+    enable = true;
+  };
+  boot = {
+    consoleLogLevel = 0;
+    initrd.verbose = false;
+    kernelParams = [
+      "quiet"
+      "splash"
+      "boot.shell_on_fail"
+      "loglevel=3"
+      "rd.systemd.show_status=false"
+      "rd.udev.log_level=3"
+      "udev.log_priority=3"
+    ];
+    loader.timeout = 0;
+  };
+}
--- a/nixos/pro_audio.nix
+++ b/nixos/pro_audio.nix
@ -0,0 +1,81 @@
+{
+  boot = {
+    # kernelModules = [ "snd-seq" "snd-rawmidi" ];
+    # kernel.sysctl = { "vm.swappiness" = 10; "fs.inotify.max_user_watches" = 524288; };
+    # kernelParams = [ "threadirq" ];
+
+    # kernelPatches = lib.singleton {
+    #   name = "pro_audio";
+    #   patch = null;
+    #   extraConfig = ''
+    #     PREEMPT_RT y
+    #     PREEMPT y
+    #     IOSCHED_DEADLINE y
+    #     DEFAULT_DEADLINE y
+    #     DEFAULT_IOSCHED "deadline"
+    #     HPET_TIMER y
+    #     CPU_FREQ n
+    #     TREE_RCU_TRACE n
+    #   '';
+    # };
+
+    # postBootCommands = ''
+    #   echo 2048 > /sys/class/rtc/rtc0/max_user_freq
+    #   echo 2048 > /proc/sys/dev/hpet/max-user-freq
+    #   # setpci -v -d *:* latency_timer=b0
+    #   # setpci -v -s $00:1b.0 latency_timer=ff
+    # '';
+    # The SOUND_CARD_PCI_ID can be obtained like so:
+    # $ lspci ¦ grep -i audio
+  };
+
+  # powerManagement.cpuFreqGovernor = "performance";
+
+  # fileSystems."/" = { options = "noatime errors=remount-ro"; };
+
+  security.pam.loginLimits = [
+    {
+      domain = "@audio";
+      item = "memlock";
+      type = "-";
+      value = "unlimited";
+    }
+    {
+      domain = "@audio";
+      item = "rtprio";
+      type = "-";
+      value = "99";
+    }
+    {
+      domain = "@audio";
+      item = "nofile";
+      type = "soft";
+      value = "99999";
+    }
+    {
+      domain = "@audio";
+      item = "nofile";
+      type = "hard";
+      value = "524288";
+    }
+  ];
+
+  # services = {
+  #   udev = {
+  #     packages = [ pkgs.ffado ]; # If you have a FireWire audio interface
+  #     extraRules = ''
+  #       KERNEL=="rtc0", GROUP="audio"
+  #       KERNEL=="hpet", GROUP="audio"
+  #     '';
+  #   };
+  #   cron.enable = false;
+  # };
+
+  # environment.shellInit = ''
+  #   export VST_PATH=/nix/var/nix/profiles/default/lib/vst:/var/run/current-system/sw/lib/vst:~/.vst
+  #   export LXVST_PATH=/nix/var/nix/profiles/default/lib/lxvst:/var/run/current-system/sw/lib/lxvst:~/.lxvst
+  #   export LADSPA_PATH=/nix/var/nix/profiles/default/lib/ladspa:/var/run/current-system/sw/lib/ladspa:~/.ladspa
+  #   export LV2_PATH=/nix/var/nix/profiles/default/lib/lv2:/var/run/current-system/sw/lib/lv2:~/.lv2
+  #   export DSSI_PATH=/nix/var/nix/profiles/default/lib/dssi:/var/run/current-system/sw/lib/dssi:~/.dssi
+  # '';
+}
--- a/nixos/rice.nix
+++ b/nixos/rice.nix
@ -0,0 +1,65 @@
+{ pkgs, config, lib, ... }:
+with config.nix-rice.lib;
+let
+  theme = kitty-themes.getThemeByName "Carbonfox";
+  inherit (config.nix-rice) rice;
+in
+{
+  nix-rice.config = {
+    colorPalette = rec {
+      normal = palette.defaultPalette // {
+        black = theme.color0;
+        red = theme.color1;
+        green = theme.color2;
+        yellow = theme.color3;
+        blue = theme.color4;
+        magenta = theme.color5;
+        cyan = theme.color6;
+        white = theme.color7;
+      };
+      bright = palette.brighten 10 normal // {
+        black = theme.color8;
+        red = theme.color9;
+        green = theme.color10;
+        yellow = theme.color11;
+        blue = theme.color12;
+        magenta = theme.color13;
+        cyan = theme.color14;
+        white = theme.color15;
+      };
+      dark = palette.darken 10 normal;
+      primary = {
+        inherit (theme) background foreground;
+        bright_foreground = color.brighten 10 theme.foreground;
+        dim_foreground = color.darken 10 theme.foreground;
+      };
+    } // theme;
+    font = {
+      normal = {
+        name = "Cantarell";
+        fc = "Cantarell";
+        package = pkgs.cantarell-fonts;
+        size = 10;
+      };
+      monospace = {
+        name = "CaskaydiaCove Nerd Font";
+        fc = "CaskaydiaMono NF";
+        package = pkgs.nerd-fonts.caskaydia-mono or (pkgs.nerdfonts.override { fonts = [ "CascadiaCode" ]; });
+        # package = pkgs.nerdfonts.override { fonts = [ "CascadiaCode" ]; };
+        # name = "FiraCode Nerd Font Mono";
+        # package = pkgs.nerdfonts.override { fonts = [ "FiraCode" ]; };
+        size = 10;
+      };
+    };
+    opacity = 0.95;
+  };
+
+  nixpkgs.overlays = lib.mkAfter [
+    (_self: super: {
+      wl-lockscreen = super.wl-lockscreen.override {
+        strPalette = palette.toRgbaShortHex rice.colorPalette;
+        font = rice.font.normal;
+      };
+    })
+  ];
+}
--- a/nixos/s3_cache_read.nix
+++ b/nixos/s3_cache_read.nix
@ -0,0 +1,4 @@
+{ config, ... }: {
+  age.secrets.s3_cache_read.file = ../secrets/s3_cache_read.age;
+  systemd.services.nix-daemon.serviceConfig.EnvironmentFile = config.age.secrets.s3_cache_read.path;
+}
--- a/nixos/s3_cache_write.nix
+++ b/nixos/s3_cache_write.nix
@ -0,0 +1,5 @@
+{ config, lib, ... }: {
+  age.secrets.s3_cache_write.file = ../secrets/s3_cache_write.age;
+  systemd.services.nix-daemon.serviceConfig.EnvironmentFile = lib.mkForce config.age.secrets.s3_cache_write.path;
+}
+
--- a/nixos/server/automatic-upgrade.nix
+++ b/nixos/server/automatic-upgrade.nix
@ -0,0 +1,10 @@
+{
+  system.autoUpgrade = {
+    enable = true;
+    flake = "gitlab:bertof/nix-dotfiles";
+    # dates = "daily"; # default 04:04
+    randomizedDelaySec = "45min";
+    # flags = [ "--refresh" ];
+    # rebootWindow = { upper = "06:00"; lower = "02:00"; };
+  };
+}
--- a/nixos/server/default.nix
+++ b/nixos/server/default.nix
@ -0,0 +1 @@
+{ imports = [ ./automatic-upgrade.nix ]; }
--- a/nixos/steam.nix
+++ b/nixos/steam.nix
@ -0,0 +1,44 @@
+{ pkgs, ... }: {
+  programs.steam = {
+    enable = true;
+
+    package = pkgs.steam.override {
+      # extraLibraries = pkgs: with pkgs; [
+      #   dconf.lib
+      #   gnome.gvfs
+      #   # icu
+      #   # libdrm
+      # ];
+      # extraPkgs = pkgs: with pkgs; [
+      #   # icu
+      # ];
+      # extraProfile = ''
+      #   export GSETTINGS_SCHEMA_DIR="${pkgs.gsettings-desktop-schemas}/share/gsettings-schemas/${pkgs.gsettings-desktop-schemas.name}/glib-2.0/schemas/"
+      # '';
+    };
+    extraPackages = [
+      pkgs.gamescope
+    ];
+    extraCompatPackages = [
+      pkgs.proton-ge-bin
+    ];
+    remotePlay.openFirewall = true;
+    extest.enable = true;
+  };
+
+  fonts.packages = [
+    pkgs.liberation_ttf
+    pkgs.wqy_zenhei
+  ];
+
+  # networking.firewall = {
+  #   allowedTCPPorts = [
+  #     27036
+  #     27037
+  #   ];
+  #   allowedUDPPorts = [
+  #     27031
+  #     27036
+  #   ];
+  # };
+}
--- a/nixos/torrentbox.nix
+++ b/nixos/torrentbox.nix
@ -0,0 +1,31 @@
+{ pkgs, ... }: {
+  services = {
+    bazarr = { enable = true; openFirewall = true; group = "users"; };
+    # jellyseerr = { enable = true; openFirewall = true; };
+    lidarr = { enable = true; openFirewall = true; group = "users"; };
+    ombi = { enable = true; openFirewall = true; };
+    prowlarr = { enable = true; openFirewall = true; };
+    radarr = { enable = true; openFirewall = true; group = "users"; };
+    readarr = { enable = true; openFirewall = true; group = "users"; };
+    sonarr = { enable = true; openFirewall = true; group = "users"; };
+
+    transmission = {
+      enable = true;
+      openFirewall = true;
+      group = "users";
+      package = pkgs.transmission_4;
+      settings.download-dir = "/mnt/raid/condiviso/Torrent";
+    };
+  };
+
+  systemd.services = {
+    bazarr.serviceConfig = { MemoryHigh = "600M"; MemoryMax = "2G"; };
+    lidarr.serviceConfig = { MemoryHigh = "600M"; MemoryMax = "2G"; };
+    ombi.serviceConfig = { MemoryHigh = "400M"; MemoryMax = "1G"; };
+    prowlarr.serviceConfig = { MemoryHigh = "600M"; MemoryMax = "2G"; };
+    radarr.serviceConfig = { MemoryHigh = "600M"; MemoryMax = "2G"; };
+    readarr.serviceConfig = { MemoryHigh = "600M"; MemoryMax = "2G"; };
+    sonarr.serviceConfig = { MemoryHigh = "600M"; MemoryMax = "2G"; };
+    transmission.serviceConfig = { MemoryHigh = "400M"; MemoryMax = "1G"; };
+  };
+}
--- a/nixos/users/bertof.nix
+++ b/nixos/users/bertof.nix
@ -0,0 +1,31 @@
+{ pkgs, ... }: {
+  users.users.bertof = {
+    isNormalUser = true;
+    shell = pkgs.zsh;
+    extraGroups = [
+      "audio"
+      "dialout"
+      "docker"
+      "flashrom"
+      "input"
+      "kvm"
+      "libvirtd"
+      "network"
+      "networkmanager"
+      "tss"
+      "usb"
+      "video"
+      "wheel"
+    ];
+    openssh.authorizedKeys.keys = [
+      # "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC3W3Btk1qtLHU69aFwseDuKU6PJMA+NxVXJXiRNhDce bertof@odin"
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO7mcf8fbMo1eXqSJeVFWaweB+JOU+67dFuf8laZKZZG bertof@thor"
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKT+D5QE4TkgoKw5IvSYpvnvIIRM87RBePHce1Aaz3xJ bertof@thor"
+      # "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKbG791lSOl8Rqoy+KkdKiOJnOMRg02+HZ/VrlrWMYAX bertof@baldur"
+      # "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFviqAN0S+wZ5BQRpWpmsrkduPox3L4C7iLlCOQk7+pE bertof@loki"
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFWnGoScIwOUQurZx8j0Y18nxdUJ3/gNyP5vleKkS/00 bertof@sif"
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKobKuuJCoQ7gj/NeE57wfSg/Qs4X3osw9xXook3PMAP bertof@extra"
+    ];
+  };
+  programs.zsh.enable = true;
+}
--- a/nixos/users/tiziano.nix
+++ b/nixos/users/tiziano.nix
@ -0,0 +1,10 @@
+{
+  users.users.tiziano = {
+    isNormalUser = true;
+    extraGroups = [ ];
+    openssh.authorizedKeys.keys = [
+      # "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDUZQHsId/If3Gyp3ReUixOHTISHHKR8qIyZw3cg6NXr tiziano@loki"
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBizLl/vBLgRpQiGCr2U5rLFkYEbOgQqC5IUVlV3PV37 turri@HPG5"
+    ];
+  };
+}
				`@ -0,0 +1 @@`
				`{ virtualisation.docker.autoPrune.enable = true; }`