about summary refs log tree commit diff
path: root/ops/nixos
diff options
context:
space:
mode:
authorVincent Ambo <mail@tazj.in>2020-06-13T20·52+0100
committertazjin <mail@tazj.in>2020-06-13T23·52+0000
commit268729083eb80c93aa402883085c37e32c8a08cf (patch)
tree0916bace8073d30976ec752bb9de8c19a06027ae /ops/nixos
parent9658e96a87178e972b656db0acf3219937013b88 (diff)
refactor(ops/nixos): Move my NixOS configurations to //users/tazjin r/941
NixOS modules move one level up because it's unlikely that //ops/nixos
will contain actual systems at this point (they're user-specific).

This is the first users folder, so it is also added to the root
readTree invocation for the repository.

Change-Id: I546c701145fa204b7ba7518a8a56a783588629e0
Reviewed-on: https://cl.tvl.fyi/c/depot/+/244
Reviewed-by: tazjin <mail@tazj.in>
Diffstat (limited to 'ops/nixos')
-rw-r--r--ops/nixos/.skip-subtree1
-rw-r--r--ops/nixos/README.md23
-rw-r--r--ops/nixos/camden/default.nix464
-rw-r--r--ops/nixos/default.nix47
-rw-r--r--ops/nixos/depot.nix (renamed from ops/nixos/modules/depot.nix)2
-rw-r--r--ops/nixos/dotfiles/config.fish40
-rw-r--r--ops/nixos/dotfiles/msmtprc16
-rw-r--r--ops/nixos/dotfiles/notmuch-config21
-rw-r--r--ops/nixos/dotfiles/offlineimaprc39
-rw-r--r--ops/nixos/frog/default.nix254
-rw-r--r--ops/nixos/hound.nix (renamed from ops/nixos/modules/hound.nix)0
-rw-r--r--ops/nixos/mail.nix77
-rw-r--r--ops/nixos/modules/.skip-subtree1
-rw-r--r--ops/nixos/monorepo-gerrit.nix (renamed from ops/nixos/modules/monorepo-gerrit.nix)0
-rw-r--r--ops/nixos/nugget/default.nix280
-rw-r--r--ops/nixos/smtprelay.nix (renamed from ops/nixos/modules/smtprelay.nix)0
-rw-r--r--ops/nixos/tvl-slapd/contents.ldif (renamed from ops/nixos/modules/tvl-slapd/contents.ldif)0
-rw-r--r--ops/nixos/tvl-slapd/default.nix (renamed from ops/nixos/modules/tvl-slapd/default.nix)0
-rw-r--r--ops/nixos/tvl-slapd/genpasswd.rb (renamed from ops/nixos/modules/tvl-slapd/genpasswd.rb)0
-rw-r--r--ops/nixos/v4l2loopback.nix (renamed from ops/nixos/modules/v4l2loopback.nix)0
20 files changed, 7 insertions, 1258 deletions
diff --git a/ops/nixos/.skip-subtree b/ops/nixos/.skip-subtree
new file mode 100644
index 000000000000..09520f8c831f
--- /dev/null
+++ b/ops/nixos/.skip-subtree
@@ -0,0 +1 @@
+NixOS modules are not readTree compatible.
diff --git a/ops/nixos/README.md b/ops/nixos/README.md
index fc90cb4b4301..595b4c3344c6 100644
--- a/ops/nixos/README.md
+++ b/ops/nixos/README.md
@@ -1,20 +1,7 @@
-NixOS configuration
-===================
+NixOS modules
+=============
 
-My NixOS configuration! It configures most of the packages I require
-on my systems, sets up Emacs the way I need and does a bunch of other
-interesting things.
+This folder contains various NixOS modules shared by our NixOS
+configurations.
 
-System configuration lives in folders for each machine and a custom
-fixed point evaluation (similar to standard NixOS module
-configuration) is used to combine configuration together.
-
-Building `ops.nixos.rebuilder` yields a script that will automatically
-build and activate the newest configuration based on the current
-hostname.
-
-## Configured hosts:
-
-* `frog` - weapon of mass computation at home
-* `nugget` - desktop computer at home
-* ~~`urdhva` - T470s~~ (currently with edef)
+It is not read by `readTree`.
diff --git a/ops/nixos/camden/default.nix b/ops/nixos/camden/default.nix
deleted file mode 100644
index 32d75147b7a1..000000000000
--- a/ops/nixos/camden/default.nix
+++ /dev/null
@@ -1,464 +0,0 @@
-# This file configures camden.tazj.in, my homeserver.
-{ depot, pkgs, lib, ... }:
-
-config: let
-  nixpkgs = import depot.third_party.nixpkgsSrc {
-    config.allowUnfree = true;
-  };
-
-  nginxRedirect = { from, to, acmeHost }: {
-    serverName = from;
-    useACMEHost = acmeHost;
-    forceSSL = true;
-
-    extraConfig = "return 301 https://${to}$request_uri;";
-  };
-in lib.fix(self: {
-  imports = [
-    ../modules/depot.nix
-    ../modules/hound.nix
-    ../modules/monorepo-gerrit.nix
-    ../modules/smtprelay.nix
-    ../modules/tvl-slapd/default.nix
-    "${pkgs.nixpkgsSrc}/nixos/modules/services/web-apps/gerrit.nix"
-  ];
-  depot = depot;
-
-  # camden is intended to boot unattended, despite having an encrypted
-  # root partition.
-  #
-  # The below configuration uses an externally connected USB drive
-  # that contains a LUKS key file to unlock the disk automatically at
-  # boot.
-  #
-  # TODO(tazjin): Configure LUKS unlocking via SSH instead.
-  boot = {
-    initrd = {
-      availableKernelModules = [
-        "ahci" "xhci_pci" "usbhid" "usb_storage" "sd_mod" "sdhci_pci"
-        "rtsx_usb_sdmmc" "r8169"
-      ];
-
-      kernelModules = [ "dm-snapshot" ];
-
-      luks.devices.camden-crypt = {
-        fallbackToPassword = true;
-        device = "/dev/disk/by-label/camden-crypt";
-        keyFile = "/dev/sdb";
-        keyFileSize = 4096;
-      };
-    };
-
-    loader = {
-      systemd-boot.enable = true;
-      efi.canTouchEfiVariables = true;
-    };
-
-    cleanTmpDir = true;
-  };
-
-  fileSystems = {
-    "/" = {
-      device = "/dev/disk/by-label/camden-root";
-      fsType = "ext4";
-    };
-
-    "/home" = {
-      device = "/dev/disk/by-label/camden-home";
-      fsType = "ext4";
-    };
-
-    "/boot" = {
-      device = "/dev/disk/by-label/BOOT";
-      fsType = "vfat";
-    };
-  };
-
-  nix = {
-    maxJobs = lib.mkDefault 4;
-
-    nixPath = [
-      "depot=/home/tazjin/depot"
-      "nixpkgs=${depot.third_party.nixpkgsSrc}"
-    ];
-
-    trustedUsers = [ "root" "tazjin" ];
-
-    binaryCaches = [
-      "https://tazjin.cachix.org"
-    ];
-
-    binaryCachePublicKeys = [
-      "tazjin.cachix.org-1:IZkgLeqfOr1kAZjypItHMg1NoBjm4zX9Zzep8oRSh7U="
-    ];
-  };
-  nixpkgs.pkgs = nixpkgs;
-
-  powerManagement.cpuFreqGovernor = lib.mkDefault "powersave";
-
-  networking = {
-    hostName = "camden";
-    interfaces.enp1s0.useDHCP = true;
-    interfaces.enp1s0.ipv6.addresses = [
-      {
-        address = "2a01:4b00:821a:ce02::5";
-        prefixLength = 64;
-      }
-    ];
-
-    firewall.enable = false;
-  };
-
-  time.timeZone = "UTC";
-
-  # System-wide application setup
-  programs.fish.enable = true;
-  programs.mosh.enable = true;
-
-  environment.systemPackages =
-    # programs from the depot
-    (with depot; [
-      fun.idual.script
-      fun.idual.setAlarm
-      third_party.pounce
-    ]) ++
-
-    # programs from nixpkgs
-    (with nixpkgs; [
-      bat
-      curl
-      direnv
-      emacs26-nox
-      gnupg
-      git
-      htop
-      jq
-      pass
-      pciutils
-      ripgrep
-    ]);
-
-  users = {
-    # Set up my own user for logging in and doing things ...
-    users.tazjin = {
-      isNormalUser = true;
-      uid = 1000;
-      extraGroups = [ "git" "wheel" ];
-      shell = nixpkgs.fish;
-    };
-
-    # Set up a user & group for general git shenanigans
-    groups.git = {};
-    users.git = {
-      group = "git";
-      isNormalUser = false;
-    };
-  };
-
-  # Services setup
-  services.openssh.enable = true;
-  services.haveged.enable = true;
-
-  # Join Tailscale into home network
-  services.tailscale.enable = true;
-
-  # Allow sudo-ing via the forwarded SSH agent.
-  security.pam.enableSSHAgentAuth = true;
-
-  # Run cgit for the depot. The onion here is nginx(thttpd(cgit)).
-  systemd.services.cgit = {
-    wantedBy = [ "multi-user.target" ];
-    script = "${depot.web.cgit-taz}/bin/cgit-launch";
-
-    serviceConfig = {
-      Restart = "on-failure";
-      User = "git";
-      Group = "git";
-    };
-  };
-
-  # Run honk as the ActivityPub server, using all the fancy systemd
-  # magic.
-  systemd.services.honk = {
-    wantedBy = [ "multi-user.target" ];
-    script = lib.concatStringsSep " " [
-      "${depot.third_party.honk}/bin/honk"
-      "-datadir /var/lib/honk"
-      "-viewdir ${depot.third_party.honk.src}"
-    ];
-
-    serviceConfig = {
-      Restart = "always";
-      DynamicUser = true;
-      StateDirectory = "honk";
-      WorkingDirectory = "/var/lib/honk";
-    };
-  };
-
-  # NixOS 20.03 broke nginx and I can't be bothered to debug it
-  # anymore, all solution attempts have failed, so here's a
-  # brute-force fix.
-  systemd.services.fix-nginx = {
-    script = "${nixpkgs.coreutils}/bin/chown -R nginx: /var/spool/nginx /var/cache/nginx";
-
-    serviceConfig = {
-      User = "root";
-      Type = "oneshot";
-    };
-  };
-
-  systemd.timers.fix-nginx = {
-    wantedBy = [ "multi-user.target" ];
-    timerConfig = {
-      OnCalendar = "minutely";
-    };
-  };
-
-  # Provision a TLS certificate outside of nginx to avoid
-  # nixpkgs#38144
-  security.acme = {
-    acceptTerms = true;
-    email = "mail@tazj.in";
-
-    certs."tazj.in" = {
-      user = "nginx";
-      group = "nginx";
-      webroot = "/var/lib/acme/acme-challenge";
-      extraDomains = {
-        "cs.tazj.in" = null;
-        "git.tazj.in" = null;
-        "www.tazj.in" = null;
-
-        # Local domains (for this machine only)
-        "camden.tazj.in" = null;
-      };
-      postRun = "systemctl reload nginx";
-    };
-
-    certs."tvl.fyi" = {
-      user = "nginx";
-      group = "nginx";
-      webroot = "/var/lib/acme/acme-challenge";
-      postRun = "systemctl reload nginx";
-      extraDomains = {
-        "cl.tvl.fyi" = null;
-        "code.tvl.fyi" = null;
-        "cs.tvl.fyi" = null;
-      };
-    };
-  };
-
-  # Forward logs to Google Cloud Platform
-  services.journaldriver = {
-    enable                 = true;
-    logStream              = "home";
-    googleCloudProject     = "tazjins-infrastructure";
-    applicationCredentials = "/etc/gcp/key.json";
-  };
-
-  # Serve a code search (hound) instance
-  services.depot.hound = {
-    enable = true;
-    title = "tazjin's depot";
-    repos.depot = {
-      url = "file:///var/lib/gerrit/git/depot.git";
-      vcs = "git";
-      url-pattern = {
-        base-url = "https://code.tvl.fyi/tree/{path}{anchor}";
-        anchor = "#n{line}";
-      };
-    };
-    repos.nixpkgs = {
-      url = "file:///var/git/nixpkgs";
-      vcs = "git";
-      url-pattern = {
-        base-url = "https://github.com/NixOS/nixpkgs/blob/${pkgs.nixpkgsCommit}/{path}{anchor}";
-        anchor = "#L{line}";
-      };
-    };
-  };
-
-  # Start a local SMTP relay to Gmail (used by gerrit)
-  services.depot.smtprelay = {
-    enable = true;
-    args = {
-      listen = ":2525";
-      remote_host = "smtp.gmail.com:587";
-      remote_auth = "plain";
-      remote_user = "tvlbot@tazj.in";
-    };
-  };
-
-  # serve my website(s)
-  services.nginx = {
-    enable = true;
-    enableReload = true;
-    package = with nixpkgs; nginx.override {
-      modules = [ nginxModules.rtmp ];
-    };
-
-    recommendedTlsSettings = true;
-    recommendedGzipSettings = true;
-    recommendedProxySettings = true;
-
-
-    appendConfig = ''
-      rtmp_auto_push on;
-      rtmp {
-        server {
-          listen 1935;
-          chunk_size 4000;
-
-          application tvl {
-            live on;
-
-            allow publish 88.98.195.213;
-            allow publish 10.0.1.0/24;
-            deny publish all;
-
-            allow play all;
-          }
-        }
-      }
-    '';
-
-    commonHttpConfig = ''
-      log_format json_combined escape=json
-      '{'
-          '"remote_addr":"$remote_addr",'
-          '"method":"$request_method",'
-          '"uri":"$request_uri",'
-          '"status":$status,'
-          '"request_size":$request_length,'
-          '"response_size":$body_bytes_sent,'
-          '"response_time":$request_time,'
-          '"referrer":"$http_referer",'
-          '"user_agent":"$http_user_agent"'
-      '}';
-
-      access_log syslog:server=unix:/dev/log,nohostname json_combined;
-    '';
-
-    virtualHosts.homepage = {
-      serverName = "tazj.in";
-      serverAliases = [ "camden.tazj.in" ];
-      default = true;
-      useACMEHost = "tazj.in";
-      root = depot.web.homepage;
-      forceSSL = true;
-
-      extraConfig = ''
-        ${depot.web.blog.oldRedirects}
-
-        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
-
-        location ~* \.(webp|woff2)$ {
-          add_header Cache-Control "public, max-age=31536000";
-        }
-
-        location /blog/ {
-          alias ${depot.web.blog.rendered}/;
-
-          if ($request_uri ~ ^/(.*)\.html$) {
-            return 302 /$1;
-          }
-
-          try_files $uri $uri.html $uri/ =404;
-        }
-
-        location /blobs/ {
-          alias /var/www/blobs/;
-        }
-      '';
-    };
-
-    virtualHosts.tvl = {
-      serverName = "tvl.fyi";
-      useACMEHost = "tvl.fyi";
-      root = depot.web.tvl;
-      forceSSL = true;
-
-      extraConfig = ''
-        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
-
-        rewrite ^/builds/?$ https://builds.sr.ht/~tazjin/depot last;
-        rewrite ^/meet/?$ https://meet.google.com/mng-biyw-xbb last;
-
-        rewrite ^/monorepo-doc/?$ https://docs.google.com/document/d/1nnyByXcH0F6GOmEezNOUa2RFelpeRpDToBLYD_CtjWE/edit?usp=sharing last;
-
-        rewrite ^/irc/?$ ircs://chat.freenode.net:6697/##tvl last;
-
-        location ~* \.(webp|woff2)$ {
-          add_header Cache-Control "public, max-age=31536000";
-        }
-      '';
-    };
-
-    virtualHosts.cgit = {
-      serverName = "code.tvl.fyi";
-      useACMEHost = "tvl.fyi";
-      forceSSL = true;
-
-      extraConfig = ''
-        # Static assets must always hit the root.
-        location ~ ^/(favicon\.ico|cgit\.(css|png))$ {
-           proxy_pass http://localhost:2448;
-        }
-
-        # Everything else hits the depot directly.
-        location / {
-            proxy_pass http://localhost:2448/cgit.cgi/depot/;
-        }
-      '';
-    };
-
-    virtualHosts.hound = {
-      serverName = "cs.tvl.fyi";
-      useACMEHost = "tvl.fyi";
-      forceSSL = true;
-
-      extraConfig = ''
-        location / {
-          proxy_pass http://localhost:6080;
-        }
-      '';
-    };
-
-    virtualHosts.gerrit = {
-      serverName = "cl.tvl.fyi";
-      useACMEHost = "tvl.fyi";
-      forceSSL = true;
-
-      extraConfig = ''
-        location / {
-          proxy_pass http://localhost:4778;
-          proxy_set_header  X-Forwarded-For $remote_addr;
-          proxy_set_header  Host $host;
-        }
-      '';
-    };
-
-    virtualHosts.cgit-old = nginxRedirect {
-      from = "git.tazj.in";
-      to = "code.tvl.fyi";
-      acmeHost = "tazj.in";
-    };
-
-    virtualHosts.cs-old = nginxRedirect {
-      from = "cs.tazj.in";
-      to = "cs.tvl.fyi";
-      acmeHost = "tazj.in";
-    };
-  };
-
-  # Timer units that can be started with systemd-run to set my alarm.
-  systemd.user.services.light-alarm = {
-    script = "${depot.fun.idual.script}/bin/idualctl wakey";
-    postStart = "${pkgs.systemd}/bin/systemctl --user stop light-alarm.timer";
-    serviceConfig = {
-      Type = "oneshot";
-    };
-  };
-
-  system.stateVersion = "19.09";
-})
diff --git a/ops/nixos/default.nix b/ops/nixos/default.nix
deleted file mode 100644
index 6f0655f34e08..000000000000
--- a/ops/nixos/default.nix
+++ /dev/null
@@ -1,47 +0,0 @@
-{ depot, lib, ... }:
-
-let
-  inherit (builtins) foldl';
-
-  systemFor = configs: (depot.third_party.nixos {
-    configuration = lib.fix(config:
-      foldl' lib.recursiveUpdate {} (map (c: c config) configs)
-    );
-  }).system;
-
-  rebuilder = depot.third_party.writeShellScriptBin "rebuilder" ''
-    set -ue
-    if [[ $EUID -ne 0 ]]; then
-      echo "Oh no! Only root is allowed to rebuild the system!" >&2
-      exit 1
-    fi
-
-    case $HOSTNAME in
-    nugget)
-      echo "Rebuilding NixOS for //ops/nixos/nugget"
-      system=$(nix-build -E '(import <depot> {}).ops.nixos.nuggetSystem' --no-out-link)
-      ;;
-    camden)
-      echo "Rebuilding NixOS for //ops/nixos/camden"
-      system=$(nix-build -E '(import <depot> {}).ops.nixos.camdenSystem' --no-out-link)
-      ;;
-    frog)
-      echo "Rebuilding NixOS for //ops/nixos/frog"
-      system=$(nix-build -E '(import <depot> {}).ops.nixos.frogSystem' --no-out-link)
-      ;;
-    *)
-      echo "$HOSTNAME is not a known NixOS host!" >&2
-      exit 1
-      ;;
-    esac
-
-    nix-env -p /nix/var/nix/profiles/system --set $system
-    $system/bin/switch-to-configuration switch
-  '';
-in {
-  inherit rebuilder;
-
-  nuggetSystem = systemFor [ depot.ops.nixos.nugget ];
-  camdenSystem = systemFor [ depot.ops.nixos.camden ];
-  frogSystem = systemFor [ depot.ops.nixos.frog ];
-}
diff --git a/ops/nixos/modules/depot.nix b/ops/nixos/depot.nix
index 20220e9f57fe..2c1b71a2da9b 100644
--- a/ops/nixos/modules/depot.nix
+++ b/ops/nixos/depot.nix
@@ -4,7 +4,7 @@
 # It needs to be included and configured in each system like this:
 #
 # {
-#   imports = [ ../modules/depot.nix ];
+#   imports = [ "${depot.depotPath}/ops/nixos/depot.nix" ];
 #   inherit depot;
 # }
 { lib, ... }:
diff --git a/ops/nixos/dotfiles/config.fish b/ops/nixos/dotfiles/config.fish
deleted file mode 100644
index de2c99ae6007..000000000000
--- a/ops/nixos/dotfiles/config.fish
+++ /dev/null
@@ -1,40 +0,0 @@
-# Configure classic prompt
-set fish_color_user --bold blue
-set fish_color_cwd --bold white
-
-# Enable colour hints in VCS prompt:
-set __fish_git_prompt_showcolorhints yes
-set __fish_git_prompt_color_prefix purple
-set __fish_git_prompt_color_suffix purple
-
-# Fish configuration
-set fish_greeting ""
-set PATH $HOME/.local/bin $HOME/.cargo/bin $PATH
-
-# Editor configuration
-set -gx EDITOR "emacsclient"
-set -gx ALTERNATE_EDITOR "emacs -q -nw"
-set -gx VISUAL "emacsclient"
-
-# Miscellaneous
-eval (direnv hook fish)
-
-# Useful command aliases
-alias gpr 'git pull --rebase'
-alias gco 'git checkout'
-alias gf 'git fetch'
-alias gap 'git add -p'
-alias pbcopy 'xclip -selection clipboard'
-alias edit 'emacsclient -n'
-alias servedir 'nix-shell -p haskellPackages.wai-app-static --run warp'
-
-# Old habits die hard (also ls is just easier to type):
-alias ls 'exa'
-
-# Fix up nix-env & friends for Nix 2.0
-export NIX_REMOTE=daemon
-
-# Fix display of fish in emacs' term-mode:
-function fish_title
-  true
-end
diff --git a/ops/nixos/dotfiles/msmtprc b/ops/nixos/dotfiles/msmtprc
deleted file mode 100644
index 624b6a77fc4b..000000000000
--- a/ops/nixos/dotfiles/msmtprc
+++ /dev/null
@@ -1,16 +0,0 @@
-defaults
-
-port 587
-tls on
-tls_trust_file /etc/ssl/certs/ca-certificates.crt
-
-# Runbox mail
-account runbox
-from mail@tazj.in
-host mail.runbox.com
-auth on
-user mail@tazj.in
-passwordeval pass show general/runbox-tazjin
-
-# Use Runbox as default
-account default : runbox
diff --git a/ops/nixos/dotfiles/notmuch-config b/ops/nixos/dotfiles/notmuch-config
deleted file mode 100644
index a490774e635f..000000000000
--- a/ops/nixos/dotfiles/notmuch-config
+++ /dev/null
@@ -1,21 +0,0 @@
-# .notmuch-config - Configuration file for the notmuch mail system
-#
-# For more information about notmuch, see https://notmuchmail.org
-
-[database]
-path=/home/vincent/mail
-
-[user]
-name=Vincent Ambo
-primary_email=mail@tazj.in
-other_email=tazjin@gmail.com;
-
-[new]
-tags=unread;inbox;
-ignore=
-
-[search]
-exclude_tags=deleted;spam;draft;
-
-[maildir]
-synchronize_flags=true
diff --git a/ops/nixos/dotfiles/offlineimaprc b/ops/nixos/dotfiles/offlineimaprc
deleted file mode 100644
index 78315447e4bd..000000000000
--- a/ops/nixos/dotfiles/offlineimaprc
+++ /dev/null
@@ -1,39 +0,0 @@
-[general]
-accounts = tazjin, gmail
-
-[DEFAULT]
-ssl = yes
-sslcacertfile = /etc/ssl/certs/ca-certificates.crt
-
-# Private GMail account (old):
-[Account gmail]
-maxage = 90
-localrepository = gmail-local
-remoterepository = gmail-remote
-synclabels = yes
-
-[Repository gmail-local]
-type = GmailMaildir
-localfolders = ~/mail/gmail
-
-[Repository gmail-remote]
-type = Gmail
-remoteuser = tazjin@gmail.com
-remotepassfile = ~/.config/mail/gmail-pass
-folderfilter = lambda folder: folder == 'INBOX'
-
-# Main private account:
-[Account tazjin]
-localrepository = tazjin-local
-remoterepository = tazjin-remote
-
-[Repository tazjin-local]
-type = Maildir
-localfolders = ~/mail/tazjin
-
-[Repository tazjin-remote]
-type = IMAP
-remotehost = mail.runbox.com
-remoteuser = mail@tazj.in
-remotepassfile = ~/.config/mail/tazjin-pass
-auth_mechanisms = LOGIN
diff --git a/ops/nixos/frog/default.nix b/ops/nixos/frog/default.nix
deleted file mode 100644
index 72b1c9ed3612..000000000000
--- a/ops/nixos/frog/default.nix
+++ /dev/null
@@ -1,254 +0,0 @@
-{ depot, lib, ... }:
-
-config: let
-  nixpkgs = import depot.third_party.nixpkgsSrc {
-    config.allowUnfree = true;
-  };
-
-  lieer = depot.third_party.lieer {};
-
-  # add google-c-style here because other machines get it from, eh,
-  # elsewhere.
-  frogEmacs = (depot.tools.emacs.overrideEmacs(epkgs: epkgs ++ [
-    depot.third_party.emacsPackages.google-c-style
-  ]));
-in depot.lib.fix(self: {
-  # TODO(tazjin): v4l2loopback
-
-  boot = {
-    tmpOnTmpfs = true;
-    kernelModules = [ "kvm-amd" ];
-
-    loader = {
-      systemd-boot.enable = true;
-      efi.canTouchEfiVariables = true;
-    };
-
-    initrd = {
-      luks.devices.frog-crypt.device = "/dev/disk/by-label/frog-crypt";
-      availableKernelModules = [ "xhci_pci" "ahci" "nvme" "usb_storage" "usbhid" "sd_mod" ];
-      kernelModules = [ "dm-snapshot" ];
-    };
-
-    kernelPackages = nixpkgs.linuxPackages_latest;
-    kernel.sysctl = {
-      "kernel.perf_event_paranoid" = 1;
-    };
-  };
-
-  hardware = {
-    cpu.amd.updateMicrocode = true;
-    enableRedistributableFirmware = true;
-    pulseaudio.enable = true;
-    u2f.enable = true;
-    opengl = {
-      enable = true;
-      driSupport = true;
-    };
-  };
-
-  nix = {
-    maxJobs = 48;
-    nixPath = [
-      "depot=/depot"
-      "nixpkgs=${depot.third_party.nixpkgsSrc}"
-    ];
-  };
-
-  nixpkgs.pkgs = nixpkgs;
-
-  networking = {
-    hostName = "frog";
-    useDHCP = false;
-    interfaces.enp67s0.useDHCP = true;
-
-    # Don't use ISP's DNS servers:
-    nameservers = [
-      "8.8.8.8"
-      "8.8.4.4"
-    ];
-
-    firewall.enable = false;
-  };
-
-  # Generate an immutable /etc/resolv.conf from the nameserver settings
-  # above (otherwise DHCP overwrites it):
-  environment.etc."resolv.conf" = with lib; {
-    source = depot.third_party.writeText "resolv.conf" ''
-      ${concatStringsSep "\n" (map (ns: "nameserver ${ns}") self.networking.nameservers)}
-      options edns0
-    '';
-  };
-
-  time.timeZone = "Europe/London";
-
-  fileSystems = {
-    "/".device = "/dev/disk/by-label/frog-root";
-    "/boot".device = "/dev/disk/by-label/BOOT";
-    "/home".device = "/dev/disk/by-label/frog-home";
-  };
-
-  # Configure user account
-  users.extraUsers.tazjin = {
-    extraGroups = [ "wheel" "audio" ];
-    isNormalUser = true;
-    uid = 1000;
-    shell = nixpkgs.fish;
-  };
-
-  security.sudo = {
-    enable = true;
-    extraConfig = "wheel ALL=(ALL:ALL) SETENV: ALL";
-  };
-
-  fonts = {
-    fonts = with nixpkgs; [
-      corefonts
-      dejavu_fonts
-      jetbrains-mono
-      noto-fonts-cjk
-      noto-fonts-emoji
-    ];
-
-    fontconfig = {
-      hinting.enable = true;
-      subpixel.lcdfilter = "light";
-
-      defaultFonts = {
-        monospace = [ "JetBrains Mono" ];
-      };
-    };
-  };
-
-  # Configure location (Vauxhall, London) for services that need it.
-  location = {
-    latitude = 51.4819109;
-    longitude = -0.1252998;
-  };
-
-  programs.fish.enable = true;
-  programs.ssh.startAgent = true;
-
-  services.redshift.enable = true;
-  services.openssh.enable = true;
-  services.fstrim.enable = true;
-
-  # Required for Yubikey usage as smartcard
-  services.pcscd.enable = true;
-  services.udev.packages = [
-    nixpkgs.yubikey-personalization
-  ];
-
-  services.xserver = {
-    enable = true;
-    layout = "us";
-    xkbOptions = "caps:super";
-    exportConfiguration = true;
-    displayManager = {
-      # Give EXWM permission to control the session.
-      sessionCommands = "${nixpkgs.xorg.xhost}/bin/xhost +SI:localuser:$USER";
-
-      lightdm.enable = true;
-      lightdm.greeters.gtk.clock-format = "%H·%M"; # TODO(tazjin): TZ?
-    };
-
-    windowManager.session = lib.singleton {
-      name = "exwm";
-      start = "${frogEmacs}/bin/tazjins-emacs";
-    };
-  };
-
-  # Do not restart the display manager automatically
-  systemd.services.display-manager.restartIfChanged = lib.mkForce false;
-
-  # clangd needs more than ~2GB in the runtime directory to start up
-  services.logind.extraConfig = ''
-    RuntimeDirectorySize=16G
-  '';
-
-  # Configure email setup
-  systemd.user.services.lieer-tazjin = {
-    description = "Synchronise mail@tazj.in via lieer";
-    script = "${lieer}/bin/gmi sync";
-
-    serviceConfig = {
-      WorkingDirectory = "%h/mail/account.tazjin";
-      Type = "oneshot";
-    };
-  };
-
-  systemd.user.timers.lieer-tazjin = {
-    wantedBy = [ "timers.target" ];
-
-    timerConfig = {
-      OnActiveSec = "1";
-      OnUnitActiveSec = "180";
-    };
-  };
-
-  environment.systemPackages =
-    # programs from the depot
-    (with depot; [
-      fun.idual.script
-      lieer
-      frogEmacs
-      ops.kontemplate
-      third_party.ffmpeg
-      third_party.git
-    ]) ++
-
-    # programs from nixpkgs
-    (with nixpkgs; [
-      age
-      bat
-      chromium
-      clang-manpages
-      clang-tools
-      clang_10
-      curl
-      direnv
-      dnsutils
-      emacs26 # mostly for emacsclient
-      exa
-      fd
-      gnupg
-      go
-      google-chrome
-      google-cloud-sdk
-      htop
-      hyperfine
-      i3lock
-      imagemagick
-      jq
-      kubectl
-      linuxPackages.perf
-      miller
-      msmtp
-      nix-prefetch-github
-      notmuch
-      openssh
-      openssl
-      pass
-      pavucontrol
-      pinentry
-      pinentry-emacs
-      pwgen
-      ripgrep
-      rr
-      rustup
-      scrot
-      spotify
-      steam
-      tokei
-      tree
-      unzip
-      vlc
-      xclip
-      yubico-piv-tool
-      yubikey-personalization
-      zoxide
-    ]);
-
-  # ... and other nonsense.
-  system.stateVersion = "20.03";
-})
diff --git a/ops/nixos/modules/hound.nix b/ops/nixos/hound.nix
index 690055bde3b6..690055bde3b6 100644
--- a/ops/nixos/modules/hound.nix
+++ b/ops/nixos/hound.nix
diff --git a/ops/nixos/mail.nix b/ops/nixos/mail.nix
deleted file mode 100644
index ba4ebfa06026..000000000000
--- a/ops/nixos/mail.nix
+++ /dev/null
@@ -1,77 +0,0 @@
-# This file configures offlineimap, notmuch and MSMTP.
-#
-# Some manual configuration is required the first time this is
-# applied:
-#
-# 1. Credential setup.
-# 2. Linking of MSMTP config (ln -s /etc/msmtprc ~/.msmtprc)
-# 3. Linking of notmuch config (ln -s /etc/notmuch-config ~/.notmuch-config)
-
-{ config, lib, pkgs, ... }:
-
-let offlineImapConfig = pkgs.writeText "offlineimaprc"
-  (builtins.readFile ./dotfiles/offlineimaprc);
-
-msmtpConfig = pkgs.writeText "msmtprc"
-  (builtins.readFile ./dotfiles/msmtprc);
-
-notmuchConfig = pkgs.writeText "notmuch-config"
-  (builtins.readFile ./dotfiles/notmuch-config);
-
-tagConfig = pkgs.writeText "notmuch-tags" ''
-  # Tag emacs-devel mailing list:
-  -inbox +emacs-devel -- to:emacs-devel@gnu.org OR cc:emacs-devel@gnu.org
-
-  # Tag nix-devel mailing list & discourse:
-  -inbox +nix-devel -- to:nix-devel@googlegroups.com OR from:nixos1@discoursemail.com
-
-  # Tag my own mail (from other devices) as sent:
-  -inbox +sent -- from:mail@tazj.in
-
-  # Drafts are always read, duh.
-  -unread -- tag:draft
-'';
-
-notmuchIndex = pkgs.writeShellScriptBin "notmuch-index" ''
-  echo "Indexing new mails in notmuch"
-
-  # Index new mail
-  ${pkgs.notmuch}/bin/notmuch new
-
-  # Apply tags
-  cat ${tagConfig} | ${pkgs.notmuch}/bin/notmuch tag --batch
-
-  echo "Done indexing new mails"
-'';
-in {
-  # Enable OfflineIMAP timer & service:
-  systemd.user.timers.offlineimap = {
-    description = "OfflineIMAP timer";
-    wantedBy    = [ "timers.target" ];
-
-    timerConfig = {
-      Unit       = "offlineimap.service";
-      OnCalendar = "*:0/2"; # every 2 minutes
-      Persistent = "true"; # persist timer state after reboots
-    };
-  };
-
-  systemd.user.services.offlineimap = {
-    description = "OfflineIMAP service";
-    path = with pkgs; [ pass notmuch ];
-
-    serviceConfig = {
-      Type            = "oneshot";
-      ExecStart       = "${pkgs.offlineimap}/bin/offlineimap -u syslog -o -c ${offlineImapConfig}";
-      ExecStartPost   = "${notmuchIndex}/bin/notmuch-index";
-      TimeoutStartSec = "2min";
-    };
-  };
-
-  # Link configuration files to /etc/ (from where they will be linked
-  # further):
-  environment.etc = {
-    "msmtprc".source = msmtpConfig;
-    "notmuch-config".source = notmuchConfig;
-  };
-}
diff --git a/ops/nixos/modules/.skip-subtree b/ops/nixos/modules/.skip-subtree
deleted file mode 100644
index 80d92f2eb485..000000000000
--- a/ops/nixos/modules/.skip-subtree
+++ /dev/null
@@ -1 +0,0 @@
-The files in this folder are NixOS modules, not readTree-importables.
diff --git a/ops/nixos/modules/monorepo-gerrit.nix b/ops/nixos/monorepo-gerrit.nix
index 58fbb8d206ac..58fbb8d206ac 100644
--- a/ops/nixos/modules/monorepo-gerrit.nix
+++ b/ops/nixos/monorepo-gerrit.nix
diff --git a/ops/nixos/nugget/default.nix b/ops/nixos/nugget/default.nix
deleted file mode 100644
index 7c9530072d41..000000000000
--- a/ops/nixos/nugget/default.nix
+++ /dev/null
@@ -1,280 +0,0 @@
-# This file configures nugget, my home desktop machine.
-{ depot, lib, ... }:
-
-config: let
-  nixpkgs = import depot.third_party.stableNixpkgsSrc {
-    config.allowUnfree = true;
-  };
-
-  unstable = import depot.third_party.nixpkgsSrc {};
-  lieer = (depot.third_party.lieer {});
-
-  # google-c-style is installed only on nugget because other
-  # machines get it from, eh, elsewhere.
-  nuggetEmacs = (depot.tools.emacs.overrideEmacs(epkgs: epkgs ++ [
-    depot.third_party.emacsPackages.google-c-style
-  ]));
-in depot.lib.fix(self: {
-  imports = [
-    ../modules/v4l2loopback.nix
-  ];
-
-  hardware = {
-    pulseaudio.enable = true;
-    cpu.intel.updateMicrocode = true;
-    u2f.enable = true;
-  };
-
-  boot = {
-    cleanTmpDir = true;
-    kernelModules = [ "kvm-intel" ];
-
-    loader = {
-      timeout = 3;
-      systemd-boot.enable = true;
-      efi.canTouchEfiVariables = false;
-    };
-
-    initrd = {
-      luks.devices.nugget-crypt.device = "/dev/disk/by-label/nugget-crypt";
-      availableKernelModules = [ "xhci_pci" "ehci_pci" "ahci" "usb_storage" "usbhid" "sd_mod" ];
-      kernelModules = [ "dm-snapshot" ];
-    };
-
-    kernel.sysctl = {
-      "kernel.perf_event_paranoid" = 1;
-    };
-  };
-
-  nix = {
-    package = depot.third_party.nix;
-    nixPath = [
-      "depot=/home/tazjin/depot"
-      "nixpkgs=${depot.third_party.nixpkgsSrc}"
-    ];
-  };
-
-  nixpkgs.pkgs = nixpkgs;
-
-  networking = {
-    hostName = "nugget";
-    useDHCP = false;
-    interfaces.eno1.useDHCP = true;
-    interfaces.wlp7s0.useDHCP = true;
-
-    # Don't use ISP's DNS servers:
-    nameservers = [
-      "8.8.8.8"
-      "8.8.4.4"
-    ];
-
-    # Open Chromecast-related ports & servedir
-    firewall.enable = false;
-    firewall.allowedTCPPorts = [ 4242 5556 5558 ];
-
-    # Connect to the WiFi to let the Chromecast work.
-    wireless.enable = true;
-    wireless.networks = {
-      "How do I computer?" = {
-        psk = "washyourface";
-      };
-    };
-  };
-
-  # Generate an immutable /etc/resolv.conf from the nameserver settings
-  # above (otherwise DHCP overwrites it):
-  environment.etc."resolv.conf" = with lib; {
-    source = depot.third_party.writeText "resolv.conf" ''
-      ${concatStringsSep "\n" (map (ns: "nameserver ${ns}") self.networking.nameservers)}
-      options edns0
-    '';
-  };
-
-  time.timeZone = "Europe/London";
-
-  environment.systemPackages =
-    # programs from the depot
-    (with depot; [
-      fun.idual.script
-      lieer
-      nuggetEmacs
-      ops.kontemplate
-      third_party.ffmpeg
-      third_party.git
-    ]) ++
-
-    # programs from nixpkgs
-    (with nixpkgs; [
-      age
-      bat
-      cachix
-      chromium
-      clang-manpages
-      clang-tools
-      clang_10
-      curl
-      direnv
-      dnsutils
-      exa
-      fd
-      gnupg
-      go
-      google-chrome
-      google-cloud-sdk
-      guile
-      htop
-      hyperfine
-      i3lock
-      imagemagick
-      jq
-      keybase-gui
-      kubectl
-      linuxPackages.perf
-      meson
-      miller
-      msmtp
-      nix-prefetch-github
-      notmuch
-      openssh
-      openssl
-      pass
-      pavucontrol
-      pinentry
-      pinentry-emacs
-      pwgen
-      ripgrep
-      rr
-      rustup
-      sbcl
-      scrot
-      spotify
-      steam
-      tokei
-      tree
-      unzip
-      vlc
-      xclip
-      yubico-piv-tool
-      yubikey-personalization
-    ]) ++
-
-    # programs from unstable nixpkgs
-    (with unstable; [
-      zoxide
-    ]);
-
-    fileSystems = {
-      "/".device = "/dev/disk/by-label/nugget-root";
-      "/boot".device = "/dev/disk/by-label/EFI";
-      "/home".device = "/dev/disk/by-label/nugget-home";
-    };
-
-    # Configure user account
-    users.extraUsers.tazjin = {
-      extraGroups = [ "wheel" "audio" ];
-      isNormalUser = true;
-      uid = 1000;
-      shell = nixpkgs.fish;
-    };
-
-    security.sudo = {
-      enable = true;
-      extraConfig = "wheel ALL=(ALL:ALL) SETENV: ALL";
-    };
-
-    fonts = {
-      fonts = with nixpkgs; [
-        corefonts
-        dejavu_fonts
-        jetbrains-mono
-        noto-fonts-cjk
-        noto-fonts-emoji
-      ];
-
-      fontconfig = {
-        hinting.enable = true;
-        subpixel.lcdfilter = "light";
-
-        defaultFonts = {
-          monospace = [ "JetBrains Mono" ];
-        };
-      };
-    };
-
-    # Configure location (Vauxhall, London) for services that need it.
-    location = {
-      latitude = 51.4819109;
-      longitude = -0.1252998;
-    };
-
-    programs.fish.enable = true;
-    programs.ssh.startAgent = true;
-
-    services.redshift.enable = true;
-    services.openssh.enable = true;
-    services.keybase.enable = true;
-
-    # Required for Yubikey usage as smartcard
-    services.pcscd.enable = true;
-    services.udev.packages = [
-      nixpkgs.yubikey-personalization
-    ];
-
-    services.xserver = {
-      enable = true;
-      layout = "us";
-      xkbOptions = "caps:super";
-      exportConfiguration = true;
-      videoDrivers = [ "nvidia" ];
-
-      displayManager = {
-        # Give EXWM permission to control the session.
-        sessionCommands = "${nixpkgs.xorg.xhost}/bin/xhost +SI:localuser:$USER";
-
-        lightdm.enable = true;
-        lightdm.greeters.gtk.clock-format = "%H·%M";
-      };
-
-      windowManager.session = lib.singleton {
-        name = "exwm";
-        start = "${nuggetEmacs}/bin/tazjins-emacs";
-      };
-    };
-
-    # Do not restart the display manager automatically
-    systemd.services.display-manager.restartIfChanged = lib.mkForce false;
-
-    # Configure email setup
-    systemd.user.services.lieer-tazjin = {
-      description = "Synchronise mail@tazj.in via lieer";
-      script = "${lieer}/bin/gmi sync";
-
-      serviceConfig = {
-        WorkingDirectory = "%h/mail/account.tazjin";
-        Type = "oneshot";
-      };
-    };
-
-    systemd.user.timers.lieer-tazjin = {
-      wantedBy = [ "timers.target" ];
-
-      timerConfig = {
-        OnActiveSec = "1";
-        OnUnitActiveSec = "180";
-      };
-    };
-
-    # Use Tailscale \o/
-    services.tailscale.enable = true;
-
-    # nugget has an SSD
-    services.fstrim.enable = true;
-
-    # clangd needs more than ~2GB in the runtime directory to start up
-    services.logind.extraConfig = ''
-      RuntimeDirectorySize=4G
-    '';
-
-    # ... and other nonsense.
-    system.stateVersion = "19.09";
-})
diff --git a/ops/nixos/modules/smtprelay.nix b/ops/nixos/smtprelay.nix
index ca960f5190a8..ca960f5190a8 100644
--- a/ops/nixos/modules/smtprelay.nix
+++ b/ops/nixos/smtprelay.nix
diff --git a/ops/nixos/modules/tvl-slapd/contents.ldif b/ops/nixos/tvl-slapd/contents.ldif
index 4ac5bcecdf01..4ac5bcecdf01 100644
--- a/ops/nixos/modules/tvl-slapd/contents.ldif
+++ b/ops/nixos/tvl-slapd/contents.ldif
diff --git a/ops/nixos/modules/tvl-slapd/default.nix b/ops/nixos/tvl-slapd/default.nix
index 294a6636d719..294a6636d719 100644
--- a/ops/nixos/modules/tvl-slapd/default.nix
+++ b/ops/nixos/tvl-slapd/default.nix
diff --git a/ops/nixos/modules/tvl-slapd/genpasswd.rb b/ops/nixos/tvl-slapd/genpasswd.rb
index 8f6f8d75842e..8f6f8d75842e 100644
--- a/ops/nixos/modules/tvl-slapd/genpasswd.rb
+++ b/ops/nixos/tvl-slapd/genpasswd.rb
diff --git a/ops/nixos/modules/v4l2loopback.nix b/ops/nixos/v4l2loopback.nix
index 636b2ff6cf27..636b2ff6cf27 100644
--- a/ops/nixos/modules/v4l2loopback.nix
+++ b/ops/nixos/v4l2loopback.nix