Diffstat (limited to 'users/aspen')
-rw-r--r--users/aspen/pkgs/cargo-hakari.nix27
-rw-r--r--users/aspen/pkgs/cargo-nextest.nix27
-rw-r--r--users/aspen/secrets/bbbg.agebin733 -> 598 bytes
-rw-r--r--users/aspen/secrets/buildkite-ssh-key.agebin3883 -> 3833 bytes
-rw-r--r--users/aspen/secrets/buildkite-token.agebin623 -> 483 bytes
-rw-r--r--users/aspen/secrets/cloudflare.age16
-rw-r--r--users/aspen/secrets/ddclient-password.agebin429 -> 360 bytes
-rw-r--r--users/aspen/secrets/secrets.nix4
-rw-r--r--users/aspen/secrets/windtunnel-bot-github-token.age18
-rw-r--r--users/aspen/system/home/machines/ogopogo.nix2
-rw-r--r--users/aspen/system/home/machines/roswell.nix4
-rw-r--r--users/aspen/system/home/machines/yeren.nix2
-rw-r--r--users/aspen/system/home/modules/common.nix2
-rw-r--r--users/aspen/system/home/modules/development/rust.nix8
-rw-r--r--users/aspen/system/home/modules/email.nix2
-rw-r--r--users/aspen/system/system/machines/lusca.nix3
-rw-r--r--users/aspen/system/system/machines/mugwump.nix154
-rw-r--r--users/aspen/system/system/machines/ogopogo.nix37
-rw-r--r--users/aspen/system/system/machines/yeren.nix4
-rw-r--r--users/aspen/system/system/modules/containers.nix12
-rw-r--r--users/aspen/system/system/modules/development.nix5
-rw-r--r--users/aspen/system/system/modules/laptop.nix2
-rw-r--r--users/aspen/system/system/modules/metrics.nix197
-rw-r--r--users/aspen/system/system/modules/prometheus-exporter.nix31
-rw-r--r--users/aspen/system/system/modules/sound.nix2
-rw-r--r--users/aspen/system/system/modules/xserver.nix9
-rw-r--r--users/aspen/web/index.org24
-rw-r--r--users/aspen/web/orgExportHTML.nix2
28 files changed, 329 insertions, 265 deletions
diff --git a/users/aspen/pkgs/cargo-hakari.nix b/users/aspen/pkgs/cargo-hakari.nix
deleted file mode 100644
index b6f4e7e40007..000000000000
--- a/users/aspen/pkgs/cargo-hakari.nix
+++ /dev/null
@@ -1,27 +0,0 @@
-{ pkgs, ... }:
-
-with pkgs;
-
-rustPlatform.buildRustPackage rec {
-  pname = "cargo-hakari";
-  version = "0.9.13";
-
-  src = fetchFromGitHub {
-    owner = "facebookincubator";
-    repo = "cargo-guppy";
-    rev = "cargo-hakari-${version}";
-    sha256 = "11ds2zryxdd6rvszkpphb0xnfg7rqisg6kixrwyiydjrm5rdjg9d";
-  };
-
-  cargoSha256 = "0b2hjyak5v4m3g5zjk2q8bdb4iv3015qw1rmhpclv4cv48lcmdbb";
-
-  buildAndTestSubdir = "tools/cargo-hakari";
-
-  nativeBuildInputs = [
-    pkg-config
-  ];
-
-  buildInputs = [
-    openssl
-  ];
-}
diff --git a/users/aspen/pkgs/cargo-nextest.nix b/users/aspen/pkgs/cargo-nextest.nix
deleted file mode 100644
index dbf3bd7eef19..000000000000
--- a/users/aspen/pkgs/cargo-nextest.nix
+++ /dev/null
@@ -1,27 +0,0 @@
-{ pkgs, ... }:
-
-with pkgs;
-
-rustPlatform.buildRustPackage rec {
-  pname = "cargo-nextest";
-  version = "0.9.36";
-
-  src = fetchFromGitHub {
-    owner = "nextest-rs";
-    repo = "nextest";
-    rev = "cargo-nextest-${version}";
-    sha256 = "1g40r38bqmdhc0dy07pj27vkc64d3fw6v5z2vwn82xld2h9dg7w2";
-  };
-
-  cargoSha256 = "1g862azgkn3xk3v3chs8hv1b1prj1pq2vfzbhcx6ir9l00kv6gcv";
-
-  cargoTestFlags = [
-    "--"
-    "--skip"
-    "tests_integration::test_relocated_run"
-    "--skip"
-    "tests_integration::test_run"
-    "--skip"
-    "tests_integration::test_run_after_build"
-  ];
-}
diff --git a/users/aspen/secrets/bbbg.age b/users/aspen/secrets/bbbg.age
index ebc0df233898..379441b74f5c 100644
--- a/users/aspen/secrets/bbbg.age
+++ b/users/aspen/secrets/bbbg.age
Binary files differ
diff --git a/users/aspen/secrets/buildkite-ssh-key.age b/users/aspen/secrets/buildkite-ssh-key.age
index d9587f11df4b..61ad416385c6 100644
--- a/users/aspen/secrets/buildkite-ssh-key.age
+++ b/users/aspen/secrets/buildkite-ssh-key.age
Binary files differ
diff --git a/users/aspen/secrets/buildkite-token.age b/users/aspen/secrets/buildkite-token.age
index 320ee06c0937..5bd4923de34f 100644
--- a/users/aspen/secrets/buildkite-token.age
+++ b/users/aspen/secrets/buildkite-token.age
Binary files differ
diff --git a/users/aspen/secrets/cloudflare.age b/users/aspen/secrets/cloudflare.age
index 4f42ee782165..c94fef706c4c 100644
--- a/users/aspen/secrets/cloudflare.age
+++ b/users/aspen/secrets/cloudflare.age
@@ -1,9 +1,9 @@
 age-encryption.org/v1
--> ssh-ed25519 CpJBgQ AVkUs8tuzVlDq3FH/zRrBr5f4KR05fONM6iCluq6hyM
-feS2cxFowSWfDdUQjtmIiMc5338n805yownSZ/ZWfS8
--> ssh-ed25519 LfBFbQ F67irB+DYQ8WMhaFcO+3o0O0lJsf+tWFZ9cSGSuHgA8
-EKS4zRGUEgeldjxdx4sIsnorWHoeTlXa9LJtNf9lkAM
--> QvY:XSvC-grease 04
-pBnXsOF6qugcSBp+pw
---- +g65NbIxu6bVVerS93kYZpEO5ssUZfCD+sZMzOjDUdU
-RTmaF[BÊ0a_&˕=3dlzRVi6-9:U.E	JΙA-qྟ|}}a=H+]mtR%9\Jt|1B
\ No newline at end of file
+-> ssh-ed25519 CpJBgQ 5lJGEVwg5v6612p4iOoO+ShR5kLiQAG/7m2f6R6KLRc
+CvFJQChj9IssFIIvVCh6/qRPfdvLx72rf3aXBD4EAEo
+-> ssh-ed25519 LfBFbQ uqcGghDi2DOAJPD/7udNpdyU4NccMJSdh8mdhzEKNyU
+zT+oVqOOUvTGU8fl0X/kARGESerZfUEjW3F1g6ASlxk
+-> ssh-ed25519 GeE7sQ Ehb6kwx8irEbfeFy4gzK/oWmIZRdt/MEbPysJHVRsBA
+grBUiZAB9Iu37LEhNU8VBvf3jMjiO+QJfJn9dnZ3DI8
+--- Zb/3hWF4WXpQlGJ+0eB4P9ZI6uCdUv5s5n7BnEaKfZM
+1^9]ጶte)Gr6.\#&H&xhM{Di^^-k5ѽh*jn)VޚG{g
zeYIh]G
\ No newline at end of file
diff --git a/users/aspen/secrets/ddclient-password.age b/users/aspen/secrets/ddclient-password.age
index 8d25e3b539bd..3bbc2e51ffd3 100644
--- a/users/aspen/secrets/ddclient-password.age
+++ b/users/aspen/secrets/ddclient-password.age
Binary files differ
diff --git a/users/aspen/secrets/secrets.nix b/users/aspen/secrets/secrets.nix
index 5bfb1c3eb08c..76126f811d02 100644
--- a/users/aspen/secrets/secrets.nix
+++ b/users/aspen/secrets/secrets.nix
@@ -7,8 +7,8 @@ in
 
 {
   "bbbg.age".publicKeys = [ grfn mugwump bbbg ];
-  "cloudflare.age".publicKeys = [ grfn mugwump ];
-  "ddclient-password.age".publicKeys = [ grfn mugwump ];
+  "cloudflare.age".publicKeys = [ grfn mugwump ogopogo ];
+  "ddclient-password.age".publicKeys = [ grfn ogopogo ];
   "buildkite-ssh-key.age".publicKeys = [ grfn mugwump ogopogo ];
   "buildkite-token.age".publicKeys = [ grfn mugwump ogopogo ];
   "windtunnel-bot-github-token.age".publicKeys = [ grfn mugwump ogopogo ];
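Review bot: Dropping `mugwump` from the `ddclient-password.age` recipients only protects the re-encrypted file; the earlier ciphertext that mugwump's host key can decrypt stays in the repository history, so the ddclient password itself should be rotated if the aim is to take that host out of its audience. For `cloudflare.age` the audience grows to three keys, while the mugwump.nix hunks in this same commit remove that host's `security.acme.certs."metrics.gws.fyi"` block but keep `cloudflare.file = secret "cloudflare";`. Unless mugwump still uses the credential somewhere outside these hunks, the line could read `"cloudflare.age".publicKeys = [ grfn ogopogo ];` and the agenix entry on mugwump could go as well. The attribute set opens above this hunk and may continue below it.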
diff --git a/users/aspen/secrets/windtunnel-bot-github-token.age b/users/aspen/secrets/windtunnel-bot-github-token.age
index daae99958276..39fd7cb3a476 100644
--- a/users/aspen/secrets/windtunnel-bot-github-token.age
+++ b/users/aspen/secrets/windtunnel-bot-github-token.age
@@ -1,11 +1,9 @@
 age-encryption.org/v1
--> ssh-ed25519 CpJBgQ YaZ2VHyXofn2qnxRrOYO4yPPu77BEPFq/cbnfa+5WAA
-VgJQoyJVxirvASD0aDsuzmbNJdIP0kpHa5b72Ri7kr8
--> ssh-ed25519 LfBFbQ cXXW3kQzZL7sU4heujIJGzvfpbX0toL2AgsJl5AZPEg
-mhkKn69c/QeCJhYAFgx/MsHrIrXim3OcjkZ/rrckVLs
--> ssh-ed25519 GeE7sQ /XcP3pWg+aKF1F0sPu6RpYv3Rfj2J/QI0yjg3Wgfjm0
-d+rsgbMlDJx0VrjD4/nO4UcM10hcrLxcPA3QlY1t7sQ
--> "0?-grease k}d?h6 |v
-7mV6AFUdCMCrkmLVQaWJPQ
---- I9Ls9AWMkSFCKw7y4pLoTkeGw7h5iROwXLuUm0nfuj8
-~v8&3\.%$ɺtQ͜},BEh
w96?U
\ No newline at end of file
+-> ssh-ed25519 CpJBgQ PiY6IidA+GRbpjL91BVe9UdejWvi02SRcijiMOjXcm4
+XegOhgjdEdzXtz31PsGVyOZ10gH6P82Q1/txZcSxjIY
+-> ssh-ed25519 LfBFbQ uqRF0nKMk1GrK+6pEBdmyHKu2ewDFlWwlKC+myey4gc
+dgnX4eprSolXxCDNoVmGzGK9xLEmtmeg/cJihD4/8sU
+-> ssh-ed25519 GeE7sQ ikAIyFR/qH1a+aa5mumiiDwa5o5aLsQeJKwQwMzgs1M
+8htzhM5t2VnjRBrC+VrL23f9chlQjVGzjxMaFB7Arrs
+--- Qm16HTo5wGUBKS0ly3OZDWp2etLyDS/zlxOHxPjS8PI
+7NY6k|p2'&=mq`5T N9N)RVU-•)M(%p
\ No newline at end of file
diff --git a/users/aspen/system/home/machines/ogopogo.nix b/users/aspen/system/home/machines/ogopogo.nix
index 37396a5aa1be..38dace208411 100644
--- a/users/aspen/system/home/machines/ogopogo.nix
+++ b/users/aspen/system/home/machines/ogopogo.nix
@@ -13,7 +13,7 @@ in
     ../modules/games.nix
     ../modules/obs.nix
     ../modules/development/agda.nix
-    ../modules/development/readyset.nix
+    # ../modules/development/readyset.nix
     ../modules/development/ocaml.nix
   ] ++ (lib.optional (pathExists ../modules/private.nix) ../modules/private.nix);
 
diff --git a/users/aspen/system/home/machines/roswell.nix b/users/aspen/system/home/machines/roswell.nix
index 135477b12ddf..514f19caff17 100644
--- a/users/aspen/system/home/machines/roswell.nix
+++ b/users/aspen/system/home/machines/roswell.nix
@@ -11,7 +11,7 @@ in
     ../modules/development.nix
     ../modules/emacs.nix
     ../modules/vim.nix
-    ../modules/development/readyset.nix
+    # ../modules/development/readyset.nix
     ../modules/tmux.nix
   ] ++ (lib.optional (pathExists ../modules/private.nix) ../modules/private.nix);
 
@@ -34,7 +34,7 @@ in
     openssl
 
     # Nix things
-    nixfmt
+    nixfmt-classic
     nix-prefetch-github
     nixpkgs-review
     cachix
diff --git a/users/aspen/system/home/machines/yeren.nix b/users/aspen/system/home/machines/yeren.nix
index 9a7a561b5e62..54e79f950bce 100644
--- a/users/aspen/system/home/machines/yeren.nix
+++ b/users/aspen/system/home/machines/yeren.nix
@@ -11,7 +11,7 @@ in
     ../modules/common.nix
     ../modules/desktop.nix
     ../modules/development/agda.nix
-    ../modules/development/readyset.nix
+    # ../modules/development/readyset.nix
     ../modules/development/ocaml.nix
   ] ++ (lib.optional (pathExists ../modules/private.nix) ../modules/private.nix);
 
diff --git a/users/aspen/system/home/modules/common.nix b/users/aspen/system/home/modules/common.nix
index b51ae1c7db7e..5117187d6b98 100644
--- a/users/aspen/system/home/modules/common.nix
+++ b/users/aspen/system/home/modules/common.nix
@@ -43,7 +43,7 @@
     openssl
 
     # Nix things
-    nixfmt
+    nixfmt-classic
     nix-prefetch-github
     nixpkgs-review
     cachix
diff --git a/users/aspen/system/home/modules/development/rust.nix b/users/aspen/system/home/modules/development/rust.nix
index c4b20f231546..3c81e2398010 100644
--- a/users/aspen/system/home/modules/development/rust.nix
+++ b/users/aspen/system/home/modules/development/rust.nix
@@ -10,16 +10,16 @@ with lib;
 
   home.packages = with pkgs; [
     rustup
+
+    cargo-bloat
     cargo-edit
     cargo-expand
+    cargo-hakari
+    cargo-nextest
     cargo-udeps
-    cargo-bloat
     sccache
     evcxr
 
-    depot.users.aspen.pkgs.cargo-hakari
-    depot.users.aspen.pkgs.cargo-nextest
-
     # benchmarking+profiling
     cargo-criterion
     cargo-flamegraph
diff --git a/users/aspen/system/home/modules/email.nix b/users/aspen/system/home/modules/email.nix
index cb92c40cee89..a43e3ab5a68d 100644
--- a/users/aspen/system/home/modules/email.nix
+++ b/users/aspen/system/home/modules/email.nix
@@ -16,7 +16,7 @@ let
     personal = {
       primary = true;
       address = "root@gws.fyi";
-      aliases = [ "aspen@gws.fyi" "aspen@gws.fyi" ];
+      aliases = [ "aspen@gws.fyi" ];
       passEntry = "root-gws-msmtp";
     };
   };
diff --git a/users/aspen/system/system/machines/lusca.nix b/users/aspen/system/system/machines/lusca.nix
index 782d504aa90b..4a9202187dd0 100644
--- a/users/aspen/system/system/machines/lusca.nix
+++ b/users/aspen/system/system/machines/lusca.nix
@@ -10,6 +10,7 @@
     ../modules/sound.nix
     ../modules/tvl.nix
     ../modules/development.nix
+    ../modules/prometheus-exporter.nix
   ];
 
   networking.hostName = "lusca";
@@ -130,7 +131,7 @@
 
   hardware.sensor.iio.enable = true;
 
-  hardware.opengl.driSupport32Bit = true;
+  hardware.graphics.enable32Bit = true;
 
   # TPM
   security.tpm2 = {
diff --git a/users/aspen/system/system/machines/mugwump.nix b/users/aspen/system/system/machines/mugwump.nix
index 4cfa11713495..4b72a247601f 100644
--- a/users/aspen/system/system/machines/mugwump.nix
+++ b/users/aspen/system/system/machines/mugwump.nix
@@ -9,7 +9,6 @@ with lib;
     (depot.path.origSrc + "/ops/modules/prometheus-fail2ban-exporter.nix")
     (depot.path.origSrc + "/users/aspen/xanthous/server/module.nix")
     (depot.third_party.agenix.src + "/modules/age.nix")
-    depot.third_party.ddclient.module
   ];
 
   networking.hostName = "mugwump";
@@ -83,7 +82,6 @@ with lib;
     in
     {
       cloudflare.file = secret "cloudflare";
-      ddclient-password.file = secret "ddclient-password";
 
       buildkite-ssh-key = {
         file = secret "buildkite-ssh-key";
@@ -119,161 +117,9 @@ with lib;
     };
   };
 
-  services.grafana = {
-    enable = true;
-    dataDir = "/var/lib/grafana";
-
-    settings = {
-      server = {
-        http_port = 3000;
-        root_url = "https://metrics.gws.fyi";
-        domain = "metrics.gws.fyi";
-      };
-      analytics.reporting_enabled = false;
-    };
-
-    provision = {
-      enable = true;
-      datasources.settings.datasources = [{
-        name = "Prometheus";
-        type = "prometheus";
-        url = "http://localhost:9090";
-      }];
-    };
-  };
-
   security.acme.defaults.email = "root@gws.fyi";
   security.acme.acceptTerms = true;
 
-  services.nginx = {
-    enable = true;
-    statusPage = true;
-    recommendedGzipSettings = true;
-    recommendedOptimisation = true;
-    recommendedTlsSettings = true;
-    recommendedProxySettings = true;
-
-    virtualHosts = {
-      "metrics.gws.fyi" = {
-        enableACME = true;
-        forceSSL = true;
-        locations."/" = {
-          proxyPass = "http://localhost:${toString config.services.grafana.settings.server.http_port}";
-        };
-      };
-    };
-  };
-
-  services.deprecated-ddclient = {
-    package = depot.third_party.ddclient;
-    enable = true;
-    domains = [ "home.gws.fyi" ];
-    interval = "1d";
-    zone = "gws.fyi";
-    protocol = "cloudflare";
-    username = "root@gws.fyi";
-    passwordFile = config.age.secretsDir + "/ddclient-password";
-    quiet = true;
-  };
-
-  security.acme.certs."metrics.gws.fyi" = {
-    dnsProvider = "cloudflare";
-    credentialsFile = config.age.secretsDir + "/cloudflare";
-    webroot = mkForce null;
-  };
-
-  services.prometheus = {
-    enable = true;
-    exporters = {
-      node = {
-        enable = true;
-        openFirewall = false;
-
-        enabledCollectors = [
-          "processes"
-          "systemd"
-          "tcpstat"
-          "wifi"
-        ];
-      };
-
-      nginx = {
-        enable = true;
-        openFirewall = true;
-        sslVerify = false;
-        constLabels = [ "host=mugwump" ];
-      };
-
-      blackbox = {
-        enable = true;
-        openFirewall = true;
-        configFile = pkgs.writeText "blackbox-exporter.yaml" (builtins.toJSON {
-          modules = {
-            https_2xx = {
-              prober = "http";
-              http = {
-                method = "GET";
-                fail_if_ssl = false;
-                fail_if_not_ssl = true;
-                preferred_ip_protocol = "ip4";
-              };
-            };
-          };
-        });
-      };
-    };
-
-    scrapeConfigs = [
-      {
-        job_name = "node";
-        scrape_interval = "5s";
-        static_configs = [{
-          targets = [ "localhost:${toString config.services.prometheus.exporters.node.port}" ];
-        }];
-      }
-      {
-        job_name = "nginx";
-        scrape_interval = "5s";
-        static_configs = [{
-          targets = [ "localhost:${toString config.services.prometheus.exporters.nginx.port}" ];
-        }];
-      }
-      {
-        job_name = "xanthous_server";
-        scrape_interval = "1s";
-        static_configs = [{
-          targets = [ "localhost:${toString config.services.xanthous-server.metricsPort}" ];
-        }];
-      }
-      {
-        job_name = "blackbox";
-        metrics_path = "/probe";
-        params.module = [ "https_2xx" ];
-        scrape_interval = "5s";
-        static_configs = [{
-          targets = [
-            "https://gws.fyi"
-            "https://windtunnel.ci"
-            "https://app.windtunnel.ci"
-            "https://metrics.gws.fyi"
-          ];
-        }];
-        relabel_configs = [{
-          source_labels = [ "__address__" ];
-          target_label = "__param_target";
-        }
-          {
-            source_labels = [ "__param_target" ];
-            target_label = "instance";
-          }
-          {
-            target_label = "__address__";
-            replacement = "localhost:${toString config.services.prometheus.exporters.blackbox.port}";
-          }];
-      }
-    ];
-  };
-
   services.xanthous-server.enable = true;
 
   virtualisation.docker = {
diff --git a/users/aspen/system/system/machines/ogopogo.nix b/users/aspen/system/system/machines/ogopogo.nix
index e80a0906dbf8..3d41a839e17b 100644
--- a/users/aspen/system/system/machines/ogopogo.nix
+++ b/users/aspen/system/system/machines/ogopogo.nix
@@ -11,6 +11,8 @@
     ../modules/tvl.nix
     ../modules/development.nix
     ../modules/wireshark.nix
+    ../modules/metrics.nix
+    ../modules/prometheus-exporter.nix
   ];
 
   networking.hostName = "ogopogo";
@@ -77,12 +79,13 @@
     videoDrivers = [ "nvidia" ];
     dpi = 100;
   };
-  hardware.opengl.enable = true;
+  hardware.graphics.enable = true;
   services.picom = {
     enable = true;
     vSync = true;
   };
-  hardware.opengl.driSupport32Bit = true;
+  hardware.graphics.enable32Bit = true;
+  hardware.nvidia.open = true;
 
   services.postgresql = {
     enable = true;
@@ -90,18 +93,32 @@
     authentication = "host all all 0.0.0.0/0 md5";
     dataDir = "/data/postgresql";
     package = pkgs.postgresql_15;
-    port = 5431;
     settings = {
       wal_level = "logical";
     };
   };
 
-  nix.settings.substituters = [ "ssh://grfn@172.16.0.5" ];
-  nix.settings.trusted-substituters = [ "ssh://grfn@172.16.0.5" ];
-  programs.ssh.knownHosts.mugwump = {
-    extraHostNames = [ "172.16.0.5" ];
-    publicKeyFile = pkgs.writeText "mugwump.pub" ''
-      ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFE2fxPgWO+zeQoLBTgsgxP7Vg7QNHlrQ+Rb3fHFTomB
-    '';
+  # ddclient
+  age.secrets =
+    let
+      secret = name: depot.users.aspen.secrets."${name}.age";
+    in
+    {
+      ddclient-password.file = secret "ddclient-password";
+    };
+
+  services.ddclient = {
+    enable = true;
+    domains = [ "home.gws.fyi" ];
+    interval = "1d";
+    zone = "gws.fyi";
+    protocol = "cloudflare";
+    username = "root@gws.fyi";
+    passwordFile = config.age.secretsDir + "/ddclient-password";
+    quiet = true;
+  }
+  # TODO(aspen): Remove when upgrading past 4.0.0
+  // lib.optionalAttrs (lib.versionOlder pkgs.ddclient.version "4.0.0") {
+    ssl = false;
   };
 }
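Review bot: The `ssl = false;` override at the end of the new `services.ddclient` block has no stated reason, and this service sends the Cloudflare credential read from `passwordFile`. Going by the option name it turns TLS off for ddclient's connections; whether the `cloudflare` protocol still forces HTTPS for the API call is not visible here and should be confirmed. I would replace the TODO with a comment that names the bug being worked around and records that check, e.g. `# ddclient before 4.0.0: REASON (placeholder); Cloudflare API requests confirmed to still use HTTPS`. Separately, with `port = 5431;` removed PostgreSQL falls back to its default port while the unchanged `authentication = "host all all 0.0.0.0/0 md5";` line still admits any IPv4 source, which deserves a second look now that this host also imports metrics.nix. The `services.postgresql` block opens above the hunk.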
diff --git a/users/aspen/system/system/machines/yeren.nix b/users/aspen/system/system/machines/yeren.nix
index 653f0cd44cd5..4b563df635aa 100644
--- a/users/aspen/system/system/machines/yeren.nix
+++ b/users/aspen/system/system/machines/yeren.nix
@@ -93,7 +93,7 @@
     sof-firmware
   ];
 
-  hardware.opengl.extraPackages = with pkgs; [
+  hardware.graphics.extraPackages = with pkgs; [
     vaapiIntel
     vaapiVdpau
     libvdpau-va-gl
@@ -118,7 +118,7 @@
     lightdm-greeter.fprintAuth = true;
   };
 
-  hardware.opengl.driSupport32Bit = true;
+  hardware.graphics.enable32Bit = true;
 
   hardware.pulseaudio.extraConfig = ''
     load-module module-remap-source source_name=KompleteAudio6_1 source_properties=device.description=KompleteAudio6Input1 master=alsa_input.usb-Native_Instruments_Komplete_Audio_6_458E0FFD-00.multichannel-input remix=no channels=1 master_channel_map=front-left channel_map=mono
diff --git a/users/aspen/system/system/modules/containers.nix b/users/aspen/system/system/modules/containers.nix
new file mode 100644
index 000000000000..587e7426b582
--- /dev/null
+++ b/users/aspen/system/system/modules/containers.nix
@@ -0,0 +1,12 @@
+{ config, lib, pkgs, ... }:
+
+{
+  virtualisation.podman = {
+    enable = true;
+    defaultNetwork.settings = { dns_enabled = true; };
+    dockerCompat = true;
+    dockerSocket.enable = true;
+  };
+
+  users.users.aspen.extraGroups = [ "docker" ];
+}
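Review bot: `users.users.aspen.extraGroups = [ "docker" ];` was carried over from the Docker setup, but with `dockerSocket.enable = true` the socket is Podman's, and as far as I know the NixOS module gates it on the `podman` group rather than `docker`. If that holds, the line should be `users.users.aspen.extraGroups = [ "podman" ];`. Either way the group grants access to a rootful container API, which is equivalent to root on the host, so a comment above the line should say so: `# socket access is root-equivalent; keep this group to trusted users`.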
diff --git a/users/aspen/system/system/modules/development.nix b/users/aspen/system/system/modules/development.nix
index bd5e326b2ea6..6e96ae3c8e7f 100644
--- a/users/aspen/system/system/modules/development.nix
+++ b/users/aspen/system/system/modules/development.nix
@@ -1,8 +1,9 @@
 { config, lib, pkgs, ... }:
 
 {
-  virtualisation.docker.enable = true;
-  users.users.aspen.extraGroups = [ "docker" ];
+  imports = [
+    ./containers.nix
+  ];
 
   security.pam.loginLimits = [
     {
diff --git a/users/aspen/system/system/modules/laptop.nix b/users/aspen/system/system/modules/laptop.nix
index 89c880973d80..57b2bc5a45a9 100644
--- a/users/aspen/system/system/modules/laptop.nix
+++ b/users/aspen/system/system/modules/laptop.nix
@@ -20,4 +20,6 @@
     criticalPowerAction = "Hibernate";
     percentageAction = 3;
   };
+
+  services.libinput.touchpad.naturalScrolling = true;
 }
diff --git a/users/aspen/system/system/modules/metrics.nix b/users/aspen/system/system/modules/metrics.nix
new file mode 100644
index 000000000000..0abfb27eeeb5
--- /dev/null
+++ b/users/aspen/system/system/modules/metrics.nix
@@ -0,0 +1,197 @@
+{ depot, config, lib, pkgs, ... }:
+
+with lib;
+
+let
+  nodesToScrape = [
+    "ogopogo"
+    # "dobharchu"
+    "mugwump"
+    # "yeren"
+    "lusca"
+  ];
+
+  nodesRunningNginx = [
+    "ogopogo"
+    "mugwump"
+  ];
+
+  nodesRunningPostgres = [
+    "ogopogo"
+  ];
+
+  blackboxTargets = [
+    "https://gws.fyi"
+    "https://windtunnel.ci"
+    "https://app.windtunnel.ci"
+    "https://metrics.gws.fyi"
+  ];
+in
+{
+  imports = [
+    (depot.third_party.agenix.src + "/modules/age.nix")
+  ];
+
+  config = {
+    services.postgresql = {
+      ensureUsers = [{
+        name = config.services.grafana.settings.database.user;
+        ensureDBOwnership = true;
+      }];
+
+      ensureDatabases = [
+        config.services.grafana.settings.database.name
+      ];
+    };
+
+    services.grafana = {
+      enable = true;
+      dataDir = "/var/lib/grafana";
+
+      settings = {
+        server = {
+          http_port = 3000;
+          root_url = "https://metrics.gws.fyi";
+          domain = "metrics.gws.fyi";
+        };
+        analytics.reporting_enabled = false;
+
+        database = {
+          type = "postgres";
+          user = "grafana";
+          name = "grafana";
+          host = "/run/postgresql";
+        };
+      };
+
+      provision = {
+        enable = true;
+        datasources.settings.datasources = [{
+          name = "Prometheus";
+          type = "prometheus";
+          url = "http://localhost:9090";
+        }];
+      };
+    };
+
+    security.acme.defaults.email = "root@gws.fyi";
+    security.acme.acceptTerms = true;
+
+    services.nginx = {
+      enable = true;
+      statusPage = true;
+      recommendedGzipSettings = true;
+      recommendedOptimisation = true;
+      recommendedTlsSettings = true;
+      recommendedProxySettings = true;
+
+      virtualHosts = {
+        "metrics.gws.fyi" = {
+          enableACME = true;
+          forceSSL = true;
+          locations."/" = {
+            proxyPass = "http://localhost:${toString config.services.grafana.settings.server.http_port}";
+          };
+        };
+      };
+    };
+
+    age.secrets = {
+      cloudflare.file = depot.users.aspen.secrets."cloudflare.age";
+    };
+
+    security.acme.certs."metrics.gws.fyi" = {
+      dnsProvider = "cloudflare";
+      credentialsFile = config.age.secretsDir + "/cloudflare";
+      webroot = mkForce null;
+    };
+
+    services.prometheus = {
+      enable = true;
+      retentionTime = "30d";
+      exporters = {
+        blackbox = {
+          enable = true;
+          openFirewall = true;
+          configFile = pkgs.writeText "blackbox-exporter.yaml" (builtins.toJSON {
+            modules = {
+              https_2xx = {
+                prober = "http";
+                http = {
+                  method = "GET";
+                  fail_if_ssl = false;
+                  fail_if_not_ssl = true;
+                  preferred_ip_protocol = "ip4";
+                };
+              };
+            };
+          });
+        };
+      };
+
+      scrapeConfigs = [
+        {
+          job_name = "node";
+          scrape_interval = "5s";
+          static_configs =
+            map
+              (node: {
+                targets = [ "${node}:${toString config.services.prometheus.exporters.node.port}" ];
+                labels.node = node;
+              })
+              nodesToScrape;
+        }
+        {
+          job_name = "nginx";
+          scrape_interval = "5s";
+          static_configs =
+            map
+              (node: {
+                targets = [ "${node}:${toString config.services.prometheus.exporters.nginx.port}" ];
+                labels.node = node;
+              })
+              nodesRunningNginx;
+        }
+        {
+          job_name = "postgres";
+          scrape_interval = "5s";
+          static_configs =
+            map
+              (node: {
+                targets = [ "${node}:${toString config.services.prometheus.exporters.postgres.port}" ];
+                labels.node = node;
+              })
+              nodesRunningPostgres;
+        }
+        {
+          job_name = "blackbox";
+          metrics_path = "/probe";
+          params.module = [ "https_2xx" ];
+          scrape_interval = "5s";
+          static_configs = [{
+            targets = [
+              "https://gws.fyi"
+              "https://windtunnel.ci"
+              "https://app.windtunnel.ci"
+              "https://metrics.gws.fyi"
+            ];
+          }];
+          relabel_configs = [
+            {
+              source_labels = [ "__address__" ];
+              target_label = "__param_target";
+            }
+            {
+              source_labels = [ "__param_target" ];
+              target_label = "instance";
+            }
+            {
+              target_label = "__address__";
+              replacement = "localhost:${toString config.services.prometheus.exporters.blackbox.port}";
+            }
+          ];
+        }
+      ];
+    };
+  };
+}
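Review bot: `exporters.blackbox.openFirewall = true;` exposes the prober port to the network although the only consumer shown is the `blackbox` scrape job, which rewrites `__address__` to localhost plus the exporter port. A prober reachable from outside will fetch whatever URL it is handed from this host's network position, so I would set `openFirewall = false;` here. The `blackboxTargets` list in the `let` block is never referenced; the job repeats the four URLs literally, and `targets = blackboxTargets;` would keep a single copy. The `node`, `nginx` and `postgres` jobs scrape over bare `${node}:port` names, so a comment stating which network those names resolve on would tell the reader whether that traffic crosses anything untrusted.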
diff --git a/users/aspen/system/system/modules/prometheus-exporter.nix b/users/aspen/system/system/modules/prometheus-exporter.nix
new file mode 100644
index 000000000000..2916fc70ef96
--- /dev/null
+++ b/users/aspen/system/system/modules/prometheus-exporter.nix
@@ -0,0 +1,31 @@
+{ config, lib, pkgs, ... }:
+
+with lib;
+
+{
+  services.prometheus.exporters = {
+    node = {
+      enable = true;
+      openFirewall = false;
+
+      enabledCollectors = [
+        "processes"
+        "systemd"
+        "tcpstat"
+        "wifi"
+      ];
+    };
+
+    nginx = mkIf config.services.nginx.enable {
+      enable = true;
+      openFirewall = true;
+      sslVerify = false;
+      constLabels = [ "host=${config.networking.hostName}" ];
+    };
+
+    postgres = mkIf config.services.postgresql.enable {
+      enable = true;
+      runAsLocalSuperUser = true;
+    };
+  };
+}
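Review bot: The three exporters disagree about exposure: `nginx` sets `openFirewall = true;`, `node` sets it to `false`, and `postgres` leaves it unset, yet metrics.nix scrapes all three by hostname, including hosts other than the one running Prometheus. If the hosts reach each other over an interface the firewall already trusts, the nginx line opens the port on every other interface for nothing and could be `openFirewall = false;`; if not, the node and postgres scrapes will be blocked, and any opening should be narrowed with `firewallFilter` to the metrics host. `runAsLocalSuperUser = true;` runs the exporter's queries as the database superuser; a dedicated role limited to monitoring would be the least-privilege choice, or a comment should say why superuser is accepted. `sslVerify = false;` also deserves a one-line comment naming the endpoint it applies to.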
diff --git a/users/aspen/system/system/modules/sound.nix b/users/aspen/system/system/modules/sound.nix
index 07a67a1ec43b..c97e19f9b2f8 100644
--- a/users/aspen/system/system/modules/sound.nix
+++ b/users/aspen/system/system/modules/sound.nix
@@ -2,8 +2,8 @@
 
 {
   # Enable sound.
-  sound.enable = true;
   hardware.pulseaudio.enable = true;
+  services.pipewire.enable = false;
 
   environment.systemPackages = with pkgs; [
     pulseaudio-ctl
diff --git a/users/aspen/system/system/modules/xserver.nix b/users/aspen/system/system/modules/xserver.nix
index f78edb207e9d..fca49ab9cca0 100644
--- a/users/aspen/system/system/modules/xserver.nix
+++ b/users/aspen/system/system/modules/xserver.nix
@@ -5,12 +5,11 @@
     enable = true;
     xkb.layout = "us";
 
-    libinput.enable = true;
-
-    displayManager = {
-      defaultSession = "none+i3";
-    };
 
     windowManager.i3.enable = true;
   };
+
+  services.displayManager.defaultSession = "none+i3";
+
+  services.libinput.enable = true;
 }
diff --git a/users/aspen/web/index.org b/users/aspen/web/index.org
index 4be79fd79772..109f3a77a08c 100644
--- a/users/aspen/web/index.org
+++ b/users/aspen/web/index.org
@@ -11,22 +11,36 @@ my name is aspen smith and i'm a software engineer and musician.
 
 * work
 
-most recently, i worked on database internals at [[https://readyset.io/][readyset]], an incrementally
+i'm currently a software engineer at jane street.
+
+previously, i worked on database internals at [[https://readyset.io/][readyset]], an incrementally
 maintained, partially stateful materialized view maintenance system for sql
 that's wire-compatible with postgresql and mysql, based on [[https://github.com/mit-pdos/noria][noria]].
 
 * projects
 
-- [[https://windtunnel.ci/][windtunnel]], a continuous benchmarking software-as-a-service currently accepting early alpha users (send me an email if you want to try it out!)
-- [[https://cs.tvl.fyi/depot/-/tree/users/aspen/achilles][achilles]], a compiler for (what I plan to become) a dependently typed, low-level functional programming language targeting LLVM
-- [[https://github.com/glittershark/org-clubhouse][org-clubhouse]], an emacs package for lightweight integration between [[https://orgmode.org/][org-mode]] and [[https://clubhouse.io/][the clubhouse project management tool]]
-- [[https://cs.tvl.fyi/depot/-/tree/users/aspen/xanthous][xanthous]], a terminal roguelike in haskell that I work on intermittently and exclusively for fun
+- [[https://windtunnel.ci/][windtunnel]], a continuous benchmarking software-as-a-service currently
+  accepting early alpha users (send me an email if you want to try it out!)
+- [[https://tvix.dev/][tvix]], a project to reimplement nix in rust with a focus on better performance,
+  maintainability, and extensibility. i'm a committer to the project, and mostly
+  focus on the implementation of the language evaluator.
+- [[https://cs.tvl.fyi/depot/-/tree/users/aspen/achilles][achilles]], a compiler for (what I plan to become) a dependently typed,
+  low-level functional programming language targeting LLVM
+- [[https://cs.tvl.fyi/depot/-/tree/users/aspen/xanthous][xanthous]], a terminal roguelike in haskell that I work on intermittently and
+  exclusively for fun
 
 * music
 
 - https://sacrosanct.bandcamp.com/, a post-rock project with a [[https://bandcamp.com/h34rken][friend of mine]]
 - [[https://soundcloud.com/missingggg][my current soundcloud]], releasing instrumental music under the name *missing*
 - i play bass in [[https://goodcry.band][good cry]], a rock band based in brooklyn
+- my friend [[https://tasshin.com/][tasshin]] and i wrote, recorded and made music videos for 6 songs
+  together:
+  - [[https://www.youtube.com/watch?v=uX11-ClOf5k&list=PLXcbtcE8U1zcQsIWV7uzz-fUm2o9ggSbW&index=5][u're welcome bro]]
+  - [[https://www.youtube.com/watch?v=i1ZNdzkkJe4&list=PLXcbtcE8U1zcQsIWV7uzz-fUm2o9ggSbW&index=4]["cool"]]
+  - [[https://www.youtube.com/watch?v=5GOciie5Pjk&list=PLXcbtcE8U1zcQsIWV7uzz-fUm2o9ggSbW&index=3][being love]]
+  - [[https://www.youtube.com/watch?v=ew-rhBQmGpY&list=PLXcbtcE8U1zcQsIWV7uzz-fUm2o9ggSbW&index=2][gonna]]
+  - [[https://www.youtube.com/watch?v=GJBTaH2EozQ&list=PLXcbtcE8U1zcQsIWV7uzz-fUm2o9ggSbW&index=1][love like there's no tomorrow]]
 - you can also find a log of all the music I listen to [[https://www.last.fm/user/wildgriffin45][on last.fm]]
 
 * contact
diff --git a/users/aspen/web/orgExportHTML.nix b/users/aspen/web/orgExportHTML.nix
index aac4e32e7ac5..3a8e35f22d17 100644
--- a/users/aspen/web/orgExportHTML.nix
+++ b/users/aspen/web/orgExportHTML.nix
@@ -51,7 +51,7 @@ runCommand outName { inherit src; } ''
       --kill
     rm file.org
     substitute file.html "$2" \
-      --replace '<title>&lrm;</title>' ""
+      --replace-quiet '<title>&lrm;</title>' ""
     rm file.html
   }