zfs-replicate needs zfs in its path

flake.lock

@@ -7,32 +7,48 @@
         ]
       },
       "locked": {
-        "lastModified": 1726989464,
-        "narHash": "sha256-Vl+WVTJwutXkimwGprnEtXc/s/s8sMuXzqXaspIGlwM=",
+        "lastModified": 1739757849,
+        "narHash": "sha256-Gs076ot1YuAAsYVcyidLKUMIc4ooOaRGO0PqTY7sBzA=",
         "owner": "nix-community",
         "repo": "home-manager",
-        "rev": "2f23fa308a7c067e52dfcc30a0758f47043ec176",
+        "rev": "9d3d080aec2a35e05a15cedd281c2384767c2cfe",
         "type": "github"
       },
       "original": {
         "owner": "nix-community",
-        "ref": "release-24.05",
+        "ref": "release-24.11",
         "repo": "home-manager",
         "type": "github"
       }
     },
+    "nixos-hardware": {
+      "locked": {
+        "lastModified": 1736441705,
+        "narHash": "sha256-OL7leZ6KBhcDF3nEKe4aZVfIm6xQpb1Kb+mxySIP93o=",
+        "owner": "NixOS",
+        "repo": "nixos-hardware",
+        "rev": "8870dcaff63dfc6647fb10648b827e9d40b0a337",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
+        "ref": "master",
+        "repo": "nixos-hardware",
+        "type": "github"
+      }
+    },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1728328465,
-        "narHash": "sha256-a0a0M1TmXMK34y3M0cugsmpJ4FJPT/xsblhpiiX1CXo=",
+        "lastModified": 1740865531,
+        "narHash": "sha256-h00vGIh/jxcGl8aWdfnVRD74KuLpyY3mZgMFMy7iKIc=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "1bfbbbe5bbf888d675397c66bfdb275d0b99361c",
+        "rev": "5ef6c425980847c78a80d759abc476e941a9bf42",
         "type": "github"
       },
       "original": {
         "owner": "nixos",
-        "ref": "nixos-24.05",
+        "ref": "nixos-24.11",
         "repo": "nixpkgs",
         "type": "github"
       }
@@ -40,17 +56,19 @@
     "root": {
       "inputs": {
         "home-manager": "home-manager",
+        "nixos-hardware": "nixos-hardware",
         "nixpkgs": "nixpkgs",
-        "unstable": "unstable"
+        "unstable": "unstable",
+        "update": "update"
       }
     },
     "unstable": {
       "locked": {
-        "lastModified": 1728241625,
-        "narHash": "sha256-yumd4fBc/hi8a9QgA9IT8vlQuLZ2oqhkJXHPKxH/tRw=",
+        "lastModified": 1755186698,
+        "narHash": "sha256-wNO3+Ks2jZJ4nTHMuks+cxAiVBGNuEBXsT29Bz6HASo=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "c31898adf5a8ed202ce5bea9f347b1c6871f32d1",
+        "rev": "fbcf476f790d8a217c3eab4e12033dc4a0f6d23c",
         "type": "github"
       },
       "original": {
@@ -59,6 +77,22 @@
         "repo": "nixpkgs",
         "type": "github"
       }
+    },
+    "update": {
+      "locked": {
+        "lastModified": 1751274312,
+        "narHash": "sha256-/bVBlRpECLVzjV19t5KMdMFWSwKLtb5RyXdjz3LJT+g=",
+        "owner": "nixos",
+        "repo": "nixpkgs",
+        "rev": "50ab793786d9de88ee30ec4e4c24fb4236fc2674",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nixos",
+        "ref": "nixos-24.11",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
     }
   },
   "root": "root",

flake.nix

@@ -2,26 +2,49 @@
   description = "NixOS configuration";
 
   inputs = {
-    nixpkgs.url = "github:nixos/nixpkgs/nixos-24.05";
+    nixpkgs.url = "github:nixos/nixpkgs/nixos-24.11";
+    update.url = "github:nixos/nixpkgs/nixos-24.11";
     unstable.url = "github:nixos/nixpkgs/nixos-unstable";
+    nixos-hardware.url = "github:NixOS/nixos-hardware/master";
     home-manager = {
-      url = "github:nix-community/home-manager/release-24.05";
+      url = "github:nix-community/home-manager/release-24.11";
       inputs.nixpkgs.follows = "nixpkgs";
     };
   };
 
-  outputs = inputs@{ nixpkgs, home-manager, unstable, ... }:
+  outputs = { nixpkgs, home-manager, unstable, update, nixos-hardware, ... }:
     let
       system = "x86_64-linux";
       pkgs = nixpkgs.legacyPackages.${system};
-      unstablePkgs = unstable.legacyPackages.${system};
+      unstablePkgs = import unstable { inherit system; config.allowUnfree = true; };
+      updatePkgs = import update { inherit system; config.allowUnfree = true; };
     in {
       nixosConfigurations = {
         sandy = nixpkgs.lib.nixosSystem {
           system = "x86_64-linux";
-          specialArgs = { inherit unstablePkgs ; };
+          specialArgs = { inherit unstablePkgs updatePkgs nixos-hardware; };
           modules = [
-            ./configuration.nix
+            ./hosts/sandy/configuration.nix
+            home-manager.nixosModules.home-manager
+            {
+              home-manager = {
+                useGlobalPkgs = true;
+                useUserPackages = true;
+                users.nshields = import ./home.nix;
+                extraSpecialArgs = {
+                  inherit unstablePkgs;
+                };
+              };
+            }
+          ];
+        };
+
+        axl = nixpkgs.lib.nixosSystem {
+          system = "x86_64-linux";
+          specialArgs = { inherit unstablePkgs updatePkgs nixos-hardware; };
+          modules = [
+            { nixpkgs.overlays = [ (import ./overlays/zfs-replicate.nix pkgs) ]; }
+            ./hosts/axl/configuration.nix
             home-manager.nixosModules.home-manager
             {
               home-manager = {

home.nix

@@ -1,7 +1,7 @@
 { config, pkgs, unstablePkgs, ... }: {
   targets.genericLinux.enable = true;
   home = {
-    stateVersion = "23.11";
+    stateVersion = "24.11";
     file = {
       ".local/bin" = { source = ./scripts; };
     };

hosts/axl/configuration.nix

@@ -0,0 +1,73 @@
+{ config, pkgs, updatePkgs, unstablePkgs, nixos-hardware, ... }:
+let
+  keys = import ../../ssh-keys.nix;
+in
+{
+  imports = [
+    ../common/configuration.nix
+    ../common/vnc.nix
+    ./hardware-configuration.nix
+  ];
+
+  networking = {
+    hostId = "7be305c3";
+    hostName = "axl";
+    networkmanager.enable = true;
+  };
+
+  programs.nm-applet.enable = true;
+
+  users.users.nshields = {
+    isNormalUser = true;
+    shell = pkgs.zsh;
+    description = "Nikolai Shields";
+    extraGroups = [ "lp" "docker" "networkmanager" "wheel" "podman" ];
+    openssh.authorizedKeys.keys = keys.nshields;
+  };
+
+  users.users.benson = {
+    isNormalUser = true;
+    shell = pkgs.bash;
+    description = "Benson Chu";
+    extraGroups = [ "wheel" ];
+    openssh.authorizedKeys.keys = keys.benson;
+  };
+
+  # users.users.hodgson = {
+  #   isNormalUser = true;
+  #   shell = pkgs.zsh;
+  #   description = "[Ralph] Peter Hodgson";
+  #   extraGroups = [ "lp" "wheel" ];
+  #   openssh.authorizedKeys.keys = keys.hodgson;
+  # };
+
+  users.users.peter = {
+    isNormalUser = true;
+    shell = pkgs.zsh;
+    description = "Peter Hodgson";
+    extraGroups = [ "lp" "wheel" "input" ];
+    openssh.authorizedKeys.keys = keys.hodgson;
+  };
+
+  users.users.zander = {
+    isNormalUser = true;
+    shell = pkgs.bash;
+    description = "Alexander Thannhauser";
+    extraGroups = [ "lp" "wheel" "input" ];
+    openssh.authorizedKeys.keys = keys.zander;
+  };
+
+  system.autoUpgrade = {
+    enable = true;
+    flake = "/home/benson/peter-nixos";
+    flags = [
+      "--update-input"
+      "unstable"
+      "-L" # print build logs
+    ];
+    dates = "02:00";
+    randomizedDelaySec = "45min";
+  };
+
+  system.stateVersion = "24.11"; # Did you read the comment?
+}

hosts/axl/hardware-configuration.nix

@@ -0,0 +1,59 @@
+# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations.  Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+  imports =
+    [ (modulesPath + "/installer/scan/not-detected.nix")
+    ];
+
+  boot.initrd.availableKernelModules = [ "nvme" "xhci_pci" "thunderbolt" "usbhid" "usb_storage" "sd_mod" "sr_mod" ];
+  boot.initrd.kernelModules = [ ];
+  boot.kernelModules = [ "kvm-amd" ];
+  boot.extraModulePackages = [ ];
+
+  fileSystems."/" =
+    { device = "zpool/root";
+      fsType = "zfs";
+      options = [ "zfsutil" ];
+    };
+
+  fileSystems."/nix" =
+    { device = "zpool/nix";
+      fsType = "zfs";
+      options = [ "zfsutil" ];
+    };
+
+  fileSystems."/var" =
+    { device = "zpool/var";
+      fsType = "zfs";
+      options = [ "zfsutil" ];
+    };
+
+  fileSystems."/home/peter" =
+    { device = "zpool/home/peter";
+      fsType = "zfs";
+      options = [ "zfsutil" ];
+    };
+
+  fileSystems."/boot" =
+    { device = "/dev/disk/by-uuid/2882-CD45";
+      fsType = "vfat";
+    };
+
+  swapDevices =
+    [ { device = "/dev/disk/by-uuid/6469740d-a7fb-4f97-8e96-fb3469a54b64"; }
+    ];
+
+  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+  # (the default) this is the recommended approach. When using systemd-networkd it's
+  # still possible to use this option, but it's recommended to use it in conjunction
+  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
+  networking.useDHCP = lib.mkDefault true;
+  # networking.interfaces.eno1.useDHCP = lib.mkDefault true;
+  # networking.interfaces.wlp5s0.useDHCP = lib.mkDefault true;
+
+  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+  hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+}

hosts/common/configuration.nix

@@ -1,18 +1,8 @@
-{ config, pkgs, unstablePkgs, ... }:
-let
-  keys = import ./ssh-keys.nix;
-in
+{ config, pkgs, updatePkgs, unstablePkgs, nixos-hardware, ... }:
 {
   imports = [
-    ./hardware-configuration.nix
   ];
 
-  networking = {
-    hostId = "7be305c3";
-    hostName = "sandy";
-    networkmanager.enable = true;
-  };
-
   boot.loader = {
     systemd-boot.enable = true;
     efi.canTouchEfiVariables = true;
@@ -38,7 +28,7 @@ in
   nixpkgs.config.allowUnfree = true;
 
   nix = {
-    package = pkgs.nixFlakes;
+    package = pkgs.nixVersions.stable;
     extraOptions = ''
       experimental-features = nix-command flakes
     '';
@@ -47,9 +37,28 @@ in
   programs.zsh.enable = true;
 
   services = {
-    openssh.enable = true;
+    openssh = {
+      enable = true;
+      settings = {
+        X11Forwarding = true;
+      };
+    };
     tailscale.enable = true;
-    zfs.autoSnapshot.enable = true;
+
+    zfs = {
+      # zfs set com.sun:auto-snapshot=true DATASET
+      autoSnapshot.enable = true;
+
+      autoReplication = {
+        enable = true;
+        host = "atlantis.basilisk-prometheus.ts.net";
+        username = "peter";
+        localFilesystem = "zpool";
+        remoteFilesystem = "pool/tenants/axl";
+        identityFilePath = "/home/peter/.ssh/id_ed25519";
+      };
+    };
+
     hardware.bolt.enable = true;
     nscd.enable = true;
     blueman.enable = true;
@@ -71,13 +80,20 @@ in
       enable = true;
       displayManager.lightdm.enable = true;
       displayManager.startx.enable = true;
-      desktopManager.plasma5.enable = true;
+      # desktopManager.plasma5.enable = true;
       desktopManager.mate.enable = true;
-      displayManager.defaultSession = "plasmawayland";
-      displayManager.autoLogin.enable = true;
-      displayManager.autoLogin.user = "hodgson";
-      layout = "us";
-      xkbVariant = "";
+      xkb = {
+        layout = "us";
+        variant = "";
+      };
+    };
+
+    displayManager = {
+      defaultSession = "mate";
+      autoLogin = {
+        enable = true;
+        user = "peter";
+      };
     };
 
     # emacs = {
@@ -88,7 +104,7 @@ in
 
     avahi = {
       enable = true;
-      nssmdns = true;
+      nssmdns4 = true;
       openFirewall = true;
       publish = {
         enable = true;
@@ -108,9 +124,10 @@ in
         gutenprint
       ];
     };
+
+    fwupd.enable = true;
   };
 
-  sound.enable = true;
   hardware = {
     pulseaudio.enable = false;
     printers = {
@@ -132,33 +149,10 @@ in
     sudo.wheelNeedsPassword = false;
   };
 
-  users.users.nshields = {
-    isNormalUser = true;
-    shell = pkgs.zsh;
-    description = "Nikolai Shields";
-    extraGroups = [ "lp" "docker" "networkmanager" "wheel" "podman" ];
-    openssh.authorizedKeys.keys = keys.nshields;
-  };
-
-  users.users.benson = {
-    isNormalUser = true;
-    shell = pkgs.zsh;
-    description = "Benson Chu";
-    extraGroups = [ "wheel" ];
-    openssh.authorizedKeys.keys = keys.benson;
-  };
-
-  users.users.hodgson = {
-    isNormalUser = true;
-    shell = pkgs.zsh;
-    description = "Peter Hodgson";
-    extraGroups = [ "lp" "wheel" ];
-    openssh.authorizedKeys.keys = keys.hodgson;
-  };
-
   environment.systemPackages = with pkgs; [
-    gnome.gnome-tweaks
-    gnome.networkmanager-openconnect
+    # why are these here anyway?
+    # gnome.gnome-tweaks
+    # gnome.networkmanager-openconnect
     nss
     htop
     sssd
@@ -168,7 +162,7 @@ in
     glibc
     glib
     openconnect
-    libsForQt5.plasma-thunderbolt
+    # libsForQt5.plasma-thunderbolt
 
     # essential
     git
@@ -177,6 +171,9 @@ in
     tmux
     unstablePkgs.signal-desktop
     gcc
+    tree
+    file
+    bind
 
     # emacs dependencies
     ispell
@@ -186,10 +183,12 @@ in
     libtool
 
     # browsers
-    google-chrome
-    firefox
+    updatePkgs.google-chrome
+    updatePkgs.firefox
     lynx
-    chromium
+    updatePkgs.chromium
+    unstablePkgs.zoom-us
+    audacity
 
     # networking
     curl
@@ -197,14 +196,18 @@ in
     nmap
     bind
 
+    # notes
+    obsidian
+
     # Other
     racket
     ruby
+    vlc
     (python311.withPackages (pythonPackages: with pythonPackages; [
       urwid
     ]))
 
-    (pkgs.callPackage ./mfcl2690dw/default.nix { })
+    (pkgs.callPackage ../../mfcl2690dw/default.nix { })
 
     tigervnc
   ];
@@ -216,6 +219,4 @@ in
   networking.hosts = {
     "10.0.0.142" = ["BRWBCF4D445BCC3.local"];
   };
-
-  system.stateVersion = "23.11"; # Did you read the comment?
 }

hosts/common/vnc.nix

@@ -0,0 +1,11 @@
+{ config, pkgs, ... }:
+{
+  networking.firewall = {
+    enable = true;
+    allowedTCPPorts = [ 5900 ];
+  };
+
+  environment.shellAliases = {
+    startvnc = "x0vncserver -PasswordFile=$HOME/.vnc/passwd -rfbport=5900 -AcceptSetDesktopSize=0";
+  };
+}

hosts/sandy/configuration.nix

@@ -0,0 +1,61 @@
+{ config, pkgs, updatePkgs, unstablePkgs, nixos-hardware, ... }:
+let
+  keys = import ../../ssh-keys.nix;
+in
+{
+  imports = [
+    ../common/configuration.nix
+    ./hardware-configuration.nix
+    nixos-hardware.nixosModules.framework-11th-gen-intel
+  ];
+
+  boot.kernelPackages = pkgs.linuxPackages_6_12;
+
+  networking = {
+    hostId = "7be305c3";
+    hostName = "sandy";
+    networkmanager.enable = true;
+  };
+
+  users.users.nshields = {
+    isNormalUser = true;
+    shell = pkgs.zsh;
+    description = "Nikolai Shields";
+    extraGroups = [ "lp" "docker" "networkmanager" "wheel" "podman" ];
+    openssh.authorizedKeys.keys = keys.nshields;
+  };
+
+  users.users.benson = {
+    isNormalUser = true;
+    shell = pkgs.bash;
+    description = "Benson Chu";
+    extraGroups = [ "wheel" ];
+    openssh.authorizedKeys.keys = keys.benson;
+  };
+
+  users.users.hodgson = {
+    isNormalUser = true;
+    shell = pkgs.zsh;
+    description = "[Ralph] Peter Hodgson";
+    extraGroups = [ "lp" "wheel" ];
+    openssh.authorizedKeys.keys = keys.hodgson;
+  };
+
+  users.users.peter = {
+    isNormalUser = true;
+    shell = pkgs.zsh;
+    description = "Peter Hodgson";
+    extraGroups = [ "lp" "wheel" "input" ];
+    openssh.authorizedKeys.keys = keys.hodgson;
+  };
+
+  users.users.zander = {
+    isNormalUser = true;
+    shell = pkgs.bash;
+    description = "Alexander Thannhauser";
+    extraGroups = [ "lp" "wheel" "input" ];
+    openssh.authorizedKeys.keys = keys.zander;
+  };
+
+  system.stateVersion = "24.11"; # Did you read the comment?
+}

overlays/zfs-replicate-env-fix.patch

@@ -0,0 +1,74 @@
+diff --git a/zfs/replicate/filesystem/create.py b/zfs/replicate/filesystem/create.py
+index 0349159..f98831c 100644
+--- a/zfs/replicate/filesystem/create.py
++++ b/zfs/replicate/filesystem/create.py
+@@ -50,4 +50,4 @@ def create(filesystem: FileSystem, ssh_command: str) -> None:
+
+
+ def _create(filesystem: str) -> str:
+-    return f"/usr/bin/env - zfs create -o readonly=on {filesystem}"
++    return f"/usr/bin/env zfs create -o readonly=on {filesystem}"
+diff --git a/zfs/replicate/filesystem/destroy.py b/zfs/replicate/filesystem/destroy.py
+index 7e590d5..dd1b75a 100644
+--- a/zfs/replicate/filesystem/destroy.py
++++ b/zfs/replicate/filesystem/destroy.py
+@@ -21,4 +21,4 @@ def destroy(filesystem: FileSystem, ssh_command: str) -> None:
+
+
+ def _destroy(filesystem: FileSystem) -> str:
+-    return f"/usr/bin/env - zfs destroy -r '{filesystem}'"
++    return f"/usr/bin/env zfs destroy -r '{filesystem}'"
+diff --git a/zfs/replicate/filesystem/list.py b/zfs/replicate/filesystem/list.py
+index 5e892e6..f33e11e 100644
+--- a/zfs/replicate/filesystem/list.py
++++ b/zfs/replicate/filesystem/list.py
+@@ -42,7 +42,7 @@ def list(  # pylint: disable=W0622
+ def _list(filesystem: FileSystem) -> str:
+     options = ["-H", "-o name,readonly", "-t filesystem,volume", "-r"]
+
+-    return f"/usr/bin/env - zfs list {' '.join(options)} '{filesystem.name}'"
++    return f"/usr/bin/env zfs list {' '.join(options)} '{filesystem.name}'"
+
+
+ def _filesystems(zfs_list_output: bytes) -> List[FileSystem]:
+diff --git a/zfs/replicate/snapshot/destroy.py b/zfs/replicate/snapshot/destroy.py
+index a2558b1..2a92360 100644
+--- a/zfs/replicate/snapshot/destroy.py
++++ b/zfs/replicate/snapshot/destroy.py
+@@ -21,4 +21,4 @@ def destroy(snapshot: Snapshot, ssh_command: str) -> None:
+
+
+ def _destroy(snapshot: Snapshot) -> str:
+-    return f"/usr/bin/env - zfs destroy '{snapshot.filesystem.name}@{snapshot.name}'"
++    return f"/usr/bin/env zfs destroy '{snapshot.filesystem.name}@{snapshot.name}'"
+diff --git a/zfs/replicate/snapshot/list.py b/zfs/replicate/snapshot/list.py
+index 033f6ee..c29abac 100644
+--- a/zfs/replicate/snapshot/list.py
++++ b/zfs/replicate/snapshot/list.py
+@@ -45,7 +45,7 @@ def _list(filesystem: FileSystem, recursive: bool) -> str:  # pylint: disable=W0
+     if not recursive:
+         options.append("-d 1")
+
+-    return f"/usr/bin/env - zfs list {' '.join(options)} '{filesystem.name}'"
++    return f"/usr/bin/env zfs list {' '.join(options)} '{filesystem.name}'"
+
+
+ def _snapshots(zfs_list_output: bytes) -> List[Snapshot]:
+diff --git a/zfs/replicate/snapshot/send.py b/zfs/replicate/snapshot/send.py
+index 9ebe9f2..20e4c08 100644
+--- a/zfs/replicate/snapshot/send.py
++++ b/zfs/replicate/snapshot/send.py
+@@ -62,9 +62,9 @@ def _send(
+     if previous is not None:
+         options.append(f"-i '{previous.filesystem.name}@{previous.name}'")
+
+-    return f"/usr/bin/env - zfs send {' '.join(options)} '{current.filesystem.name}@{current.name}'"
++    return f"/usr/bin/env zfs send {' '.join(options)} '{current.filesystem.name}@{current.name}'"
+
+
+ def _receive(remote: FileSystem, current: Snapshot, decompress_command: str) -> str:
+     destination = filesystem.remote_dataset(remote, current.filesystem)
+-    return f"{decompress_command}/usr/bin/env - zfs receive -F -d '{destination.name}'"
++    return f"{decompress_command}/usr/bin/env zfs receive -F -d '{destination.name}'"
+--
+2.51.2

overlays/zfs-replicate.nix

@@ -0,0 +1,12 @@
+pkgs:
+final: prev: {
+  zfs-replicate = prev.zfs-replicate.overrideAttrs (oldAttrs: {
+    patches = (oldAttrs.patches or []) ++ [
+      ./zfs-replicate-env-fix.patch
+    ];
+
+    makeWrapperArgs = (oldAttrs.makeWrapperArgs or []) ++ [
+      "--prefix" "PATH" ":" "${pkgs.lib.makeBinPath [ pkgs.zfs ]}"
+    ];
+  });
+}

ssh-keys.nix

@@ -26,4 +26,8 @@
       "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKtQOHXIfltnEVMxgHlxgUNB/o6Bey6vdMWtwSfo+U4q"
       "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIG90xfsjQSCH/nKyXlBujpJshZHb9yWzqDH8fLKKl9T2"
   ];
+
+  zander = [
+    "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDG5Ktw21eX+iWQh0WcU3BUDO7RFwmKCqv39vhC4DdRKfRqCpG8nsv6xPJv9cnPauYLHYmlaJImf6ugejHtD4GrLjhFp2RD8U85TxbqZIKs2bMgqxCb+APeY9QVv0osw8YSoM6NjbgJbzAf9Va3h7ONYJU/Q0qEFip6bIQtDti26/iTi5EgoLWXIkgNL4QRxneC3JZ7Nh6vRNxfv8rXxGl50hgKLNg7eqw+INebk2+Pt0zifnJsgsKPmtiJwKih1+rGnHokk46I7ap/YiZJJiVIbEiGJCHd++qCnu+nsmkJw8TCw73xSkceC8hvtlAvi65+IQ+CLMZCQFz+99Lkq2+/Oe08xVdq9EZCeyL4baIUDpZSS5si7vFWDCIeFQpzSAGrpJzxCNie2ZO1K9lU1687OpcmkCrpmK9V9GxCJWc6LEDnk2Oz8BErFU5GzYsZQcnQ0jjYF5ZiFYXsuepziXtb05995qUSjBC8xgxCW98xMiimNuNelmpuatzI1csIPNU= zander@computer"
+  ];
 }

sunshine.nix

@@ -0,0 +1,39 @@
+{ config, pkgs, updatePkgs, unstablePkgs, ... }:
+{
+  systemd.user.services.sunshine = {
+    description = "Sunshine self-hosted game stream host for Moonlight";
+    wantedBy = ["graphical-session.target"];
+    partOf   = ["graphical-session.target"];
+    startLimitBurst = 5;
+    startLimitIntervalSec = 500;
+    serviceConfig = {
+      ExecStart = "${config.security.wrapperDir}/sunshine";
+      Restart = "on-failure";
+      RestartSec = "5s";
+    };
+  };
+
+  environment.systemPackages = with pkgs; [
+    pkgs.sunshine
+    pkgs.moonlight-qt
+  ];
+
+  security.wrappers.sunshine = {
+    owner = "root";
+    group = "root";
+    capabilities = "cap_sys_admin+p";
+    source = "${pkgs.sunshine}/bin/sunshine";
+  };
+
+  services.avahi.publish.enable = true;
+  services.avahi.publish.userServices = true;
+
+  networking.firewall = {
+    enable = true;
+    allowedTCPPorts = [ 47984 47989 47990 48010 ];
+    allowedUDPPortRanges = [
+      { from = 47998; to = 48010; }
+      #{ from = 8000; to = 8010; }
+    ];
+  };
+}