11 files changed, 242 insertions, 215 deletions
diff --git a/system-profiles/bcachefs.nix b/system-profiles/bcachefs.nix
new file mode 100644
index 00000000..65de9f7e
--- /dev/null
+++ b/system-profiles/bcachefs.nix
@@ -0,0 +1,7 @@
+{ config, pkgs, ... } : {
+  config = {
+    boot.supportedFilesystems = [ "bcachefs" ];
+    environment.systemPackages = with pkgs; [ bcachefs-tools ];
+  };
+}
diff --git a/system-profiles/build-server/clients/sif/private b/system-profiles/build-server/clients/sif/private
index 11a4bcbc..b8414951 100644
--- a/system-profiles/build-server/clients/sif/private
+++ b/system-profiles/build-server/clients/sif/private
@@ -7,19 +7,17 @@
                "hc_vault": null,
                "age": [
                        {
-                                "recipient": "age1ure0athvtnaqqw48pe0y3upqdzmkaen9h70yggd9va4hva6avd8qqm6s4d",
+                                "recipient": "age1rmmhetcmllq0ahl5qznlr0eya2zdxwl9h6y5wnl97d2wtyx5t99sm2u866",
-                                "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA1c2cveXlHRC80NitqUHAy\nTGpDZU1POXVqUVZGUENwaXA2UzNRUG5IdWpNCjl2Nnl6S3dqbzA4VGp5OUYzVnBP\nR21tVTRSMHdhUVdHUGZ5MzNVWGMyTGsKLS0tIDR6UW5rTjBqSXZieUpZd3NMSWNl\nWW1xTDRtbWpxQTdDSlVwcnJBUmtlb0kKY3ArjYsxohdmy+fJDY65jgvUea73ECdC\nmro/2A+vpSsFGijCKoHnXL7/gcwBk7mY7tai9sjNdvam1BvrmkdPJQ==\n-----END AGE ENCRYPTED FILE-----\n"
+                                "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBxMjlsN3Uvbm9rUE1JZEtZ\ndmxiQVZsa3NmVUZiTXdVcm9tSmZ6ZHFvLzNVClRYL2g0bjJXbFJlaklaU1FKSXlE\nSmpteks2ZzZ4OGlvMlk3NFpUdjVDeFkKLS0tIE9JZkhYSVJSSXVOT3hpMjYxSDdx\nSE1lNDVtY2Nxd1h4aWloR3c5MmtwblUKmaWYEjW6S+SUS8bUK3ul6qhAXMYfar/P\nsm3BXbRJKrHa1AbUANnEivthA2vkE84GQceH+9TFvUDbjVbrqYIRUQ==\n-----END AGE ENCRYPTED FILE-----\n"
+                        },
+                        {
+                                "recipient": "age1fj65apkhfkrwyv5tx6zcs9nkjg8267fy733qph30sc7zfn7vapjqkd5kne",
+                                "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBXUWR5aVlzUzErdmJjS0M5\nWjFUSDJqQTV5bkxWbG1zZHQzQ0I3Vjk0QlU4CjBEem5UbkpOb3BLd1M0emV5VHV6\nR2Y5dlo4WW5qNy9mR0ZiWU45OXVQQlUKLS0tIFNlZ1VheFZzTTJUaUw4NG1NN2sy\nbWRmR2tva0Y2b2k4UktMZzBaSU8rSFkKRNn8s2OM3JtEPlGub5mUxfinx6fSlc6w\ndt7PThAt7yazz/YYpZEoju+4xwdzD+KzLrEGgPtkfekZPXmcmx6vjw==\n-----END AGE ENCRYPTED FILE-----\n"
                        }
                ],
                "lastmodified": "2021-09-27T18:11:41Z",
                "mac": "ENC[AES256_GCM,data:LeLaxKnUhMpXXlxiZaRw3pKnd8tzcd8I9CwO2SRuzvzo/Bi8cBHq7IrJUmG6PWrTHhwTEI2Ul4DEF4PygRZybjRYUEVLbnKqYGPf4P0nZPhBBH6Ogpdc0o2C1t7A+HIka99A75oXx81k0bEaj6WuqgtPpOA6JhirCyOCJ7xDQE0=,iv:5XNCFDirM1NzS56AVDiJxP+4IuSMComezM+1pD6rayc=,tag:8ECDILhztr3NAVl0RhiwfQ==,type:str]",
-                "pgp": [
+                "pgp": null,
-                        {
-                                "created_at": "2023-01-30T10:58:12Z",
-                                "enc": "-----BEGIN PGP MESSAGE-----\n\nhF4DXxoViZlp6dISAQdAAIyaBar/+e4YSSPS9eelsVpjzXf5kBSh1W3EgOZjblAw\nuIKrr4Qds/bgFHSoKZtzC6U8fbMddn6ua+tlguj8m5GCihUF0PgvtMb7tvZO0mGV\n0l4BrRfRDAr7THk5C1JCF2pWOpgyMVZP3X4kBt7Adbtg7HBSP/VVnRqlUUdwGAom\nt5q7Q+jdGrFdhoVczocAwUkypWF3GhGmAxAwAr9WgQWo3ruWBAcqFsbOSFhC5EQE\n=bfnH\n-----END PGP MESSAGE-----\n",
-                                "fp": "30D3453B8CD02FE2A3E7C78C0FB536FB87AE8F51"
-                        }
-                ],
                "unencrypted_suffix": "_unencrypted",
                "version": "3.7.1"
        }
diff --git a/system-profiles/core/default.nix b/system-profiles/core/default.nix
index 0859d707..c2c821b7 100644
--- a/system-profiles/core/default.nix
+++ b/system-profiles/core/default.nix
@@ -74,7 +74,7 @@ in {
              };
          in foldr (def: mergeConfig def.value) {};
      };
-      description = mdDoc ''
+      description = ''
        The configuration of the Nix Packages collection.  (For
        details, see the Nixpkgs documentation.)  It allows you to set
        package configuration options.
@@ -91,96 +91,113 @@ in {
    };
  };
-  config = {
+  config = foldr recursiveUpdate {} ([
-    networking.hostName = hostName;
+    {
-    system.configurationRevision = mkIf (flake ? rev) flake.rev;
+      networking.hostName = hostName;
+      system.configurationRevision = mkIf (flake ? rev) flake.rev;
-    nixpkgs.pkgs = import (flakeInputs.${config.nixpkgs.flakeInput}.outPath + "/pkgs/top-level") {
+      nixpkgs.pkgs = import (flakeInputs.${config.nixpkgs.flakeInput}.outPath + "/pkgs/top-level") {
-      overlays = attrValues flake.overlays;
+        overlays = attrValues flake.overlays;
-      config = config.nixpkgs.externalConfig;
+        config = config.nixpkgs.externalConfig;
-      localSystem = config.nixpkgs.system;
+        localSystem = config.nixpkgs.system;
-    };
+      };
-    nix = {
+      nix = {
-      package = pkgs.nixUnstable;
+        package = if builtins.hasAttr "latest" pkgs.nixVersions then pkgs.nixVersions.latest else pkgs.nixUnstable;
-      settings = {
+        settings = {
-        sandbox = true;
+          sandbox = true;
-        allowed-users = [ "*" ];
+          allowed-users = [ "*" ];
-        trusted-users = [ "root" "@wheel" ];
+          trusted-users = [ "root" "@wheel" ];
-        experimental-features = ["nix-command" "flakes" "auto-allocate-uids" "cgroups"];
+          experimental-features = ["nix-command" "flakes" "auto-allocate-uids" "cgroups"];
-        auto-allocate-uids = true;
+          auto-allocate-uids = true;
-        use-cgroups = true;
+          use-cgroups = true;
-        use-xdg-base-directories = true;
+          use-xdg-base-directories = true;
-        flake-registry = "${flakeInputs.flake-registry}/flake-registry.json";
+          flake-registry = "${flakeInputs.flake-registry}/flake-registry.json";
+        };
+        nixPath = [
+          "nixpkgs=${pkgs.runCommand "nixpkgs" {} ''
+            mkdir $out
+            ln -s ${./nixpkgs.nix} $out/default.nix
+            ln -s /run/nixpkgs/lib $out/lib
+          ''}"
+        ];
+        registry =
+          let override = { self = "nixos"; };
+          in mapAttrs' (inpName: inpFlake: nameValuePair
+            (override.${inpName} or inpName)
+            { flake = inpFlake; } ) flakeInputs;
      };
-      nixPath = [
-        "nixpkgs=${pkgs.runCommand "nixpkgs" {} ''
+      systemd.tmpfiles.rules = [
-          mkdir $out
+        "L+ /run/nixpkgs - - - - ${flakeInputs.nixpkgs.outPath}"
-          ln -s ${./nixpkgs.nix} $out/default.nix
+        "L+ /run/nixpkgs-overlays.nix - - - - ${pkgs.writeText "overlays.nix" ''
-          ln -s /run/nixpkgs/lib $out/lib
+          with builtins;
+          attrValues (import
+            (
+              let lock = fromJSON (readFile ${flake + "/flake.lock"}); in
+              fetchTarball {
+                url = "https://github.com/edolstra/flake-compat/archive/''${lock.nodes.flake-compat.locked.rev}.tar.gz";
+                sha256 = lock.nodes.flake-compat.locked.narHash;
+              }
+            )
+            { src = ${flake}; }
+          ).defaultNix.overlays
        ''}"
+        "L+ /etc/nixos - - - - ${flake}"
      ];
-      registry =
-        let override = { self = "nixos"; };
-        in mapAttrs' (inpName: inpFlake: nameValuePair
-          (override.${inpName} or inpName)
-          { flake = inpFlake; } ) flakeInputs;
-    };
-    systemd.tmpfiles.rules = [
-      "L+ /run/nixpkgs - - - - ${flakeInputs.nixpkgs.outPath}"
-      "L+ /run/nixpkgs-overlays.nix - - - - ${pkgs.writeText "overlays.nix" ''
-        with builtins;
-        attrValues (import
-          (
-            let lock = fromJSON (readFile ${flake + "/flake.lock"}); in
-            fetchTarball {
-              url = "https://github.com/edolstra/flake-compat/archive/''${lock.nodes.flake-compat.locked.rev}.tar.gz";
-              sha256 = lock.nodes.flake-compat.locked.narHash;
-            }
-          )
-          { src = ${flake}; }
-        ).defaultNix.overlays
-      ''}"
-    ];
-    users.mutableUsers = false;
-    # documentation.nixos.includeAllModules = true; # incompatible with home-manager (build fails)
+      users.mutableUsers = false;
-    home-manager = {
+      documentation.nixos = {
-      useGlobalPkgs = true; # Otherwise home-manager would only work impurely
+        includeAllModules = true;
-      useUserPackages = false;
+        options.warningsAreErrors = false;
-      backupFileExtension = "bak";
+      };
-    };
-    sops = mkIf hasSops {
+      home-manager = {
-      age = {
+        useGlobalPkgs = true; # Otherwise home-manager would only work impurely
-        keyFile = "/var/lib/sops-nix/key.txt";
+        useUserPackages = false;
-        generateKey = false;
+        backupFileExtension = "bak";
-        sshKeyPaths = [];
      };
-      gnupg = {
-        home = null;
+      sops = mkIf hasSops {
-        sshKeyPaths = [];
+        age = {
+          keyFile = "/var/lib/sops-nix/key.txt";
+          generateKey = false;
+          sshKeyPaths = [];
+        };
+        gnupg = {
+          home = null;
+          sshKeyPaths = [];
+        };
      };
-    };
-    programs.git = {
+      programs.git = {
-      enable = true;
+        enable = true;
-      lfs.enable = true;
+        lfs.enable = true;
+      };
+      environment.systemPackages = with pkgs; [ git-annex scutiger ];
+    }
+  ] ++ (optional (options ? system.switch.enableNg) {
+    system.switch = lib.mkDefault {
+      enable = false;
+      enableNg = true;
    };
-    environment.systemPackages = with pkgs; [ git-annex scutiger ];
+  })
+  ++ (optional (options ? system.etc) {
-    system.activationScripts.symlink-flake = ''
+    boot.initrd.systemd.enable = lib.mkDefault true;
-      if test -L /etc/nixos; then
+    system.etc.overlay.enable = lib.mkDefault true;
-        ln -nsf ${flake} /etc/nixos
+    systemd.sysusers.enable = lib.mkDefault true;
-      elif test -d /etc/nixos && rmdir --ignore-fail-on-non-empty /etc/nixos; then
-        ln -s ${flake} /etc/nixos
+    # Random perl remnants
-      fi
+    system.disableInstallerTools = lib.mkDefault true;
-    '';
+    programs.less.lessopen = lib.mkDefault null;
-  };
+    programs.command-not-found.enable = lib.mkDefault false;
+    boot.enableContainers = lib.mkDefault false;
+    boot.loader.grub.enable = lib.mkDefault false;
+    environment.defaultPackages = lib.mkDefault [ ];
+    documentation.info.enable = lib.mkDefault false;
+  }));
 }
diff --git a/system-profiles/initrd-ssh/module.nix b/system-profiles/initrd-ssh/module.nix
index 2e75a8c4..db973b72 100644
--- a/system-profiles/initrd-ssh/module.nix
+++ b/system-profiles/initrd-ssh/module.nix
@@ -15,7 +15,7 @@ in
    enable = mkOption {
      type = types.bool;
      default = false;
-      description = lib.mdDoc ''
+      description = ''
        Start SSH service during initrd boot. It can be used to debug failing
        boot on a remote server, enter pasphrase for an encrypted partition etc.
        Service is killed when stage-1 boot is finished.
@@ -28,7 +28,7 @@ in
    port = mkOption {
      type = types.port;
      default = 22;
-      description = lib.mdDoc ''
+      description = ''
        Port on which SSH initrd service should listen.
      '';
    };
@@ -36,7 +36,7 @@ in
    shell = mkOption {
      type = types.str;
      default = "/bin/ash";
-      description = lib.mdDoc ''
+      description = ''
        Login shell of the remote user. Can be used to limit actions user can do.
      '';
    };
@@ -48,7 +48,7 @@ in
        "/etc/secrets/initrd/ssh_host_rsa_key"
        "/etc/secrets/initrd/ssh_host_ed25519_key"
      ];
-      description = lib.mdDoc ''
+      description = ''
        Specify SSH host keys to import into the initrd.
        To generate keys, use
@@ -80,7 +80,7 @@ in
      type = types.listOf types.str;
      default = config.users.users.root.openssh.authorizedKeys.keys;
      defaultText = literalExpression "config.users.users.root.openssh.authorizedKeys.keys";
-      description = lib.mdDoc ''
+      description = ''
        Authorized keys for the root user on initrd.
      '';
    };
@@ -88,7 +88,7 @@ in
    extraConfig = mkOption {
      type = types.lines;
      default = "";
-      description = lib.mdDoc "Verbatim contents of {file}`sshd_config`.";
+      description = "Verbatim contents of {file}`sshd_config`.";
    };
  };
diff --git a/system-profiles/networkmanager.nix b/system-profiles/networkmanager.nix
index 0fc25619..bc5fd5ff 100644
--- a/system-profiles/networkmanager.nix
+++ b/system-profiles/networkmanager.nix
@@ -10,10 +10,7 @@ with lib;
        dhcp = "internal";
        dns = mkForce "dnsmasq";
        logLevel = "INFO";
-        extraConfig = ''
+        settings.connectivity.url = "https://online.yggdrasil.li";
-          [connectivity]
-          uri=https://online.yggdrasil.li
-        '';
      };
    };
diff --git a/system-profiles/nfsroot.nix b/system-profiles/nfsroot.nix
index 4323765b..1cd930d9 100644
--- a/system-profiles/nfsroot.nix
+++ b/system-profiles/nfsroot.nix
@@ -1,4 +1,4 @@
-{ config, pkgs, lib, flake, flakeInputs, ... }:
+{ config, options, pkgs, lib, flake, flakeInputs, ... }:
 with lib;
@@ -14,99 +14,111 @@ in {
      storeDevice = mkOption {
        type = types.str;
        default = "nfsroot:nix-store";
+        description = "Nix store device";
      };
      registrationUrl = mkOption {
        type = types.str;
        default = "http://nfsroot/nix-registration";
+        description = "Url of nix store registrations";
      };
    };
    system.build = {
-      storeContents = mkOption {};
+      storeContents = mkOption {
+        description = "Contents of nix store";
+      };
    };
  };
-  config = {
+  config = foldr recursiveUpdate {} ([
-    # Don't build the GRUB menu builder script, since we don't need it
+    {
-    # here and it causes a cyclic dependency.
+      # Don't build the GRUB menu builder script, since we don't need it
-    boot.loader.grub.enable = false;
+      # here and it causes a cyclic dependency.
+      boot.loader.grub.enable = false;
-    # !!! Hack - attributes expected by other modules.
-    environment.systemPackages = [ pkgs.grub2_efi ]
+      # !!! Hack - attributes expected by other modules.
-      ++ (if pkgs.stdenv.hostPlatform.system == "aarch64-linux"
+      environment.systemPackages = [ pkgs.grub2_efi ]
-          then []
+        ++ (if pkgs.stdenv.hostPlatform.system == "aarch64-linux"
-          else [ pkgs.grub2 pkgs.syslinux ]);
+            then []
+            else [ pkgs.grub2 pkgs.syslinux ]);
-    # In stage 1, mount a tmpfs on top of /nix/store (the squashfs
-    # image) to make this a live CD.
+      # In stage 1, mount a tmpfs on top of /nix/store (the squashfs
-    fileSystems."/nix/.ro-store" = mkImageMediaOverride
+      # image) to make this a live CD.
-      { fsType = "nfs4";
+      fileSystems."/nix/.ro-store" = mkImageMediaOverride
-        device = cfg.storeDevice;
+        { fsType = "nfs4";
-        options = [ "ro" ];
+          device = cfg.storeDevice;
-        neededForBoot = true;
+          options = [ "ro" ];
-      };
+          neededForBoot = true;
+        };
+      fileSystems."/nix/.rw-store" = mkImageMediaOverride
+        { fsType = "tmpfs";
+          options = [ "mode=0755" ];
+          neededForBoot = true;
+        };
+      fileSystems."/nix/store" = mkImageMediaOverride
+        { fsType = "overlay";
+          device = "overlay";
+          options = [
+            "lowerdir=/nix/.ro-store"
+            "upperdir=/nix/.rw-store/store"
+            "workdir=/nix/.rw-store/work"
+          ];
+          depends = [
+            "/nix/.ro-store"
+            "/nix/.rw-store/store"
+            "/nix/.rw-store/work"
+          ];
+        };
+      nix.settings.use-sqlite-wal = false;
+      boot.initrd.availableKernelModules = [ "nfs" "nfsv4" "overlay" ];
+      boot.initrd.supportedFilesystems = [ "nfs" "nfsv4" "overlay" ];
+      services.rpcbind.enable = mkImageMediaOverride false;
+      boot.initrd.network.enable = true;
+      boot.initrd.network.flushBeforeStage2 = false; # otherwise nfs doesn't work
+      boot.initrd.postMountCommands = ''
+        mkdir -p /mnt-root/etc/
+        cp /etc/resolv.conf /mnt-root/etc/resolv.conf
+      '';
+      networking.useDHCP = true;
+      networking.resolvconf.enable = false;
+      networking.dhcpcd.persistent = true;
-    fileSystems."/nix/.rw-store" = mkImageMediaOverride
-      { fsType = "tmpfs";
-        options = [ "mode=0755" ];
-        neededForBoot = true;
-      };
-    fileSystems."/nix/store" = mkImageMediaOverride
+      system.build.storeContents = [config.system.build.toplevel];
-      { fsType = "overlay";
-        device = "overlay";
-        options = [
-          "lowerdir=/nix/.ro-store"
-          "upperdir=/nix/.rw-store/store"
-          "workdir=/nix/.rw-store/work"
-        ];
-        depends = [
-          "/nix/.ro-store"
-          "/nix/.rw-store/store"
-          "/nix/.rw-store/work"
-        ];
-      };
-    nix.settings.use-sqlite-wal = false;
+      system.build.netbootIpxeScript = pkgs.writeTextDir "netboot.ipxe" ''
+        #!ipxe
-    boot.initrd.availableKernelModules = [ "nfs" "nfsv4" "overlay" ];
+        # Use the cmdline variable to allow the user to specify custom kernel params
-    boot.initrd.supportedFilesystems = [ "nfs" "nfsv4" "overlay" ];
+        # when chainloading this script from other iPXE scripts like netboot.xyz
-    services.rpcbind.enable = mkImageMediaOverride false;
+        kernel ${pkgs.stdenv.hostPlatform.linux-kernel.target} init=${config.system.build.toplevel}/init initrd=initrd ${toString config.boot.kernelParams} ''${cmdline}
+        initrd initrd
-    boot.initrd.network.enable = true;
+        boot
-    boot.initrd.network.flushBeforeStage2 = false; # otherwise nfs doesn't work
-    boot.initrd.postMountCommands = ''
-      mkdir -p /mnt-root/etc/
-      cp /etc/resolv.conf /mnt-root/etc/resolv.conf
-    '';
-    networking.useDHCP = true;
-    networking.resolvconf.enable = false;
-    networking.dhcpcd.persistent = true;
-    system.build.storeContents = [config.system.build.toplevel];
-    system.build.netbootIpxeScript = pkgs.writeTextDir "netboot.ipxe" ''
-      #!ipxe
-      # Use the cmdline variable to allow the user to specify custom kernel params
-      # when chainloading this script from other iPXE scripts like netboot.xyz
-      kernel ${pkgs.stdenv.hostPlatform.linux-kernel.target} init=${config.system.build.toplevel}/init initrd=initrd ${toString config.boot.kernelParams} ''${cmdline}
-      initrd initrd
-      boot
-    '';
-    boot.postBootCommands =
-      ''
-        # After booting, register the contents of the Nix store on NFS
-        # in the Nix database in the tmpfs.
-        ${pkgs.curl}/bin/curl ${escapeShellArg cfg.registrationUrl} | ${config.nix.package.out}/bin/nix-store --load-db
-        # nixos-rebuild also requires a "system" profile and an
-        # /etc/NIXOS tag.
-        touch /etc/NIXOS
-        ${config.nix.package}/bin/nix-env -p /nix/var/nix/profiles/system --set /run/current-system
      '';
-  };
+      boot.postBootCommands =
+        ''
+          # After booting, register the contents of the Nix store on NFS
+          # in the Nix database in the tmpfs.
+          ${pkgs.curl}/bin/curl ${escapeShellArg cfg.registrationUrl} | ${config.nix.package.out}/bin/nix-store --load-db
+          # nixos-rebuild also requires a "system" profile and an
+          # /etc/NIXOS tag.
+          touch /etc/NIXOS
+          ${config.nix.package}/bin/nix-env -p /nix/var/nix/profiles/system --set /run/current-system
+        '';
+      boot.initrd.systemd.enable = false;
+    }
+  ] ++ (optional (options ? system.etc) {
+    system.etc.overlay.enable = false;
+  }) ++ (optional (options ? system.sysusers) {
+    systemd.sysusers.enable = false;
+  }));
 }
diff --git a/system-profiles/openssh/host-keys/sif.yaml b/system-profiles/openssh/host-keys/sif.yaml
index bc66c1a2..ca904535 100644
--- a/system-profiles/openssh/host-keys/sif.yaml
+++ b/system-profiles/openssh/host-keys/sif.yaml
@@ -6,28 +6,26 @@ sops:
    azure_kv: []
    hc_vault: []
    age:
-        - recipient: age1ure0athvtnaqqw48pe0y3upqdzmkaen9h70yggd9va4hva6avd8qqm6s4d
+        - recipient: age1rmmhetcmllq0ahl5qznlr0eya2zdxwl9h6y5wnl97d2wtyx5t99sm2u866
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBsMzdPNTFsSmJtVzIrV2c3
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBLL1N1YlVlaTRLblhNS2ZN
-            aG9HbVo0Y0F2ZkRaclhuTlR1b0prVnVpSDNzCkxweHkwYnVaVnFLQWJkVmw2cExD
+            TW5VTHhBTHVHN3RMWjFYQzhmRTNneVU1THhzCmlaWlhMTzNGVENsdG03TzVHM0s1
-            VEh2TU9NUzJkRzBlQnpUR09sUkY1RHMKLS0tIDhsWkh3OXRrY3JDaXR5b2ZzWWhN
+            K1lEcFBQZm8zTW9uelppRXd6dEJvZFkKLS0tIGVSem1nd1Y0VHdRWUc1UVEyZHc5
-            MWVzNlBTa0xkZDZrMWdsU0lvemVRb0kKbTUwFHMXZqbVdKqBWSa0B81ymVGqS7G3
+            UEVlc3BKVTFlbkhMZ2doZzhSOGNVZk0K+xn79UxArLoDo9+Ek0Hi/mUJf974OIIZ
-            ZhchZZpZdQcKMQ/I/rkvJqFstuOuEHYvUWeKz04zL3W2BuMp/TwOXQ==
+            g/hDK+e8ZtKyIhXYmH0CXYzZNpwhf2qegYoj7gZLOL2IIWxGdfytgg==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1fj65apkhfkrwyv5tx6zcs9nkjg8267fy733qph30sc7zfn7vapjqkd5kne
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBBWDFNWEpUV1cxbjlpOHBG
+            L010cW5tNXcrYXpoNUpYb1VuSFo5L2g2eVVVCkJCWFVtMW1zMlAvbEdXYVZoSnFF
+            dG1ucmgwdGtNVm1SL0ZJTUNUdWFXSVEKLS0tIER6bFRMK2lxZ0JRc1p1T09xOTVv
+            c2NKR0dyOGNpUUtTYlArd3hUbHk4T28KxHufhcZOHj94zoQANPvbYrprCSFZ9crx
+            IMA8NSi2i9evmxjaZwYQBJGMbmwgLmBTssY8sRl1vj17WqnwImyajA==
            -----END AGE ENCRYPTED FILE-----
    lastmodified: "2021-01-02T19:05:26Z"
    mac: ENC[AES256_GCM,data:yJGzs0W0R+b6WPkUaQc9cxeTBBEXot0ffUAG77Of88kREFsD5ams9qEDCs8LhPhMtLSH5L8bqMLF28n2w6d9gf41NDBl/oj+XTJE26c4D+MWF2A0fqTvwv1l3524TfavVU8iur0bCbytNfcHSZ3zCQAYElswOGupO+K0Y3hwKKI=,iv:jHSgQV6Jg2Yckp8G0Z23Ny74ZQxZ/+C/neXKrEWUVak=,tag:DhOr2cVhIq8i4JAO+fdXxA==,type:str]
-    pgp:
+    pgp: []
-        - created_at: "2023-01-30T10:57:39Z"
-          enc: |
-            -----BEGIN PGP MESSAGE-----
-            hF4DXxoViZlp6dISAQdANv2DNGghv2Kh8xkNTxD7zLoo9CA0wg3QKJ6MHIFfDyMw
-            v6VzYeLDETRzJnqbmNrUD4iumJJfLUsbiBdCFNYsuiGgwrzRKLRyFYZ/vU6WGetm
-            0l4BK8qWw4Te7oRdHymqckpf9G6elyM+5z7ZDVqcFp8frmKJexP3e95UJU4I0rOj
-            MM6S/XcDsMVdxDo9hliZ1t6aTiBizqpBCK+YK6SrQ+OuoS5PSpSqfq2w5sLIDGiJ
-            =cLdo
-            -----END PGP MESSAGE-----
-          fp: 30D3453B8CD02FE2A3E7C78C0FB536FB87AE8F51
    unencrypted_suffix: _unencrypted
    version: 3.6.1
diff --git a/system-profiles/openssh/host-moduli/sif b/system-profiles/openssh/host-moduli/sif
index 334d23ff..4a3fb612 100644
--- a/system-profiles/openssh/host-moduli/sif
+++ b/system-profiles/openssh/host-moduli/sif
@@ -7,19 +7,17 @@
                "hc_vault": null,
                "age": [
                        {
-                                "recipient": "age1ure0athvtnaqqw48pe0y3upqdzmkaen9h70yggd9va4hva6avd8qqm6s4d",
+                                "recipient": "age1rmmhetcmllq0ahl5qznlr0eya2zdxwl9h6y5wnl97d2wtyx5t99sm2u866",
-                                "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBacUpEWGR2Q3pwekRiYllz\nSWlsbG9rWjFCMlRZd2lXNkI5QmNZekFrRUhjCmxDamlwK09EMjFoaC9IR0hTZnFN\nOXJpYkg5clVvVDBabGQvSzhTRHZ2Z0kKLS0tIDYyTXJIRUV5TTdnbllTTUVhemV6\nVFlxaXBZUTYyNlUwRk9YWlA3NDZRakUKYHKZf7bYI4xm2plyI4QFGzMJMnQ1Nipu\nbR6jbSnHJTaYCJLUZTa0lVcrHBdbHK5gjV0tWOjAkG7z/PUXc8oInA==\n-----END AGE ENCRYPTED FILE-----\n"
+                                "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBlUUJHZ3ptcXp2MEhSWHcv\nVERwVFU5Nm5qUzQ3MmVEUkZKVEcyODByRFhjCnFoUkgwZUN0TlRSeEpwdFFDbnZO\ndTNqQUt2ZEdUZ1phNGlUMEdwTmVsUE0KLS0tIGRWcWxDMEdiQTc5cytpU0pQWjFL\nd1RtUTJaWE1BNW12WmtHZUlIeDNIR0UKpzNAosrkXu79h2fbbttrfKu3d3mmmul7\nUM3Xk7A0CSq3AlcU8FLgig/Q0to9oAO21CAy93N6vUHGidQGBbJtMg==\n-----END AGE ENCRYPTED FILE-----\n"
+                        },
+                        {
+                                "recipient": "age1fj65apkhfkrwyv5tx6zcs9nkjg8267fy733qph30sc7zfn7vapjqkd5kne",
+                                "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBVMjJkMXRuWlhRdDRtV3BJ\nOHllRUZWdXhTakZrM3pVNHNSVEtMWXpQSmlrCmVjVWcrT1dsQW9yeXYvVG1ZTUVK\nRnRjd2ZhSEo5b01aSmlqeVA1bEYwa3MKLS0tIG1NNmJTWWFNUnE3TDlIcUtnbmZm\namd0R2ovcHBUQllpd2pTTXlZQm9mQjAK+gYUNtg0p0crA9+lCrsWzx+QA/faNavs\nNodfjmYsUiNArJVkHsdl5a5mPx2ZVs4mqinniVGJXxnM4IwWwMmrwA==\n-----END AGE ENCRYPTED FILE-----\n"
                        }
                ],
                "lastmodified": "2021-12-15T15:25:47Z",
                "mac": "ENC[AES256_GCM,data:21q8E/Ngod7Yp2eqtJXlXuYnxfDiWI4xvNGGX1kqVwj+4/7xUOHh9ieCBNrbJsF5q4HEHom9XIrMJBbDzqcNq0vlyw/KdYKP68bKUEQsaQh38tRgYpAnpRdXCOtzsfP8mTX2uIZasHM16HHLNkEo6K/poGxUMUdf1xrBnhOIwes=,iv:vFfGnkEkn6+UiFni1wGQexdB6I2VXmt7ZgMkXT1mDU4=,tag:f3f9PY8mF+CG2KnOL60n0g==,type:str]",
-                "pgp": [
+                "pgp": null,
-                        {
-                                "created_at": "2023-01-30T10:58:08Z",
-                                "enc": "-----BEGIN PGP MESSAGE-----\n\nhF4DXxoViZlp6dISAQdA6BH/4ATbobDju0iNWQyZrkXSAiXzj5JI+5rHFWCoJGkw\nmTl6Z+ztLz6lq/07WTDcmbwaxe9G9bvgiAy5/DBzLdBhBFpYb9CYK5zg4l5hBchA\n0l4B1gS8DB8WLlCwDECr9TwEvF/GE9IPU/tXL4/Gw8ELsiXFFfJbpQo67AfJFZyq\nBbzlLi22Wiqrs1TycFPDMBEb7s1uD5hRYgNxgrBiZN7HGI9AWAx0FIMIWnMddxBv\n=FTc3\n-----END PGP MESSAGE-----\n",
-                                "fp": "30D3453B8CD02FE2A3E7C78C0FB536FB87AE8F51"
-                        }
-                ],
                "unencrypted_suffix": "_unencrypted",
                "version": "3.7.1"
        }
diff --git a/system-profiles/rebuild-machines/ssh/sif/private b/system-profiles/rebuild-machines/ssh/sif/private
index 47c6f5e3..333d284d 100644
--- a/system-profiles/rebuild-machines/ssh/sif/private
+++ b/system-profiles/rebuild-machines/ssh/sif/private
@@ -7,19 +7,17 @@
                "hc_vault": null,
                "age": [
                        {
-                                "recipient": "age1ure0athvtnaqqw48pe0y3upqdzmkaen9h70yggd9va4hva6avd8qqm6s4d",
+                                "recipient": "age1rmmhetcmllq0ahl5qznlr0eya2zdxwl9h6y5wnl97d2wtyx5t99sm2u866",
-                                "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBKeElJa2JFRHoxcy8zL24x\nYVdkRUVmb25ZYXBmaCtOZG52MzYybFcxUkNFCmJlU0swY0tTSFlPRnQyaTVjTDFW\ndTF1RE5wRDFXNDdOWnJWSWtOY3haYjQKLS0tIDZwU2xiSUttTHNGclN6YitiUmtE\na2hBTzJSWVJoYnhiUWpURVZQQ2ZFeU0KzftYJbiS284NdmxHpFSiqiZSem4qhAOU\nhdZKbLhtiuoZbTfDqcgyfjh8CZ+TULRGIFD5Jl7N18MXhGql+BY0qQ==\n-----END AGE ENCRYPTED FILE-----\n"
+                                "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBTenRpcXYzYVBBYVBYdVl1\nWnJsc2NNSko5UlhuanM2MXJHbjM5Q3NvSmdFCndUK2lQYW1oRVI0cWlhK0cyTlVH\nZE4yVi8yMkRyaU5kUFNmZjV3dkFQOFUKLS0tIFRNaGp0aXFVVTRvek5LNWlldTM4\nbkE5dUQ1cGVxMFlzano2c2M5RkQrYWcKb2+b5c+D7UCFXPFKyU/Rx8HAQNAt7AQE\nTg8tKPOTdpEWp969BS5KQ4rhvJWjH1nUVo12eA6u/yAtGPTkdZLaqw==\n-----END AGE ENCRYPTED FILE-----\n"
+                        },
+                        {
+                                "recipient": "age1fj65apkhfkrwyv5tx6zcs9nkjg8267fy733qph30sc7zfn7vapjqkd5kne",
+                                "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA5Q2c1emRxczBPS2p0bStr\nc1FWcHdCTU9FenRkZStvWTgySmg1Wm1GVVNvCkYzQjZyL09vbjd2bEVCNFhRUXBh\nekhVZkU3dmhaWFFUS0w4OVh3RjNINVUKLS0tIDF4Q0JHWmN1eUg4d0NxUjFSZmh5\nbUYvYlFpbXlUd2tOT0hrR2E4NzIrR0kKmtXSuM2+CI4hPQ1kqq2LFF9vMk9fQ5Iq\nTAT6UhiSMda7Av9ZL4MI+KQUxSbnSBm/RmDyZYuiz5giIoRAwWT/BQ==\n-----END AGE ENCRYPTED FILE-----\n"
                        }
                ],
                "lastmodified": "2021-06-06T15:05:54Z",
                "mac": "ENC[AES256_GCM,data:Cf8WbqV4bqkg+W84hRSjMsrqzV7QZqAJeU/DrlN94NRaLDbayXK/kbxz9gMWY6Eyv3D70ulc75EBojZF1SXfk/WpDHpVJ4DEizb28oIfE4x88MmQ7ZJuskqXQaFa4MohJVQ/7ukr9bTjNMm7RFtq+yNKkIy6mj2YBk6BYsPgwic=,iv:kq+FpwQEWJo18QEEqG1uZ3uJ1MpklqN7Oaj0fPw8/0k=,tag:FYHLHjzeD+28KHD7x5JwGA==,type:str]",
-                "pgp": [
+                "pgp": null,
-                        {
-                                "created_at": "2023-01-30T10:58:10Z",
-                                "enc": "-----BEGIN PGP MESSAGE-----\n\nhF4DXxoViZlp6dISAQdAoV2p3twYsmVqs8zC/TxZzLuuPS3ElbJA+rIZdrZj5mUw\nc0Kzc9WxaJidh/1lx5FN3wNC7qe+jAhpOVmgrWt9oMVoFXutXGSXu+aFi2jk3AM4\n0l4Bz1nkRfku/MLer7zbJPFe+FrIiOxZOvakES7SnAci6nWUn/yaUNJl6R18tbLA\nJ71CF5TzpQaRYeR3a3EfAgQaZiTX8KJrlUSnCl9eNphgQVbgB05eRI74O40tQb7k\n=X6e2\n-----END PGP MESSAGE-----\n",
-                                "fp": "30D3453B8CD02FE2A3E7C78C0FB536FB87AE8F51"
-                        }
-                ],
                "unencrypted_suffix": "_unencrypted",
                "version": "3.7.1"
        }
diff --git a/system-profiles/tmpfs-root.nix b/system-profiles/tmpfs-root.nix
index d0b3be76..23939c2e 100644
--- a/system-profiles/tmpfs-root.nix
+++ b/system-profiles/tmpfs-root.nix
@@ -1,5 +1,7 @@
 { ... }: {
  config = {
+    # system.etc.overlay.enable = true;
    fileSystems."/" = {
      fsType = "tmpfs";
      options = [ "mode=0755" ];
diff --git a/system-profiles/zfs.nix b/system-profiles/zfs.nix
index db742801..148cbb7b 100644
--- a/system-profiles/zfs.nix
+++ b/system-profiles/zfs.nix
@@ -3,7 +3,7 @@
    boot = {
      kernelPackages = config.boot.zfs.package.latestCompatibleLinuxPackages;
      supportedFilesystems = [ "zfs" ];
-      zfs.enableUnstable = true;
+      zfs.package = pkgs.zfs_unstable;
    };
    environment.systemPackages = with pkgs; [ httm ];