feat: made some node stable, and npins update

2024-12-05 17:03:42 +01:00 · 2024-12-05 17:03:42 +01:00 · 015f66b649
commit 015f66b649
parent 03ecc71631
24 changed files with 1230 additions and 1123 deletions
--- a/hive.nix
+++ b/hive.nix
@ -3,27 +3,58 @@ let
  users = import ./users;
  sources = import ./npins;
  inherit (import sources.nix-patches { patchFile = ./patches; }) mkNixpkgsSrc;
-  inherit
-    (import (mkNixpkgsSrc {
-      src = sources.nixpkgs;
+
+  unstable = {
+    nixpkgs = import (mkNixpkgsSrc {
+      src = sources.nixpkgs-unstable;
      version = "unstable";
-    }) { })
-    lib
-    ;
+    }) { };
+    home-manager = "${sources.home-manager-unstable}/nixos";
+    nixvim = import sources.nixvim-unstable;
+  };
+  stable = {
+    nixpkgs = import (mkNixpkgsSrc {
+      src = sources.nixpkgs-stable;
+      version = "stable";
+    }) { };
+    home-manager = "${sources.home-manager-stable}/nixos";
+    nixvim = import sources.nixvim-stable;
+  };
+  inherit (unstable.nixpkgs) lib;
+
+  nodes = lib.mapAttrs' (name: _: {
+    name = lib.removeSuffix ".nix" name;
+    value = import ./machines/${name};
+  }) (builtins.readDir ./machines);
+
+  nodes-meta = lib.mapAttrs (_: n: n.meta) nodes;
 in
 {
-  meta = {
-    nixpkgs = mkNixpkgsSrc {
-      src = sources.nixpkgs;
-      version = "unstable";
-    };
-    nodeNixpkgs."kat-mail-test" = mkNixpkgsSrc {
-      src = sources.nixpkgs;
-      version = "betamail";
-    };
+  meta = rec {
+    inherit (unstable) nixpkgs;
    specialArgs = {
      inherit mods users sources;
+      meta = nodes-meta;
+      versions = {
+        inherit unstable stable;
+      };
    };
+    nodeNixpkgs = lib.mapAttrs (
+      _: node:
+      lib.foldl (
+        pkgs: patch:
+        import (mkNixpkgsSrc {
+          src = pkgs;
+          version = patch;
+        }) { }
+      ) (if node.unstable then unstable else stable).nixpkgs (node.nixPatches or [])
+    ) nodes-meta;
+    nodeSpecialArgs = lib.mapAttrs (name: node: {
+      inherit (node) unstable;
+      self-version = (if node.unstable then unstable else stable) // {
+        nixpkgs = nodeNixpkgs."${name}";
+      };
+    }) nodes-meta;
  };
  defaults =
    {
@ -35,7 +66,4 @@ in
      networking.hostName = name;
    };
 }
-// lib.mapAttrs' (name: _: {
-  name = lib.removeSuffix ".nix" name;
-  value = import ./machines/${name};
-}) (builtins.readDir ./machines)
+// lib.mapAttrs (_: n: n.config) nodes
--- a/kat/default.nix
+++ b/kat/default.nix
@ -3,6 +3,7 @@
  config,
  pkgs,
  sources,
+  self-version,
  ...
 }:
 with lib;
@ -11,7 +12,7 @@ with lib;
    ./users
    ./proxies
    ./root.nix
-    "${sources.home-manager}/nixos"
+    self-version.home-manager
    "${sources.disko}/module.nix"
  ];
  options.kat = {
--- a/kat/users/default.nix
+++ b/kat/users/default.nix
@ -1,4 +1,4 @@
-{ config, sources, pkgs, ... }:
+{ config, pkgs, self-version, ... }:
 let
  zsh = import ./zsh.nix;
 in
@ -9,14 +9,14 @@ in
      imports = [
        zsh.user
        ./neovim.nix
-        (import sources.nixvim).homeManagerModules.nixvim
+        self-version.nixvim.homeManagerModules.nixvim
      ];
      # options.kat = {
      #   ssh = mkEnableOption "ssh configuration";
      # };
      config = {
        home = {
-          stateVersion = config.system.stateVersion;
+          inherit (config.system) stateVersion;
          packages = [ pkgs.rlwrap ];
        };
      };
--- a/machines/kat-betamail/configuration.nix
+++ b/machines/kat-betamail/configuration.nix
@ -0,0 +1,147 @@
+{
+  nodes,
+  sources,
+  ssh-keys,
+  ...
+}:
+let
+  host = "catvayor.sh";
+in
+{
+  deployment = {
+    targetHost = "betamail.kat";
+    tags = [ "kat-vms" ];
+  };
+  imports = [
+    "${sources.nixos-mailserver}"
+    ./hardware-configuration.nix
+    ./disks.nix
+    ./modo.nix
+  ];
+
+  users.users.root.openssh.authorizedKeys.keys = ssh-keys.sylvain;
+
+  kat = {
+    fqdn = "betamail.katvayor.net";
+    wireguardPubKey = "Znj451+hGJcPV1zFgpRMA8hg8edmUInA5zBtYBUuL3k=";
+    proxies = {
+      ip = "192.168.122.3";
+      aliases = [ "catvayor.sh" ];
+      open-tcp = [
+        {
+          internal = 22;
+          external = 22002;
+        }
+        25
+        465
+        993
+      ];
+    };
+  };
+
+  boot = {
+    loader = {
+      systemd-boot.enable = true;
+      efi.canTouchEfiVariables = true;
+    };
+    kernelParams = [ "console=ttyS0" ];
+  };
+
+  systemd.network = {
+    networks = {
+      "10-enp1s0" = {
+        name = "enp1s0";
+        address = [
+          "192.168.122.3/24"
+          "fe80::3/64"
+        ];
+        routes = [
+          {
+            Destination = "10.42.0.2/32";
+            Gateway = "192.168.122.1";
+          }
+        ];
+        dns = [ "192.168.122.1" ];
+      };
+      "50-wg0" = {
+        name = "wg0";
+        address = [ "10.42.2.1/16" ];
+        routes = [
+          {
+            Gateway = "10.42.0.2";
+          }
+        ];
+      };
+    };
+    netdevs = {
+      "50-wg0" = {
+        netdevConfig = {
+          Name = "wg0";
+          Kind = "wireguard";
+        };
+        wireguardConfig = {
+          PrivateKeyFile = "/wg/private.key";
+        };
+
+        wireguardPeers = [
+          {
+            Endpoint = "10.42.0.2:1194";
+            AllowedIPs = [
+              "0.0.0.0/0"
+            ];
+            PersistentKeepalive = 20;
+            PublicKey = nodes.kat-watcher.config.kat.wireguardPubKey;
+          }
+        ];
+      };
+    };
+  };
+
+  networking = {
+    useDHCP = false;
+    firewall.enable = false;
+  };
+
+  security.acme = {
+    acceptTerms = true;
+    defaults.email = "root@katvayor.net";
+  };
+  services = {
+    openssh.enable = true;
+    qemuGuest.enable = true;
+    getty.autologinUser = "root";
+    nginx = {
+      enable = true;
+      virtualHosts."catvayor.sh".enableACME = true;
+      virtualHosts."betamail.katvayor.net" = {
+        enableACME = true;
+        addSSL = true;
+        locations."/" = {
+          recommendedProxySettings = true;
+          proxyPass = "http://localhost:8000/";
+        };
+      };
+    };
+  };
+
+  mailserver = {
+    enable = true;
+    fqdn = "betamail.katvayor.net";
+    domains = [ host ];
+
+    loginAccounts = {
+      "root@${host}" = {
+        catchAll = [ host ];
+        aliases = builtins.genList (id: "user${toString id}@${host}") 10 ++ [
+          "moderators@${host}"
+          "daemon@${host}"
+        ];
+        hashedPassword = "$2b$05$FoCVDECXYG0KXPigPuIZtuNFiviwSg8RuXx0FbnzC7ZRp.Mz8VWOe";
+      };
+    };
+
+    certificateScheme = "acme";
+  };
+
+  system.stateVersion = "23.11";
+}
--- a/machines/kat-betamail/default.nix
+++ b/machines/kat-betamail/default.nix
@ -1,147 +1,7 @@
 {
-  nodes,
-  sources,
-  ssh-keys,
-  ...
-}:
-let
-  host = "catvayor.sh";
-in
-{
-  deployment = {
-    targetHost = "betamail.kat";
-    tags = [ "kat-vms" ];
+  meta = {
+    unstable = false;
+    pkgsPatches = [ "betamail" ];
  };
-  imports = [
-    "${sources.nixos-mailserver}"
-    ./hardware-configuration.nix
-    ./disks.nix
-    ./modo.nix
-  ];
-
-  users.users.root.openssh.authorizedKeys.keys = ssh-keys.sylvain;
-
-  kat = {
-    fqdn = "betamail.katvayor.net";
-    wireguardPubKey = "Znj451+hGJcPV1zFgpRMA8hg8edmUInA5zBtYBUuL3k=";
-    proxies = {
-      ip = "192.168.122.3";
-      aliases = [ "catvayor.sh" ];
-      open-tcp = [
-        {
-          internal = 22;
-          external = 22002;
-        }
-        25
-        465
-        993
-      ];
-    };
-  };
-
-  boot = {
-    loader = {
-      systemd-boot.enable = true;
-      efi.canTouchEfiVariables = true;
-    };
-    kernelParams = [ "console=ttyS0" ];
-  };
-
-  systemd.network = {
-    networks = {
-      "10-enp1s0" = {
-        name = "enp1s0";
-        address = [
-          "192.168.122.3/24"
-          "fe80::3/64"
-        ];
-        routes = [
-          {
-            Destination = "10.42.0.2/32";
-            Gateway = "192.168.122.1";
-          }
-        ];
-        dns = [ "192.168.122.1" ];
-      };
-      "50-wg0" = {
-        name = "wg0";
-        address = [ "10.42.2.1/16" ];
-        routes = [
-          {
-            Gateway = "10.42.0.2";
-          }
-        ];
-      };
-    };
-    netdevs = {
-      "50-wg0" = {
-        netdevConfig = {
-          Name = "wg0";
-          Kind = "wireguard";
-        };
-        wireguardConfig = {
-          PrivateKeyFile = "/wg/private.key";
-        };
-
-        wireguardPeers = [
-          {
-            Endpoint = "10.42.0.2:1194";
-            AllowedIPs = [
-              "0.0.0.0/0"
-            ];
-            PersistentKeepalive = 20;
-            PublicKey = nodes.kat-watcher.config.kat.wireguardPubKey;
-          }
-        ];
-      };
-    };
-  };
-
-  networking = {
-    useDHCP = false;
-    firewall.enable = false;
-  };
-
-  security.acme = {
-    acceptTerms = true;
-    defaults.email = "root@katvayor.net";
-  };
-  services = {
-    openssh.enable = true;
-    qemuGuest.enable = true;
-    getty.autologinUser = "root";
-    nginx = {
-      enable = true;
-      virtualHosts."catvayor.sh".enableACME = true;
-      virtualHosts."betamail.katvayor.net" = {
-        enableACME = true;
-        addSSL = true;
-        locations."/" = {
-          recommendedProxySettings = true;
-          proxyPass = "http://localhost:8000/";
-        };
-      };
-    };
-  };
-
-  mailserver = {
-    enable = true;
-    fqdn = "betamail.katvayor.net";
-    domains = [ host ];
-
-    loginAccounts = {
-      "root@${host}" = {
-        catchAll = [ host ];
-        aliases = builtins.genList (id: "user${toString id}@${host}") 10 ++ [
-          "moderators@${host}"
-          "daemon@${host}"
-        ];
-        hashedPassword = "$2b$05$FoCVDECXYG0KXPigPuIZtuNFiviwSg8RuXx0FbnzC7ZRp.Mz8VWOe";
-      };
-    };
-
-    certificateScheme = "acme";
-  };
-
-  system.stateVersion = "23.11";
+  config = import ./configuration.nix;
 }
--- a/machines/kat-degette/configuration.nix
+++ b/machines/kat-degette/configuration.nix
@ -0,0 +1,91 @@
+{
+  lib,
+  ssh-keys,
+  ...
+}:
+{
+  deployment = {
+    targetHost = "degette.kat";
+    tags = [ "kat-vms" ];
+  };
+
+  imports = [ ./hardware-configuration.nix ];
+
+  boot = {
+    loader = {
+      systemd-boot.enable = true;
+      efi.canTouchEfiVariables = true;
+    };
+    kernelParams = [ "console=ttyS0" ];
+  };
+
+  kat = {
+    fqdn = "degette.katvayor.net";
+    proxies = {
+      ip = "192.168.122.2";
+      open-tcp = [
+        {
+          internal = 22;
+          external = 22000;
+        }
+      ];
+    };
+  };
+
+  systemd.network.enable = lib.mkForce false;
+  networking = {
+    useNetworkd = lib.mkForce false;
+    interfaces."enp1s0" = {
+      useDHCP = false;
+      ipv4.addresses = [
+        {
+          address = "192.168.122.2";
+          prefixLength = 24;
+        }
+      ];
+      ipv6.addresses = [
+        {
+          address = "fe80::2";
+          prefixLength = 64;
+        }
+      ];
+    };
+    defaultGateway = "192.168.122.1";
+    defaultGateway6 = {
+      address = "fe80::1";
+      interface = "enp1s0";
+    };
+    nameservers = [
+      "192.168.122.1"
+      "fe80::1%enp1s0"
+    ];
+  };
+
+  services = {
+    openssh.enable = true;
+    qemuGuest.enable = true;
+    getty.autologinUser = "root";
+    nginx = {
+      enable = true;
+      virtualHosts."degette.katvayor.net" = {
+        enableACME = true;
+        addSSL = true;
+        locations."/" = {
+          recommendedProxySettings = true;
+          proxyPass = "http://localhost:8000/";
+        };
+      };
+    };
+  };
+
+  users.users.root.openssh.authorizedKeys.keys = with ssh-keys; sylvain ++ gaby;
+
+  security.acme = {
+    acceptTerms = true;
+    defaults.email = "root@katvayor.net";
+  };
+
+  networking.firewall.enable = false;
+
+  system.stateVersion = "23.11";
+}
--- a/machines/kat-degette/default.nix
+++ b/machines/kat-degette/default.nix
@ -1,91 +1,4 @@
 {
-  lib,
-  ssh-keys,
-  ...
-}:
-{
-  deployment = {
-    targetHost = "degette.kat";
-    tags = [ "kat-vms" ];
-  };
-
-  imports = [ ./hardware-configuration.nix ];
-
-  boot = {
-    loader = {
-      systemd-boot.enable = true;
-      efi.canTouchEfiVariables = true;
-    };
-    kernelParams = [ "console=ttyS0" ];
-  };
-
-  kat = {
-    fqdn = "degette.katvayor.net";
-    proxies = {
-      ip = "192.168.122.2";
-      open-tcp = [
-        {
-          internal = 22;
-          external = 22000;
-        }
-      ];
-    };
-  };
-
-  systemd.network.enable = lib.mkForce false;
-  networking = {
-    useNetworkd = lib.mkForce false;
-    interfaces."enp1s0" = {
-      useDHCP = false;
-      ipv4.addresses = [
-        {
-          address = "192.168.122.2";
-          prefixLength = 24;
-        }
-      ];
-      ipv6.addresses = [
-        {
-          address = "fe80::2";
-          prefixLength = 64;
-        }
-      ];
-    };
-    defaultGateway = "192.168.122.1";
-    defaultGateway6 = {
-      address = "fe80::1";
-      interface = "enp1s0";
-    };
-    nameservers = [
-      "192.168.122.1"
-      "fe80::1%enp1s0"
-    ];
-  };
-
-  services = {
-    openssh.enable = true;
-    qemuGuest.enable = true;
-    getty.autologinUser = "root";
-    nginx = {
-      enable = true;
-      virtualHosts."degette.katvayor.net" = {
-        enableACME = true;
-        addSSL = true;
-        locations."/" = {
-          recommendedProxySettings = true;
-          proxyPass = "http://localhost:8000/";
-        };
-      };
-    };
-  };
-
-  users.users.root.openssh.authorizedKeys.keys = with ssh-keys; sylvain ++ gaby;
-
-  security.acme = {
-    acceptTerms = true;
-    defaults.email = "root@katvayor.net";
-  };
-
-  networking.firewall.enable = false;
-
-  system.stateVersion = "23.11";
+  meta.unstable = false;
+  config = import ./configuration.nix;
 }
--- a/machines/kat-iso.nix
+++ b/machines/kat-iso.nix
@ -1,44 +1,48 @@
 {
-  pkgs,
-  modulesPath,
-  lib,
-  ...
-}:
-{
-  deployment = {
-    allowLocalDeployment = false;
-    targetHost = null;
-  };
+  meta.unstable = true;
+  config =
+    {
+      pkgs,
+      modulesPath,
+      lib,
+      ...
+    }:
+    {
+      deployment = {
+        allowLocalDeployment = false;
+        targetHost = null;
+      };

-  imports = [
-    (modulesPath + "/installer/cd-dvd/installation-cd-minimal-new-kernel-no-zfs.nix")
-  ];
+      imports = [
+        (modulesPath + "/installer/cd-dvd/installation-cd-minimal-new-kernel-no-zfs.nix")
+      ];

-  boot = {
-    supportedFilesystems = {
-      bcachefs = true;
-      zfs = lib.mkForce false;
+      boot = {
+        supportedFilesystems = {
+          bcachefs = true;
+          zfs = lib.mkForce false;
+        };
+        kernelParams = [ "console=ttyS0" ];
+        kernelPackages = lib.mkForce pkgs.linuxPackages_latest;
+      };
+
+      networking = {
+        networkmanager.enable = true;
+        wireless.enable = false;
+      };
+      console.keyMap = "fr";
+
+      environment.systemPackages = with pkgs; [
+        perl
+        git
+      ];
+      programs.zsh.enable = true;
+      services = {
+        openssh.enable = true;
+        qemuGuest.enable = true;
+        getty.autologinUser = lib.mkForce "root";
+      };
+
+      system.stateVersion = lib.mkForce "24.11";
    };
-    kernelParams = [ "console=ttyS0" ];
-    kernelPackages = lib.mkForce pkgs.linuxPackages_latest;
-  };
-
-  networking = {
-    networkmanager.enable = true;
-    wireless.enable = false;
-  };
-  console.keyMap = "fr";
-
-  environment.systemPackages = with pkgs; [
-    perl
-    git
-  ];
-  programs.zsh.enable = true;
-  services = {
-    openssh.enable = true;
-    qemuGuest.enable = true;
-    getty.autologinUser = lib.mkForce "root";
-  };
-
-  system.stateVersion = lib.mkForce "24.11";
 }
--- a/machines/kat-kexec.nix
+++ b/machines/kat-kexec.nix
@ -1,44 +1,48 @@
 {
-  pkgs,
-  lib,
-  sources,
-  ...
-}:
-{
-  deployment = {
-    allowLocalDeployment = false;
-    targetHost = null;
-  };
+  meta.unstable = true;
+  config =
+    {
+      pkgs,
+      lib,
+      sources,
+      ...
+    }:
+    {
+      deployment = {
+        allowLocalDeployment = false;
+        targetHost = null;
+      };

-  imports = [
-    "${sources.nixos-images}/nix/kexec-installer/module.nix"
-  ];
+      imports = [
+        "${sources.nixos-images}/nix/kexec-installer/module.nix"
+      ];

-  boot = {
-    kernelParams = [ "console=ttyS0" ];
-    kernelPackages = lib.mkForce pkgs.linuxPackages_latest;
-    supportedFilesystems = {
-      bcachefs = true;
-      zfs = lib.mkForce false;
+      boot = {
+        kernelParams = [ "console=ttyS0" ];
+        kernelPackages = lib.mkForce pkgs.linuxPackages_latest;
+        supportedFilesystems = {
+          bcachefs = true;
+          zfs = lib.mkForce false;
+        };
+      };
+
+      networking = {
+        networkmanager.enable = false;
+        wireless.enable = false;
+      };
+      console.keyMap = "fr";
+
+      environment.systemPackages = with pkgs; [
+        perl
+        git
+      ];
+      programs.zsh.enable = true;
+      services = {
+        openssh.enable = true;
+        qemuGuest.enable = true;
+        getty.autologinUser = lib.mkForce "root";
+      };
+
+      system.stateVersion = lib.mkForce "24.11";
    };
-  };
-
-  networking = {
-    networkmanager.enable = false;
-    wireless.enable = false;
-  };
-  console.keyMap = "fr";
-
-  environment.systemPackages = with pkgs; [
-    perl
-    git
-  ];
-  programs.zsh.enable = true;
-  services = {
-    openssh.enable = true;
-    qemuGuest.enable = true;
-    getty.autologinUser = lib.mkForce "root";
-  };
-
-  system.stateVersion = lib.mkForce "24.11";
 }
--- a/machines/kat-manah/configuration.nix
+++ b/machines/kat-manah/configuration.nix
@ -0,0 +1,109 @@
+{
+  pkgs,
+  nodes,
+  ...
+}:
+{
+  deployment.targetHost = "manah.kat";
+
+  imports = [
+    ./hardware-configuration.nix
+  ];
+
+  boot = {
+    loader = {
+      systemd-boot.enable = true;
+      efi.canTouchEfiVariables = true;
+    };
+    kernel.sysctl."net.ipv4.ip_forward" = true;
+    kernelModules = [
+      "kvm-intel"
+      "kvm-amd"
+    ];
+  };
+
+  kat = {
+    fqdn = "manah.katvayor.net";
+    proxies = {
+      ip = "10.42.0.1";
+      open-tcp = [
+        9000
+        9500
+      ];
+      redirects = [
+        "kat-orchid"
+        "kat-son"
+        "kat-www"
+        "kat-degette"
+        "kat-betamail"
+      ];
+    };
+    wireguardPubKey = "2rMQV5fyBhl7t/0j70iPOfEr/lAWQfLXQKMwtzaXxnM=";
+  };
+
+  systemd.network = {
+    enable = true;
+    networks = {
+      "50-wg0" = {
+        name = "wg0";
+        address = [ "10.42.0.1/16" ];
+      };
+    };
+    netdevs = {
+      "50-wg0" = {
+        netdevConfig = {
+          Name = "wg0";
+          Kind = "wireguard";
+        };
+        wireguardConfig = {
+          PrivateKeyFile = "/etc/wg/private.key";
+        };
+
+        wireguardPeers = [
+          {
+            Endpoint = "watcher.katvayor.net:1194";
+            AllowedIPs = [
+              "10.42.0.2/32"
+            ];
+            PersistentKeepalive = 20;
+            PublicKey = nodes.kat-watcher.config.kat.wireguardPubKey;
+          }
+        ];
+      };
+    };
+  };
+
+  environment.systemPackages = with pkgs; [
+    dnsmasq
+    tcpdump
+  ];
+
+  programs.virt-manager.enable = true;
+  virtualisation.libvirtd = {
+    enable = true;
+    qemu.vhostUserPackages = [ pkgs.virtiofsd ];
+  };
+
+  security.acme = {
+    acceptTerms = true;
+    defaults.email = "root@katvayor.net";
+  };
+
+  services = {
+    openssh.enable = true;
+    weechat = {
+      enable = true;
+      binary = "${pkgs.weechat}/bin/weechat-headless";
+    };
+  };
+
+  networking.firewall = {
+    allowedTCPPorts = [
+      9000
+      9500
+      53
+    ];
+    allowedUDPPorts = [ 67 ];
+  };
+  system.stateVersion = "23.11";
+}
--- a/machines/kat-manah/default.nix
+++ b/machines/kat-manah/default.nix
@ -1,109 +1,4 @@
 {
-  pkgs,
-  nodes,
-  ...
-}:
-{
-  deployment.targetHost = "manah.kat";
-
-  imports = [
-    ./hardware-configuration.nix
-  ];
-
-  boot = {
-    loader = {
-      systemd-boot.enable = true;
-      efi.canTouchEfiVariables = true;
-    };
-    kernel.sysctl."net.ipv4.ip_forward" = true;
-    kernelModules = [
-      "kvm-intel"
-      "kvm-amd"
-    ];
-  };
-
-  kat = {
-    fqdn = "manah.katvayor.net";
-    proxies = {
-      ip = "10.42.0.1";
-      open-tcp = [
-        9000
-        9500
-      ];
-      redirects = [
-        "kat-orchid"
-        "kat-son"
-        "kat-www"
-        "kat-degette"
-        "kat-betamail"
-      ];
-    };
-    wireguardPubKey = "2rMQV5fyBhl7t/0j70iPOfEr/lAWQfLXQKMwtzaXxnM=";
-  };
-
-  systemd.network = {
-    enable = true;
-    networks = {
-      "50-wg0" = {
-        name = "wg0";
-        address = [ "10.42.0.1/16" ];
-      };
-    };
-    netdevs = {
-      "50-wg0" = {
-        netdevConfig = {
-          Name = "wg0";
-          Kind = "wireguard";
-        };
-        wireguardConfig = {
-          PrivateKeyFile = "/etc/wg/private.key";
-        };
-
-        wireguardPeers = [
-          {
-            Endpoint = "watcher.katvayor.net:1194";
-            AllowedIPs = [
-              "10.42.0.2/32"
-            ];
-            PersistentKeepalive = 20;
-            PublicKey = nodes.kat-watcher.config.kat.wireguardPubKey;
-          }
-        ];
-      };
-    };
-  };
-
-  environment.systemPackages = with pkgs; [
-    dnsmasq
-    tcpdump
-  ];
-
-  programs.virt-manager.enable = true;
-  virtualisation.libvirtd = {
-    enable = true;
-    qemu.vhostUserPackages = [ pkgs.virtiofsd ];
-  };
-
-  security.acme = {
-    acceptTerms = true;
-    defaults.email = "root@katvayor.net";
-  };
-
-  services = {
-    openssh.enable = true;
-    weechat = {
-      enable = true;
-      binary = "${pkgs.weechat}/bin/weechat-headless";
-    };
-  };
-
-  networking.firewall = {
-    allowedTCPPorts = [
-      9000
-      9500
-      53
-    ];
-    allowedUDPPorts = [ 67 ];
-  };
-  system.stateVersion = "23.11";
+  meta.unstable = true;
+  config = import ./configuration.nix;
 }
--- a/machines/kat-orchid/configuration.nix
+++ b/machines/kat-orchid/configuration.nix
@ -0,0 +1,207 @@
+{
+  config,
+  lib,
+  pkgs,
+  kat-path,
+  ssh-keys,
+  sources,
+  self-version,
+  ...
+}:
+{
+  deployment = {
+    targetHost = "orchid.kat";
+    tags = [ "kat-vms" ];
+  };
+  imports = [
+    ./hardware-configuration.nix
+    ./disks.nix
+  ];
+
+  boot = {
+    loader = {
+      systemd-boot.enable = true;
+      efi.canTouchEfiVariables = true;
+    };
+    kernelParams = [ "console=ttyS0" ];
+  };
+
+  kat = {
+    fqdn = "orchid.katvayor.net";
+    proxies = {
+      ip = "192.168.122.6";
+      aliases = [
+        "simply-wise.fr"
+        "www.simply-wise.fr"
+      ];
+      open-tcp = [
+        {
+          internal = 22;
+          external = 22042;
+        }
+      ];
+    };
+  };
+
+  systemd.network.enable = lib.mkForce false;
+  networking = {
+    useNetworkd = lib.mkForce false;
+    firewall.allowedTCPPorts = [
+      80
+      443
+    ];
+    interfaces."enp1s0" = {
+      useDHCP = false;
+      ipv4.addresses = [
+        {
+          address = "192.168.122.6";
+          prefixLength = 24;
+        }
+      ];
+      ipv6.addresses = [
+        {
+          address = "fe80::6";
+          prefixLength = 64;
+        }
+      ];
+    };
+    defaultGateway = "192.168.122.1";
+    defaultGateway6 = {
+      address = "fe80::1";
+      interface = "enp1s0";
+    };
+    nameservers = [
+      "192.168.122.1"
+      "fe80::1%enp1s0"
+    ];
+  };
+
+  nixpkgs.config.allowUnfree = true;
+
+  security.acme = {
+    acceptTerms = true;
+    defaults.email = "root@katvayor.net";
+    certs."orchid.katvayor.net".extraDomainNames = [
+      "simply-wise.fr"
+      "www.simply-wise.fr"
+    ];
+  };
+  services = {
+    openssh.enable = true;
+    qemuGuest.enable = true;
+    getty.autologinUser = "root";
+    nginx = {
+      enable = true;
+      virtualHosts = {
+        "orchid.katvayor.net" = {
+          enableACME = true;
+          forceSSL = true;
+          locations = {
+            "/static/".alias = "/srv/orchid/";
+            "/" = {
+              recommendedProxySettings = true;
+              proxyPass = "https://192.168.123.2/";
+            };
+          };
+        };
+        "simply-wise.fr" = {
+          useACMEHost = "orchid.katvayor.net";
+          forceSSL = true;
+          serverAliases = [ "www.simply-wise.fr" ];
+          locations."/" = {
+            root = pkgs.runCommand "building" { } ''
+              mkdir -p $out
+              ln -nsf ${./building.html} $out/building.html
+            '';
+            extraConfig = ''
+              internal;
+              error_page 404 =503 /building.html;
+            '';
+          };
+        };
+      };
+    };
+  };
+  containers.wordpress =
+    let
+      inherit (config.security.acme) certs;
+    in
+    {
+      privateNetwork = true;
+      bindMounts.certs = {
+        hostPath = certs."orchid.katvayor.net".directory;
+        mountPoint = certs."orchid.katvayor.net".directory;
+        isReadOnly = true;
+      };
+      hostAddress = "192.168.123.1";
+      localAddress = "192.168.123.2";
+      autoStart = true;
+      specialArgs = {
+        inherit kat-path ssh-keys sources self-version;
+      };
+      config = {
+        imports = [ kat-path ];
+        kat.addArgs = false;
+        boot.kernel.enable = false;
+        systemd.network.enable = lib.mkForce false;
+        networking.firewall.allowedTCPPorts = [
+          80
+          443
+        ];
+        services = {
+          nginx = {
+            enable = true;
+            virtualHosts."orchid.katvayor.net" = {
+              addSSL = true;
+              sslCertificate = "${certs."orchid.katvayor.net".directory}/fullchain.pem";
+              sslCertificateKey = "${certs."orchid.katvayor.net".directory}/key.pem";
+              sslTrustedCertificate = "${certs."orchid.katvayor.net".directory}/chain.pem";
+            };
+          };
+          openssh.enable = true;
+          wordpress = {
+            webserver = "nginx";
+            sites."orchid.katvayor.net" = {
+              themes = {
+                inherit (pkgs.wordpressPackages.themes) twentytwentythree;
+              };
+            };
+          };
+        };
+        environment.systemPackages = [ pkgs.wp-cli ];
+        system.stateVersion = "24.11";
+      };
+    };
+  fileSystems."/home/orchid/content/www" = {
+    device = "/srv/orchid";
+    options = [ "bind" ];
+  };
+  systemd = {
+    tmpfiles.settings."10-srv-orchid"."/srv/orchid" = {
+      d = {
+        group = "users";
+        user = "orchid";
+      };
+      Z = {
+        group = "users";
+        user = "orchid";
+        mode = "0755";
+      };
+    };
+    timers.srv-tmpfiles = {
+      wantedBy = [ "timers.target" ];
+      timerConfig.OnCalendar = "*-*-* *:*:07..57/10";
+    };
+    services.srv-tmpfiles = {
+      path = [ pkgs.systemd ];
+      script = ''
+        systemd-tmpfiles --create --prefix=/srv
+      '';
+    };
+  };
+
+  users.users.orchid.isNormalUser = true;
+  home-manager.users.orchid = { };
+
+  system.stateVersion = "23.11";
+}
--- a/machines/kat-orchid/default.nix
+++ b/machines/kat-orchid/default.nix
@ -1,206 +1,4 @@
 {
-  config,
-  lib,
-  pkgs,
-  kat-path,
-  ssh-keys,
-  sources,
-  ...
-}:
-{
-  deployment = {
-    targetHost = "orchid.kat";
-    tags = [ "kat-vms" ];
-  };
-  imports = [
-    ./hardware-configuration.nix
-    ./disks.nix
-  ];
-
-  boot = {
-    loader = {
-      systemd-boot.enable = true;
-      efi.canTouchEfiVariables = true;
-    };
-    kernelParams = [ "console=ttyS0" ];
-  };
-
-  kat = {
-    fqdn = "orchid.katvayor.net";
-    proxies = {
-      ip = "192.168.122.6";
-      aliases = [
-        "simply-wise.fr"
-        "www.simply-wise.fr"
-      ];
-      open-tcp = [
-        {
-          internal = 22;
-          external = 22042;
-        }
-      ];
-    };
-  };
-
-  systemd.network.enable = lib.mkForce false;
-  networking = {
-    useNetworkd = lib.mkForce false;
-    firewall.allowedTCPPorts = [
-      80
-      443
-    ];
-    interfaces."enp1s0" = {
-      useDHCP = false;
-      ipv4.addresses = [
-        {
-          address = "192.168.122.6";
-          prefixLength = 24;
-        }
-      ];
-      ipv6.addresses = [
-        {
-          address = "fe80::6";
-          prefixLength = 64;
-        }
-      ];
-    };
-    defaultGateway = "192.168.122.1";
-    defaultGateway6 = {
-      address = "fe80::1";
-      interface = "enp1s0";
-    };
-    nameservers = [
-      "192.168.122.1"
-      "fe80::1%enp1s0"
-    ];
-  };
-
-  nixpkgs.config.allowUnfree = true;
-
-  security.acme = {
-    acceptTerms = true;
-    defaults.email = "root@katvayor.net";
-    certs."orchid.katvayor.net".extraDomainNames = [
-      "simply-wise.fr"
-      "www.simply-wise.fr"
-    ];
-  };
-  services = {
-    openssh.enable = true;
-    qemuGuest.enable = true;
-    getty.autologinUser = "root";
-    nginx = {
-      enable = true;
-      virtualHosts = {
-        "orchid.katvayor.net" = {
-          enableACME = true;
-          forceSSL = true;
-          locations = {
-            "/static/".alias = "/srv/orchid/";
-            "/" = {
-              recommendedProxySettings = true;
-              proxyPass = "https://192.168.123.2/";
-            };
-          };
-        };
-        "simply-wise.fr" = {
-          useACMEHost = "orchid.katvayor.net";
-          forceSSL = true;
-          serverAliases = [ "www.simply-wise.fr" ];
-          locations."/" = {
-            root = pkgs.runCommand "building" { } ''
-              mkdir -p $out
-              ln -nsf ${./building.html} $out/building.html
-            '';
-            extraConfig = ''
-              internal;
-              error_page 404 =503 /building.html;
-            '';
-          };
-        };
-      };
-    };
-  };
-  containers.wordpress =
-    let
-      inherit (config.security.acme) certs;
-    in
-    {
-      privateNetwork = true;
-      bindMounts.certs = {
-        hostPath = certs."orchid.katvayor.net".directory;
-        mountPoint = certs."orchid.katvayor.net".directory;
-        isReadOnly = true;
-      };
-      hostAddress = "192.168.123.1";
-      localAddress = "192.168.123.2";
-      autoStart = true;
-      specialArgs = {
-        inherit kat-path ssh-keys sources;
-      };
-      config = {
-        imports = [ kat-path ];
-        kat.addArgs = false;
-        boot.kernel.enable = false;
-        systemd.network.enable = lib.mkForce false;
-        networking.firewall.allowedTCPPorts = [
-          80
-          443
-        ];
-        services = {
-          nginx = {
-            enable = true;
-            virtualHosts."orchid.katvayor.net" = {
-              addSSL = true;
-              sslCertificate = "${certs."orchid.katvayor.net".directory}/fullchain.pem";
-              sslCertificateKey = "${certs."orchid.katvayor.net".directory}/key.pem";
-              sslTrustedCertificate = "${certs."orchid.katvayor.net".directory}/chain.pem";
-            };
-          };
-          openssh.enable = true;
-          wordpress = {
-            webserver = "nginx";
-            sites."orchid.katvayor.net" = {
-              themes = {
-                inherit (pkgs.wordpressPackages.themes) twentytwentythree;
-              };
-            };
-          };
-        };
-        environment.systemPackages = [ pkgs.wp-cli ];
-        system.stateVersion = "24.11";
-      };
-    };
-  fileSystems."/home/orchid/content/www" = {
-    device = "/srv/orchid";
-    options = [ "bind" ];
-  };
-  systemd = {
-    tmpfiles.settings."10-srv-orchid"."/srv/orchid" = {
-      d = {
-        group = "users";
-        user = "orchid";
-      };
-      Z = {
-        group = "users";
-        user = "orchid";
-        mode = "0755";
-      };
-    };
-    timers.srv-tmpfiles = {
-      wantedBy = [ "timers.target" ];
-      timerConfig.OnCalendar = "*-*-* *:*:07..57/10";
-    };
-    services.srv-tmpfiles = {
-      path = [ pkgs.systemd ];
-      script = ''
-        systemd-tmpfiles --create --prefix=/srv
-      '';
-    };
-  };
-
-  users.users.orchid.isNormalUser = true;
-  home-manager.users.orchid = { };
-
-  system.stateVersion = "23.11";
+  meta.unstable = false;
+  config = import ./configuration.nix;
 }
--- a/machines/kat-probook/configuration.nix
+++ b/machines/kat-probook/configuration.nix
@ -0,0 +1,154 @@
+{
+  pkgs,
+  nodes,
+  users,
+  ...
+}:
+{
+  deployment.allowLocalDeployment = true;
+
+  imports = [
+    ./hardware-configuration.nix
+    users.catvayor
+    ./router.nix
+  ];
+
+  fileSystems."/tmp" = {
+    fsType = "tmpfs";
+    device = "tmpfs";
+    options = [
+      "nosuid"
+      "nodev"
+      "relatime"
+      "size=12G"
+    ];
+  };
+  boot = {
+    kernel.sysctl."net.ipv4.ip_forward" = true;
+    binfmt.emulatedSystems = [ "aarch64-linux" ];
+    loader = {
+      systemd-boot.enable = true;
+      efi.canTouchEfiVariables = true;
+    };
+  };
+
+  nix.settings.trusted-users = [
+    "root"
+    "@wheel"
+  ];
+  networking.networkmanager = {
+    enable = true;
+    unmanaged = [
+      "enp2s0"
+      "wg0"
+    ];
+  };
+  kat.wireguardPubKey = "zIHvCSzk5a94jvnXU4iscbp9RUGzbWpARDMRgHNtMl4=";
+  systemd.network = {
+    wait-online.anyInterface = true;
+    networks = {
+      "50-wg0" = {
+        name = "wg0";
+        address = [
+          "10.10.10.13/24"
+          "10.42.1.1/16"
+        ];
+      };
+      "10-enp2s0" = {
+        name = "enp2s0";
+        DHCP = "ipv4";
+        networkConfig.IPv6AcceptRA = "yes";
+        dhcpV4Config.RouteMetric = 500;
+        dhcpV6Config.RouteMetric = 500;
+        ipv6AcceptRAConfig.RouteMetric = 500;
+      };
+    };
+    netdevs."50-wg0" = {
+      netdevConfig = {
+        Name = "wg0";
+        Kind = "wireguard";
+      };
+      wireguardConfig.PrivateKeyFile = "/wg/private.key";
+
+      wireguardPeers = [
+        {
+          AllowedIPs = [
+            "10.10.10.0/24"
+          ];
+          PublicKey = "CzUK0RPHsoG9N1NisOG0u7xwyGhTZnjhl7Cus3X76Es=";
+          Endpoint = "129.199.129.76:1194";
+          PersistentKeepalive = 25;
+        }
+        {
+          AllowedIPs = [
+            "10.42.0.0/16"
+          ];
+          PublicKey = nodes.kat-watcher.config.kat.wireguardPubKey;
+          Endpoint = "watcher.katvayor.net:1194";
+          PersistentKeepalive = 25;
+        }
+      ];
+    };
+  };
+
+  nixpkgs.config.allowUnfree = true;
+
+  security.rtkit.enable = true;
+  hardware.bluetooth = {
+    enable = true;
+    powerOnBoot = false;
+  };
+
+  environment.systemPackages = with pkgs; [ brightnessctl ];
+  fonts.packages = with pkgs; [
+    fira-code-nerdfont
+    font-awesome
+  ];
+
+  services = {
+    pipewire = {
+      enable = true;
+      alsa = {
+        enable = true;
+        support32Bit = true;
+      };
+      pulse.enable = true;
+    };
+    syncthing = {
+      enable = true;
+      systemService = true;
+      dataDir = "/home/catvayor";
+      user = "catvayor";
+      group = "users";
+      openDefaultPorts = true;
+      settings = {
+        folders."essentials" = {
+          path = "~/essentials";
+          id = "vgpwu-fk3ct";
+          devices = [
+            "katel"
+          ];
+        };
+        devices.katel.id = "DYOKK7J-HZAF5S7-FYTHQF5-UD5GJZ2-4JMV5I5-STUM3HG-5YM2JPR-LATJNAZ";
+      };
+    };
+  };
+
+  programs = {
+    steam.enable = true;
+    virt-manager.enable = true;
+    gnupg.agent = {
+      enable = true;
+      enableSSHSupport = true;
+    };
+  };
+
+  home-manager.users = {
+    "root".kat.neovim.lsp = true;
+    "catvayor".kat.neovim.lsp = true;
+  };
+
+  virtualisation.libvirtd.enable = true;
+
+  system.stateVersion = "23.11";
+}
--- a/machines/kat-probook/default.nix
+++ b/machines/kat-probook/default.nix
@ -1,154 +1,4 @@
 {
-  pkgs,
-  nodes,
-  users,
-  ...
-}:
-{
-  deployment.allowLocalDeployment = true;
-
-  imports = [
-    ./hardware-configuration.nix
-    users.catvayor
-    ./router.nix
-  ];
-
-  fileSystems."/tmp" = {
-    fsType = "tmpfs";
-    device = "tmpfs";
-    options = [
-      "nosuid"
-      "nodev"
-      "relatime"
-      "size=12G"
-    ];
-  };
-  boot = {
-    kernel.sysctl."net.ipv4.ip_forward" = true;
-    binfmt.emulatedSystems = [ "aarch64-linux" ];
-    loader = {
-      systemd-boot.enable = true;
-      efi.canTouchEfiVariables = true;
-    };
-  };
-
-  nix.settings.trusted-users = [
-    "root"
-    "@wheel"
-  ];
-  networking.networkmanager = {
-    enable = true;
-    unmanaged = [
-      "enp2s0"
-      "wg0"
-    ];
-  };
-  kat.wireguardPubKey = "zIHvCSzk5a94jvnXU4iscbp9RUGzbWpARDMRgHNtMl4=";
-  systemd.network = {
-    wait-online.anyInterface = true;
-    networks = {
-      "50-wg0" = {
-        name = "wg0";
-        address = [
-          "10.10.10.13/24"
-          "10.42.1.1/16"
-        ];
-      };
-      "10-enp2s0" = {
-        name = "enp2s0";
-        DHCP = "ipv4";
-        networkConfig.IPv6AcceptRA = "yes";
-        dhcpV4Config.RouteMetric = 500;
-        dhcpV6Config.RouteMetric = 500;
-        ipv6AcceptRAConfig.RouteMetric = 500;
-      };
-    };
-    netdevs."50-wg0" = {
-      netdevConfig = {
-        Name = "wg0";
-        Kind = "wireguard";
-      };
-      wireguardConfig.PrivateKeyFile = "/wg/private.key";
-
-      wireguardPeers = [
-        {
-          AllowedIPs = [
-            "10.10.10.0/24"
-          ];
-          PublicKey = "CzUK0RPHsoG9N1NisOG0u7xwyGhTZnjhl7Cus3X76Es=";
-          Endpoint = "129.199.129.76:1194";
-          PersistentKeepalive = 25;
-        }
-        {
-          AllowedIPs = [
-            "10.42.0.0/16"
-          ];
-          PublicKey = nodes.kat-watcher.config.kat.wireguardPubKey;
-          Endpoint = "watcher.katvayor.net:1194";
-          PersistentKeepalive = 25;
-        }
-      ];
-    };
-  };
-
-  nixpkgs.config.allowUnfree = true;
-
-  security.rtkit.enable = true;
-  hardware.bluetooth = {
-    enable = true;
-    powerOnBoot = false;
-  };
-
-  environment.systemPackages = with pkgs; [ brightnessctl ];
-  fonts.packages = with pkgs; [
-    fira-code-nerdfont
-    font-awesome
-  ];
-
-  services = {
-    pipewire = {
-      enable = true;
-      alsa = {
-        enable = true;
-        support32Bit = true;
-      };
-      pulse.enable = true;
-    };
-    syncthing = {
-      enable = true;
-      systemService = true;
-      dataDir = "/home/catvayor";
-      user = "catvayor";
-      group = "users";
-      openDefaultPorts = true;
-      settings = {
-        folders."essentials" = {
-          path = "~/essentials";
-          id = "vgpwu-fk3ct";
-          devices = [
-            "katel"
-          ];
-        };
-        devices.katel.id = "DYOKK7J-HZAF5S7-FYTHQF5-UD5GJZ2-4JMV5I5-STUM3HG-5YM2JPR-LATJNAZ";
-      };
-    };
-  };
-
-  programs = {
-    steam.enable = true;
-    virt-manager.enable = true;
-    gnupg.agent = {
-      enable = true;
-      enableSSHSupport = true;
-    };
-  };
-
-  home-manager.users = {
-    "root".kat.neovim.lsp = true;
-    "catvayor".kat.neovim.lsp = true;
-  };
-
-  virtualisation.libvirtd.enable = true;
-
-  system.stateVersion = "23.11";
+  meta.unstable = true;
+  config = import ./configuration.nix;
 }
--- a/machines/kat-son/configuration.nix
+++ b/machines/kat-son/configuration.nix
@ -0,0 +1,80 @@
+{
+  lib,
+  ...
+}:
+{
+  deployment = {
+    targetHost = "son.kat";
+    tags = [ "kat-vms" ];
+  };
+
+  imports = [
+    ./hardware-configuration.nix
+    ./disks.nix
+  ];
+
+  boot = {
+    loader = {
+      systemd-boot.enable = true;
+      efi.canTouchEfiVariables = true;
+    };
+    kernelParams = [ "console=ttyS0" ];
+  };
+
+  kat = {
+    fqdn = "son.katvayor.net";
+    proxies.ip = "192.168.122.5";
+  };
+
+  systemd.network.enable = lib.mkForce false;
+  networking = {
+    useNetworkd = lib.mkForce false;
+    interfaces."enp1s0" = {
+      useDHCP = false;
+      ipv4.addresses = [
+        {
+          address = "192.168.122.5";
+          prefixLength = 24;
+        }
+      ];
+      ipv6.addresses = [
+        {
+          address = "fe80::5";
+          prefixLength = 64;
+        }
+      ];
+    };
+    defaultGateway = "192.168.122.1";
+    defaultGateway6 = {
+      address = "fe80::1";
+      interface = "enp1s0";
+    };
+    nameservers = [
+      "192.168.122.1"
+      "fe80::1%enp1s0"
+    ];
+  };
+
+  networking.firewall.enable = false;
+
+  security.acme = {
+    acceptTerms = true;
+    defaults.email = "root@katvayor.net";
+  };
+  services = {
+    openssh.enable = true;
+    qemuGuest.enable = true;
+    getty.autologinUser = "root";
+    nginx = {
+      enable = true;
+      virtualHosts = {
+        "son.katvayor.net" = {
+          enableACME = true;
+          addSSL = true;
+        };
+      };
+    };
+  };
+
+  system.stateVersion = "23.11";
+}
--- a/machines/kat-son/default.nix
+++ b/machines/kat-son/default.nix
@ -1,80 +1,4 @@
 {
-  lib,
-  ...
-}:
-{
-  deployment = {
-    targetHost = "son.kat";
-    tags = [ "kat-vms" ];
-  };
-
-  imports = [
-    ./hardware-configuration.nix
-    ./disks.nix
-  ];
-
-  boot = {
-    loader = {
-      systemd-boot.enable = true;
-      efi.canTouchEfiVariables = true;
-    };
-    kernelParams = [ "console=ttyS0" ];
-  };
-
-  kat = {
-    fqdn = "son.katvayor.net";
-    proxies.ip = "192.168.122.5";
-  };
-
-  systemd.network.enable = lib.mkForce false;
-  networking = {
-    useNetworkd = lib.mkForce false;
-    interfaces."enp1s0" = {
-      useDHCP = false;
-      ipv4.addresses = [
-        {
-          address = "192.168.122.5";
-          prefixLength = 24;
-        }
-      ];
-      ipv6.addresses = [
-        {
-          address = "fe80::5";
-          prefixLength = 64;
-        }
-      ];
-    };
-    defaultGateway = "192.168.122.1";
-    defaultGateway6 = {
-      address = "fe80::1";
-      interface = "enp1s0";
-    };
-    nameservers = [
-      "192.168.122.1"
-      "fe80::1%enp1s0"
-    ];
-  };
-
-  networking.firewall.enable = false;
-
-  security.acme = {
-    acceptTerms = true;
-    defaults.email = "root@katvayor.net";
-  };
-  services = {
-    openssh.enable = true;
-    qemuGuest.enable = true;
-    getty.autologinUser = "root";
-    nginx = {
-      enable = true;
-      virtualHosts = {
-        "son.katvayor.net" = {
-          enableACME = true;
-          addSSL = true;
-        };
-      };
-    };
-  };
-
-  system.stateVersion = "23.11";
+  meta.unstable = true;
+  config = import ./configuration.nix;
 }
--- a/machines/kat-watcher/configuration.nix
+++ b/machines/kat-watcher/configuration.nix
@ -0,0 +1,115 @@
+{
+  pkgs,
+  nodes,
+  ...
+}:
+{
+  deployment.targetHost = "watcher.kat";
+
+  imports = [
+    ./hardware-configuration.nix
+    ./disks.nix
+  ];
+
+  boot = {
+    loader.grub = {
+      enable = true;
+      efiSupport = true;
+      efiInstallAsRemovable = true;
+    };
+    kernel.sysctl."net.ipv4.ip_forward" = true;
+  };
+
+  kat = {
+    wireguardPubKey = "BgLBrWG7DRj2Gwoyj+vHZTjiB3gPEnwVcDFEQH/BYgg=";
+    fqdn = "watcher.katvayor.net";
+    proxies.redirects = [ "kat-manah" ];
+  };
+
+  networking = {
+    useDHCP = false;
+    firewall.allowedUDPPorts = [ 1194 ];
+    nftables = {
+      enable = true;
+      tables.nat = {
+        family = "ip";
+        content = ''
+          chain postrouting {
+            type nat hook postrouting priority 100;
+            ip saddr 10.42.0.0/16 masquerade
+          }
+        '';
+      };
+    };
+  };
+  systemd.network = {
+    enable = true;
+    networks = {
+      "10-ens3" = {
+        name = "ens3";
+        address = [
+          "51.83.69.54/32"
+          "2001:41d0:305:2100::5c52/56"
+        ];
+        routes = [
+          { Destination = "51.83.68.1/32"; }
+          {
+            Destination = "213.186.33.99/32";
+            Gateway = "51.83.68.1";
+          }
+          { Gateway = "51.83.68.1"; }
+          { Gateway = "2001:41d0:305:2100::1"; }
+        ];
+        dns = [ "213.186.33.99" ];
+      };
+      "50-wg0" = {
+        name = "wg0";
+        address = [ "10.42.0.2/16" ];
+      };
+    };
+    netdevs = {
+      "50-wg0" = {
+        netdevConfig = {
+          Name = "wg0";
+          Kind = "wireguard";
+        };
+        wireguardConfig = {
+          ListenPort = 1194;
+          PrivateKeyFile = "/etc/wg/private.key";
+        };
+
+        wireguardPeers = [
+          {
+            AllowedIPs = [
+              "10.42.0.1/32"
+            ];
+            PublicKey = nodes.kat-manah.config.kat.wireguardPubKey;
+          }
+          {
+            AllowedIPs = [
+              "10.42.1.1/32"
+            ];
+            PublicKey = nodes.kat-probook.config.kat.wireguardPubKey;
+          }
+          {
+            AllowedIPs = [
+              "10.42.2.1/32"
+            ];
+            PublicKey = nodes.kat-betamail.config.kat.wireguardPubKey;
+          }
+        ];
+      };
+    };
+  };
+
+  security.acme = {
+    acceptTerms = true;
+    defaults.email = "root@katvayor.net";
+  };
+
+  environment.systemPackages = with pkgs; [ tcpdump ];
+
+  services.openssh.enable = true;
+
+  system.stateVersion = "23.11";
+}
--- a/machines/kat-watcher/default.nix
+++ b/machines/kat-watcher/default.nix
@ -1,115 +1,4 @@
 {
-  pkgs,
-  nodes,
-  ...
-}:
-{
-  deployment.targetHost = "watcher.kat";
-
-  imports = [
-    ./hardware-configuration.nix
-    ./disks.nix
-  ];
-
-  boot = {
-    loader.grub = {
-      enable = true;
-      efiSupport = true;
-      efiInstallAsRemovable = true;
-    };
-    kernel.sysctl."net.ipv4.ip_forward" = true;
-  };
-
-  kat = {
-    wireguardPubKey = "BgLBrWG7DRj2Gwoyj+vHZTjiB3gPEnwVcDFEQH/BYgg=";
-    fqdn = "watcher.katvayor.net";
-    proxies.redirects = [ "kat-manah" ];
-  };
-
-  networking = {
-    useDHCP = false;
-    firewall.allowedUDPPorts = [ 1194 ];
-    nftables = {
-      enable = true;
-      tables.nat = {
-        family = "ip";
-        content = ''
-          chain postrouting {
-            type nat hook postrouting priority 100;
-            ip saddr 10.42.0.0/16 masquerade
-          }
-        '';
-      };
-    };
-  };
-  systemd.network = {
-    enable = true;
-    networks = {
-      "10-ens3" = {
-        name = "ens3";
-        address = [
-          "51.83.69.54/32"
-          "2001:41d0:305:2100::5c52/56"
-        ];
-        routes = [
-          { Destination = "51.83.68.1/32"; }
-          {
-            Destination = "213.186.33.99/32";
-            Gateway = "51.83.68.1";
-          }
-          { Gateway = "51.83.68.1"; }
-          { Gateway = "2001:41d0:305:2100::1"; }
-        ];
-        dns = [ "213.186.33.99" ];
-      };
-      "50-wg0" = {
-        name = "wg0";
-        address = [ "10.42.0.2/16" ];
-      };
-    };
-    netdevs = {
-      "50-wg0" = {
-        netdevConfig = {
-          Name = "wg0";
-          Kind = "wireguard";
-        };
-        wireguardConfig = {
-          ListenPort = 1194;
-          PrivateKeyFile = "/etc/wg/private.key";
-        };
-
-        wireguardPeers = [
-          {
-            AllowedIPs = [
-              "10.42.0.1/32"
-            ];
-            PublicKey = nodes.kat-manah.config.kat.wireguardPubKey;
-          }
-          {
-            AllowedIPs = [
-              "10.42.1.1/32"
-            ];
-            PublicKey = nodes.kat-probook.config.kat.wireguardPubKey;
-          }
-          {
-            AllowedIPs = [
-              "10.42.2.1/32"
-            ];
-            PublicKey = nodes.kat-betamail.config.kat.wireguardPubKey;
-          }
-        ];
-      };
-    };
-  };
-
-  security.acme = {
-    acceptTerms = true;
-    defaults.email = "root@katvayor.net";
-  };
-
-  environment.systemPackages = with pkgs; [ tcpdump ];
-
-  services.openssh.enable = true;
-
-  system.stateVersion = "23.11";
+  meta.unstable = true;
+  config = import ./configuration.nix;
 }
--- a/machines/kat-www/configuration.nix
+++ b/machines/kat-www/configuration.nix
@ -0,0 +1,119 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+{
+  deployment = {
+    targetHost = "www.kat";
+    tags = [ "kat-vms" ];
+  };
+
+  imports = [
+    ./hardware-configuration.nix
+    ./disks.nix
+  ];
+
+  boot = {
+    loader = {
+      systemd-boot.enable = true;
+      efi.canTouchEfiVariables = true;
+    };
+    kernelParams = [ "console=ttyS0" ];
+  };
+
+  kat = {
+    fqdn = "website.katvayor.net";
+    proxies = {
+      aliases = [
+        "www.katvayor.net"
+        "katvayor.net"
+        "netbox.katvayor.net"
+      ];
+      ip = "192.168.122.7";
+    };
+  };
+
+  systemd.network.enable = lib.mkForce false;
+  networking = {
+    useNetworkd = lib.mkForce false;
+    interfaces."enp1s0" = {
+      useDHCP = false;
+      ipv4.addresses = [
+        {
+          address = "192.168.122.7";
+          prefixLength = 24;
+        }
+      ];
+      ipv6.addresses = [
+        {
+          address = "fe80::7";
+          prefixLength = 64;
+        }
+      ];
+    };
+    defaultGateway = "192.168.122.1";
+    defaultGateway6 = {
+      address = "fe80::1";
+      interface = "enp1s0";
+    };
+    nameservers = [
+      "192.168.122.1"
+      "fe80::1%enp1s0"
+    ];
+  };
+
+  networking.firewall.enable = false;
+
+  security.acme = {
+    acceptTerms = true;
+    defaults.email = "root@katvayor.net";
+    certs."website.katvayor.net".extraDomainNames = [ "netbox.katvayor.net" ];
+  };
+  services = {
+    openssh.enable = true;
+    qemuGuest.enable = true;
+    getty.autologinUser = "root";
+
+    nginx = {
+      enable = true;
+      virtualHosts = {
+        "website.katvayor.net" = {
+          serverAliases = [
+            "www.katvayor.net"
+            "katvayor.net"
+          ];
+          enableACME = true;
+          addSSL = true;
+          locations."/" = {
+            alias = "/var/lib/www/";
+            index = "index.html";
+          };
+        };
+        "netbox.katvayor.net" = {
+          useACMEHost = "website.katvayor.net";
+          addSSL = true;
+          locations = {
+            "/" = {
+              recommendedProxySettings = true;
+              proxyPass = "http://localhost:8001";
+            };
+            "/static/".alias = "${config.services.netbox.dataDir}/static/";
+          };
+        };
+      };
+    };
+
+    netbox = {
+      enable = true;
+      package = pkgs.netbox_4_1;
+      listenAddress = "127.0.0.1";
+      secretKeyFile = "${config.services.netbox.dataDir}/secret.key";
+    };
+  };
+
+  users.users.nginx.extraGroups = [ "netbox" ];
+
+  system.stateVersion = "23.11";
+}
--- a/machines/kat-www/default.nix
+++ b/machines/kat-www/default.nix
@ -1,119 +1,4 @@
 {
-  config,
-  lib,
-  pkgs,
-  ...
-}:
-{
-  deployment = {
-    targetHost = "www.kat";
-    tags = [ "kat-vms" ];
-  };
-
-  imports = [
-    ./hardware-configuration.nix
-    ./disks.nix
-  ];
-
-  boot = {
-    loader = {
-      systemd-boot.enable = true;
-      efi.canTouchEfiVariables = true;
-    };
-    kernelParams = [ "console=ttyS0" ];
-  };
-
-  kat = {
-    fqdn = "website.katvayor.net";
-    proxies = {
-      aliases = [
-        "www.katvayor.net"
-        "katvayor.net"
-        "netbox.katvayor.net"
-      ];
-      ip = "192.168.122.7";
-    };
-  };
-
-  systemd.network.enable = lib.mkForce false;
-  networking = {
-    useNetworkd = lib.mkForce false;
-    interfaces."enp1s0" = {
-      useDHCP = false;
-      ipv4.addresses = [
-        {
-          address = "192.168.122.7";
-          prefixLength = 24;
-        }
-      ];
-      ipv6.addresses = [
-        {
-          address = "fe80::7";
-          prefixLength = 64;
-        }
-      ];
-    };
-    defaultGateway = "192.168.122.1";
-    defaultGateway6 = {
-      address = "fe80::1";
-      interface = "enp1s0";
-    };
-    nameservers = [
-      "192.168.122.1"
-      "fe80::1%enp1s0"
-    ];
-  };
-
-  networking.firewall.enable = false;
-
-  security.acme = {
-    acceptTerms = true;
-    defaults.email = "root@katvayor.net";
-    certs."website.katvayor.net".extraDomainNames = [ "netbox.katvayor.net" ];
-  };
-  services = {
-    openssh.enable = true;
-    qemuGuest.enable = true;
-    getty.autologinUser = "root";
-
-    nginx = {
-      enable = true;
-      virtualHosts = {
-        "website.katvayor.net" = {
-          serverAliases = [
-            "www.katvayor.net"
-            "katvayor.net"
-          ];
-          enableACME = true;
-          addSSL = true;
-          locations."/" = {
-            alias = "/var/lib/www/";
-            index = "index.html";
-          };
-        };
-        "netbox.katvayor.net" = {
-          useACMEHost = "website.katvayor.net";
-          addSSL = true;
-          locations = {
-            "/" = {
-              recommendedProxySettings = true;
-              proxyPass = "http://localhost:8001";
-            };
-            "/static/".alias = "${config.services.netbox.dataDir}/static/";
-          };
-        };
-      };
-    };
-
-    netbox = {
-      enable = true;
-      package = pkgs.netbox_4_1;
-      listenAddress = "127.0.0.1";
-      secretKeyFile = "${config.services.netbox.dataDir}/secret.key";
-    };
-  };
-
-  users.users.nginx.extraGroups = [ "netbox" ];
-
-  system.stateVersion = "23.11";
+  meta.unstable = false;
+  config = import ./configuration.nix;
 }
--- a/npins/sources.json
+++ b/npins/sources.json
@ -15,7 +15,19 @@
      "url": "https://api.github.com/repos/nix-community/disko/tarball/v1.9.0",
      "hash": "0j76ar4qz320fakdii4659w5lww8wiz6yb7g47npywqvf2lbp388"
    },
-    "home-manager": {
+    "home-manager-stable": {
+      "type": "Git",
+      "repository": {
+        "type": "GitHub",
+        "owner": "nix-community",
+        "repo": "home-manager"
+      },
+      "branch": "release-24.11",
+      "revision": "62d536255879be574ebfe9b87c4ac194febf47c5",
+      "url": "https://github.com/nix-community/home-manager/archive/62d536255879be574ebfe9b87c4ac194febf47c5.tar.gz",
+      "hash": "0v9bsc6r2626kap2m12zxw47m4p2kpr4pjldr7wvgqq48vwd72cm"
+    },
+    "home-manager-unstable": {
      "type": "Git",
      "repository": {
        "type": "GitHub",
@ -23,9 +35,9 @@
        "repo": "home-manager"
      },
      "branch": "master",
-      "revision": "2f607e07f3ac7e53541120536708e824acccfaa8",
-      "url": "https://github.com/nix-community/home-manager/archive/2f607e07f3ac7e53541120536708e824acccfaa8.tar.gz",
-      "hash": "19w63qccz78v0spx03911z98w1bvlxvd07hb0ma14a4vdzi4ninj"
+      "revision": "65912bc6841cf420eb8c0a20e03df7cbbff5963f",
+      "url": "https://github.com/nix-community/home-manager/archive/65912bc6841cf420eb8c0a20e03df7cbbff5963f.tar.gz",
+      "hash": "026hmc30kkyd9ihpjd6cm1b22galdi164ardhmj5x5jcszhjx4r9"
    },
    "nix-patches": {
      "type": "GitRelease",
@ -49,9 +61,9 @@
        "repo": "nixos-images"
      },
      "branch": "main",
-      "revision": "16f7f3496167ff95a1ef823bf56309a5d42237e1",
-      "url": "https://github.com/nix-community/nixos-images/archive/16f7f3496167ff95a1ef823bf56309a5d42237e1.tar.gz",
-      "hash": "0nwpxajd6ny9qry58ch624ahr4nmsbkxq1m9ijqcwk8jx0cgv3vy"
+      "revision": "a5e3e9e083d607b8a780d69323148ac99c09787b",
+      "url": "https://github.com/nix-community/nixos-images/archive/a5e3e9e083d607b8a780d69323148ac99c09787b.tar.gz",
+      "hash": "1nacp8n3in0bv59jl3s8k3yhc3dv96dpfv9r508jjr35bvvgzx91"
    },
    "nixos-mailserver": {
      "type": "Git",
@ -65,13 +77,31 @@
      "url": "https://gitlab.com/api/v4/projects/simple-nixos-mailserver%2Fnixos-mailserver/repository/archive.tar.gz?sha=af7d3bf5daeba3fc28089b015c0dd43f06b176f2",
      "hash": "1j0r52ij5pw8b8wc5xz1bmm5idwkmsnwpla6smz8gypcjls860ma"
    },
-    "nixpkgs": {
+    "nixpkgs-stable": {
+      "type": "Channel",
+      "name": "nixos-24.11",
+      "url": "https://releases.nixos.org/nixos/24.11/nixos-24.11.710315.b681065d0919/nixexprs.tar.xz",
+      "hash": "0j2djx0mqp2hiq1w7sl5837mzgqrc3534257b9sdv8p5672gpbmv"
+    },
+    "nixpkgs-unstable": {
      "type": "Channel",
      "name": "nixpkgs-unstable",
-      "url": "https://releases.nixos.org/nixpkgs/nixpkgs-24.11pre704822.85f7e662eda4/nixexprs.tar.xz",
-      "hash": "0dqlz0xqd3nn49hnx943y5sfqd7nmj25s6gi1pjm907j3vbgg47k"
+      "url": "https://releases.nixos.org/nixpkgs/nixpkgs-25.05pre716127.566e53c2ad75/nixexprs.tar.xz",
+      "hash": "182d5xq2w70znk61b8bn0cyq4jmp7vw239vmxbmsvv13zrjainbv"
    },
-    "nixvim": {
+    "nixvim-stable": {
+      "type": "Git",
+      "repository": {
+        "type": "GitHub",
+        "owner": "nix-community",
+        "repo": "nixvim"
+      },
+      "branch": "nixos-24.11",
+      "revision": "667b2a5f7a7925fb3247fd3201f4a9e0bcebcd48",
+      "url": "https://github.com/nix-community/nixvim/archive/667b2a5f7a7925fb3247fd3201f4a9e0bcebcd48.tar.gz",
+      "hash": "181fhbqfz4lqrpsg2c3hkn0d95s736wkhsrbcl0mndjgm3202bpb"
+    },
+    "nixvim-unstable": {
      "type": "Git",
      "repository": {
        "type": "GitHub",
@ -79,9 +109,9 @@
        "repo": "nixvim"
      },
      "branch": "main",
-      "revision": "aabbd60633947baba11db44df84f402edc241440",
-      "url": "https://github.com/nix-community/nixvim/archive/aabbd60633947baba11db44df84f402edc241440.tar.gz",
-      "hash": "1mkmz8mvydj4mbfqipywncf68i8dcnag088cr4xkp2z3h4ary0ap"
+      "revision": "38885227461de58a712362c1c484803d6c90a8b2",
+      "url": "https://github.com/nix-community/nixvim/archive/38885227461de58a712362c1c484803d6c90a8b2.tar.gz",
+      "hash": "1cyx21v1dm4r6n5y2d32wpzhxy534h8j79ws1wi2b6rlpcqasrkg"
    }
  },
  "version": 3
--- a/patches/default.nix
+++ b/patches/default.nix
@ -1,11 +1,15 @@
-rec {
-  unstable = [
+let
+  general = [
    {
      _type = "static";
      path = ./nginx-fallback.patch;
    }
  ];
-  betamail = unstable ++ [
+in
+{
+  unstable = general;
+  stable = general;
+  betamail = [
    {
      _type = "static";
      path = ./procmail_322.patch;
--- a/shell.nix
+++ b/shell.nix
@ -1,6 +1,6 @@
 let
  sources = import ./npins;
-  pkgs = import sources.nixpkgs { };
+  pkgs = import sources.nixpkgs-unstable { };
 in
 pkgs.mkShell {
  packages = with pkgs; [