From eb3f9e87435be5941278d819351bac0ece172051 Mon Sep 17 00:00:00 2001
From: seth <getchoo@tuta.io>
Date: Thu, 20 Apr 2023 22:10:21 -0400
Subject: move to my external lib

---
 flake.lock                                       |   6 +-
 flake.nix                                        |   9 +-
 hosts/_turret/default.nix                        |  38 +++++
 hosts/_turret/files/etc/config/dhcp              |  55 +++++++
 hosts/_turret/files/etc/config/dropbear          |   5 +
 hosts/_turret/files/etc/config/firewall          | 189 +++++++++++++++++++++++
 hosts/_turret/files/etc/config/https-dns-proxy   |  18 +++
 hosts/_turret/files/etc/config/luci              |  41 +++++
 hosts/_turret/files/etc/config/network           |  29 ++++
 hosts/_turret/files/etc/config/rpcd              |  10 ++
 hosts/_turret/files/etc/config/system            |  16 ++
 hosts/_turret/files/etc/config/ucitrack          |  56 +++++++
 hosts/_turret/files/etc/config/uhttpd            |  31 ++++
 hosts/_turret/files/etc/config/wireless          | Bin 0 -> 827 bytes
 hosts/_turret/files/etc/dropbear/authorized_keys |   1 +
 hosts/default.nix                                |  31 +++-
 hosts/glados-wsl/default.nix                     |   3 +-
 hosts/glados/default.nix                         |  10 +-
 hosts/turret/default.nix                         |  38 -----
 hosts/turret/files/etc/config/dhcp               |  55 -------
 hosts/turret/files/etc/config/dropbear           |   5 -
 hosts/turret/files/etc/config/firewall           | 189 -----------------------
 hosts/turret/files/etc/config/https-dns-proxy    |  18 ---
 hosts/turret/files/etc/config/luci               |  41 -----
 hosts/turret/files/etc/config/network            |  29 ----
 hosts/turret/files/etc/config/rpcd               |  10 --
 hosts/turret/files/etc/config/system             |  16 --
 hosts/turret/files/etc/config/ucitrack           |  56 -------
 hosts/turret/files/etc/config/uhttpd             |  31 ----
 hosts/turret/files/etc/config/wireless           | Bin 827 -> 0 bytes
 hosts/turret/files/etc/dropbear/authorized_keys  |   1 -
 lib/default.nix                                  |  16 --
 lib/host.nix                                     |  44 ------
 lib/user.nix                                     |  35 -----
 users/_secrets/rootPassword.age                  | Bin 0 -> 365 bytes
 users/_secrets/secrets.nix                       |   6 +
 users/_secrets/sethPassword.age                  |   9 ++
 users/default.nix                                |   6 +-
 users/secrets/rootPassword.age                   | Bin 365 -> 0 bytes
 users/secrets/secrets.nix                        |   6 -
 users/secrets/sethPassword.age                   |   9 --
 users/seth/home.nix                              |   8 +-
 42 files changed, 555 insertions(+), 621 deletions(-)
 create mode 100644 hosts/_turret/default.nix
 create mode 100644 hosts/_turret/files/etc/config/dhcp
 create mode 100644 hosts/_turret/files/etc/config/dropbear
 create mode 100644 hosts/_turret/files/etc/config/firewall
 create mode 100644 hosts/_turret/files/etc/config/https-dns-proxy
 create mode 100644 hosts/_turret/files/etc/config/luci
 create mode 100644 hosts/_turret/files/etc/config/network
 create mode 100644 hosts/_turret/files/etc/config/rpcd
 create mode 100644 hosts/_turret/files/etc/config/system
 create mode 100644 hosts/_turret/files/etc/config/ucitrack
 create mode 100644 hosts/_turret/files/etc/config/uhttpd
 create mode 100644 hosts/_turret/files/etc/config/wireless
 create mode 100644 hosts/_turret/files/etc/dropbear/authorized_keys
 delete mode 100644 hosts/turret/default.nix
 delete mode 100644 hosts/turret/files/etc/config/dhcp
 delete mode 100644 hosts/turret/files/etc/config/dropbear
 delete mode 100644 hosts/turret/files/etc/config/firewall
 delete mode 100644 hosts/turret/files/etc/config/https-dns-proxy
 delete mode 100644 hosts/turret/files/etc/config/luci
 delete mode 100644 hosts/turret/files/etc/config/network
 delete mode 100644 hosts/turret/files/etc/config/rpcd
 delete mode 100644 hosts/turret/files/etc/config/system
 delete mode 100644 hosts/turret/files/etc/config/ucitrack
 delete mode 100644 hosts/turret/files/etc/config/uhttpd
 delete mode 100644 hosts/turret/files/etc/config/wireless
 delete mode 100644 hosts/turret/files/etc/dropbear/authorized_keys
 delete mode 100644 lib/default.nix
 delete mode 100644 lib/host.nix
 delete mode 100644 lib/user.nix
 create mode 100644 users/_secrets/rootPassword.age
 create mode 100644 users/_secrets/secrets.nix
 create mode 100644 users/_secrets/sethPassword.age
 delete mode 100644 users/secrets/rootPassword.age
 delete mode 100644 users/secrets/secrets.nix
 delete mode 100644 users/secrets/sethPassword.age

diff --git a/flake.lock b/flake.lock
index ea1381a..9657098 100644
--- a/flake.lock
+++ b/flake.lock
@@ -151,11 +151,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1681774655,
-        "narHash": "sha256-FutQ3V1KMuySMeGbxKeCQ6i3b4FZ7WbKJLRTbp/u+JU=",
+        "lastModified": 1682040726,
+        "narHash": "sha256-0wnUd7rCeANBvLOhawNhZxB0wW146q2GrfVkbHpbi70=",
         "owner": "getchoo",
         "repo": "overlay",
-        "rev": "76817703bb1cf925e6f99a2ba8ad78d2ec560b6e",
+        "rev": "5e476304b0ec6109cb9d09a89872a6b9a138efbf",
         "type": "github"
       },
       "original": {
diff --git a/flake.nix b/flake.nix
index 1b13e27..63e969b 100644
--- a/flake.nix
+++ b/flake.nix
@@ -68,12 +68,15 @@
     self,
     nixpkgs,
     agenix,
+    getchoo,
     flake-utils,
     openwrt-imagebuilder,
     pre-commit-hooks,
     ...
   }: let
-    inherit (import ./lib {inherit (nixpkgs) lib;}) mapHosts mapHMUsers;
+    getchooLib = getchoo.lib (inputs // {inherit self;});
+
+    inherit (getchooLib.configs) mapHMUsers mapHosts;
   in
     flake-utils.lib.eachDefaultSystem (system: let
       pkgs = nixpkgs.legacyPackages.${system};
@@ -110,10 +113,10 @@
 
       formatter = pkgs.alejandra;
 
-      homeConfigurations = mapHMUsers inputs system;
+      homeConfigurations = mapHMUsers system ./users;
     })
     // {
-      nixosConfigurations = mapHosts inputs;
+      nixosConfigurations = mapHosts ./hosts;
 
       nixosModules.getchoo = import ./modules;
 
diff --git a/hosts/_turret/default.nix b/hosts/_turret/default.nix
new file mode 100644
index 0000000..faac3d2
--- /dev/null
+++ b/hosts/_turret/default.nix
@@ -0,0 +1,38 @@
+{
+  pkgs,
+  openwrt-imagebuilder,
+  ...
+}: let
+  inherit (pkgs) runCommand;
+  inherit (pkgs.stdenv) mkDerivation;
+  inherit (openwrt-imagebuilder.lib) build profiles;
+  wrtProfiles = profiles {
+    inherit pkgs;
+    release = "22.03.3";
+  };
+  config = mkDerivation {
+    name = "openwrt-config-files";
+    src = ./files;
+    installPhase = ''
+      mkdir -p $out
+      cp -r * $out/
+    '';
+  };
+  image =
+    wrtProfiles.identifyProfile "netgear_wac104"
+    // {
+      packages = ["https-dns-proxy"];
+
+      files = runCommand "image-files" {} ''
+        mkdir -p $out/etc/uci-defaults
+        cat > $out/etc/uci-defaults/99-custom <<EOF
+        uci -q batch << EOI
+        set system.@system[0].hostname='turret'
+        commit
+        EOI
+        EOF
+        cp -fr ${config}/etc/* $out/etc/
+      '';
+    };
+in
+  build image
diff --git a/hosts/_turret/files/etc/config/dhcp b/hosts/_turret/files/etc/config/dhcp
new file mode 100644
index 0000000..4a471cf
--- /dev/null
+++ b/hosts/_turret/files/etc/config/dhcp
@@ -0,0 +1,55 @@
+
+config dnsmasq
+	option domainneeded '1'
+	option boguspriv '1'
+	option filterwin2k '0'
+	option localise_queries '1'
+	option rebind_protection '1'
+	option rebind_localhost '1'
+	option local '/lan/'
+	option domain 'lan'
+	option expandhosts '1'
+	option nonegcache '0'
+	option authoritative '1'
+	option readethers '1'
+	option leasefile '/tmp/dhcp.leases'
+	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
+	option nonwildcard '1'
+	option localservice '1'
+	option ednspacket_max '1232'
+	option doh_backup_noresolv '-1'
+	option noresolv '1'
+	list doh_backup_server ''
+	list doh_backup_server '/mask.icloud.com/'
+	list doh_backup_server '/mask-h2.icloud.com/'
+	list doh_backup_server '/use-application-dns.net/'
+	list doh_backup_server '127.0.0.1#5054'
+	list doh_backup_server '127.0.0.1#5053'
+	list server '/mask.icloud.com/'
+	list server '/mask-h2.icloud.com/'
+	list server '/use-application-dns.net/'
+	list server '127.0.0.1#5054'
+	list server '127.0.0.1#5053'
+
+config dhcp 'lan'
+	option interface 'lan'
+	option start '100'
+	option limit '150'
+	option leasetime '12h'
+	option dhcpv4 'server'
+	option dhcpv6 'server'
+	option ra 'server'
+	option ra_slaac '1'
+	list ra_flags 'managed-config'
+	list ra_flags 'other-config'
+
+config dhcp 'wan'
+	option interface 'wan'
+	option ignore '1'
+
+config odhcpd 'odhcpd'
+	option maindhcp '0'
+	option leasefile '/tmp/hosts/odhcpd'
+	option leasetrigger '/usr/sbin/odhcpd-update'
+	option loglevel '4'
+
diff --git a/hosts/_turret/files/etc/config/dropbear b/hosts/_turret/files/etc/config/dropbear
new file mode 100644
index 0000000..2139ba0
--- /dev/null
+++ b/hosts/_turret/files/etc/config/dropbear
@@ -0,0 +1,5 @@
+config dropbear
+	option PasswordAuth 'on'
+	option RootPasswordAuth 'on'
+	option Port         '22'
+#	option BannerFile   '/etc/banner'
diff --git a/hosts/_turret/files/etc/config/firewall b/hosts/_turret/files/etc/config/firewall
new file mode 100644
index 0000000..b9a4647
--- /dev/null
+++ b/hosts/_turret/files/etc/config/firewall
@@ -0,0 +1,189 @@
+config defaults
+	option syn_flood	1
+	option input		ACCEPT
+	option output		ACCEPT
+	option forward		REJECT
+# Uncomment this line to disable ipv6 rules
+#	option disable_ipv6	1
+
+config zone
+	option name		lan
+	list   network		'lan'
+	option input		ACCEPT
+	option output		ACCEPT
+	option forward		ACCEPT
+
+config zone
+	option name		wan
+	list   network		'wan'
+	list   network		'wan6'
+	option input		REJECT
+	option output		ACCEPT
+	option forward		REJECT
+	option masq		1
+	option mtu_fix		1
+
+config forwarding
+	option src		lan
+	option dest		wan
+
+# We need to accept udp packets on port 68,
+# see https://dev.openwrt.org/ticket/4108
+config rule
+	option name		Allow-DHCP-Renew
+	option src		wan
+	option proto		udp
+	option dest_port	68
+	option target		ACCEPT
+	option family		ipv4
+
+# Allow IPv4 ping
+config rule
+	option name		Allow-Ping
+	option src		wan
+	option proto		icmp
+	option icmp_type	echo-request
+	option family		ipv4
+	option target		ACCEPT
+
+config rule
+	option name		Allow-IGMP
+	option src		wan
+	option proto		igmp
+	option family		ipv4
+	option target		ACCEPT
+
+# Allow DHCPv6 replies
+# see https://github.com/openwrt/openwrt/issues/5066
+config rule
+	option name		Allow-DHCPv6
+	option src		wan
+	option proto		udp
+	option dest_port	546
+	option family		ipv6
+	option target		ACCEPT
+
+config rule
+	option name		Allow-MLD
+	option src		wan
+	option proto		icmp
+	option src_ip		fe80::/10
+	list icmp_type		'130/0'
+	list icmp_type		'131/0'
+	list icmp_type		'132/0'
+	list icmp_type		'143/0'
+	option family		ipv6
+	option target		ACCEPT
+
+# Allow essential incoming IPv6 ICMP traffic
+config rule
+	option name		Allow-ICMPv6-Input
+	option src		wan
+	option proto	icmp
+	list icmp_type		echo-request
+	list icmp_type		echo-reply
+	list icmp_type		destination-unreachable
+	list icmp_type		packet-too-big
+	list icmp_type		time-exceeded
+	list icmp_type		bad-header
+	list icmp_type		unknown-header-type
+	list icmp_type		router-solicitation
+	list icmp_type		neighbour-solicitation
+	list icmp_type		router-advertisement
+	list icmp_type		neighbour-advertisement
+	option limit		1000/sec
+	option family		ipv6
+	option target		ACCEPT
+
+# Allow essential forwarded IPv6 ICMP traffic
+config rule
+	option name		Allow-ICMPv6-Forward
+	option src		wan
+	option dest		*
+	option proto		icmp
+	list icmp_type		echo-request
+	list icmp_type		echo-reply
+	list icmp_type		destination-unreachable
+	list icmp_type		packet-too-big
+	list icmp_type		time-exceeded
+	list icmp_type		bad-header
+	list icmp_type		unknown-header-type
+	option limit		1000/sec
+	option family		ipv6
+	option target		ACCEPT
+
+config rule
+	option name		Allow-IPSec-ESP
+	option src		wan
+	option dest		lan
+	option proto		esp
+	option target		ACCEPT
+
+config rule
+	option name		Allow-ISAKMP
+	option src		wan
+	option dest		lan
+	option dest_port	500
+	option proto		udp
+	option target		ACCEPT
+
+
+### EXAMPLE CONFIG SECTIONS
+# do not allow a specific ip to access wan
+#config rule
+#	option src		lan
+#	option src_ip	192.168.45.2
+#	option dest		wan
+#	option proto	tcp
+#	option target	REJECT
+
+# block a specific mac on wan
+#config rule
+#	option dest		wan
+#	option src_mac	00:11:22:33:44:66
+#	option target	REJECT
+
+# block incoming ICMP traffic on a zone
+#config rule
+#	option src		lan
+#	option proto	ICMP
+#	option target	DROP
+
+# port redirect port coming in on wan to lan
+#config redirect
+#	option src			wan
+#	option src_dport	80
+#	option dest			lan
+#	option dest_ip		192.168.16.235
+#	option dest_port	80
+#	option proto		tcp
+
+# port redirect of remapped ssh port (22001) on wan
+#config redirect
+#	option src		wan
+#	option src_dport	22001
+#	option dest		lan
+#	option dest_port	22
+#	option proto		tcp
+
+### FULL CONFIG SECTIONS
+#config rule
+#	option src		lan
+#	option src_ip	192.168.45.2
+#	option src_mac	00:11:22:33:44:55
+#	option src_port	80
+#	option dest		wan
+#	option dest_ip	194.25.2.129
+#	option dest_port	120
+#	option proto	tcp
+#	option target	REJECT
+
+#config redirect
+#	option src		lan
+#	option src_ip	192.168.45.2
+#	option src_mac	00:11:22:33:44:55
+#	option src_port		1024
+#	option src_dport	80
+#	option dest_ip	194.25.2.129
+#	option dest_port	120
+#	option proto	tcp
diff --git a/hosts/_turret/files/etc/config/https-dns-proxy b/hosts/_turret/files/etc/config/https-dns-proxy
new file mode 100644
index 0000000..e5623ad
--- /dev/null
+++ b/hosts/_turret/files/etc/config/https-dns-proxy
@@ -0,0 +1,18 @@
+
+config main 'config'
+	option dnsmasq_config_update '*'
+	list force_dns_port '53'
+	list force_dns_port '853'
+	option procd_trigger_wan6 '0'
+	option canary_domains_icloud '0'
+	option canary_domains_mozilla '0'
+	option force_dns '0'
+
+config https-dns-proxy
+	option bootstrap_dns '1.1.1.1,1.0.0.1'
+	option resolver_url 'https://cloudflare-dns.com/dns-query'
+	option listen_addr '127.0.0.1'
+	option listen_port '5054'
+	option user 'nobody'
+	option group 'nogroup'
+
diff --git a/hosts/_turret/files/etc/config/luci b/hosts/_turret/files/etc/config/luci
new file mode 100644
index 0000000..8eb8a9b
--- /dev/null
+++ b/hosts/_turret/files/etc/config/luci
@@ -0,0 +1,41 @@
+
+config core 'main'
+	option lang 'auto'
+	option mediaurlbase '/luci-static/bootstrap'
+	option resourcebase '/luci-static/resources'
+	option ubuspath '/ubus/'
+
+config extern 'flash_keep'
+	option uci '/etc/config/'
+	option dropbear '/etc/dropbear/'
+	option openvpn '/etc/openvpn/'
+	option passwd '/etc/passwd'
+	option opkg '/etc/opkg.conf'
+	option firewall '/etc/firewall.user'
+	option uploads '/lib/uci/upload/'
+
+config internal 'languages'
+
+config internal 'sauth'
+	option sessionpath '/tmp/luci-sessions'
+	option sessiontime '3600'
+
+config internal 'ccache'
+	option enable '1'
+
+config internal 'themes'
+	option Bootstrap '/luci-static/bootstrap'
+	option BootstrapDark '/luci-static/bootstrap-dark'
+	option BootstrapLight '/luci-static/bootstrap-light'
+
+config internal 'apply'
+	option rollback '90'
+	option holdoff '4'
+	option timeout '5'
+	option display '1.5'
+
+config internal 'diag'
+	option dns 'openwrt.org'
+	option ping 'openwrt.org'
+	option route 'openwrt.org'
+
diff --git a/hosts/_turret/files/etc/config/network b/hosts/_turret/files/etc/config/network
new file mode 100644
index 0000000..c71cf98
--- /dev/null
+++ b/hosts/_turret/files/etc/config/network
@@ -0,0 +1,29 @@
+
+config interface 'loopback'
+	option device 'lo'
+	option proto 'static'
+	option ipaddr '127.0.0.1'
+	option netmask '255.0.0.0'
+
+config globals 'globals'
+	option packet_steering '1'
+	option ula_prefix 'fd26:3166:dece::/48'
+
+config device
+	option name 'br-lan'
+	option type 'bridge'
+	list ports 'lan2'
+	list ports 'lan3'
+	list ports 'lan4'
+
+config interface 'lan'
+	option device 'br-lan'
+	option proto 'static'
+	option ipaddr '192.168.1.1'
+	option netmask '255.255.255.0'
+	option ip6assign '60'
+
+config interface 'wan'
+	option device 'lan1'
+	option proto 'dhcp'
+
diff --git a/hosts/_turret/files/etc/config/rpcd b/hosts/_turret/files/etc/config/rpcd
new file mode 100644
index 0000000..176c643
--- /dev/null
+++ b/hosts/_turret/files/etc/config/rpcd
@@ -0,0 +1,10 @@
+config rpcd
+	option socket /var/run/ubus/ubus.sock
+	option timeout 30
+
+config login
+	option username 'root'
+	option password '$p$root'
+	list read '*'
+	list write '*'
+
diff --git a/hosts/_turret/files/etc/config/system b/hosts/_turret/files/etc/config/system
new file mode 100644
index 0000000..ee3415f
--- /dev/null
+++ b/hosts/_turret/files/etc/config/system
@@ -0,0 +1,16 @@
+
+config system
+	option hostname 'turret'
+	option timezone 'UTC'
+	option ttylogin '0'
+	option log_size '64'
+	option urandom_seed '0'
+	option compat_version '1.1'
+
+config timeserver 'ntp'
+	option enabled '1'
+	option enable_server '0'
+	list server '0.openwrt.pool.ntp.org'
+	list server '1.openwrt.pool.ntp.org'
+	list server '2.openwrt.pool.ntp.org'
+	list server '3.openwrt.pool.ntp.org'
diff --git a/hosts/_turret/files/etc/config/ucitrack b/hosts/_turret/files/etc/config/ucitrack
new file mode 100644
index 0000000..bb4cdbc
--- /dev/null
+++ b/hosts/_turret/files/etc/config/ucitrack
@@ -0,0 +1,56 @@
+config network
+	option init network
+	list affects dhcp
+
+config wireless
+	list affects network
+
+config firewall
+	option init firewall
+	list affects luci-splash
+	list affects qos
+	list affects miniupnpd
+
+config olsr
+	option init olsrd
+
+config dhcp
+	option init dnsmasq
+	list affects odhcpd
+
+config odhcpd
+	option init odhcpd
+
+config dropbear
+	option init dropbear
+
+config httpd
+	option init httpd
+
+config fstab
+	option exec '/sbin/block mount'
+
+config qos
+	option init qos
+
+config system
+	option init led
+	option exec '/etc/init.d/log reload'
+	list affects luci_statistics
+	list affects dhcp
+
+config luci_splash
+	option init luci_splash
+
+config upnpd
+	option init miniupnpd
+
+config ntpclient
+	option init ntpclient
+
+config samba
+	option init samba
+
+config tinyproxy
+	option init tinyproxy
+
diff --git a/hosts/_turret/files/etc/config/uhttpd b/hosts/_turret/files/etc/config/uhttpd
new file mode 100644
index 0000000..cb2ff71
--- /dev/null
+++ b/hosts/_turret/files/etc/config/uhttpd
@@ -0,0 +1,31 @@
+
+config uhttpd 'main'
+	list listen_http '0.0.0.0:80'
+	list listen_http '[::]:80'
+	list listen_https '0.0.0.0:443'
+	list listen_https '[::]:443'
+	option redirect_https '0'
+	option home '/www'
+	option rfc1918_filter '1'
+	option max_requests '3'
+	option max_connections '100'
+	option cert '/etc/uhttpd.crt'
+	option key '/etc/uhttpd.key'
+	option cgi_prefix '/cgi-bin'
+	list lua_prefix '/cgi-bin/luci=/usr/lib/lua/luci/sgi/uhttpd.lua'
+	option script_timeout '60'
+	option network_timeout '30'
+	option http_keepalive '20'
+	option tcp_keepalive '1'
+	option ubus_prefix '/ubus'
+
+config cert 'defaults'
+	option days '730'
+	option key_type 'ec'
+	option bits '2048'
+	option ec_curve 'P-256'
+	option country 'ZZ'
+	option state 'Somewhere'
+	option location 'Unknown'
+	option commonname 'OpenWrt'
+
diff --git a/hosts/_turret/files/etc/config/wireless b/hosts/_turret/files/etc/config/wireless
new file mode 100644
index 0000000..b4a431d
Binary files /dev/null and b/hosts/_turret/files/etc/config/wireless differ
diff --git a/hosts/_turret/files/etc/dropbear/authorized_keys b/hosts/_turret/files/etc/dropbear/authorized_keys
new file mode 100644
index 0000000..495c605
--- /dev/null
+++ b/hosts/_turret/files/etc/dropbear/authorized_keys
@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIERx0I8DKtALZ9VrYnY1iBEpwl2pBlRiS8oJQvZwpl5e seth@glados
diff --git a/hosts/default.nix b/hosts/default.nix
index fdaea60..e9396a1 100644
--- a/hosts/default.nix
+++ b/hosts/default.nix
@@ -1,26 +1,42 @@
 inputs:
 with inputs; let
-  common = {
+  common = rec {
     system = "x86_64-linux";
-    stateVersion = "23.05";
-    pkgs = nixpkgsUnstable;
-    modules = with inputs; [
+    builder = nixpkgsUnstable.lib.nixosSystem;
+
+    modules = [
       agenix.nixosModules.default
       home-manager.nixosModules.home-manager
       nur.nixosModules.nur
+
+      self.nixosModules.getchoo
+      "${self}/users/seth"
+
       {
         age = {
           identityPaths = ["/etc/age/key"];
           secrets = {
-            rootPassword.file = ../users/secrets/rootPassword.age;
-            sethPassword.file = ../users/secrets/sethPassword.age;
+            rootPassword.file = "${self}/users/_secrets/rootPassword.age";
+            sethPassword.file = "${self}/users/_secrets/sethPassword.age";
           };
         };
+
+        nixpkgs = {
+          overlays = [nur.overlay getchoo.overlays.default];
+          config.allowUnfree = true;
+        };
+
+        nix.registry.getchoo.flake = getchoo;
+        nixos.enable = true;
+        system.stateVersion = "23.05";
       }
     ];
+
+    specialArgs = {};
   };
 in {
   glados = {
+    inherit (common) builder specialArgs system;
     modules =
       common.modules
       ++ [
@@ -29,14 +45,13 @@ in {
         nixos-hardware.nixosModules.common-pc-ssd
         lanzaboote.nixosModules.lanzaboote
       ];
-    inherit (common) system stateVersion pkgs;
   };
   glados-wsl = {
+    inherit (common) builder specialArgs system;
     modules =
       common.modules
       ++ [
         nixos-wsl.nixosModules.wsl
       ];
-    inherit (common) system stateVersion pkgs;
   };
 }
diff --git a/hosts/glados-wsl/default.nix b/hosts/glados-wsl/default.nix
index 4ba8485..25aaf5e 100644
--- a/hosts/glados-wsl/default.nix
+++ b/hosts/glados-wsl/default.nix
@@ -5,7 +5,6 @@
 }: {
   imports = [
     (modulesPath + "/profiles/minimal.nix")
-    ../../users/seth
   ];
 
   environment.systemPackages = with pkgs; [
@@ -31,6 +30,8 @@
 
   nixos.networking.enable = false;
 
+  networking.hostName = "glados-wsl";
+
   security = {
     apparmor.enable = false;
     audit.enable = false;
diff --git a/hosts/glados/default.nix b/hosts/glados/default.nix
index a2be3f5..62006b3 100644
--- a/hosts/glados/default.nix
+++ b/hosts/glados/default.nix
@@ -1,6 +1,9 @@
-{home-manager, ...}: {
+{
+  home-manager,
+  self,
+  ...
+}: {
   imports = [
-    ../../users/seth
     ./boot.nix
     ./hardware-configuration.nix
   ];
@@ -15,7 +18,7 @@
 
   home-manager.users.seth = {
     imports = [
-      ../../users/seth/desktop
+      "${self}/users/seth/desktop"
     ];
 
     desktop.gnome.enable = true;
@@ -25,6 +28,7 @@
     LIBVA_DRIVER_NAME=vdpau
   '';
 
+  networking.hostName = "glados";
   powerManagement.cpuFreqGovernor = "ondemand";
 
   security.tpm2 = {
diff --git a/hosts/turret/default.nix b/hosts/turret/default.nix
deleted file mode 100644
index faac3d2..0000000
--- a/hosts/turret/default.nix
+++ /dev/null
@@ -1,38 +0,0 @@
-{
-  pkgs,
-  openwrt-imagebuilder,
-  ...
-}: let
-  inherit (pkgs) runCommand;
-  inherit (pkgs.stdenv) mkDerivation;
-  inherit (openwrt-imagebuilder.lib) build profiles;
-  wrtProfiles = profiles {
-    inherit pkgs;
-    release = "22.03.3";
-  };
-  config = mkDerivation {
-    name = "openwrt-config-files";
-    src = ./files;
-    installPhase = ''
-      mkdir -p $out
-      cp -r * $out/
-    '';
-  };
-  image =
-    wrtProfiles.identifyProfile "netgear_wac104"
-    // {
-      packages = ["https-dns-proxy"];
-
-      files = runCommand "image-files" {} ''
-        mkdir -p $out/etc/uci-defaults
-        cat > $out/etc/uci-defaults/99-custom <<EOF
-        uci -q batch << EOI
-        set system.@system[0].hostname='turret'
-        commit
-        EOI
-        EOF
-        cp -fr ${config}/etc/* $out/etc/
-      '';
-    };
-in
-  build image
diff --git a/hosts/turret/files/etc/config/dhcp b/hosts/turret/files/etc/config/dhcp
deleted file mode 100644
index 4a471cf..0000000
--- a/hosts/turret/files/etc/config/dhcp
+++ /dev/null
@@ -1,55 +0,0 @@
-
-config dnsmasq
-	option domainneeded '1'
-	option boguspriv '1'
-	option filterwin2k '0'
-	option localise_queries '1'
-	option rebind_protection '1'
-	option rebind_localhost '1'
-	option local '/lan/'
-	option domain 'lan'
-	option expandhosts '1'
-	option nonegcache '0'
-	option authoritative '1'
-	option readethers '1'
-	option leasefile '/tmp/dhcp.leases'
-	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
-	option nonwildcard '1'
-	option localservice '1'
-	option ednspacket_max '1232'
-	option doh_backup_noresolv '-1'
-	option noresolv '1'
-	list doh_backup_server ''
-	list doh_backup_server '/mask.icloud.com/'
-	list doh_backup_server '/mask-h2.icloud.com/'
-	list doh_backup_server '/use-application-dns.net/'
-	list doh_backup_server '127.0.0.1#5054'
-	list doh_backup_server '127.0.0.1#5053'
-	list server '/mask.icloud.com/'
-	list server '/mask-h2.icloud.com/'
-	list server '/use-application-dns.net/'
-	list server '127.0.0.1#5054'
-	list server '127.0.0.1#5053'
-
-config dhcp 'lan'
-	option interface 'lan'
-	option start '100'
-	option limit '150'
-	option leasetime '12h'
-	option dhcpv4 'server'
-	option dhcpv6 'server'
-	option ra 'server'
-	option ra_slaac '1'
-	list ra_flags 'managed-config'
-	list ra_flags 'other-config'
-
-config dhcp 'wan'
-	option interface 'wan'
-	option ignore '1'
-
-config odhcpd 'odhcpd'
-	option maindhcp '0'
-	option leasefile '/tmp/hosts/odhcpd'
-	option leasetrigger '/usr/sbin/odhcpd-update'
-	option loglevel '4'
-
diff --git a/hosts/turret/files/etc/config/dropbear b/hosts/turret/files/etc/config/dropbear
deleted file mode 100644
index 2139ba0..0000000
--- a/hosts/turret/files/etc/config/dropbear
+++ /dev/null
@@ -1,5 +0,0 @@
-config dropbear
-	option PasswordAuth 'on'
-	option RootPasswordAuth 'on'
-	option Port         '22'
-#	option BannerFile   '/etc/banner'
diff --git a/hosts/turret/files/etc/config/firewall b/hosts/turret/files/etc/config/firewall
deleted file mode 100644
index b9a4647..0000000
--- a/hosts/turret/files/etc/config/firewall
+++ /dev/null
@@ -1,189 +0,0 @@
-config defaults
-	option syn_flood	1
-	option input		ACCEPT
-	option output		ACCEPT
-	option forward		REJECT
-# Uncomment this line to disable ipv6 rules
-#	option disable_ipv6	1
-
-config zone
-	option name		lan
-	list   network		'lan'
-	option input		ACCEPT
-	option output		ACCEPT
-	option forward		ACCEPT
-
-config zone
-	option name		wan
-	list   network		'wan'
-	list   network		'wan6'
-	option input		REJECT
-	option output		ACCEPT
-	option forward		REJECT
-	option masq		1
-	option mtu_fix		1
-
-config forwarding
-	option src		lan
-	option dest		wan
-
-# We need to accept udp packets on port 68,
-# see https://dev.openwrt.org/ticket/4108
-config rule
-	option name		Allow-DHCP-Renew
-	option src		wan
-	option proto		udp
-	option dest_port	68
-	option target		ACCEPT
-	option family		ipv4
-
-# Allow IPv4 ping
-config rule
-	option name		Allow-Ping
-	option src		wan
-	option proto		icmp
-	option icmp_type	echo-request
-	option family		ipv4
-	option target		ACCEPT
-
-config rule
-	option name		Allow-IGMP
-	option src		wan
-	option proto		igmp
-	option family		ipv4
-	option target		ACCEPT
-
-# Allow DHCPv6 replies
-# see https://github.com/openwrt/openwrt/issues/5066
-config rule
-	option name		Allow-DHCPv6
-	option src		wan
-	option proto		udp
-	option dest_port	546
-	option family		ipv6
-	option target		ACCEPT
-
-config rule
-	option name		Allow-MLD
-	option src		wan
-	option proto		icmp
-	option src_ip		fe80::/10
-	list icmp_type		'130/0'
-	list icmp_type		'131/0'
-	list icmp_type		'132/0'
-	list icmp_type		'143/0'
-	option family		ipv6
-	option target		ACCEPT
-
-# Allow essential incoming IPv6 ICMP traffic
-config rule
-	option name		Allow-ICMPv6-Input
-	option src		wan
-	option proto	icmp
-	list icmp_type		echo-request
-	list icmp_type		echo-reply
-	list icmp_type		destination-unreachable
-	list icmp_type		packet-too-big
-	list icmp_type		time-exceeded
-	list icmp_type		bad-header
-	list icmp_type		unknown-header-type
-	list icmp_type		router-solicitation
-	list icmp_type		neighbour-solicitation
-	list icmp_type		router-advertisement
-	list icmp_type		neighbour-advertisement
-	option limit		1000/sec
-	option family		ipv6
-	option target		ACCEPT
-
-# Allow essential forwarded IPv6 ICMP traffic
-config rule
-	option name		Allow-ICMPv6-Forward
-	option src		wan
-	option dest		*
-	option proto		icmp
-	list icmp_type		echo-request
-	list icmp_type		echo-reply
-	list icmp_type		destination-unreachable
-	list icmp_type		packet-too-big
-	list icmp_type		time-exceeded
-	list icmp_type		bad-header
-	list icmp_type		unknown-header-type
-	option limit		1000/sec
-	option family		ipv6
-	option target		ACCEPT
-
-config rule
-	option name		Allow-IPSec-ESP
-	option src		wan
-	option dest		lan
-	option proto		esp
-	option target		ACCEPT
-
-config rule
-	option name		Allow-ISAKMP
-	option src		wan
-	option dest		lan
-	option dest_port	500
-	option proto		udp
-	option target		ACCEPT
-
-
-### EXAMPLE CONFIG SECTIONS
-# do not allow a specific ip to access wan
-#config rule
-#	option src		lan
-#	option src_ip	192.168.45.2
-#	option dest		wan
-#	option proto	tcp
-#	option target	REJECT
-
-# block a specific mac on wan
-#config rule
-#	option dest		wan
-#	option src_mac	00:11:22:33:44:66
-#	option target	REJECT
-
-# block incoming ICMP traffic on a zone
-#config rule
-#	option src		lan
-#	option proto	ICMP
-#	option target	DROP
-
-# port redirect port coming in on wan to lan
-#config redirect
-#	option src			wan
-#	option src_dport	80
-#	option dest			lan
-#	option dest_ip		192.168.16.235
-#	option dest_port	80
-#	option proto		tcp
-
-# port redirect of remapped ssh port (22001) on wan
-#config redirect
-#	option src		wan
-#	option src_dport	22001
-#	option dest		lan
-#	option dest_port	22
-#	option proto		tcp
-
-### FULL CONFIG SECTIONS
-#config rule
-#	option src		lan
-#	option src_ip	192.168.45.2
-#	option src_mac	00:11:22:33:44:55
-#	option src_port	80
-#	option dest		wan
-#	option dest_ip	194.25.2.129
-#	option dest_port	120
-#	option proto	tcp
-#	option target	REJECT
-
-#config redirect
-#	option src		lan
-#	option src_ip	192.168.45.2
-#	option src_mac	00:11:22:33:44:55
-#	option src_port		1024
-#	option src_dport	80
-#	option dest_ip	194.25.2.129
-#	option dest_port	120
-#	option proto	tcp
diff --git a/hosts/turret/files/etc/config/https-dns-proxy b/hosts/turret/files/etc/config/https-dns-proxy
deleted file mode 100644
index e5623ad..0000000
--- a/hosts/turret/files/etc/config/https-dns-proxy
+++ /dev/null
@@ -1,18 +0,0 @@
-
-config main 'config'
-	option dnsmasq_config_update '*'
-	list force_dns_port '53'
-	list force_dns_port '853'
-	option procd_trigger_wan6 '0'
-	option canary_domains_icloud '0'
-	option canary_domains_mozilla '0'
-	option force_dns '0'
-
-config https-dns-proxy
-	option bootstrap_dns '1.1.1.1,1.0.0.1'
-	option resolver_url 'https://cloudflare-dns.com/dns-query'
-	option listen_addr '127.0.0.1'
-	option listen_port '5054'
-	option user 'nobody'
-	option group 'nogroup'
-
diff --git a/hosts/turret/files/etc/config/luci b/hosts/turret/files/etc/config/luci
deleted file mode 100644
index 8eb8a9b..0000000
--- a/hosts/turret/files/etc/config/luci
+++ /dev/null
@@ -1,41 +0,0 @@
-
-config core 'main'
-	option lang 'auto'
-	option mediaurlbase '/luci-static/bootstrap'
-	option resourcebase '/luci-static/resources'
-	option ubuspath '/ubus/'
-
-config extern 'flash_keep'
-	option uci '/etc/config/'
-	option dropbear '/etc/dropbear/'
-	option openvpn '/etc/openvpn/'
-	option passwd '/etc/passwd'
-	option opkg '/etc/opkg.conf'
-	option firewall '/etc/firewall.user'
-	option uploads '/lib/uci/upload/'
-
-config internal 'languages'
-
-config internal 'sauth'
-	option sessionpath '/tmp/luci-sessions'
-	option sessiontime '3600'
-
-config internal 'ccache'
-	option enable '1'
-
-config internal 'themes'
-	option Bootstrap '/luci-static/bootstrap'
-	option BootstrapDark '/luci-static/bootstrap-dark'
-	option BootstrapLight '/luci-static/bootstrap-light'
-
-config internal 'apply'
-	option rollback '90'
-	option holdoff '4'
-	option timeout '5'
-	option display '1.5'
-
-config internal 'diag'
-	option dns 'openwrt.org'
-	option ping 'openwrt.org'
-	option route 'openwrt.org'
-
diff --git a/hosts/turret/files/etc/config/network b/hosts/turret/files/etc/config/network
deleted file mode 100644
index c71cf98..0000000
--- a/hosts/turret/files/etc/config/network
+++ /dev/null
@@ -1,29 +0,0 @@
-
-config interface 'loopback'
-	option device 'lo'
-	option proto 'static'
-	option ipaddr '127.0.0.1'
-	option netmask '255.0.0.0'
-
-config globals 'globals'
-	option packet_steering '1'
-	option ula_prefix 'fd26:3166:dece::/48'
-
-config device
-	option name 'br-lan'
-	option type 'bridge'
-	list ports 'lan2'
-	list ports 'lan3'
-	list ports 'lan4'
-
-config interface 'lan'
-	option device 'br-lan'
-	option proto 'static'
-	option ipaddr '192.168.1.1'
-	option netmask '255.255.255.0'
-	option ip6assign '60'
-
-config interface 'wan'
-	option device 'lan1'
-	option proto 'dhcp'
-
diff --git a/hosts/turret/files/etc/config/rpcd b/hosts/turret/files/etc/config/rpcd
deleted file mode 100644
index 176c643..0000000
--- a/hosts/turret/files/etc/config/rpcd
+++ /dev/null
@@ -1,10 +0,0 @@
-config rpcd
-	option socket /var/run/ubus/ubus.sock
-	option timeout 30
-
-config login
-	option username 'root'
-	option password '$p$root'
-	list read '*'
-	list write '*'
-
diff --git a/hosts/turret/files/etc/config/system b/hosts/turret/files/etc/config/system
deleted file mode 100644
index ee3415f..0000000
--- a/hosts/turret/files/etc/config/system
+++ /dev/null
@@ -1,16 +0,0 @@
-
-config system
-	option hostname 'turret'
-	option timezone 'UTC'
-	option ttylogin '0'
-	option log_size '64'
-	option urandom_seed '0'
-	option compat_version '1.1'
-
-config timeserver 'ntp'
-	option enabled '1'
-	option enable_server '0'
-	list server '0.openwrt.pool.ntp.org'
-	list server '1.openwrt.pool.ntp.org'
-	list server '2.openwrt.pool.ntp.org'
-	list server '3.openwrt.pool.ntp.org'
diff --git a/hosts/turret/files/etc/config/ucitrack b/hosts/turret/files/etc/config/ucitrack
deleted file mode 100644
index bb4cdbc..0000000
--- a/hosts/turret/files/etc/config/ucitrack
+++ /dev/null
@@ -1,56 +0,0 @@
-config network
-	option init network
-	list affects dhcp
-
-config wireless
-	list affects network
-
-config firewall
-	option init firewall
-	list affects luci-splash
-	list affects qos
-	list affects miniupnpd
-
-config olsr
-	option init olsrd
-
-config dhcp
-	option init dnsmasq
-	list affects odhcpd
-
-config odhcpd
-	option init odhcpd
-
-config dropbear
-	option init dropbear
-
-config httpd
-	option init httpd
-
-config fstab
-	option exec '/sbin/block mount'
-
-config qos
-	option init qos
-
-config system
-	option init led
-	option exec '/etc/init.d/log reload'
-	list affects luci_statistics
-	list affects dhcp
-
-config luci_splash
-	option init luci_splash
-
-config upnpd
-	option init miniupnpd
-
-config ntpclient
-	option init ntpclient
-
-config samba
-	option init samba
-
-config tinyproxy
-	option init tinyproxy
-
diff --git a/hosts/turret/files/etc/config/uhttpd b/hosts/turret/files/etc/config/uhttpd
deleted file mode 100644
index cb2ff71..0000000
--- a/hosts/turret/files/etc/config/uhttpd
+++ /dev/null
@@ -1,31 +0,0 @@
-
-config uhttpd 'main'
-	list listen_http '0.0.0.0:80'
-	list listen_http '[::]:80'
-	list listen_https '0.0.0.0:443'
-	list listen_https '[::]:443'
-	option redirect_https '0'
-	option home '/www'
-	option rfc1918_filter '1'
-	option max_requests '3'
-	option max_connections '100'
-	option cert '/etc/uhttpd.crt'
-	option key '/etc/uhttpd.key'
-	option cgi_prefix '/cgi-bin'
-	list lua_prefix '/cgi-bin/luci=/usr/lib/lua/luci/sgi/uhttpd.lua'
-	option script_timeout '60'
-	option network_timeout '30'
-	option http_keepalive '20'
-	option tcp_keepalive '1'
-	option ubus_prefix '/ubus'
-
-config cert 'defaults'
-	option days '730'
-	option key_type 'ec'
-	option bits '2048'
-	option ec_curve 'P-256'
-	option country 'ZZ'
-	option state 'Somewhere'
-	option location 'Unknown'
-	option commonname 'OpenWrt'
-
diff --git a/hosts/turret/files/etc/config/wireless b/hosts/turret/files/etc/config/wireless
deleted file mode 100644
index b4a431d..0000000
Binary files a/hosts/turret/files/etc/config/wireless and /dev/null differ
diff --git a/hosts/turret/files/etc/dropbear/authorized_keys b/hosts/turret/files/etc/dropbear/authorized_keys
deleted file mode 100644
index 495c605..0000000
--- a/hosts/turret/files/etc/dropbear/authorized_keys
+++ /dev/null
@@ -1 +0,0 @@
-ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIERx0I8DKtALZ9VrYnY1iBEpwl2pBlRiS8oJQvZwpl5e seth@glados
diff --git a/lib/default.nix b/lib/default.nix
deleted file mode 100644
index 94acb96..0000000
--- a/lib/default.nix
+++ /dev/null
@@ -1,16 +0,0 @@
-{lib}: let
-  inherit (builtins) readDir;
-  inherit (lib) filterAttrs mapAttrs;
-
-  my = {
-    mapFilterDirs = dir: filter: map: let
-      dirs = filterAttrs filter (readDir dir);
-    in
-      mapAttrs map dirs;
-  };
-
-  myLib = lib.extend (_: _: {inherit my;});
-  common = {lib = myLib;};
-in
-  (import ./host.nix common)
-  // (import ./user.nix common)
diff --git a/lib/host.nix b/lib/host.nix
deleted file mode 100644
index 5b092b4..0000000
--- a/lib/host.nix
+++ /dev/null
@@ -1,44 +0,0 @@
-{lib}: rec {
-  mkHost = {
-    name,
-    modules,
-    specialArgs ? {},
-    system ? "x86_64-linux",
-    stateVersion ? "22.11",
-    pkgs,
-    inputs,
-  }:
-    with pkgs.lib;
-      nixosSystem {
-        inherit system specialArgs;
-        modules =
-          [
-            ../modules
-            ../hosts/${name}
-
-            {
-              system.stateVersion = stateVersion;
-              networking.hostName = mkDefault name;
-
-              nixpkgs = {
-                overlays = with inputs; [nur.overlay getchoo.overlays.default];
-                config.allowUnfree = true;
-              };
-              nix.registry.getchoo.flake = inputs.getchoo;
-
-              nixos.enable = true;
-            }
-          ]
-          ++ modules;
-      };
-
-  mapHosts = inputs: let
-    hosts = import ../hosts inputs;
-    inherit (lib.my) mapFilterDirs;
-  in
-    mapFilterDirs ../hosts (n: v: v == "directory" && n != "turret") (name: _:
-      mkHost ({
-          inherit name inputs;
-        }
-        // hosts.${name}));
-}
diff --git a/lib/user.nix b/lib/user.nix
deleted file mode 100644
index 88e466f..0000000
--- a/lib/user.nix
+++ /dev/null
@@ -1,35 +0,0 @@
-{lib}: rec {
-  mkHMUser = {
-    username,
-    pkgs,
-    stateVersion ? "22.11",
-    modules ? [],
-    inputs,
-  }:
-    inputs.home-manager.lib.homeManagerConfiguration {
-      inherit pkgs;
-      modules =
-        [
-          ../users/${username}/home.nix
-          {
-            home = {
-              inherit username stateVersion;
-              homeDirectory = "/home/${username}";
-            };
-
-            programs.home-manager.enable = true;
-          }
-        ]
-        ++ modules;
-    };
-
-  mapHMUsers = inputs: system: let
-    users = import ../users inputs system;
-    inherit (lib.my) mapFilterDirs;
-  in
-    mapFilterDirs ../users (n: v: v == "directory" && n != "secrets") (username: _:
-      mkHMUser ({
-          inherit username inputs;
-        }
-        // users.${username}));
-}
diff --git a/users/_secrets/rootPassword.age b/users/_secrets/rootPassword.age
new file mode 100644
index 0000000..7a2ede3
Binary files /dev/null and b/users/_secrets/rootPassword.age differ
diff --git a/users/_secrets/secrets.nix b/users/_secrets/secrets.nix
new file mode 100644
index 0000000..c85e64a
--- /dev/null
+++ b/users/_secrets/secrets.nix
@@ -0,0 +1,6 @@
+let
+  key = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJ5K+yLHuz4kyCkJDX2Gd/uGVNEJroIAU/h0f9E2Mapn getchoo-nix";
+in {
+  "rootPassword.age".publicKeys = [key];
+  "sethPassword.age".publicKeys = [key];
+}
diff --git a/users/_secrets/sethPassword.age b/users/_secrets/sethPassword.age
new file mode 100644
index 0000000..43040ff
--- /dev/null
+++ b/users/_secrets/sethPassword.age
@@ -0,0 +1,9 @@
+age-encryption.org/v1
+-> ssh-ed25519 I92A3Q q+D1MbCtfpsmJ3RdGSWAJlkA5gKgmly5c+qLG+Hc3x8
+Y33KURx8gx4JD4BnY0YhqUaMewqfl9aumd09Oh+T3hA
+-> &y]9Y:zi-grease
+nOkEeca63qmZNxxQ+zMRUhij/3kthFTt8kGfM7CICkSWnkqCMpjj5rAiEvJvi72y
+qhUBxkMdCn9Obfoa0Ru1bUb1Nrjn0m1BHexk6B4rWsFKMAv61OaNmQUHdDR2X5Wq
+qQ
+--- 0KWr82Hu6LaurOmGtqAeyrygHMh9c5XZsPallag2MCc
+=yýKYév0g<‰|í<Xʶͽ	¶7šûB—÷KÒÚWøP®�Ý�’?Ãô|W„ù
Gª– ÎÞEò¢fè7¥áÅx˜øqqñ/¼Ê[lE„Ú…YŸB±÷Ê¥zPYSu[év¦©Üz^)¶H˜±[1sa>Ê‹©÷á¡*ðÚèä—sÁF
Ö¼N
\ No newline at end of file
diff --git a/users/default.nix b/users/default.nix
index 964fc3d..3fe9d4a 100644
--- a/users/default.nix
+++ b/users/default.nix
@@ -1,11 +1,11 @@
-inputs: system:
+system: inputs:
 with inputs; {
   seth = {
     pkgs = import nixpkgsUnstable {
       inherit system;
       overlays = [nur.overlay getchoo.overlays.default];
     };
-
-    stateVersion = "23.05";
+    modules = [];
+    extraSpecialArgs = {};
   };
 }
diff --git a/users/secrets/rootPassword.age b/users/secrets/rootPassword.age
deleted file mode 100644
index 7a2ede3..0000000
Binary files a/users/secrets/rootPassword.age and /dev/null differ
diff --git a/users/secrets/secrets.nix b/users/secrets/secrets.nix
deleted file mode 100644
index c85e64a..0000000
--- a/users/secrets/secrets.nix
+++ /dev/null
@@ -1,6 +0,0 @@
-let
-  key = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJ5K+yLHuz4kyCkJDX2Gd/uGVNEJroIAU/h0f9E2Mapn getchoo-nix";
-in {
-  "rootPassword.age".publicKeys = [key];
-  "sethPassword.age".publicKeys = [key];
-}
diff --git a/users/secrets/sethPassword.age b/users/secrets/sethPassword.age
deleted file mode 100644
index 43040ff..0000000
--- a/users/secrets/sethPassword.age
+++ /dev/null
@@ -1,9 +0,0 @@
-age-encryption.org/v1
--> ssh-ed25519 I92A3Q q+D1MbCtfpsmJ3RdGSWAJlkA5gKgmly5c+qLG+Hc3x8
-Y33KURx8gx4JD4BnY0YhqUaMewqfl9aumd09Oh+T3hA
--> &y]9Y:zi-grease
-nOkEeca63qmZNxxQ+zMRUhij/3kthFTt8kGfM7CICkSWnkqCMpjj5rAiEvJvi72y
-qhUBxkMdCn9Obfoa0Ru1bUb1Nrjn0m1BHexk6B4rWsFKMAv61OaNmQUHdDR2X5Wq
-qQ
---- 0KWr82Hu6LaurOmGtqAeyrygHMh9c5XZsPallag2MCc
-=yýKYév0g<‰|í<Xʶͽ	¶7šûB—÷KÒÚWøP®�Ý�’?Ãô|W„ù
Gª– ÎÞEò¢fè7¥áÅx˜øqqñ/¼Ê[lE„Ú…YŸB±÷Ê¥zPYSu[év¦©Üz^)¶H˜±[1sa>Ê‹©÷á¡*ðÚèä—sÁF
Ö¼N
\ No newline at end of file
diff --git a/users/seth/home.nix b/users/seth/home.nix
index 239782e..a10f061 100644
--- a/users/seth/home.nix
+++ b/users/seth/home.nix
@@ -8,7 +8,14 @@
     ./shell
   ];
 
+  home = {
+    username = "seth";
+    homeDirectory = "/home/seth";
+    stateVersion = "23.05";
+  };
+
   nix.package = lib.mkDefault pkgs.nixFlakes;
+
   xdg = {
     enable = true;
     configFile."nixpkgs/config.nix".text = ''
@@ -18,5 +25,4 @@
       }
     '';
   };
-  home.stateVersion = "23.05";
 }
-- 
cgit v1.2.3