flake.lock: Update

Flake lock file updates: • Updated input 'home-manager': 'github:nix-community/home-manager/4067ca1ffb6425b8597eafb63a84b171e0192d2b?narHash=sha256-Ok0jocJ82JriaMDtYEytR8oWcxADlX5WcWXULrN4czA%3D' (2025-12-27) → 'github:nix-community/home-manager/d2e0458d6531885600b346e161c38790dc356fa8?narHash=sha256-JR7A2xS3EBPWFeONzhqez5vp7nKEsp7eLj2Ks210Srk%3D' (2025-12-28) • Updated input 'sops-nix': 'github:Mic92/sops-nix/9836912e37aef546029e48c8749834735a6b9dad?narHash=sha256-BOKCwOQQIP4p9z8DasT5r%2Bqjri3x7sPCOq%2BFTjY8Z%2Bo%3D' (2025-12-21) → 'github:Mic92/sops-nix/61b39c7b657081c2adc91b75dd3ad8a91d6f07a7?narHash=sha256-pn8AxxfajqyR/Dmr1wnZYdUXHgM3u6z9x0Z1Ijmz2UQ%3D' (2025-12-28)
monorepo lab stuff, init zen
2026-01-11 21:18:15 -06:00 · 2026-01-11 21:16:35 -06:00 · 2025-12-27 14:26:28 -06:00 · 2025-12-18 00:15:26 -06:00
54 changed files with 67575 additions and 724 deletions
--- a/.sops.yaml
+++ b/.sops.yaml
@ -3,7 +3,7 @@ keys:
  - &t14 age14e2d2y8e2avzfrsyxg9dudxd36svm24t7skw6e969n0c42znlp3shffdtg
  - &consensus age16pdhm238k63uye3rf4cwwe7ddyzds6xj9jv4wpsfggkghyarjqtsjzkxna
  - &oracle1 age12tz2r7clep9e450qhr5a6ctnx29ywmu0llq8uk9kcwhpp82zsa0sk9la9h
-  - &oracle2 age1yar6nyfr5xzy79t54yrcf4sn3qc0689wgtsjv0npzh0nls5cjslsp0qruc
+  - &zen age1nzlng9tw59rxnr86jw330s9z4x28hr394cl2qgktptf8swat23gqahgudw
 creation_rules:
  - path_regex: secrets/[^/]+\.yaml$
    key_groups:
@ -11,4 +11,4 @@ creation_rules:
          - *t14
          - *consensus
          - *oracle1
-          - *oracle2
+          - *zen
--- a/clusters/lab/.sops.yaml
+++ b/clusters/lab/.sops.yaml
@ -0,0 +1,6 @@
+---
+keys:
+  - &t14 age14e2d2y8e2avzfrsyxg9dudxd36svm24t7skw6e969n0c42znlp3shffdtg
+creation_rules:
+  - unencrypted_regex: "^(apiVersion|metadata|kind|type)$"
+    age: *t14
--- a/clusters/lab/adguard/adguard-deployment.yaml
+++ b/clusters/lab/adguard/adguard-deployment.yaml
@ -0,0 +1,92 @@
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: adguard-svc
+  namespace: adguard
+spec:
+  selector:
+    app: adguard
+  ports:
+    - protocol: TCP
+      port: 8082
+      targetPort: 3000
+      name: http-init
+    - protocol: TCP
+      port: 8081
+      targetPort: 80
+      name: http
+    - protocol: TCP
+      port: 53
+      targetPort: 53
+      name: dns-tcp
+    - protocol: UDP
+      port: 53
+      targetPort: 53
+      name: dns-udp
+  type: LoadBalancer
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: adguard
+  namespace: adguard
+spec:
+  selector:
+    matchLabels:
+      app: adguard
+  replicas: 0
+  template:
+    metadata:
+      labels:
+        app: adguard
+    spec:
+      containers:
+        - name: adguard
+          image: adguard/adguardhome:latest
+          imagePullPolicy: IfNotPresent
+          ports:
+            - containerPort: 80
+              name: http
+            - containerPort: 53
+              name: dns
+            - containerPort: 3000
+              name: init
+          volumeMounts:
+            - name: adguard-data
+              mountPath: /opt/adguardhome/work
+            - name: adguard-conf
+              mountPath: /opt/adguardhome/conf
+      volumes:
+        - name: adguard-data
+          persistentVolumeClaim:
+            claimName: adguard-pvc-data
+        - name: adguard-conf
+          persistentVolumeClaim:
+            claimName: adguard-pvc-conf
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: adguard-pvc-conf
+  namespace: adguard
+spec:
+  accessModes:
+    - ReadWriteOnce
+  storageClassName: local-path
+  resources:
+    requests:
+      storage: 1Gi
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: adguard-pvc-data
+  namespace: adguard
+spec:
+  accessModes:
+    - ReadWriteOnce
+  storageClassName: local-path
+  resources:
+    requests:
+      storage: 1Gi
--- a/clusters/lab/adguard/kustomization.yaml
+++ b/clusters/lab/adguard/kustomization.yaml
@ -0,0 +1,6 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: adguard
+resources:
+  # - adguard-deployment.yaml
--- a/clusters/lab/crds/kustomization.yaml
+++ b/clusters/lab/crds/kustomization.yaml
@ -0,0 +1,6 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: kube-system
+resources:
+  - sealed-secrets-release.yaml
--- a/clusters/lab/crds/prometheus-bundle.yaml
+++ b/clusters/lab/crds/prometheus-bundle.yaml
--- a/clusters/lab/crds/sealed-secrets-release.yaml
+++ b/clusters/lab/crds/sealed-secrets-release.yaml
@ -0,0 +1,11 @@
+---
+apiVersion: helm.cattle.io/v1
+kind: HelmChart
+metadata:
+  name: sealed-secrets-controller
+  namespace: kube-system
+spec:
+  repo: https://bitnami-labs.github.io/sealed-secrets
+  chart: sealed-secrets
+  valuesContent: |-
+    fullnameOverride: sealed-secrets-controller
--- a/clusters/lab/eth/kustomization.yaml
+++ b/clusters/lab/eth/kustomization.yaml
@ -0,0 +1,10 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: eth
+resources:
+  # - namespace.yaml
+  # - nethermind-release.yaml
+  # - nimbus-release.yaml
+  # - besu-release.yaml
+  # - mev-boost.yaml
--- a/clusters/lab/eth/mev-boost.yaml
+++ b/clusters/lab/eth/mev-boost.yaml
@ -0,0 +1,45 @@
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: mev-boost
+  namespace: eth
+spec:
+  selector:
+    matchLabels:
+      app.kubernetes.io/app: mev-boost
+  replicas: 1
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/app: mev-boost
+    spec:
+      containers:
+        - name: mev-boost
+          image: "flashbots/mev-boost:1.8"
+          imagePullPolicy: Always
+          ports:
+            - containerPort: 18550
+          args:
+            - "--addr"
+            - "0.0.0.0:18550"
+            - "--min-bid"
+            - "0.05"
+            - "--relay-check"
+            - "--relays"
+            - "https://0xa15b52576bcbf1072f4a011c0f99f9fb6c66f3e1ff321f11f461d15e31b1cb359caa092c71bbded0bae5b5ea401aab7e@aestus.live,https://0xa7ab7a996c8584251c8f925da3170bdfd6ebc75d50f5ddc4050a6fdc77f2a3b5fce2cc750d0865e05d7228af97d69561@agnostic-relay.net"
+            - "--debug"
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: mev-boost
+  namespace: eth
+spec:
+  type: ClusterIP
+  selector:
+    app.kubernetes.io/app: mev-boost
+  ports:
+    - protocol: TCP
+      port: 18550
+      targetPort: 18550
--- a/clusters/lab/eth/namespace.yaml
+++ b/clusters/lab/eth/namespace.yaml
@ -0,0 +1,5 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: eth
--- a/clusters/lab/eth/nethermind-release.yaml
+++ b/clusters/lab/eth/nethermind-release.yaml
@ -0,0 +1,54 @@
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: nethermind-mainnet-pvc
+  namespace: eth
+spec:
+  accessModes:
+    - ReadWriteOnce
+  storageClassName: local-path
+  resources:
+    requests:
+      storage: 1200Gi
+---
+apiVersion: helm.cattle.io/v1
+kind: HelmChart
+metadata:
+  name: nethermind-mainnet
+  namespace: kube-system
+spec:
+  targetNamespace: eth
+  repo: https://ethpandaops.github.io/ethereum-helm-charts/
+  chart: nethermind
+  valuesContent: |-
+    replicas: 1
+    image:
+      pullPolicy: "Always"
+      tag: 1.31.10
+    extraArgs:
+    - "--Network.MaxActivePeers 20"
+    - "--Pruning.CacheMb 4096"
+    - "--Pruning.FullPruningTrigger VolumeFreeSpace"
+    - "--Pruning.FullPruningCompletionBehavior AlwaysShutdown"
+    - "--Init.MemoryHint 4096000000"
+    p2pNodePort:
+      enabled: true
+      port: 30303
+    persistence:
+      enabled: true
+      existingClaim: nethermind-mainnet-pvc
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: nethermind-http-rpc
+  namespace: eth
+spec:
+  type: LoadBalancer
+  selector:
+    app.kubernetes.io/instance: nethermind-mainnet
+  ports:
+    - protocol: TCP
+      port: 8545
+      targetPort: 8545
--- a/clusters/lab/eth/nimbus-release.yaml
+++ b/clusters/lab/eth/nimbus-release.yaml
@ -0,0 +1,57 @@
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: nimbus-mainnet-pvc
+  namespace: eth
+spec:
+  accessModes:
+    - ReadWriteOnce
+  storageClassName: local-path
+  resources:
+    requests:
+      storage: 500Gi
+---
+apiVersion: helm.cattle.io/v1
+kind: HelmChart
+metadata:
+  name: nimbus-mainnet
+  namespace: kube-system
+spec:
+  targetNamespace: eth
+  repo: https://ethpandaops.github.io/ethereum-helm-charts/
+  chart: nimbus
+  valuesContent: |-
+    replicas: 1
+    image:
+      pullPolicy: "Always"
+      tag: "multiarch-v25.5.0"
+    extraArgs:
+    - "--web3-url=http://nethermind-mainnet.eth.svc.cluster.local:8551"
+    - "--payload-builder=true"
+    - "--payload-builder-url=http://mev-boost.eth.svc.cluster.local:18550"
+    - "--max-peers=100"
+    p2pNodePort:
+      enabled: true
+      port: 30001
+    persistence:
+      enabled: true
+      existingClaim: nimbus-mainnet-pvc
+    checkpointSync:
+      enabled: true
+      network: mainnet
+      url: https://mainnet-checkpoint-sync.attestant.io
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: nimbus-http-rpc
+  namespace: eth
+spec:
+  type: LoadBalancer
+  selector:
+    app.kubernetes.io/instance: nimbus-mainnet
+  ports:
+    - protocol: TCP
+      port: 5052
+      targetPort: 5052
--- a/clusters/lab/kustomization.yaml
+++ b/clusters/lab/kustomization.yaml
@ -0,0 +1,14 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+generatorOptions:
+  labels:
+    type: generated
+resources:
+  - crds/
+  - minecraft/
+  - soft-serve/
+  - eth/
+  - unifi/
+  - adguard/
+  - smokeping/
--- a/clusters/lab/minecraft/kiki-minecraft-helm.yaml
+++ b/clusters/lab/minecraft/kiki-minecraft-helm.yaml
@ -0,0 +1,98 @@
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: kiki-mc-world
+  namespace: minecraft
+spec:
+  accessModes:
+    - ReadWriteOnce
+  storageClassName: local-path
+  resources:
+    requests:
+      storage: 5Gi
+---
+apiVersion: helm.cattle.io/v1
+kind: HelmChart
+metadata:
+  name: kiki-minecraft
+  namespace: kube-system
+spec:
+  targetNamespace: minecraft
+  repo: https://itzg.github.io/minecraft-server-charts/
+  chart: minecraft
+  valuesContent: |-
+    image:
+      repository: itzg/minecraft-server
+      tag: latest
+      pullPolicy: Always
+    replicaCount: 1
+    resources:
+      requests:
+        memory: 2000Mi
+        cpu: 1000m
+    strategyType: Recreate
+    nodeSelector: {}
+    tolerations: []
+    affinity: {}
+    securityContext:
+      runAsUser: 1000
+      fsGroup: 1000
+    livenessProbe:
+      command:
+        - mc-health
+      initialDelaySeconds: 30
+      periodSeconds: 5
+      failureThreshold: 20
+      successThreshold: 1
+      timeoutSeconds: 1
+    readinessProbe:
+      command:
+        - mc-health
+      initialDelaySeconds: 30
+      periodSeconds: 5
+      failureThreshold: 20
+      successThreshold: 1
+      timeoutSeconds: 1
+    startupProbe:
+      command:
+        - mc-health
+      enabled: false
+      failureThreshold: 30
+      periodSeconds: 10
+    extraVolumes: []
+    minecraftServer:
+      eula: "TRUE"
+      wersion: "latest"
+      type: "VANILLA"
+      difficulty: normal
+      whitelist: cjriddz,k359
+      ops: cjriddz,k359
+      maxWorldSize: 15000
+      viewDistance: 16
+      motd: "good morning :)"
+      pvp: false
+      levelType: DEFAULT
+      worldSaveName: world
+      forceReDownload: false
+      memory: 2000M
+      serviceAnnotations: {}
+      serviceType: LoadBalancer
+      servicePort: 25566
+      clusterIP:
+      loadBalancerIP:
+      externalIPs:
+      query:
+        enabled: false
+        port: 25566
+      rcon:
+        enabled: true
+        withGeneratedPassword: true
+    envFrom: []
+
+    persistence:
+      annotations: {}
+      storageClass: "longhorn"
+      dataDir:
+        enabled: true
+        existingClaim: kiki-mc-world
--- a/clusters/lab/minecraft/kustomization.yaml
+++ b/clusters/lab/minecraft/kustomization.yaml
@ -0,0 +1,9 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: minecraft
+resources:
+  - minecraft-helm.yaml
+  - kiki-minecraft-helm.yaml
+  # - minecraft-restic-backup.yaml
+  # - minecraft-restic-secrets.yaml.enc
--- a/clusters/lab/minecraft/minecraft-helm.yaml
+++ b/clusters/lab/minecraft/minecraft-helm.yaml
@ -0,0 +1,163 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: minecraft
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: mc-world
+  namespace: minecraft
+spec:
+  accessModes:
+    - ReadWriteOnce
+  storageClassName: local-path
+  resources:
+    requests:
+      storage: 5Gi
+---
+apiVersion: helm.cattle.io/v1
+kind: HelmChart
+metadata:
+  name: minecraft
+  namespace: kube-system
+spec:
+  targetNamespace: minecraft
+  repo: https://itzg.github.io/minecraft-server-charts/
+  chart: minecraft
+  valuesContent: |-
+    image:
+      repository: itzg/minecraft-server
+      tag: java21
+      pullPolicy: Always
+    replicaCount: 1
+    resources:
+      requests:
+        memory: 3000Mi
+        cpu: 1000m
+    strategyType: Recreate
+    nodeSelector: {}
+    tolerations: []
+    affinity: {}
+    securityContext:
+      runAsUser: 1000
+      fsGroup: 1000
+    livenessProbe:
+      command:
+        - mc-health
+      initialDelaySeconds: 30
+      periodSeconds: 5
+      failureThreshold: 20
+      successThreshold: 1
+      timeoutSeconds: 1
+    readinessProbe:
+      command:
+        - mc-health
+      initialDelaySeconds: 30
+      periodSeconds: 5
+      failureThreshold: 20
+      successThreshold: 1
+      timeoutSeconds: 1
+    startupProbe:
+      command:
+        - mc-health
+      enabled: false
+      failureThreshold: 30
+      periodSeconds: 10
+    extraVolumes: []
+    minecraftServer:
+      eula: "TRUE"
+      wersion: "latest"
+      type: "FABRIC"
+      difficulty: normal
+      whitelist: cjriddz,k359,yessorre,ZaltyPretzel,Yessorre,aemdryr
+      ops: cjriddz,k359,yessorre,ZaltyPretzel,Yessorre,aemdryr
+      maxWorldSize: 15000
+      viewDistance: 16
+      motd: "good morning :)"
+      pvp: false
+      levelType: DEFAULT
+      worldSaveName: world-gims-7
+      forceReDownload: false
+      memory: 3000M
+      serviceAnnotations: {}
+      serviceType: LoadBalancer
+      servicePort: 25565
+      clusterIP:
+      loadBalancerIP:
+      externalIPs:
+      query:
+        enabled: false
+        port: 25565
+      rcon:
+        enabled: true
+        withGeneratedPassword: true
+    extraEnv:
+      # https://fabricmc.net/use/server/
+      VERSION_FROM_MODRINTH_PROJECTS: true
+      RCON_CMDS_STARTUP:  |-
+        gamerule playersSleepingPercentage 19
+        gamerule doInsomnia false
+        gamerule mobGriefing false
+      # deprecated mods
+      # incendium:alpha
+      # nullscape
+      # true-ending
+      # upgraded-mobs
+      # spellbound-weapons
+      # neoenchant
+      # lukis-grand-capitals
+      # lukis-crazy-chambers
+      # lukis-ancient-cities
+      # towns-and-towers
+      # dungeons-and-taverns-jungle-temple-overhaul
+      # dungeons-and-taverns-ocean-monument-overhaul
+      # dungeons-and-taverns-woodland-mansion-replacement
+      # dungeons-and-taverns-nether-fortress-overhaul
+      # dungeons-and-taverns-stronghold-overhaul
+      # structory
+      # structory-towers
+      # yggdrasil-structure
+      # hostile-mobs-improve-over-time
+      # beyondenchant
+      # expanded-axe-enchanting
+      # expanded-weapon-enchanting
+      # expanded-bow-enchanting
+      # expanded-armor-enchanting
+      # expanded-trident-enchanting
+      # infinite-trading
+      # healing-campfire
+      # fabric-language-kotlin
+      # cloth-config
+      # owo-lib
+      # cristel-lib
+      # ct-overhaul-village
+      # tectonic
+      # terralith
+      # portfolio
+      # tree-harvester
+      # chunky
+      # ferrite-core
+      # scalablelux
+      # appleskin
+      # inventory-sorting
+      # datapack:health-indicator
+      MODRINTH_PROJECTS: |-
+        fabric-api
+        collective
+        cloth-config
+        lithium
+        c2me-fabric:alpha
+        your-items-are-safe
+        datapack:geophilic
+        dungeons-and-taverns
+        more-mobs
+    envFrom: []
+
+    persistence:
+      annotations: {}
+      storageClass: "longhorn"
+      dataDir:
+        enabled: true
+        existingClaim: mc-world
--- a/clusters/lab/smokeping/kustomization.yaml
+++ b/clusters/lab/smokeping/kustomization.yaml
@ -0,0 +1,6 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: smokeping
+resources:
+  - smokeping-helm.yaml
--- a/clusters/lab/smokeping/smokeping-helm.yaml
+++ b/clusters/lab/smokeping/smokeping-helm.yaml
@ -0,0 +1,40 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: smokeping
+---
+apiVersion: helm.cattle.io/v1
+kind: HelmChart
+metadata:
+  name: smokeping
+  namespace: kube-system
+spec:
+  targetNamespace: smokeping
+  repo: https://nicholaswilde.github.io/helm-charts/
+  chart: smokeping
+  valuesContent: |-
+    image:
+      repository: ghcr.io/linuxserver/smokeping
+      pullPolicy: IfNotPresent
+    env:
+      TZ: "America/Chigaco"
+    ingress:
+      enabled: false
+    persistence:
+      config:
+        enabled: true
+        emptyDir: false
+        mountPath: /config
+        storageClass: local-path
+        accessMode: ReadWriteOnce
+        size: 1Gi
+        skipuninstall: false
+      data:
+        enabled: true
+        emptyDir: false
+        mountPath: /data
+        storageClass: local-path
+        accessMode: ReadWriteOnce
+        size: 1Gi
+        skipuninstall: false
--- a/clusters/lab/soft-serve/kustomization.yaml
+++ b/clusters/lab/soft-serve/kustomization.yaml
@ -0,0 +1,6 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: soft-serve
+resources:
+  # - ss-deployment.yaml
--- a/clusters/lab/soft-serve/ss-deployment.yaml
+++ b/clusters/lab/soft-serve/ss-deployment.yaml
@ -0,0 +1,64 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: soft-serve
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: soft-serve-pvc
+  namespace: soft-serve
+spec:
+  accessModes:
+    - ReadWriteOnce
+  storageClassName: local-path
+  resources:
+    requests:
+      storage: 5Gi
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: soft-serve-svc
+  namespace: soft-serve
+spec:
+  selector:
+    app: soft-serve
+  ports:
+    - protocol: TCP
+      port: 22
+      targetPort: 23231
+  type: LoadBalancer
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: soft-serve
+  namespace: soft-serve
+spec:
+  selector:
+    matchLabels:
+      app: soft-serve
+  replicas: 1
+  template:
+    metadata:
+      labels:
+        app: soft-serve
+    spec:
+      containers:
+        - name: soft-serve
+          image: charmcli/soft-serve:v0.10.0
+          imagePullPolicy: Always
+          ports:
+            - containerPort: 23231
+          volumeMounts:
+            - name: soft-serve-data
+              mountPath: /soft-serve
+          env:
+            - name: SOFT_SERVE_INITIAL_ADMIN_KEYS
+              value: "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHM4Zr0PFN7QdOG2aJ+nuzRCK6caulrpY6bphA1Ppl8Y e@t14"
+      volumes:
+        - name: soft-serve-data
+          persistentVolumeClaim:
+            claimName: soft-serve-pvc
--- a/clusters/lab/unifi/kustomization.yaml
+++ b/clusters/lab/unifi/kustomization.yaml
@ -0,0 +1,6 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: adguard
+resources:
+  - unifi-deployment.yaml
--- a/clusters/lab/unifi/unifi-deployment.yaml
+++ b/clusters/lab/unifi/unifi-deployment.yaml
@ -0,0 +1,75 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: unifi
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: unifi-pvc
+  namespace: unifi
+spec:
+  accessModes:
+    - ReadWriteOnce
+  storageClassName: local-path
+  resources:
+    requests:
+      storage: 5Gi
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: unifi-svc
+  namespace: unifi
+spec:
+  selector:
+    app: unifi
+  ports:
+    - protocol: TCP
+      port: 8443
+      targetPort: 8443
+      name: http
+    - protocol: UDP
+      port: 10001
+      targetPort: 10001
+      name: ap-disc
+    - protocol: TCP
+      port: 8080
+      targetPort: 8080
+      name: adopt
+  type: LoadBalancer
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: unifi
+  namespace: unifi
+spec:
+  selector:
+    matchLabels:
+      app: unifi
+  replicas: 1
+  template:
+    metadata:
+      labels:
+        app: unifi
+    spec:
+      containers:
+        - name: unifi
+          image: lscr.io/linuxserver/unifi-controller:latest
+          imagePullPolicy: Always
+          ports:
+            - containerPort: 8080
+              name: adopt
+            - containerPort: 10001
+              name: ap-disc
+            - containerPort: 8443
+              name: http
+          volumeMounts:
+            - name: unifi-data
+              mountPath: /config
+      volumes:
+        - name: unifi-data
+          persistentVolumeClaim:
+            claimName: unifi-pvc
--- a/flake.lock
+++ b/flake.lock
@ -2,15 +2,15 @@
  "nodes": {
    "dart": {
      "inputs": {
-        "flake-utils": "flake-utils_2",
+        "flake-utils": "flake-utils",
        "nixpkgs": "nixpkgs_4"
      },
      "locked": {
-        "lastModified": 1761202123,
-        "narHash": "sha256-ULrZW4b8SKRvPpJPt8/jkqqc/blQiIWUriNWVXA33so=",
+        "lastModified": 1765140120,
+        "narHash": "sha256-lLY34wnbyzi21zE8i+VM0AoEt67r4aPn/EoaZ8o4NgU=",
        "owner": "iofq",
        "repo": "dart.nvim",
-        "rev": "71421e7ef5aee8267e24dc562fdd07a83bda192e",
+        "rev": "205f809fbb27d56aff22756a97b5ba6f0c7243c3",
        "type": "github"
      },
      "original": {
@ -28,11 +28,11 @@
        "utils": "utils"
      },
      "locked": {
-        "lastModified": 1756719547,
-        "narHash": "sha256-N9gBKUmjwRKPxAafXEk1EGadfk2qDZPBQp4vXWPHINQ=",
+        "lastModified": 1766051518,
+        "narHash": "sha256-znKOwPXQnt3o7lDb3hdf19oDo0BLP4MfBOYiWkEHoik=",
        "owner": "serokell",
        "repo": "deploy-rs",
-        "rev": "125ae9e3ecf62fb2c0fd4f2d894eb971f1ecaed2",
+        "rev": "d5eff7f948535b9c723d60cd8239f8f11ddc90fa",
        "type": "github"
      },
      "original": {
@ -45,21 +45,17 @@
      "inputs": {
        "determinate-nixd-aarch64-darwin": "determinate-nixd-aarch64-darwin",
        "determinate-nixd-aarch64-linux": "determinate-nixd-aarch64-linux",
-        "determinate-nixd-x86_64-darwin": [
-          "determinate",
-          "determinate-nixd-aarch64-darwin"
-        ],
        "determinate-nixd-x86_64-linux": "determinate-nixd-x86_64-linux",
        "nix": "nix",
        "nixpkgs": "nixpkgs_2"
      },
      "locked": {
-        "lastModified": 1761251546,
-        "narHash": "sha256-I/TDYHCKui0K62f2cEk2UJf6N9rO/hdsa65kpEJMhSo=",
-        "rev": "70beec406153496943274f59cb2ded76be49fcd7",
-        "revCount": 306,
+        "lastModified": 1766549083,
+        "narHash": "sha256-G1Hljg7vIBt8n9cxO382YAZWtZU/mYfQcg3icdNG8RQ=",
+        "rev": "ba8999fac986e70f52b4cba15047be7bbb7b6346",
+        "revCount": 318,
        "type": "tarball",
-        "url": "https://api.flakehub.com/f/pinned/DeterminateSystems/determinate/3.12.0/019a12c8-c95c-7c68-8da4-d8cc92608fbf/source.tar.gz"
+        "url": "https://api.flakehub.com/f/pinned/DeterminateSystems/determinate/3.15.1/019b4e8a-dc22-75db-aef5-a447efbb1a13/source.tar.gz"
      },
      "original": {
        "type": "tarball",
@ -69,37 +65,37 @@
    "determinate-nixd-aarch64-darwin": {
      "flake": false,
      "locked": {
-        "narHash": "sha256-TORlljq+wwn8XWLoN0giLY15pNiIAXuU0igpIXjLhMY=",
+        "narHash": "sha256-uWDS94cAYprGj+AwuT42nuuDDicRLj1S0JwalZGeBRU=",
        "type": "file",
-        "url": "https://install.determinate.systems/determinate-nixd/tag/v3.12.0/macOS"
+        "url": "https://install.determinate.systems/determinate-nixd/tag/v3.15.1/macOS"
      },
      "original": {
        "type": "file",
-        "url": "https://install.determinate.systems/determinate-nixd/tag/v3.12.0/macOS"
+        "url": "https://install.determinate.systems/determinate-nixd/tag/v3.15.1/macOS"
      }
    },
    "determinate-nixd-aarch64-linux": {
      "flake": false,
      "locked": {
-        "narHash": "sha256-1HEvUQcG0mVdEQrEqcLEdB9nHpMNbb39bdNxdvyizqk=",
+        "narHash": "sha256-uHBcZCh2/Bj5/88TDihupA336tSQDk7s5lVP66IDAX0=",
        "type": "file",
-        "url": "https://install.determinate.systems/determinate-nixd/tag/v3.12.0/aarch64-linux"
+        "url": "https://install.determinate.systems/determinate-nixd/tag/v3.15.1/aarch64-linux"
      },
      "original": {
        "type": "file",
-        "url": "https://install.determinate.systems/determinate-nixd/tag/v3.12.0/aarch64-linux"
+        "url": "https://install.determinate.systems/determinate-nixd/tag/v3.15.1/aarch64-linux"
      }
    },
    "determinate-nixd-x86_64-linux": {
      "flake": false,
      "locked": {
-        "narHash": "sha256-WrXQbrXVisAdZl/hh49PsErSPHwzks1Vw+O3jarVjDo=",
+        "narHash": "sha256-y+l05H6GNv/1WcrMztDYem8VBWqjc9gNg4WjeQ1PQxo=",
        "type": "file",
-        "url": "https://install.determinate.systems/determinate-nixd/tag/v3.12.0/x86_64-linux"
+        "url": "https://install.determinate.systems/determinate-nixd/tag/v3.15.1/x86_64-linux"
      },
      "original": {
        "type": "file",
-        "url": "https://install.determinate.systems/determinate-nixd/tag/v3.12.0/x86_64-linux"
+        "url": "https://install.determinate.systems/determinate-nixd/tag/v3.15.1/x86_64-linux"
      }
    },
    "flake-compat": {
@ -153,47 +149,15 @@
    "flake-compat_4": {
      "flake": false,
      "locked": {
-        "lastModified": 1747046372,
-        "narHash": "sha256-CIVLLkVgvHYbgI2UpXvIIBJ12HWgX+fjA8Xf8PUmqCY=",
-        "owner": "edolstra",
+        "lastModified": 1767039857,
+        "narHash": "sha256-vNpUSpF5Nuw8xvDLj2KCwwksIbjua2LZCqhV1LNRDns=",
+        "owner": "NixOS",
        "repo": "flake-compat",
-        "rev": "9100a0f413b0c601e0533d1d94ffd501ce2e7885",
+        "rev": "5edf11c44bc78a0d334f6334cdaf7d60d732daab",
        "type": "github"
      },
      "original": {
-        "owner": "edolstra",
-        "repo": "flake-compat",
-        "type": "github"
-      }
-    },
-    "flake-compat_5": {
-      "flake": false,
-      "locked": {
-        "lastModified": 1747046372,
-        "narHash": "sha256-CIVLLkVgvHYbgI2UpXvIIBJ12HWgX+fjA8Xf8PUmqCY=",
-        "owner": "edolstra",
-        "repo": "flake-compat",
-        "rev": "9100a0f413b0c601e0533d1d94ffd501ce2e7885",
-        "type": "github"
-      },
-      "original": {
-        "owner": "edolstra",
-        "repo": "flake-compat",
-        "type": "github"
-      }
-    },
-    "flake-compat_6": {
-      "flake": false,
-      "locked": {
-        "lastModified": 1747046372,
-        "narHash": "sha256-CIVLLkVgvHYbgI2UpXvIIBJ12HWgX+fjA8Xf8PUmqCY=",
-        "owner": "edolstra",
-        "repo": "flake-compat",
-        "rev": "9100a0f413b0c601e0533d1d94ffd501ce2e7885",
-        "type": "github"
-      },
-      "original": {
-        "owner": "edolstra",
+        "owner": "NixOS",
        "repo": "flake-compat",
        "type": "github"
      }
@ -246,11 +210,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1760948891,
-        "narHash": "sha256-TmWcdiUUaWk8J4lpjzu4gCGxWY6/Ok7mOK4fIFfBuU4=",
+        "lastModified": 1767609335,
+        "narHash": "sha256-feveD98mQpptwrAEggBQKJTYbvwwglSbOv53uCfH9PY=",
        "owner": "hercules-ci",
        "repo": "flake-parts",
-        "rev": "864599284fc7c0ba6357ed89ed5e2cd5040f0c04",
+        "rev": "250481aafeb741edfe23d29195671c19b36b6dca",
        "type": "github"
      },
      "original": {
@ -265,7 +229,6 @@
      },
      "locked": {
        "lastModified": 1731533236,
-        "narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=",
        "owner": "numtide",
        "repo": "flake-utils",
        "rev": "11707dc2f618dd54ca8739b309ec4fc024de578b",
@ -281,23 +244,6 @@
      "inputs": {
        "systems": "systems_3"
      },
-      "locked": {
-        "lastModified": 1731533236,
-        "owner": "numtide",
-        "repo": "flake-utils",
-        "rev": "11707dc2f618dd54ca8739b309ec4fc024de578b",
-        "type": "github"
-      },
-      "original": {
-        "owner": "numtide",
-        "repo": "flake-utils",
-        "type": "github"
-      }
-    },
-    "flake-utils_3": {
-      "inputs": {
-        "systems": "systems_4"
-      },
      "locked": {
        "lastModified": 1731533236,
        "narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=",
@ -345,7 +291,7 @@
          "gen-luarc",
          "nixpkgs"
        ],
-        "nixpkgs-stable": "nixpkgs-stable"
+        "nixpkgs-stable": "nixpkgs-stable_2"
      },
      "locked": {
        "lastModified": 1723803910,
@ -387,30 +333,6 @@
        "url": "https://flakehub.com/f/cachix/git-hooks.nix/0.1.941"
      }
    },
-    "git-hooks_2": {
-      "inputs": {
-        "flake-compat": "flake-compat_5",
-        "gitignore": "gitignore_2",
-        "nixpkgs": [
-          "nvim",
-          "neovim-nightly-overlay",
-          "nixpkgs"
-        ]
-      },
-      "locked": {
-        "lastModified": 1760663237,
-        "narHash": "sha256-BflA6U4AM1bzuRMR8QqzPXqh8sWVCNDzOdsxXEguJIc=",
-        "owner": "cachix",
-        "repo": "git-hooks.nix",
-        "rev": "ca5b894d3e3e151ffc1db040b6ce4dcc75d31c37",
-        "type": "github"
-      },
-      "original": {
-        "owner": "cachix",
-        "repo": "git-hooks.nix",
-        "type": "github"
-      }
-    },
    "gitignore": {
      "inputs": {
        "nixpkgs": [
@ -435,29 +357,6 @@
      }
    },
    "gitignore_2": {
-      "inputs": {
-        "nixpkgs": [
-          "nvim",
-          "neovim-nightly-overlay",
-          "git-hooks",
-          "nixpkgs"
-        ]
-      },
-      "locked": {
-        "lastModified": 1709087332,
-        "narHash": "sha256-HG2cCnktfHsKV0s4XW83gU3F57gaTljL9KNSuG6bnQs=",
-        "owner": "hercules-ci",
-        "repo": "gitignore.nix",
-        "rev": "637db329424fd7e46cf4185293b9cc8c88c95394",
-        "type": "github"
-      },
-      "original": {
-        "owner": "hercules-ci",
-        "repo": "gitignore.nix",
-        "type": "github"
-      }
-    },
-    "gitignore_3": {
      "inputs": {
        "nixpkgs": [
          "pre-commit-hooks",
@ -478,33 +377,6 @@
        "type": "github"
      }
    },
-    "hercules-ci-effects": {
-      "inputs": {
-        "flake-parts": [
-          "nvim",
-          "neovim-nightly-overlay",
-          "flake-parts"
-        ],
-        "nixpkgs": [
-          "nvim",
-          "neovim-nightly-overlay",
-          "nixpkgs"
-        ]
-      },
-      "locked": {
-        "lastModified": 1761230615,
-        "narHash": "sha256-pLE7U5gOtlA/2wbKCsVRYf5DqMQ5TWBCrCfZGytDDeo=",
-        "owner": "hercules-ci",
-        "repo": "hercules-ci-effects",
-        "rev": "7db2b867219a26781437d840ce457b75b7645154",
-        "type": "github"
-      },
-      "original": {
-        "owner": "hercules-ci",
-        "repo": "hercules-ci-effects",
-        "type": "github"
-      }
-    },
    "home-manager": {
      "inputs": {
        "nixpkgs": [
@ -512,11 +384,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1762146130,
-        "narHash": "sha256-/XOEA0a61fZ45i/BpaSsyLNNbw/yKwjMbkB/IWSGLzU=",
+        "lastModified": 1768068402,
+        "narHash": "sha256-bAXnnJZKJiF7Xr6eNW6+PhBf1lg2P1aFUO9+xgWkXfA=",
        "owner": "nix-community",
        "repo": "home-manager",
-        "rev": "b5ed4afc2277339bdf0e9edf59befff7350cf075",
+        "rev": "8bc5473b6bc2b6e1529a9c4040411e1199c43b4c",
        "type": "github"
      },
      "original": {
@ -544,18 +416,17 @@
    },
    "microvm": {
      "inputs": {
-        "flake-utils": "flake-utils",
        "nixpkgs": [
          "nixpkgs"
        ],
        "spectrum": "spectrum"
      },
      "locked": {
-        "lastModified": 1762030278,
-        "narHash": "sha256-7p3blvxYNqOHQqpW4+MzcwxLh0ur0QtNXzNuquDyDxQ=",
+        "lastModified": 1768085909,
+        "narHash": "sha256-VmLSHlimAq+em9rXX9YhBS0Shu5MBCAQi2Kd//8OOgQ=",
        "owner": "microvm-nix",
        "repo": "microvm.nix",
-        "rev": "062a1d49f12d194855dbb87285a323f58ddfa725",
+        "rev": "4f267df275361406cda9a3f8e349035be207b307",
        "type": "github"
      },
      "original": {
@ -566,23 +437,19 @@
    },
    "neovim-nightly-overlay": {
      "inputs": {
-        "flake-compat": "flake-compat_4",
        "flake-parts": "flake-parts_3",
-        "git-hooks": "git-hooks_2",
-        "hercules-ci-effects": "hercules-ci-effects",
        "neovim-src": "neovim-src",
        "nixpkgs": [
          "nvim",
          "nixpkgs"
-        ],
-        "treefmt-nix": "treefmt-nix"
+        ]
      },
      "locked": {
-        "lastModified": 1761437965,
-        "narHash": "sha256-X4SNeOXdFkE7Gt+waO5ck3TqfqWskqJHxt1WIu3nnUQ=",
+        "lastModified": 1768003501,
+        "narHash": "sha256-pxxUR3VRDcDpMgF1qb9FnlHAEOGi24bk6pdB1QzL1II=",
        "owner": "nix-community",
        "repo": "neovim-nightly-overlay",
-        "rev": "21595d9f79b5da0eef177dcfdd84ca981ac253a9",
+        "rev": "d31b28318affe5d58ef12e7f72a7adfa66930a7a",
        "type": "github"
      },
      "original": {
@ -594,11 +461,11 @@
    "neovim-src": {
      "flake": false,
      "locked": {
-        "lastModified": 1761434579,
-        "narHash": "sha256-S+YmbP/bPETjKk6B/tlh+jwIH7K7iPoXyHLLwTqVOhk=",
+        "lastModified": 1768000044,
+        "narHash": "sha256-hcdQHR8l8oZDIl0vXKNtbrN+32dTs9EYvlqppoHgG2k=",
        "owner": "neovim",
        "repo": "neovim",
-        "rev": "a121ede1bfee2704c26159124f8f61f96c6aa136",
+        "rev": "930817f1009d9d392103b5440e2503cb47fdacc0",
        "type": "github"
      },
      "original": {
@ -616,12 +483,12 @@
        "nixpkgs-regression": "nixpkgs-regression"
      },
      "locked": {
-        "lastModified": 1761238235,
-        "narHash": "sha256-BvEZ31+FQKJz2XH8PTXpJqGZ1eT9bhMQ2wBj2ehBYvM=",
-        "rev": "9512828397f684d0f732ea76b7631f69a0db34f7",
-        "revCount": 23138,
+        "lastModified": 1766546676,
+        "narHash": "sha256-GsC52VFF9Gi2pgP/haQyPdQoF5Qe2myk1tsPcuJZI28=",
+        "rev": "51dacdd248e8071cd0243a8245c8c42ac1f33307",
+        "revCount": 24299,
        "type": "tarball",
-        "url": "https://api.flakehub.com/f/pinned/DeterminateSystems/nix-src/3.12.0/019a1277-d4c6-7dca-9d55-ee5165fd0bf6/source.tar.gz"
+        "url": "https://api.flakehub.com/f/pinned/DeterminateSystems/nix-src/3.15.1/019b4e84-d036-75db-b6c6-6bc2e2035c53/source.tar.gz"
      },
      "original": {
        "type": "tarball",
@ -635,11 +502,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1762055842,
-        "narHash": "sha256-Pu1v3mlFhRzZiSxVHb2/i/f5yeYyRNqr0RvEUJ4UgHo=",
+        "lastModified": 1765267181,
+        "narHash": "sha256-d3NBA9zEtBu2JFMnTBqWj7Tmi7R5OikoU2ycrdhQEws=",
        "owner": "nix-community",
        "repo": "nix-index-database",
-        "rev": "359ff6333a7b0b60819d4c20ed05a3a1f726771f",
+        "rev": "82befcf7dc77c909b0f2a09f5da910ec95c5b78f",
        "type": "github"
      },
      "original": {
@ -650,11 +517,11 @@
    },
    "nixos-hardware": {
      "locked": {
-        "lastModified": 1761933221,
-        "narHash": "sha256-rNHeoG3ZrA94jczyLSjxCtu67YYPYIlXXr0uhG3wNxM=",
+        "lastModified": 1767185284,
+        "narHash": "sha256-ljDBUDpD1Cg5n3mJI81Hz5qeZAwCGxon4kQW3Ho3+6Q=",
        "owner": "NixOS",
        "repo": "nixos-hardware",
-        "rev": "7467f155fcba189eb088a7601f44fbef7688669b",
+        "rev": "40b1a28dce561bea34858287fbb23052c3ee63fe",
        "type": "github"
      },
      "original": {
@ -665,12 +532,12 @@
    },
    "nixpkgs": {
      "locked": {
-        "lastModified": 1755922037,
-        "narHash": "sha256-wY1+2JPH0ZZC4BQefoZw/k+3+DowFyfOxv17CN/idKs=",
-        "rev": "b1b3291469652d5a2edb0becc4ef0246fff97a7c",
-        "revCount": 808723,
+        "lastModified": 1761597516,
+        "narHash": "sha256-wxX7u6D2rpkJLWkZ2E932SIvDJW8+ON/0Yy8+a5vsDU=",
+        "rev": "daf6dc47aa4b44791372d6139ab7b25269184d55",
+        "revCount": 811874,
        "type": "tarball",
-        "url": "https://api.flakehub.com/f/pinned/NixOS/nixpkgs/0.2505.808723%2Brev-b1b3291469652d5a2edb0becc4ef0246fff97a7c/0198daf7-011a-7703-95d7-57146e794342/source.tar.gz"
+        "url": "https://api.flakehub.com/f/pinned/NixOS/nixpkgs/0.2505.811874%2Brev-daf6dc47aa4b44791372d6139ab7b25269184d55/019a3494-3498-707e-9086-1fb81badc7fe/source.tar.gz"
      },
      "original": {
        "type": "tarball",
@ -722,6 +589,22 @@
      }
    },
    "nixpkgs-stable": {
+      "locked": {
+        "lastModified": 1768028080,
+        "narHash": "sha256-50aDK+8eLvsLK39TzQhKNq50/HcXyP4hyxOYoPoVxjo=",
+        "owner": "nixos",
+        "repo": "nixpkgs",
+        "rev": "d03088749a110d52a4739348f39a63f84bb0be14",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nixos",
+        "ref": "nixos-25.11",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
+    "nixpkgs-stable_2": {
      "locked": {
        "lastModified": 1720386169,
        "narHash": "sha256-NGKVY4PjzwAa4upkGtAMz1npHGoRzWotlSnVlqI40mo=",
@ -739,12 +622,12 @@
    },
    "nixpkgs_2": {
      "locked": {
-        "lastModified": 1760965567,
-        "narHash": "sha256-0JDOal5P7xzzAibvD0yTE3ptyvoVOAL0rcELmDdtSKg=",
-        "rev": "cb82756ecc37fa623f8cf3e88854f9bf7f64af93",
-        "revCount": 880602,
+        "lastModified": 1766314097,
+        "narHash": "sha256-laJftWbghBehazn/zxVJ8NdENVgjccsWAdAqKXhErrM=",
+        "rev": "306ea70f9eb0fb4e040f8540e2deab32ed7e2055",
+        "revCount": 914780,
        "type": "tarball",
-        "url": "https://api.flakehub.com/f/pinned/DeterminateSystems/nixpkgs-weekly/0.1.880602%2Brev-cb82756ecc37fa623f8cf3e88854f9bf7f64af93/019a0545-358b-78f4-97fe-88a7820eac2f/source.tar.gz"
+        "url": "https://api.flakehub.com/f/pinned/DeterminateSystems/nixpkgs-weekly/0.1.914780%2Brev-306ea70f9eb0fb4e040f8540e2deab32ed7e2055/019b49b8-ed0f-724e-bdaf-5fd90cc1c590/source.tar.gz"
      },
      "original": {
        "type": "tarball",
@ -753,11 +636,11 @@
    },
    "nixpkgs_3": {
      "locked": {
-        "lastModified": 1761907660,
-        "narHash": "sha256-kJ8lIZsiPOmbkJypG+B5sReDXSD1KGu2VEPNqhRa/ew=",
+        "lastModified": 1768127708,
+        "narHash": "sha256-1Sm77VfZh3mU0F5OqKABNLWxOuDeHIlcFjsXeeiPazs=",
        "owner": "nixos",
        "repo": "nixpkgs",
-        "rev": "2fb006b87f04c4d3bdf08cfdbc7fab9c13d94a15",
+        "rev": "ffbc9f8cbaacfb331b6017d5a5abb21a492c9a38",
        "type": "github"
      },
      "original": {
@ -782,112 +665,41 @@
        "type": "github"
      }
    },
-    "nixpkgs_5": {
-      "locked": {
-        "lastModified": 1761114652,
-        "narHash": "sha256-f/QCJM/YhrV/lavyCVz8iU3rlZun6d+dAiC3H+CDle4=",
-        "owner": "nixos",
-        "repo": "nixpkgs",
-        "rev": "01f116e4df6a15f4ccdffb1bcd41096869fb385c",
-        "type": "github"
-      },
-      "original": {
-        "owner": "nixos",
-        "ref": "nixos-unstable",
-        "repo": "nixpkgs",
-        "type": "github"
-      }
-    },
    "nvim": {
      "inputs": {
        "dart": "dart",
-        "flake-utils": "flake-utils_3",
+        "flake-utils": "flake-utils_2",
        "gen-luarc": "gen-luarc",
        "neovim-nightly-overlay": "neovim-nightly-overlay",
-        "nixpkgs": [
-          "nixpkgs"
-        ],
-        "nvim-treesitter-main": "nvim-treesitter-main"
-      },
-      "locked": {
-        "lastModified": 1762153921,
-        "narHash": "sha256-jLhCBoZ1sQEajCTK79BFb2n9CUgPk9u98EQOV4XFZhM=",
-        "path": "/home/e/dev/nvim.nix",
-        "type": "path"
-      },
-      "original": {
-        "path": "/home/e/dev/nvim.nix",
-        "type": "path"
-      }
-    },
-    "nvim-treesitter": {
-      "flake": false,
-      "locked": {
-        "lastModified": 1761385693,
-        "narHash": "sha256-/SGikTPEMxI7rcfGvuJlNZs73/wZiQx14QX9xlfsTv0=",
-        "owner": "nvim-treesitter",
-        "repo": "nvim-treesitter",
-        "rev": "98fe644cb3b5ba390d1bc3f89299f93c70020803",
-        "type": "github"
-      },
-      "original": {
-        "owner": "nvim-treesitter",
-        "ref": "main",
-        "repo": "nvim-treesitter",
-        "type": "github"
-      }
-    },
-    "nvim-treesitter-main": {
-      "inputs": {
-        "nixpkgs": "nixpkgs_5",
-        "nvim-treesitter": "nvim-treesitter",
-        "nvim-treesitter-textobjects": "nvim-treesitter-textobjects"
-      },
-      "locked": {
-        "lastModified": 1761496664,
-        "narHash": "sha256-xTQUiJu0jJNSEHEv4La1HbaFokup0eWr67Kqf/wDENA=",
-        "owner": "iofq",
-        "repo": "nvim-treesitter-main",
-        "rev": "834d66648bb7a96a2ad11d53a33f2d9b13766447",
-        "type": "github"
-      },
-      "original": {
-        "owner": "iofq",
-        "repo": "nvim-treesitter-main",
-        "type": "github"
-      }
-    },
-    "nvim-treesitter-textobjects": {
-      "flake": false,
-      "locked": {
-        "lastModified": 1756368113,
-        "narHash": "sha256-+KmOpRi4JAqm6UqYdtk80jwFrJhLCs0lZM/Liofq0R4=",
-        "owner": "nvim-treesitter",
-        "repo": "nvim-treesitter-textobjects",
-        "rev": "1b2d85d3de6114c4bcea89ffb2cd1ce9e3a19931",
-        "type": "github"
-      },
-      "original": {
-        "owner": "nvim-treesitter",
-        "ref": "main",
-        "repo": "nvim-treesitter-textobjects",
-        "type": "github"
-      }
-    },
-    "pre-commit-hooks": {
-      "inputs": {
-        "flake-compat": "flake-compat_6",
-        "gitignore": "gitignore_3",
        "nixpkgs": [
          "nixpkgs"
        ]
      },
      "locked": {
-        "lastModified": 1760663237,
-        "narHash": "sha256-BflA6U4AM1bzuRMR8QqzPXqh8sWVCNDzOdsxXEguJIc=",
+        "lastModified": 1768164266,
+        "narHash": "sha256-HKxy//xkB/NIm1rURS1EUU/kgrH4ZgvehgB1lekJuVg=",
+        "path": "/home/e/dev/nvim.nix",
+        "type": "path"
+      },
+      "original": {
+        "path": "/home/e/dev/nvim.nix",
+        "type": "path"
+      }
+    },
+    "pre-commit-hooks": {
+      "inputs": {
+        "flake-compat": "flake-compat_4",
+        "gitignore": "gitignore_2",
+        "nixpkgs": [
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1767281941,
+        "narHash": "sha256-6MkqajPICgugsuZ92OMoQcgSHnD6sJHwk8AxvMcIgTE=",
        "owner": "cachix",
        "repo": "pre-commit-hooks.nix",
-        "rev": "ca5b894d3e3e151ffc1db040b6ce4dcc75d31c37",
+        "rev": "f0927703b7b1c8d97511c4116eb9b4ec6645a0fa",
        "type": "github"
      },
      "original": {
@ -905,11 +717,12 @@
        "nix-index-database": "nix-index-database",
        "nixos-hardware": "nixos-hardware",
        "nixpkgs": "nixpkgs_3",
+        "nixpkgs-stable": "nixpkgs-stable",
        "nvim": "nvim",
        "pre-commit-hooks": "pre-commit-hooks",
        "sops-nix": "sops-nix",
-        "systems": "systems_5",
-        "treefmt-nix": "treefmt-nix_2"
+        "systems": "systems_4",
+        "treefmt-nix": "treefmt-nix"
      }
    },
    "sops-nix": {
@ -919,11 +732,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1760998189,
-        "narHash": "sha256-ee2e1/AeGL5X8oy/HXsZQvZnae6XfEVdstGopKucYLY=",
+        "lastModified": 1768104471,
+        "narHash": "sha256-HdnXWQsA1EI27IJlaENUEEug58trUrh6+MT0cFiDHmY=",
        "owner": "Mic92",
        "repo": "sops-nix",
-        "rev": "5a7d18b5c55642df5c432aadb757140edfeb70b3",
+        "rev": "94f9cbd20f680ebb2ad6cdf39da97cbcfaedf004",
        "type": "github"
      },
      "original": {
@ -1008,55 +821,18 @@
        "type": "github"
      }
    },
-    "systems_5": {
-      "locked": {
-        "lastModified": 1681028828,
-        "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
-        "owner": "nix-systems",
-        "repo": "default",
-        "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
-        "type": "github"
-      },
-      "original": {
-        "owner": "nix-systems",
-        "repo": "default",
-        "type": "github"
-      }
-    },
    "treefmt-nix": {
      "inputs": {
        "nixpkgs": [
-          "nvim",
-          "neovim-nightly-overlay",
          "nixpkgs"
        ]
      },
      "locked": {
-        "lastModified": 1761311587,
-        "narHash": "sha256-Msq86cR5SjozQGCnC6H8C+0cD4rnx91BPltZ9KK613Y=",
+        "lastModified": 1768158989,
+        "narHash": "sha256-67vyT1+xClLldnumAzCTBvU0jLZ1YBcf4vANRWP3+Ak=",
        "owner": "numtide",
        "repo": "treefmt-nix",
-        "rev": "2eddae033e4e74bf581c2d1dfa101f9033dbd2dc",
-        "type": "github"
-      },
-      "original": {
-        "owner": "numtide",
-        "repo": "treefmt-nix",
-        "type": "github"
-      }
-    },
-    "treefmt-nix_2": {
-      "inputs": {
-        "nixpkgs": [
-          "nixpkgs"
-        ]
-      },
-      "locked": {
-        "lastModified": 1761311587,
-        "narHash": "sha256-Msq86cR5SjozQGCnC6H8C+0cD4rnx91BPltZ9KK613Y=",
-        "owner": "numtide",
-        "repo": "treefmt-nix",
-        "rev": "2eddae033e4e74bf581c2d1dfa101f9033dbd2dc",
+        "rev": "e96d59dff5c0d7fddb9d113ba108f03c3ef99eca",
        "type": "github"
      },
      "original": {
--- a/flake.nix
+++ b/flake.nix
@ -3,6 +3,7 @@
  inputs = {
    nixos-hardware.url = "github:NixOS/nixos-hardware";
    nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable";
+    nixpkgs-stable.url = "github:nixos/nixpkgs/nixos-25.11";
    pre-commit-hooks = {
      url = "github:cachix/pre-commit-hooks.nix";
      inputs.nixpkgs.follows = "nixpkgs";
@ -45,6 +46,7 @@
    {
      self,
      nixpkgs,
+      nixpkgs-stable,
      systems,
      ...
    }@inputs:
@ -61,6 +63,10 @@
          (import ./pkgs/overlay.nix)
        ];
      };
+      pkgs-stable = import nixpkgs-stable {
+        inherit system;
+        config.allowUnfree = true;
+      };
      eachSystem = f: nixpkgs.lib.genAttrs (import systems) (system: f nixpkgs.legacyPackages.${system});
      treefmtEval = eachSystem (pkgs: inputs.treefmt-nix.lib.evalModule pkgs ./treefmt.nix);
    in
@ -69,6 +75,7 @@
        inherit
          inputs
          pkgs
+          pkgs-stable
          attrs
          system
          ;
@ -83,54 +90,27 @@
          };
        };
      };
-      deploy.nodes = {
-        consensus = {
-          hostname = "consensus";
-          sshUser = "root";
-          remoteBuild = true;
-          profiles.system = {
-            user = "root";
-            path = inputs.deploy-rs.lib.${system}.activate.nixos self.nixosConfigurations.consensus;
-          };
-        };
-        oracle1 = {
-          hostname = "oracle1";
-          sshUser = "root";
-          sshOpts = [
-            "-p"
-            "2022"
-          ];
-          remoteBuild = false;
-          profiles.system = {
-            user = "root";
-            path = inputs.deploy-rs.lib.${system}.activate.nixos self.nixosConfigurations.oracle1;
-          };
-        };
-        oracle2 = {
-          hostname = "oracle2";
-          sshUser = "root";
-          sshOpts = [
-            "-p"
-            "2022"
-          ];
-          remoteBuild = false;
-          profiles.system = {
-            user = "root";
-            path = inputs.deploy-rs.lib.${system}.activate.nixos self.nixosConfigurations.oracle2;
-          };
-        };
-      };
+      deploy.nodes = import ./fleet.nix { inherit inputs self system; };
      formatter = eachSystem (pkgs: treefmtEval.${pkgs.system}.config.build.wrapper);
      devShells.${system}.default = pkgs.mkShell {
        inherit (self.checks.pre-commit-check) shellHook;
-        buildInputs = [
-          pkgs.home-manager
-          pkgs.git
-          pkgs.ssh-to-age
-          pkgs.sops
-          pkgs.age
-          pkgs.deploy-rs
+        buildInputs = with pkgs; [
+          age
+          deploy-rs
+          git
+          home-manager
+          k9s
+          kubectl
+          kubeseal
+          sops
+          ssh-to-age
          treefmtEval.${system}.config.build.wrapper
+          velero
+          (pkgs.writeShellScriptBin "deploy-k8s" ''
+            cd $(git rev-parse --show-toplevel)
+            kubectl config use-context lab
+            kubectl apply -k ./clusters/lab
+          '')
        ];
      };
    };
--- a/fleet.nix
+++ b/fleet.nix
@ -0,0 +1,33 @@
+{inputs, system, self}: {
+  consensus = {
+    hostname = "consensus";
+    sshUser = "root";
+    remoteBuild = false;
+    profiles.system = {
+      user = "root";
+      path = inputs.deploy-rs.lib.${system}.activate.nixos self.nixosConfigurations.consensus;
+    };
+  };
+  zen = {
+    hostname = "192.168.1.148";
+    sshUser = "root";
+    remoteBuild = false;
+    profiles.system = {
+      user = "root";
+      path = inputs.deploy-rs.lib.${system}.activate.nixos self.nixosConfigurations.zen;
+    };
+  };
+  oracle1 = {
+    hostname = "oracle1";
+    sshUser = "root";
+    sshOpts = [
+      "-p"
+      "2022"
+    ];
+    remoteBuild = false;
+    profiles.system = {
+      user = "root";
+      path = inputs.deploy-rs.lib.${system}.activate.nixos self.nixosConfigurations.oracle1;
+    };
+  };
+}
--- a/home-manager/t14/home.nix
+++ b/home-manager/t14/home.nix
@ -56,12 +56,6 @@
        user = "root";
        identityFile = "/home/e/.ssh/id_ed25519";
      };
-      "oracle2" = {
-        port = 2022;
-        hostname = "oracle2";
-        user = "root";
-        identityFile = "/home/e/.ssh/id_ed25519";
-      };
      "10110110.xyz" = {
        port = 22;
        hostname = "10110110.xyz";
--- a/nixos/configuration.nix
+++ b/nixos/configuration.nix
@ -1,66 +1,7 @@
 {
-  inputs,
-  pkgs,
-  host,
+  lib,
  ...
 }:
 {
-  # Create plugdev group
-  networking.hostName = host.hostName;
-  time.timeZone = "America/Chicago";
-  users = {
-    groups.plugdev = { };
-    groups.${host.username} = { };
-    users.${host.username} = {
-      isNormalUser = true;
-      group = "${host.username}";
-      extraGroups = [
-        "wheel"
-        "plugdev"
-        "video"
-        "adbusers"
-        "network"
-      ];
-    };
-  };
-  programs = {
-    nix-index = {
-      enableBashIntegration = false;
-      enableZshIntegration = false;
-    };
-    nix-index-database.comma.enable = true;
-  };
-
-  # Enable flakes and unfree packages
-  nix = {
-    package = pkgs.nixVersions.nix_2_31; # https://github.com/serokell/deploy-rs/issues/340
-    registry.nixpkgs.flake = inputs.nixpkgs;
-    settings = {
-      auto-optimise-store = true;
-      substituters = [
-        "https://nix-community.cachix.org"
-        "https://install.determinate.systems"
-        "https://nvim-treesitter-main.cachix.org"
-      ];
-      trusted-public-keys = [
-        "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
-        "cache.flakehub.com-3:hJuILl5sVK4iKm86JzgdXW12Y2Hwd5G07qKtHTOcDCM="
-        "nvim-treesitter-main.cachix.org-1:cbwE6blfW5+BkXXyeAXoVSu1gliqPLHo2m98E4hWfZQ="
-      ];
-      trusted-users = [ host.username ];
-      experimental-features = [
-        "nix-command"
-        "flakes"
-      ];
-      # lazy-trees = true; # https://github.com/serokell/deploy-rs/issues/340
-    };
-    channel.enable = false;
-    nixPath = [ "nixpkgs=flake:nixpkgs" ];
-    gc = {
-      automatic = true;
-      dates = "00:00";
-      options = "--delete-older-than 14d";
-    };
-  };
-  security.sudo-rs.enable = true;
+  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
 }
--- a/nixos/consensus/backups.nix
+++ b/nixos/consensus/backups.nix
@ -16,13 +16,13 @@
      passwordFile = config.sops.secrets."b2-immich/password".path;

      paths = [
-        "/srv/immich"
+        "/rice/immich"
      ];
      timerConfig = {
        OnCalendar = "06:00";
      };
      pruneOpts = [
-        "--keep-daily 14"
+        "--keep-daily 31"
        "--keep-monthly 6"
        "--keep-yearly 1"
      ];
--- a/nixos/consensus/configuration.nix
+++ b/nixos/consensus/configuration.nix
@ -1,6 +1,6 @@
 {
-  lib,
  pkgs,
+  pkgs-unstable,
  config,
  ...
 }:
@ -16,105 +16,57 @@
      };
    };
  };
-  documentation = {
-    enable = lib.mkDefault false;
-    info.enable = lib.mkDefault false;
-    man.enable = lib.mkDefault false;
-    nixos.enable = lib.mkDefault false;
-  };
  environment.systemPackages = with pkgs; [
    git
    vim
    docker-compose
    tmux
  ];
+  system-net.openssh.ports = [2022];
  services = {
-    # zfs.autoScrub.enable = true;
-    # zfs.autoSnapshot.enable = true;
+    zfs.autoScrub.enable = true;
+    zfs.autoSnapshot.enable = true;
    fstrim.enable = true;
-    tailscale.enable = true;
+    nfs.server = {
+      enable = true;
+      exports = ''
+        /rice 192.168.1.0/24(rw,fsid=0,no_subtree_check) 100.87.58.70(rw,fsid=0,no_subtree_check)
+      '';
+    };
    k3s = {
      enable = true;
      role = "server";
      extraFlags = toString [
        "--disable=traefik"
-      ];
-    };
-    fail2ban = {
-      enable = true;
-      maxretry = 5;
-      bantime = "1h";
-      ignoreIP = [
-        "172.16.0.0/12"
-        "192.168.0.0/16"
-        "10.0.0.0/8"
-        "tailc353f.ts.net"
-      ];
-
-      bantime-increment = {
-        enable = true;
-        multipliers = "1 2 4 8 16 32 64 128 256";
-        maxtime = "24h";
-        overalljails = true;
-      };
-    };
-    openssh = {
-      enable = true;
-      ports = [ 2022 ];
-      settings = {
-        PasswordAuthentication = false;
-        PermitRootLogin = "prohibit-password";
-        PermitEmptyPasswords = false;
-        PermitTunnel = false;
-        UseDns = false;
-        KbdInteractiveAuthentication = false;
-        X11Forwarding = false;
-        MaxAuthTries = 3;
-        MaxSessions = 2;
-        ClientAliveInterval = 300;
-        ClientAliveCountMax = 0;
-        TCPKeepAlive = false;
-        AllowTcpForwarding = false;
-        AllowAgentForwarding = false;
-        LogLevel = "VERBOSE";
-      };
-      hostKeys = [
-        {
-          path = "/etc/ssh/ssh_host_ed25519_key";
-          type = "ed25519";
-        }
+        "--flannel-iface=tailscale0"
      ];
    };
    immich = {
-      enable = false;
+      enable = true;
+      package = pkgs-unstable.immich;
      port = 2283;
      host = "localhost";
      openFirewall = true;
      machine-learning.enable = true;
-      mediaLocation = "/srv/immich";
+      mediaLocation = "/rice/immich";
+      accelerationDevices = null;
    };
    nginx = {
      enable = true;
-      # virtualHosts."img.10110110.xyz" = {
-      #   forceSSL = true;
-      #   useACMEHost = "10110110.xyz";
-      #   locations."/" = {
-      #     proxyPass = "http://localhost:${toString config.services.immich.port}";
-      #     proxyWebsockets = true;
-      #     recommendedProxySettings = true;
-      #     extraConfig = ''
-      #       client_max_body_size 50000M;
-      #       proxy_read_timeout   600s;
-      #       proxy_send_timeout   600s;
-      #       send_timeout         600s;
-      #     '';
-      #   };
-      # };
-      virtualHosts."fs.10110110.xyz" = {
+      virtualHosts."img.10110110.xyz" = {
        forceSSL = true;
        useACMEHost = "10110110.xyz";
-        root = "/var/www/nginx";
-        extraConfig = "autoindex on;";
+        locations."/" = {
+          proxyPass = "http://localhost:${toString config.services.immich.port}";
+          proxyWebsockets = true;
+          recommendedProxySettings = true;
+          extraConfig = ''
+            client_max_body_size 50000M;
+            proxy_read_timeout   600s;
+            proxy_send_timeout   600s;
+            send_timeout         600s;
+          '';
+        };
      };
    };
  };
@ -122,64 +74,44 @@
    kernel.sysctl = {
      "vm.swappiness" = 6;
    };
-    tmp.cleanOnBoot = true;
-    # supportedFilesystems = ["zfs"];
-    # zfs.forceImportRoot = false;
-    # zfs.extraPools = ["rice"];
  };
  networking = {
    hostId = "91238132";
-    hostName = "consensus";
    firewall = {
-      enable = true;
      allowedTCPPorts = [
        22
        80
        443
        2022
-        8080
-        8443
+        2049 #nfs
+        8080 #unifi
+        8443 #unifi
        10001
-        6443
-        25565
-        25566
-        9001
-        30303
+        10250
+        6443 #k8s
+        25565 #mc
+        25566 #mc
+        9001 #eth
+        30303 #eth
      ];
      allowedUDPPorts = [
        9001
        30303
      ];
-      logRefusedConnections = true;
    };
-
  };
-  zramSwap.enable = false;
-  swapDevices = [
-    {
-      device = "/swapfile";
-      size = 16 * 1024;
-    }
-  ];
-  virtualisation.docker.enable = true;
+  system-sys = {
+    zram = false;
+    swapSize = 16;
+  };
+  virtualisation.docker = {
+    enable = true;
+    extraOptions = "--dns 1.1.1.1";
+  };

  users.users = {
-    root = {
-      openssh.authorizedKeys.keys = [
-        ''ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHM4Zr0PFN7QdOG2aJ+nuzRCK6caulrpY6bphA1Ppl8Y e@t14''
-      ];
-    };
-    e = {
-      isNormalUser = true;
-      extraGroups = [ "wheel" ];
-      home = "/home/e";
-      openssh.authorizedKeys.keys = [
-        ''ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHM4Zr0PFN7QdOG2aJ+nuzRCK6caulrpY6bphA1Ppl8Y e@t14''
-        ''ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJou+k8HtIWdlztpWog7fVfJgxJnRIo7c5xVPUBhBxhi'' # phone
-      ];
-    };
+    immich.extraGroups = [ "video" "render" ];
  };
-  security.sudo-rs.wheelNeedsPassword = false;
  security.acme = {
    acceptTerms = true;
    defaults.email = "acme@10110110.xyz";
@ -192,6 +124,11 @@
      };
    };
  };
-  nix.settings.trusted-users = [ "e" ];
+  hardware.graphics = {
+    enable = true;
+    extraPackages = with pkgs; [
+      intel-media-driver # For Broadwell (2014) or newer processors. LIBVA_DRIVER_NAME=iHD
+    ];
+  };
  system.stateVersion = "23.11";
 }
--- a/nixos/consensus/hardware-configuration.nix
+++ b/nixos/consensus/hardware-configuration.nix
@ -12,6 +12,9 @@
    "xen_blkfront"
    "vmw_pvscsi"
  ];
+  boot.supportedFilesystems = [ "zfs" ];
+  boot.zfs.forceImportRoot = false;
+  boot.zfs.extraPools = [ "rice" ];
  boot.initrd.kernelModules = [ "nvme" ];
  fileSystems."/" = {
    device = "/dev/mapper/vg-root";
--- a/nixos/default.nix
+++ b/nixos/default.nix
@ -1,6 +1,7 @@
 {
  inputs,
  pkgs,
+  pkgs-stable,
  attrs,
  system,
  ...
@ -11,7 +12,10 @@ let
    inputs.sops-nix.nixosModules.sops
    inputs.nix-index-database.nixosModules.nix-index
    # inputs.determinate.nixosModules.default # https://github.com/serokell/deploy-rs/issues/340
-  ];
+  ]  ++ builtins.attrValues
+    (builtins.mapAttrs
+    (name: _: ./modules/${name})
+    (builtins.readDir ./modules));
 in
 {
  t14 = inputs.nixpkgs.lib.nixosSystem {
@ -28,9 +32,10 @@ in
      inputs.nixos-hardware.nixosModules.lenovo-thinkpad-t14-amd-gen1
    ];
  };
-  consensus = inputs.nixpkgs.lib.nixosSystem {
-    inherit pkgs;
+  consensus = inputs.nixpkgs-stable.lib.nixosSystem {
+    pkgs = pkgs-stable;
    specialArgs = {
+      pkgs-unstable = pkgs;
      inherit inputs system attrs;
      host = {
        hostName = "consensus";
@ -38,12 +43,24 @@ in
      };
    };
    modules = defaultModules ++ [
-      inputs.microvm.nixosModules.host
      ./consensus/configuration.nix
    ];
  };
-  oracle1 = inputs.nixpkgs.lib.nixosSystem {
-    inherit pkgs;
+  zen = inputs.nixpkgs-stable.lib.nixosSystem {
+    pkgs = pkgs-stable;
+    specialArgs = {
+      inherit inputs system attrs;
+      host = {
+        hostName = "zen";
+        inherit (attrs) username;
+      };
+    };
+    modules = defaultModules ++ [
+      ./zen/configuration.nix
+    ];
+  };
+  oracle1 = inputs.nixpkgs-stable.lib.nixosSystem {
+    pkgs = pkgs-stable;
    specialArgs = {
      inherit inputs system attrs;
      host = {
@ -51,20 +68,6 @@ in
        inherit (attrs) username;
      };
    };
-    modules = defaultModules ++ [
-      ./oracle/configuration.nix
-      ./oracle/forgejo.nix
-    ];
-  };
-  oracle2 = inputs.nixpkgs.lib.nixosSystem {
-    inherit pkgs;
-    specialArgs = {
-      inherit inputs system attrs;
-      host = {
-        hostName = "oracle2";
-        inherit (attrs) username;
-      };
-    };
    modules = defaultModules ++ [
      ./oracle/configuration.nix
    ];
--- a/nixos/modules/net.nix
+++ b/nixos/modules/net.nix
@ -0,0 +1,105 @@
+{ host, pkgs, config, lib, ...}:
+let cfg = config.system-net; in {
+  options.system-net = {
+    enable = lib.mkOption {
+      type = lib.types.bool;
+      default = true;
+    };
+    dns = lib.mkOption {
+      type = lib.types.bool;
+      default = true;
+    };
+    openssh = {
+      enable = lib.mkOption {
+        type = lib.types.bool;
+        default = true;
+      };
+      ports = lib.mkOption {
+        type = lib.types.listOf lib.types.int;
+        default = [22];
+      };
+    };
+    tailscale = lib.mkOption {
+      type = lib.types.bool;
+      default = true;
+    };
+    nfs = lib.mkOption {
+      type = lib.types.bool;
+      default = false;
+    };
+  };
+
+  config = lib.mkIf cfg.enable {
+    services = {
+      tailscale.enable = cfg.tailscale;
+      resolved = lib.mkIf cfg.dns {
+        enable = true;
+        fallbackDns = [
+          "1.1.1.1"
+          "9.9.9.9"
+        ];
+      };
+      fail2ban = {
+        enable = true;
+        maxretry = 5;
+        bantime = "1h";
+        ignoreIP = [
+          "172.16.0.0/12"
+          "192.168.0.0/16"
+          "10.0.0.0/8"
+          "tailc353f.ts.net"
+        ];
+        bantime-increment = {
+          enable = true;
+          multipliers = "1 2 4 8 16 32 64 128 256";
+          maxtime = "24h";
+          overalljails = true;
+        };
+      };
+      openssh = {
+        enable = cfg.openssh.enable;
+        ports = cfg.openssh.ports;
+        settings = {
+          PasswordAuthentication = false;
+          PermitRootLogin = "prohibit-password";
+          PermitEmptyPasswords = false;
+          PermitTunnel = false;
+          UseDns = false;
+          KbdInteractiveAuthentication = false;
+          X11Forwarding = false;
+          MaxAuthTries = 3;
+          MaxSessions = 2;
+          ClientAliveInterval = 300;
+          ClientAliveCountMax = 0;
+          TCPKeepAlive = false;
+          AllowTcpForwarding = false;
+          AllowAgentForwarding = false;
+          LogLevel = "VERBOSE";
+        };
+        hostKeys = [
+          {
+            path = "/etc/ssh/ssh_host_ed25519_key";
+            type = "ed25519";
+          }
+        ];
+      };
+    };
+    systemd = {
+      mounts = [{
+        type = "nfs";
+        mountConfig = {
+          Options = "noatime";
+        };
+        what = "consensus:/rice";
+        where = "/mnt/rice";
+      }];
+      automounts = [{
+        wantedBy = [ "multi-user.target" ];
+        automountConfig = {
+          TimeoutIdleSec = "600";
+        };
+        where = "/mnt/rice";
+      }];
+    };
+  };
+}
--- a/nixos/modules/nix.nix
+++ b/nixos/modules/nix.nix
@ -0,0 +1,46 @@
+{ host, pkgs, config, lib, ...}:
+let cfg = config.system-nix; in {
+  options.system-nix = {
+    enable = lib.mkOption {
+      type = lib.types.bool;
+      default = true;
+    };
+  };
+
+  config = lib.mkIf cfg.enable {
+    programs = {
+      nix-index = {
+        enableBashIntegration = false;
+        enableZshIntegration = false;
+      };
+      nix-index-database.comma.enable = true;
+    };
+    nix = {
+      package = pkgs.nixVersions.nix_2_31; # https://github.com/serokell/deploy-rs/issues/340
+      settings = {
+        auto-optimise-store = true;
+        substituters = [
+          "https://install.determinate.systems"
+          "https://nvim-treesitter-main.cachix.org"
+        ];
+        trusted-public-keys = [
+          "cache.flakehub.com-3:hJuILl5sVK4iKm86JzgdXW12Y2Hwd5G07qKtHTOcDCM="
+          "nvim-treesitter-main.cachix.org-1:cbwE6blfW5+BkXXyeAXoVSu1gliqPLHo2m98E4hWfZQ="
+        ];
+        trusted-users = [ host.username ];
+        experimental-features = [
+          "nix-command"
+          "flakes"
+        ];
+        # lazy-trees = true; # https://github.com/serokell/deploy-rs/issues/340
+      };
+      channel.enable = false;
+      nixPath = [ "nixpkgs=flake:nixpkgs" ];
+      gc = {
+        automatic = true;
+        dates = "00:00";
+        options = "--delete-older-than 14d";
+      };
+    };
+  };
+}
--- a/nixos/modules/pkgs.nix
+++ b/nixos/modules/pkgs.nix
@ -0,0 +1,17 @@
+{ pkgs, config, lib, ...}:
+let cfg = config.system-pkgs; in {
+  options.system-pkgs = {
+    enable = lib.mkOption {
+      type = lib.types.bool;
+      default = true;
+    };
+  };
+
+  config = lib.mkIf cfg.enable {
+    environment.systemPackages = with pkgs; [
+      git
+      vim
+      tmux
+    ];
+  };
+}
--- a/nixos/modules/system.nix
+++ b/nixos/modules/system.nix
@ -0,0 +1,78 @@
+{ host, config, lib, ...}:
+let cfg = config.system-sys; in {
+  options.system-sys = {
+    enable = lib.mkOption {
+      type = lib.types.bool;
+      default = true;
+    };
+    swapSize = lib.mkOption {
+      type = lib.types.int;
+      default = 4;
+    };
+    zram = lib.mkOption {
+      type = lib.types.bool;
+      default = true;
+    };
+    documentation = lib.mkOption {
+      type = lib.types.bool;
+      default = false;
+    };
+  };
+
+  config = lib.mkIf cfg.enable {
+    time.timeZone = "America/Chicago";
+    boot.tmp.cleanOnBoot = true;
+    zramSwap.enable = cfg.zram;
+    security.sudo-rs = {
+      enable = true;
+      wheelNeedsPassword = false;
+    };
+    swapDevices = [
+      {
+        device = "/swapfile";
+        size = cfg.swapSize * 1024;
+      }
+    ];
+    documentation = lib.mkIf cfg.documentation {
+      enable = lib.mkDefault false;
+      info.enable = lib.mkDefault false;
+      man.enable = lib.mkDefault false;
+      nixos.enable = lib.mkDefault false;
+    };
+    networking = {
+      domain = "";
+      hostName = host.hostName;
+      firewall = {
+        enable = true;
+        allowedTCPPorts = [
+          22
+        ];
+        logRefusedConnections = true;
+      };
+    };
+    users = {
+      groups.plugdev = { };
+      groups.${host.username} = { };
+      users.${host.username} = {
+        isNormalUser = true;
+        group = "${host.username}";
+        home = "/home/e";
+        extraGroups = [
+          "wheel"
+          "plugdev"
+          "video"
+          "adbusers"
+          "network"
+        ];
+        openssh.authorizedKeys.keys = [
+          ''ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHM4Zr0PFN7QdOG2aJ+nuzRCK6caulrpY6bphA1Ppl8Y e@t14''
+          ''ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJou+k8HtIWdlztpWog7fVfJgxJnRIo7c5xVPUBhBxhi'' # phone
+        ];
+      };
+    };
+    users.users.root.openssh.authorizedKeys.keys = [
+      ''ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDcL53Gdrj5V9YDwKlCBIcgqiS+zHtOQpJlnOHTevJCJ e@t14''
+      ''ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHM4Zr0PFN7QdOG2aJ+nuzRCK6caulrpY6bphA1Ppl8Y e@t14''
+    ];
+  };
+}
--- a/nixos/oracle/configuration.nix
+++ b/nixos/oracle/configuration.nix
@ -2,79 +2,23 @@
 {
  imports = [
    ./hardware-configuration.nix
+    ./forgejo.nix
  ];
-  boot.tmp.cleanOnBoot = true;
  boot.kernel.sysctl = {
    "net.ipv4.ip_forward" = 1;
    "net.ipv6.conf.all.forwarding" = 1;
  };
-  zramSwap.enable = true;
-  swapDevices = [
-    {
-      device = "/swapfile";
-      size = 2 * 1024;
-    }
-  ];
-  services = {
-    fail2ban.enable = true;
-    fail2ban.maxretry = 5;
-    fail2ban.bantime = "1h";
-    fail2ban.ignoreIP = [
-      "172.16.0.0/12"
-      "192.168.0.0/16"
-      "10.0.0.0/8"
-      "tailc353f.ts.net"
-    ];
-
-    fail2ban.bantime-increment = {
-      enable = true;
-      multipliers = "1 2 4 8 16 32 64 128 256";
-      maxtime = "24h";
-      overalljails = true;
-    };
-    tailscale.enable = true;
-    openssh = {
-      enable = true;
-      ports = [
-        22
-        2022
-      ];
-      settings = {
-        PasswordAuthentication = false;
-        PermitRootLogin = "prohibit-password";
-        PermitEmptyPasswords = false;
-        UseDns = false;
-        KbdInteractiveAuthentication = false;
-        X11Forwarding = false;
-        AllowTcpForwarding = false;
-        AllowAgentForwarding = false;
-      };
-      hostKeys = [
-        {
-          path = "/etc/ssh/ssh_host_ed25519_key";
-          type = "ed25519";
-        }
-      ];
-    };
-  };
+  system-net.openssh.ports = [22 2022];
  networking = {
-    domain = "";
-    hostId = "81238132";
-    hostName = host.hostName;
+    hostId = "00238132";
    firewall = {
-      enable = true;
      allowedTCPPorts = [
        22
        2022
        80
        443
      ];
-      logRefusedConnections = true;
    };
  };
-  users.users.root.openssh.authorizedKeys.keys = [
-    ''ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDcL53Gdrj5V9YDwKlCBIcgqiS+zHtOQpJlnOHTevJCJ e@t14''
-    ''ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHM4Zr0PFN7QdOG2aJ+nuzRCK6caulrpY6bphA1Ppl8Y e@t14''
-  ];
  system.stateVersion = "23.11";
 }
--- a/nixos/oracle/forgejo.nix
+++ b/nixos/oracle/forgejo.nix
@ -76,7 +76,7 @@ in
        "/var/lib/forgejo"
      ];
      timerConfig = {
-        OnCalendar = "*-*-* */6:00:00";
+        OnCalendar = "06:00";
      };
      pruneOpts = [
        "--keep-daily 31"
--- a/nixos/oracle/hardware-configuration.nix
+++ b/nixos/oracle/hardware-configuration.nix
@ -21,5 +21,4 @@
    device = "/dev/sda1";
    fsType = "ext4";
  };
-  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
 }
--- a/nixos/t14/configuration.nix
+++ b/nixos/t14/configuration.nix
@ -44,11 +44,8 @@ in
      dns = "systemd-resolved";
    };
    firewall = {
-      enable = true;
      allowedTCPPorts = [ 11111 ];
-      allowedUDPPorts = [ ];
      trustedInterfaces = [ "tailscale0" ];
-      logRefusedConnections = true;
    };
  };

@ -86,7 +83,8 @@ in
      ];
    };
  };
-
+  system-net.nfs = true;
+  system-sys.zram = false;
  hardware = {
    graphics = {
      enable = true;
@ -100,13 +98,6 @@ in
    enableAllFirmware = true;
  };
  services = {
-    resolved = {
-      enable = true;
-      fallbackDns = [
-        "1.1.1.1"
-      ];
-    };
-    tailscale.enable = true;
    pipewire = {
      enable = true;
      alsa.enable = true;
@ -157,7 +148,6 @@ in

    trezord.enable = true;
    udisks2.enable = true; # kindle
-    ollama.enable = true;
  };
  fonts = {
    # Set a sane system-wide default font
--- a/nixos/t14/hardware-configuration.nix
+++ b/nixos/t14/hardware-configuration.nix
@ -15,6 +15,7 @@
    initrd.kernelModules = ["amdgpu"];
    kernelModules = ["kvm-amd"];
    extraModulePackages = [];
+    supportedFilesystems = [ "nfs" "btrfs" ];
    tmp = {
      useTmpfs = true;
    };
--- a/nixos/zen/configuration.nix
+++ b/nixos/zen/configuration.nix
@ -0,0 +1,54 @@
+{ host, config, pkgs, ... }:
+{
+  imports = [
+    ./hardware-configuration.nix
+  ];
+  sops.secrets = {
+    "password" = {
+      sopsFile = ../../secrets/k8s.yaml;
+    };
+    forgejo-runner = {
+      sopsFile = ../../secrets/forgejo-runner.yaml;
+    };
+  };
+  system-sys.zram = false;
+  networking = {
+    hostId = "81238132";
+    firewall = {
+      allowedTCPPorts = [
+        22
+        10250
+        25565 #mc
+        25566 #mc
+      ];
+    };
+  };
+  virtualisation.podman.enable = true;
+  services.gitea-actions-runner = {
+    package = pkgs.forgejo-runner;
+    instances.default = {
+      enable = true;
+      name = host.hostName;
+      url = "https://git.10110110.xyz";
+      tokenFile = config.sops.secrets.forgejo-runner.path;
+      labels = [
+        "ubuntu-latest:docker://node:24-bullseye"
+        "nix-upstream-latest:docker://nixos/nix:latest"
+      ];
+    };
+  };
+  services.k3s = {
+    enable = true;
+    role = "agent";
+    extraFlags = toString [
+      "--flannel-iface=tailscale0"
+    ];
+    tokenFile = config.sops.secrets."password".path;
+    serverAddr = "https://consensus:6443";
+  };
+  services.logind.lidSwitch = "ignore";
+  services.logind.lidSwitchExternalPower = "ignore";
+  hardware.enableRedistributableFirmware = true;
+  hardware.firmware = [ pkgs.linux-firmware ];
+  system.stateVersion = "23.11";
+}
--- a/nixos/zen/hardware-configuration.nix
+++ b/nixos/zen/hardware-configuration.nix
@ -0,0 +1,14 @@
+{ lib, modulesPath, ... }:
+{
+  imports = [ (modulesPath + "/profiles/qemu-guest.nix") ];
+  boot.loader.grub = {
+    efiSupport = true;
+    efiInstallAsRemovable = true;
+    device = "nodev";
+  };
+  fileSystems."/boot" = { device = "/dev/disk/by-uuid/EECE-9ACB"; fsType = "vfat"; };
+  boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "xen_blkfront" "vmw_pvscsi" ];
+  boot.initrd.kernelModules = [ "nvme" ];
+  fileSystems."/" = { device = "/dev/sda2"; fsType = "ext4"; };
+  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+}
--- a/secrets/cf-acme.yaml
+++ b/secrets/cf-acme.yaml
@ -4,38 +4,38 @@ sops:
        - recipient: age14e2d2y8e2avzfrsyxg9dudxd36svm24t7skw6e969n0c42znlp3shffdtg
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA3bEpKNEhOMVRYazNDSmhB
-            T0VadEhCdExkT2tXaklDcXFMcnNYTkx6ejJVCmJiRFUyVGRkU2tTalBCUFpYTWVk
-            WkZNSFVSSi9lMkQyOFU1bVM5WkFCSkUKLS0tIGo0c0QrRStRWEp3SE9vNFdMY0lP
-            dDNaTGprZVRlcmpwSzZmVzl3clZ3MzgK8y4ck9cgiPT6jDl23g0Da6mr7+KD7J+K
-            DflytAEkBZxWN8JLIeFSml6HS65xWeMuwjnQHVXQVQBlVAN9pl4fmg==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBKQ3YzNU13MGFvUGliY25x
+            TmxIRUwzRjlPTlh5Tyt3R2Zkc3lCMFhBT2p3ClhlR3VXM3ExQS9CeDNSY1Vvb1NC
+            ejE3elFhSk40ejBOaHdTK2Y5cVBSdHcKLS0tIHQ3TTRnSmdLWjFEWks4bnZFNkt0
+            ZHU2MkJVZUErTnJubHcxcDhxVDJwS1EKtx8pjBpjz8r8era40aUspZ8Nyg2uKBfJ
+            2m0FXMUyI/4KzGXAnFxPPqdeVun+NkJ61Wv4jT9Xn6PXf35ngqJ0xw==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age16pdhm238k63uye3rf4cwwe7ddyzds6xj9jv4wpsfggkghyarjqtsjzkxna
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBwNzZUdnVwUDBKRmo3Nm9s
-            Q0l1NXZOQXhvT1JIZStLK0YyWWhQbVNuazJVCnRDa21lcHJpczk4OWtsbkN3Z2tW
-            aXJGbnJGK1VvenJwa0ExWEFrZ3pFYjQKLS0tIGxBcUxlcnV4UEQyeE5sTWNDRU1l
-            bTVmbmxhZXk5RmlUV0h0dWFVZyszSnMKQ/DVB38i8a5d6LFJaftxChthRdjBY5GQ
-            TsFDbl6okwxUqBCx07A0ftYSeCHoC2Nj/AW0b8HU0DwXPPHqXwA08w==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBLYzdFY3J3R3lOcUUvRXJi
+            K0doenVhVHk4Q2syZWNidmNXNk1BaTd5Q1I4Cm9oWWYvQ0s3T3pQMEJGYllyWUl2
+            MEg2eHZZWHdTMkVwdjRMbXdPN3RPWncKLS0tIFFIL2NoQXRkbnZONjJOZGIwNVBl
+            aXZrNGVxRHdRR3VLbTFOS2I4czFGcWcKUzvwpiCHzQIgtX/cikMwvHoGu/8QxPbN
+            HIyjqxwxpBOWPvLV4xdayQAnIbVwK4TrQ2lcXVPJUs8/ZfTF7MREHQ==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age12tz2r7clep9e450qhr5a6ctnx29ywmu0llq8uk9kcwhpp82zsa0sk9la9h
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBRZjY1RXI1Y3MyeWVlMGlC
-            Nm1XNUlkODFYTkRqbnlMUytxZjZNSURYcXg0CjYxaDdLWDVZR0gwdEgrMVBSK1Br
-            V2lXZ2t2Nnp2ZG52YWxYQXVoKzBTU1UKLS0tIG9RcUdqQ2E4cnlFbVRQajVJalM5
-            bWhxdERTaHpFSVE5MEdoRndMM3VGK2MKYbs06A2NmyFKssKqeudt/mFG4l/yDV9k
-            Kod6mEZYxdjUP91waOmLCC997DSIkih9sHaaYhm/ahy4ryD4fstkLA==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBBV1pNTE5oNmZTZlg1anpn
+            Q1NRUjRaVVBGaDRLYlByVEo4ZktKcnQrL240CkhXRlc1bENhWUdqVHJ5bkdyNXox
+            eGJ4dUNwb2M0U2o5SnQxcmxCaTJKQkUKLS0tIHRqaDdwcHVlZ21JVVh2SzQ5SHkv
+            d0RtZjRKN1ZhU2VCWE4rMDBvYTBwUnMKlygdEBamBOQnhDOH7nzhbSYFDyFS+3q5
+            eSqIZfCWW0V1yEHbe/t4SwSLYiVZLY21DS63JZ22jrnl0v7521ntqA==
            -----END AGE ENCRYPTED FILE-----
-        - recipient: age1yar6nyfr5xzy79t54yrcf4sn3qc0689wgtsjv0npzh0nls5cjslsp0qruc
+        - recipient: age1nzlng9tw59rxnr86jw330s9z4x28hr394cl2qgktptf8swat23gqahgudw
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA2ek8vNVNZUkNraGNGbFJy
-            RmliVHFiVnRhUDArVFN0MGplTkYzbGxSQmg4ClZaMzZobFM3eGNvaytIeEJ3cjI2
-            VlhKNXBIK0pWTml2TThqQ1VUSi9hMHcKLS0tIEExN0dwWS9UNTBzWmZTWHFnWnBH
-            Skx4ZWgrN0lFLzNyL0RTNWRaRnZUL0kKGysePFPyRFVSEfoSaqsdRkH/SbkWy7RJ
-            IyYjt0JFtSo9QplzHFkOsdbeAV5E8MrMP/lFhhvPZcjwmO6/Pxl5Lg==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBPaGZUM3hKSE1BM1JscmlS
+            ZGZST2g3MkZzbmRISnN3TkltK2lleHpmWHlzCmdFbnZKSXZWOFZoWFhhV0RON0tm
+            MENsZnprTkJka3pJZXM1cFpwNCtUclEKLS0tIFR4TUFSQkxkN296aXJyT25nK3RG
+            b3pxaExSTjYxbFFwYU1PNUJBbEIrSTgKzxlxMiHPdQpvciHa2fNr3/QIRrReq3mm
+            xDjklnlIAdYTrq2mr6rS3sZMer3aOx7A8glOTcVL2VjgyQ1/s30+uA==
            -----END AGE ENCRYPTED FILE-----
    lastmodified: "2025-06-02T00:02:47Z"
    mac: ENC[AES256_GCM,data:l3I8KNMoZGrUUS/RzY0fAr7DkvyhynOqPW/09IfI8sKYBP+gavdf3/OpW3uwhYzuS6pRWwCaUTa0F+HELu7rBG8FwpvyBpdeAgZb1hVFtKeBuaCjXDieuxKjj27IKLx3UbHx2iRm91oB7bIMZaXYMrlYVmrs/BkgoT8vHj5j7Rc=,iv:KaB9qaUTYbnS6ix297MjIHxl+LSazZnRW0Lu2bP/kmk=,tag:bbncBMsk/qOfz0LRmrqiUQ==,type:str]
--- a/secrets/forgejo-runner.yaml
+++ b/secrets/forgejo-runner.yaml
@ -4,38 +4,38 @@ sops:
        - recipient: age14e2d2y8e2avzfrsyxg9dudxd36svm24t7skw6e969n0c42znlp3shffdtg
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAyUEh4TDhiL2ZQRlpBRUd5
-            ZDduRGpqd2xNdml1eHIyanM3bVpyazFYZld3CjFHS29NcXhUTTJRQS9haUxYUzZn
-            akIzZW0yMFNyUEV5MDJ1c1NJRGwzekkKLS0tIDJ0ZmdXVVQ5TDUzUmRvYTIrY3JC
-            Q1l5NHZZRGgxTjkyRml3Zjk3c0J6b0UKWxpejYzaLl5ndmITKoWeFdwjytSQwTm+
-            6FKP8jFUjybRjhAVvJDQ7Cxab+oHJ7p7+fCAT5mo7i3okVB7bdHhrw==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBGWnNRSHpLWkdMVGpDNVdF
+            QitwMkoyUDFVRk5STCthU0VvaENOMmhxUW13CmVCaTExQXRsTXI4UEJVM0tNSGJC
+            NHg1cU1FTzlrRithbFNlejU5N0p6QmMKLS0tIE81R1lxVmw0YUtQT0tLWWlFR0VR
+            QjlJTVZTbENqa2xNMlJzR0wwN3NwMkUKbhEnJPJu46i+Zx/cjlCMgahBwCsFWTG3
+            aIlCS9tPZNHHw/BZ0qoOeXAzRsAbqQaelxTRkStnksslgzZPdfpaiA==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age16pdhm238k63uye3rf4cwwe7ddyzds6xj9jv4wpsfggkghyarjqtsjzkxna
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBGZnYyNVZqNzVYcitMampP
-            a0VtYTkwRlNkaktrNThZeGljZUt1RXgrYkQ0Ck5WNHNHT3NOd2daSW8rMERsN1JN
-            WEYrWDZFOEpDYzFXQldqWWRyWjYyeTAKLS0tIDZObFRaRFpoMkZmNlFUcVJrRHRZ
-            dHV3bFRZTExqNWpiblJoQ1h2MXJQNzgKXHwe7ZyvKuAf9wMxFHR1U1oilw3ecD1P
-            O/XS/+WhYAVHMkaUVUkanczvP6ff5DRBrbdJ+akBYu3pZNkrgCCiiw==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBNSDdTalFXelU5V2JWQUhr
+            UHhKSUxBek1HR0dEbkdyODFOWVJILzlpVVFrCmtXM20wMjkwangrS3cveWp2aE5Q
+            Z1FpeE43cWwyNk1DbGoxVjJzNXJHWHMKLS0tIHZMM21BRy91ZE1kU0RVTys5WStW
+            NGlFYlJTMXRmZ0NENXBHRVkvV2tjNEEK9PaKtAHAnlkiAtXm0AcqTSUm4ynB6WFi
+            XAX4I/Yv6ykAMA6FyfFXQjqPA1pqh9HjrlVimor91Puwz0omCJcgjw==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age12tz2r7clep9e450qhr5a6ctnx29ywmu0llq8uk9kcwhpp82zsa0sk9la9h
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBiQjZNLytxTWlIdG0ycmlM
-            aURiMUdBN3dEbmc4UitmT2xIcWl2RitnS21BClpmM0RDQ2xHQ2R2eHordUhTdWp0
-            cW9zNHY4Z1JaQitCQ2lUQm05cWlkT3MKLS0tIGJ5VVU2ZzN2L0ZRTEFTS2hnaDkz
-            NnVJZEpvQ3VpVXZQMEhFMTBiL0IrNEEK4lbNKd8AiN5pY9dEUirZ2TiCkexI4v0a
-            W8XtUcGg+tQsrw1G5q7jS0EgV/oy1I9+0gJkHNhfRJH2P0UQ7079YQ==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBGRktOaW5XSU1jbitCMjFJ
+            NDJTcXc5enNLQWFqWVpXbkM2dGxpb1lpN3lVClVJZWEvYTBHbm1vd3dwVTV4Y3Fn
+            T2JRYmlFNE5hMDB4cmJwNUs0RlFKQVEKLS0tIHM3cEpwUFZIbmEvZnkxbW5BQ1E4
+            dDVpbFVoVGprWHF4K0lJSnVOY01TcUUKWzrAsKsGMVWqds0BuYjXxo7In1RSlmQP
+            C2BpEutA3uQ8GrNEM5N0r1Nauy3x+e0n+j0/LS7hzSaj0HQLTKUR6w==
            -----END AGE ENCRYPTED FILE-----
-        - recipient: age1yar6nyfr5xzy79t54yrcf4sn3qc0689wgtsjv0npzh0nls5cjslsp0qruc
+        - recipient: age1nzlng9tw59rxnr86jw330s9z4x28hr394cl2qgktptf8swat23gqahgudw
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB0VUtrNU1KdENHNVdOT0tu
-            TmY1S0tNb0ZHM0JyT2tPUTllTnFIT25YWmhRCk1ORHJvUkRqclQveDhwazIvM2pM
-            V3JUNjVZa28yK1FyY1VLazFDd0x6N0EKLS0tIEd5eDRRak1yclNaS0lOWnNoTkR4
-            YU5PeW52MEZGd3lzUG5aZEZhaURHdE0KUlf6EEc22UHcPDyVCQoVND5PFs20aCc3
-            XUbtQQD9w3/aRpsuaYfJBHINjB+Ns7XIIOfWkdJe5fJiOU0u29SO8Q==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA2NUJyamdFdHh1YS9BZjN1
+            bWlvWVpjRGFnUXhoSGNHSDRLRFN0NWJvY1ZjCmFOL0RHY1JXbk1hQVF4dEp2anNu
+            ajRaWFJ0RVVRZ0NGT1NFeVBVQzd2d1kKLS0tIC93d3NvdWZtMXRVWHNHcE8xT1Ew
+            bzliRFhSUUpVZ3RJZTNnVlQxdmlaMUEKmPkrlHyc/bXfHKE0qbFEXX2/w4rgiRSB
+            bbk+uwK1IhoZnqvPhwWxiHTlvSgYCJmxzYzP+f+qO/rl+hkAaePg0Q==
            -----END AGE ENCRYPTED FILE-----
    lastmodified: "2025-09-27T18:30:16Z"
    mac: ENC[AES256_GCM,data:nOs0CUT0DD5dphyPTN8ev8WTdflFmNScg3UIPvXtlhGE3nJdPRW/MjraUEd5gQZ4qrwkgo99fsD1Uv6HiWBQbg59TqDNQOwhXU3SYto/zVX9Y1LGwvGurMymiQNbhHjzn+VN1tXdwyTbvhUnRSwz2a6uu1sl9m3VNfRbMewuQnM=,iv:FtMd7i5V9eRcuK9HhjiKETx/SWs5+MijVExUB/mxHjE=,tag:H+USoPhnzWzTNl7um39Pfw==,type:str]
--- a/secrets/k8s.yaml
+++ b/secrets/k8s.yaml
@ -0,0 +1,43 @@
+password: ENC[AES256_GCM,data:ZGMA25kEy+ulzCSz4Cf2awwNJt0YgithxU4E73hCBucmATVwRvP9RLTb3/wryVJCdRqytMbNCUn10ucB/AixpCF5ocRlsY2FGJWXt7BSHUPnptQo02ycR99fgDPDKWHMdZhIp8lmFYER3cSD,iv:N7kyENzosqbG6ziJncJ0B3MsqpMMBDF+PQEgYz/7ymw=,tag:drDfEiXLotKtxRb6Ek2Mzg==,type:str]
+sops:
+    age:
+        - recipient: age14e2d2y8e2avzfrsyxg9dudxd36svm24t7skw6e969n0c42znlp3shffdtg
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBidk5Qak9TZGxxbEhOa2c5
+            Vk5walNpc2lsL0RieHBUQ1NzUzFJdXI1NVVrCk1JRkN6ZjJKTWh2T0lWUWxyZjB2
+            K0RGM003aThuWnZxcmhENGFjYUhGWXcKLS0tIC9QQU9BRE1LZU1TbElHQ2dFRXB1
+            M0xGL1ZwcDEvV3lYQU5XN3hoN0w1elUKnmnIHsA1wNdXhF32O6RymrTiabnI78Ho
+            Gg3LFTTj8DxZP/OZwOR+djW7xjwzw8NHWbxc1gT3YiYTWiP7DRepnw==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age16pdhm238k63uye3rf4cwwe7ddyzds6xj9jv4wpsfggkghyarjqtsjzkxna
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBtNVZaWWs1WjdxanYvRmt5
+            OUE4SHd2REE3RGZNTEt6UmFVSVYrZThkSUdnCktrZWk4QTV5dkdBTFlGQ2tsdTJJ
+            eEpTQ0FEbkVRZ0pEdysvWnVLVUJxVm8KLS0tIDRxZEgvNFk1WENGTGdUZEdmU0tr
+            NGxUK2thclU0cHd4cS8rYW1kQm9WT1kKX7oKMJWC3G4o2ZFlyxzl/dCEi+uUTFI1
+            XStgutdWvyMQ2nmJbQlhnN12qTt6VDj36QXVH3175U47KaJNOGvdZA==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age12tz2r7clep9e450qhr5a6ctnx29ywmu0llq8uk9kcwhpp82zsa0sk9la9h
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBtclF0TityOStDWFZsMzA3
+            Qit2d3g4VC9kRWpqd016ZXM1OW11WVhKQUh3CkhZTFhmaklWYlBwSXhuOUo0SUdl
+            NTVsVVNtTXNmRStBVXI1VzlYTFgwSlUKLS0tIHhPeWFsUmtkZFVvZDRxVkE5UXN3
+            STR3MUphNlBHcFNrS01NOUQ2b2lXV2MK1AxEIpS5+clX5EoMbQoyufLg/+Rh+NHz
+            /Oe/xM4IqrKAlFn2vHXw0DxDxj16ReucUBRsp8haixZiGr1pMVgHvw==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1nzlng9tw59rxnr86jw330s9z4x28hr394cl2qgktptf8swat23gqahgudw
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBVNzJacDVvTnB6VFNmL0dW
+            NzRmSHRpeVVVZnBJZXJOZXUrb2hWQjhDZ3pVCk1QbnpPZTFxdEFaSW0zMmtwWTBm
+            VXZsN3E5Nk9GYnF6WUUyMElVclRpZ00KLS0tIEZJWkNVbllvS0ZTVWY5ZnpUSlpU
+            NzUxTHZhL2Y4YXpvR29JUW9aOFRKemMK+fPgPXc1eGfVsJU7gyo7OwLVcpm3PE7K
+            x2GFKtrw84aNE4CMxKvx3dRUoIphj2vw45cLOriJRpnig9xnMQIbCg==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2026-01-11T20:07:38Z"
+    mac: ENC[AES256_GCM,data:JNF6aQfUQy1a+L2BbMAjSCfnntUaUlWcyfP9kgXpwrxcVK/qEbXxHPb+NDOliWvOPp4cMDjVphBgyQtjNTzTRfkMeMqtpKEIOkYUpo9dN69uHrws6rGq+tDCn50UZOgKirA3ojvrqEZvUKS8QgsRN7l0XK4RJjgTATBJQfNjGRY=,iv:vEAJJJEF/rPSDAfcxp1FbhnP78I3Uuk+GarWpHSGCUs=,tag:BIz3mYMVjmugWtKEg9WXiw==,type:str]
+    unencrypted_suffix: _unencrypted
+    version: 3.11.0
--- a/secrets/restic.yaml
+++ b/secrets/restic.yaml
@ -22,38 +22,38 @@ sops:
        - recipient: age14e2d2y8e2avzfrsyxg9dudxd36svm24t7skw6e969n0c42znlp3shffdtg
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBKcC90dkcvbnJoQzFDWTcr
-            SXFTdnRTOGhxZ3RNMHVpZFFLWHdIWUxMYzNZCjRlRTdYaS9YMjdFdzIzeHVLR3hs
-            QzNPM2k2UVV3bWI5WjVDT2pDaVZPaFEKLS0tIFFtdDI2Zmxnbk4xV2NGb2NDWUF6
-            VmROS3plOURRTzYzaEo2S1RraFRKeW8Kg3jYWWQuEX1Y6SfkT6lRdX6tmgkFiIW7
-            JX9D10jqN4DbDOYKu+MRvdz9/cagIyodg1/5LIPGBNGOKpNLiEH7AQ==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB1V3hSa0VVY1hLLzNEZkJw
+            OEp0THhMM3VMOWMxOGMxZjV6UVdJMTMrZzFZCnlrL0sveTBqL08zSUJDeVZLUVNO
+            WUgzZGhYdytRZ1FVa2N3Vmd4aEFnS00KLS0tIFJHMStGQ29pMWFGUno5aEg0REU5
+            N1J1c3JLT2h1R25ZWVVoY3g3bzF4M00KW4YOac1MZEVvtlovVcEvVOGqnghq5JDF
+            V0uBNdqtYEyIBVCQI0gXebtNmtxkfg06PI4JdGiUkoUKW+ztIk4TsQ==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age16pdhm238k63uye3rf4cwwe7ddyzds6xj9jv4wpsfggkghyarjqtsjzkxna
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBqd3RQQUtmVXgvb1JLMnZt
-            Y0dITDF6anBKcWxoOWZuQStSTk1zWkdwdEN3CmFaVWphcVpjTUhNcUdjVGpnV0hq
-            Z25hVmNDQUQ1YnJSd3puS214TzlkbkUKLS0tIGVXRG9mczBKcHFzb0FwYU5FZkpY
-            ZVhQWDZwR2xFU0xTVGVLZ3NFanY1emcKu09zXLUscPvcVQSgiN4H4dWpjMyb3t7e
-            aa54tbZ6o1+6lLg1DniL9lBxit6R+qk3SjMuU1MQJvD7ah39RSuyng==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBuV1FBTGpKc1d5cjhRdUUy
+            MG8yQ3BqTTlsemhzWFBQTFR3UXV4SEFOaUhnCmE5ajdYaTRsN1BrY2JMYnBGUTZJ
+            VnFvS0gvU05mT1hzb1A4NU5xOXFMbGMKLS0tIGdOZDE5SVJXNkFhYmVUbVZ0UkNK
+            R2Y3NUdlay9LZmtHVCtSQm83bHBJWlEKCzXphy/+kQXUDIkhYDZ8oaQlenP3yfFe
+            RmPZ2/asS8Ol0xkJui54i9Qqvu+18VISJVHGqcaYw+YrQnCGRPP92w==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age12tz2r7clep9e450qhr5a6ctnx29ywmu0llq8uk9kcwhpp82zsa0sk9la9h
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBYdUpxSWtHbmxzdlRYZHFT
-            NUY5RDhXUGN5YmlPS0UyTWcrUDlUZ3Rjbnp3CnlkQUgyNVBVclh0KzNCZkVYZURx
-            RXFkR2JFckVPbkg5Umo3VEF1cFFOZFkKLS0tIEM2OE1hZVpUd0EzeEFrVGc4Zmww
-            UzZZcFB4UngvTHF2YWtsSWQ1dGJaKzQK+cuuvX8un2bID+fLG5SFzQhfJ6QX5/pG
-            sVSUc+VG+04aak70p8AgOO7zN75rzSf5R83mmpEwB9a+rfDrKvbjiQ==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBRRzBPdGp2d0k0RzFWNE94
+            dWRlVDRlTDMyclNMMnQ4UE5sSTNsRzdMbm1vCjZFZnEzbStzU1lyQ2xGOU5DK3No
+            RU5jTGJra0NuQWhxakVQMDZMRSsxcG8KLS0tIE9xOThadmRISWRLb2tmeGZqWkRW
+            RFRxbzdKa0MwRDlqOC9ITjBkSDV1Z00KI0Iq7DnOBGNmvx3RZvwdG4KYcKKgUQbB
+            myqlctokOU3cKkGLVdVn+dYUsYqU814oIAuwiqQmD7OydIqfhbSQVQ==
            -----END AGE ENCRYPTED FILE-----
-        - recipient: age1yar6nyfr5xzy79t54yrcf4sn3qc0689wgtsjv0npzh0nls5cjslsp0qruc
+        - recipient: age1nzlng9tw59rxnr86jw330s9z4x28hr394cl2qgktptf8swat23gqahgudw
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBBdUU2NDRKV0w1Wkp0cDh6
-            NkV5bGRXOXpId1N4R09HdGhaK1lyM05WMkNRCnZSa0ovK01JaUZ3cG1qMkFzbW5z
-            WHc2NDYvNFN0SnBnSVlId0pjM2xBZnMKLS0tIHRoVkQ3NzBab1BzUVltWEVWeVZi
-            MmJRaXZheS9JamgybTc2THc1OVQ5N3MKr73ke9RIRsZvvVGl4nyxbbe/8f5KQ6Av
-            Uac6joEg0R6DbcQ9xRkbHyFySnLTHsF5HfVnUj2gPbdA1YsO0w2nlg==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBRMEZML0xZRHFQdXJXVm1x
+            elFhWnorOTB4RXFES0VCZG1KZVBMeCtMd3lzCmJFZnpZT3BUeEVVaUJEeXc5djN0
+            N3d0ZzJ0UHNFM0hpTS85T014VUwyY2MKLS0tIGVremFqNGh2YkNCWkNYQnNiRy93
+            WS9RVW1VcXRXVjlaeE9ZNHhzaFdabWcKUbNHbMPw4O+sDjWk8ziRPoTRzzBF07ul
+            TRVXuiIAzfAXcf4Z9P5fyY0saPJhBijaurzdTD0JUP5LZh8jreWJRg==
            -----END AGE ENCRYPTED FILE-----
    lastmodified: "2025-09-27T20:37:26Z"
    mac: ENC[AES256_GCM,data:30D/RyuIjhaJkRa4kBb3JK3FOGbbGL0aKAOlPgyNhpPyp7OWY1eYo2uoQSVa6lnjRgCV+YbmquXF6iNzUgWbzUWs6UuOfN+hIb/PKydBgITgVLp1bOfUQs8l2X2feYJ/QatBwr6VMgbBdrshppctSdypc9cTNv5r6sod0QwfpHA=,iv:uhwGM/bru/Z3UqnmOUHImhQkNm97zad+aH+VNXKy9m0=,tag:Zpdgcp2lPBNP4FjlTeXtKw==,type:str]
--- a/terraform/.gitignore
+++ b/terraform/.gitignore
@ -0,0 +1,6 @@
+terraform.tfvars
+*.tfstate
+*.pem
+*.backup
+*.lock*
+*.terraform/
--- a/terraform/compartment.tf
+++ b/terraform/compartment.tf
@ -0,0 +1,19 @@
+resource "oci_identity_compartment" "tf-compartment" {
+    compartment_id = var.tenancy_ocid
+    description = "Compartment for Terraform resources."
+    name = var.compartment_name
+}
+
+# Source from https://registry.terraform.io/providers/hashicorp/oci/latest/docs/data-sources/identity_availability_domains
+
+# <tenancy-ocid> is the compartment OCID for the root compartment.
+# Use <tenancy-ocid> for the compartment OCID.
+
+data "oci_identity_availability_domains" "ads" {
+  compartment_id = var.tenancy_ocid
+}
+
+data "oci_core_boot_volumes" "homelab_boot_volumes" {
+  availability_domain = data.oci_identity_availability_domains.ads.availability_domains[1].name
+  compartment_id      = oci_identity_compartment.tf-compartment.id
+}
--- a/terraform/compute.tf
+++ b/terraform/compute.tf
@ -0,0 +1,59 @@
+resource "oci_core_instance" "vm_instance_ampere" {
+    count = 1
+    availability_domain                 = data.oci_identity_availability_domains.ads.availability_domains[1].name
+    compartment_id                      = oci_identity_compartment.tf-compartment.id
+    shape                               = "VM.Standard.A1.Flex"
+    display_name                        = join("", [var.vm_name_template, "-arm", count.index]) 
+    is_pv_encryption_in_transit_enabled = true 
+    preserve_boot_volume = false
+
+    shape_config {
+        memory_in_gbs = 16
+        ocpus         = 4
+    }
+
+    metadata = {
+        ssh_authorized_keys = var.ssh_public_key
+    }
+
+    source_details {
+        source_id   = var.vm_image_arm
+        source_type = "image"
+        boot_volume_size_in_gbs = 100
+    }
+
+    create_vnic_details {
+        assign_public_ip          = true
+        subnet_id                 = oci_core_subnet.homelab_subnet.id
+        assign_private_dns_record = true
+        hostname_label            = join("", [var.vm_name_template, "-arm", count.index])
+        nsg_ids                   = [oci_core_network_security_group.homelab_nsg.id]
+    }
+}
+
+resource "oci_core_instance" "vm_instance_x86_64" {
+  count                               = 1
+  availability_domain                 = data.oci_identity_availability_domains.ads.availability_domains[2].name
+  compartment_id                      = oci_identity_compartment.tf-compartment.id
+  shape                               = "VM.Standard.E2.1.Micro"
+  display_name                        = join("", [var.vm_name_template, "-x64", count.index]) 
+  is_pv_encryption_in_transit_enabled = true
+
+  metadata = {
+    ssh_authorized_keys = var.ssh_public_key
+  }
+
+  source_details {
+    source_id   = var.vm_image_amd64
+    source_type = "image"
+    boot_volume_size_in_gbs = 50
+  }
+
+  create_vnic_details {
+      assign_public_ip          = true
+      subnet_id                 = oci_core_subnet.homelab_subnet.id
+      assign_private_dns_record = true
+      hostname_label            = join("", [var.vm_name_template, "-x84", count.index])
+      nsg_ids                   = [oci_core_network_security_group.homelab_nsg.id]
+  }
+}
--- a/terraform/main.tf
+++ b/terraform/main.tf
@ -0,0 +1,25 @@
+terraform {
+    required_version = ">= 1.3.0"
+
+    cloud {
+        organization = "lab-xyz"
+        workspaces {
+            name = "xyz-homelab"
+        }
+    }
+
+    required_providers {
+        oci = {
+            source = "oracle/oci"
+            version = ">= 4.90.0"
+        }
+    }
+}
+
+provider "oci" {
+    tenancy_ocid  =  var.tenancy_ocid
+    user_ocid     =  var.user_ocid
+    private_key   =  var.private_key
+    fingerprint   =  var.fingerprint
+    region        =  var.region
+}
--- a/terraform/networking.tf
+++ b/terraform/networking.tf
@ -0,0 +1,81 @@
+resource "oci_core_vcn" "homelab_vcn" {
+  cidr_block     = "10.0.0.0/16"
+  compartment_id = oci_identity_compartment.tf-compartment.id
+  display_name   = var.compartment_name
+  dns_label      = "vcn"
+}
+
+resource "oci_core_network_security_group" "homelab_nsg" {
+  compartment_id = oci_identity_compartment.tf-compartment.id
+  display_name   = "${var.compartment_name}-nsg"
+  vcn_id         = oci_core_vcn.homelab_vcn.id
+}
+
+resource "oci_core_internet_gateway" "homelab_ig" {
+  compartment_id = oci_identity_compartment.tf-compartment.id
+  display_name   = "${var.compartment_name}-ig"
+  vcn_id         = oci_core_vcn.homelab_vcn.id
+}
+
+resource "oci_core_route_table" "homelab_rt" {
+  compartment_id = oci_identity_compartment.tf-compartment.id
+  vcn_id         = oci_core_vcn.homelab_vcn.id
+  display_name   = "${var.compartment_name}-rt"
+
+  route_rules {
+    destination       = "0.0.0.0/0"
+    destination_type  = "CIDR_BLOCK"
+    network_entity_id = oci_core_internet_gateway.homelab_ig.id
+  }
+}
+resource "oci_core_subnet" "homelab_subnet" {
+  #Required
+  cidr_block     = "10.0.0.0/24"
+  compartment_id = oci_identity_compartment.tf-compartment.id
+  vcn_id         = oci_core_vcn.homelab_vcn.id
+  dns_label      = "homelab"
+
+  # Provider code tries to maintain compatibility with old versions.
+  security_list_ids = [oci_core_security_list.public-security-list.id]
+  display_name   = "${var.compartment_name}-subnet"
+  route_table_id    = oci_core_route_table.homelab_rt.id
+}
+
+resource "oci_core_security_list" "public-security-list" {
+  compartment_id = oci_identity_compartment.tf-compartment.id
+  vcn_id         = oci_core_vcn.homelab_vcn.id
+  display_name   = "public-security-list"
+
+  egress_security_rules {
+    stateless        = false
+    destination      = "0.0.0.0/0"
+    destination_type = "CIDR_BLOCK"
+    protocol         = "all"
+  }
+
+  ingress_security_rules {
+    stateless   = false
+    source      = "0.0.0.0/0"
+    source_type = "CIDR_BLOCK"
+    protocol    = "all"
+    description = "allow all"
+  }
+}
+
+resource "oci_core_network_security_group_security_rule" "homelab-network-security-group-list-ingress" {
+  network_security_group_id = oci_core_network_security_group.homelab_nsg.id
+  direction                 = "INGRESS"
+  source                    = oci_core_network_security_group.homelab_nsg.id
+  source_type               = "NETWORK_SECURITY_GROUP"
+  protocol                  = "all"
+  stateless                 = true
+}
+
+resource "oci_core_network_security_group_security_rule" "homelab-network-security-group-list-egress" {
+  network_security_group_id = oci_core_network_security_group.homelab_nsg.id
+  direction                 = "EGRESS"
+  destination               = oci_core_network_security_group.homelab_nsg.id
+  destination_type          = "NETWORK_SECURITY_GROUP"
+  protocol                  = "all"
+  stateless                 = true
+}
--- a/terraform/outputs.tf
+++ b/terraform/outputs.tf
@ -0,0 +1,3 @@
+output "x64_public_ip0" {
+  value = oci_core_instance.vm_instance_x86_64[0].public_ip
+}
--- a/terraform/terraform.tfvars.example
+++ b/terraform/terraform.tfvars.example
@ -0,0 +1,20 @@
+# https://cloud.oracle.com/org-mgmt/tenancy
+tenancy_ocid     = ""
+# https://cloud.oracle.com/identity/domains/my-profile
+user_ocid        = ""
+# https://cloud.oracle.com/identity/domains/my-profile/api-keys
+# contents of the private key, rather than a path pointing to the .pem file
+private_key      = ""
+fingerprint      = ""
+region           = "us-ashburn-1"
+
+# VM Images: https://docs.oracle.com/en-us/iaas/images/
+vm_image_arm = "ocid1.image.oc1.iad.aaaaaaaam4d2tsohvgq7cqilhtcnlvp2zmzatb57xuprljhkvqgon73uzeqq"
+
+# SSH keys for remote exec
+ssh_public_key = "ssh-ed25519 xxx..."
+ssh_private_key = "..."
+
+# OPTIONAL
+vm_name_template = "xyz-homelab"
+compartment_name = "xyz_homelab"
--- a/terraform/variables.tf
+++ b/terraform/variables.tf
@ -0,0 +1,65 @@
+variable "compartment_name" {
+  description = "Name of OCI compartment"
+  type        = string
+}
+
+variable "tenancy_ocid" {
+  description = "Tenancy OCID."
+  type        = string
+}
+
+variable "user_ocid" {
+  description = "User OCID."
+  type        = string
+}
+
+variable "vm_image_arm" {
+  description = "The OCID of the arm VM image to deploy."
+  type        = string
+}
+
+variable "vm_image_amd64" {
+  description = "The OCID of the amd64 VM image to deploy."
+  type        = string
+}
+
+variable "vm_name_template" {
+  description = ""
+  type        = string
+}
+
+variable "region" {
+  description = "The name of the OCI resource region."
+  type        = string
+  default     = "us-ashburn-1"
+}
+
+variable "fingerprint" {
+  description = "Fingerprint of the public API key from OCI."
+  type        = string
+}
+
+variable "private_key" {
+  description = "Contents of the .pem private key, downloaded from Oracle Cloud"
+  type        = string
+}
+
+variable "ssh_public_key" {
+  description = "SSH pubkey string"
+  type        = string
+}
+
+variable "ssh_private_key" {
+  description = "SSH privkey string"
+  type        = string
+}
+
+variable "k3s_master_ip" {
+  description = "IP addr of k3s master, to pass to ansible"
+  type        = string
+}
+
+variable "k3s_token" {
+  description = "k3s token, to pass to ansible"
+  type        = string
+}