hopefully fix the wheatley issue by adding mullvad to the internal network

disko/GLaDOS/default.nix

@@ -1,9 +1,9 @@
 {
   disko.devices = {
     disk = {
-      sda1 = {
+      main = {
         type = "disk";
-        device = "/dev/disk/by-path/pci-0000:06:00.0-ata-6";
+        device = "/dev/disk/by-path/pci-0000:01:00.0-nvme-1";
         content = {
           type = "gpt";
           partitions = {
@@ -14,16 +14,14 @@
                 type = "filesystem";
                 format = "vfat";
                 mountpoint = "/boot";
-                mountOptions = [
+                mountOptions = [ "umask=0077" ];
-                  "defaults"
-                ];
               };
             };
-            luks = {
+            nvme_luks = {
               size = "100%";
               content = {
                 type = "luks";
-                name = "crypted";
+                name = "nvme_crypted";
                 extraOpenArgs = [ ];
                 settings = {
                   # if you want to use the key for interactive login be sure there is no trailing newline
@@ -31,47 +29,30 @@
                   #keyFile = "/tmp/secret.key";
                   allowDiscards = true;
                 };
-                #additionalKeyFiles = ["/tmp/additionalSecret.key"];
                 content = {
                   type = "lvm_pv";
-                  vg = "pool";
+                  vg = "nvme_pool";
                 };
               };
             };
           };
         };
       };
-      #sdc = {
-        #device = "/dev/disk/by-path/pci-0000:06:00.0-ata-2";
-        #type = "disk";
-        #content = {
-          #type = "gpt";
-          #partitions = {
-            #root = {
-              #size = "100%";
-              #content = {
-                #type = "filesystem";
-                #format = "ext4";
-                #mountpoint = "/media";
-              #};
-            #};
-          #};
-        #};
-      #};
     };
     lvm_vg = {
-      pool = {
+      nvme_pool = {
         type = "lvm_vg";
         lvs = {
-          swap = {
+          nvme_swap = {
-            size = "16G";
+            size = "32G";
             content = {
               type = "swap";
+              discardPolicy = "both";
               resumeDevice = true; # resume from hiberation from this device
             };
           };
-          root = {
+          nvme_root = {
-            size = "100%FREE";
+            size = "100%";
             content = {
               type = "filesystem";
               format = "ext4";
@@ -84,13 +65,5 @@
         };
       };
     };
-    nodev = {
-      "/home/lillian/Downloads" = {
-        fsType = "tmpfs";
-        mountOptions = [
-          "size=4G"
-        ];
-      };
-    };
   };
 }

flake.nix

@@ -180,6 +180,18 @@
     # NixOS configuration entrypoint
     # Available through 'nixos-rebuild --flake .#your-hostname'
     nixosConfigurations = {
+      nixIso = nixpkgs.lib.nixosSystem {
+        system = "x86_64-linux";
+        specialArgs = {inherit inputs outputs;};
+        modules =
+          sharedModules
+          ++ desktopModules
+          ++ [
+            ./nixos/hosts/iso/configuration.nix
+            "${nixpkgs}/nixos/modules/installer/cd-dvd/installation-cd-base.nix"
+          ];
+      };
+
       EDI = nixpkgs.lib.nixosSystem {
         system = "x86_64-linux";
         specialArgs = {inherit inputs outputs;};

home-manager/hosts/iso/id_ed25519.pub

@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKeZHHAEoUh/Ly9F1xUSPZLPNE0Yh/wM2qWgKvlEBa8A lillian@GLaDOS

home-manager/hosts/iso/lillian.nix

@@ -11,13 +11,11 @@
 
     # You can also split up your configuration and import pieces of it here:
     # ./nvim.nix
-    ../../desktop
-    ../../shared
   ];
 
   home.packages = with pkgs; [
   ];
 
   # https://nixos.wiki/wiki/FAQ/When_do_I_update_stateVersion
-  home.stateVersion = "25.05";
+  home.stateVersion = "25.11";
 }

nixos/desktop/default.nix

@@ -30,7 +30,7 @@
   };
 
   environment.systemPackages =
-    (with pkgs; [
+    with pkgs; [
       # Custom tools
       dvd
       dvt
@@ -85,16 +85,17 @@
       libportal
 
       # User tools
+      freetube
       noisetorch
       qjackctl
       wireplumber
       #rustdesk
-    ])
+    ]
-    ++ (with pkgs-edge; [
+    # ++ (with pkgs-edge; [
-      freetube
     # list of latest packages from nixpkgs master
     # Can be used to install latest version of some packages
-    ]);
+    # ])
+    ;
   sops = {
     secrets."nextcloud-password" = {
       mode = "0600";

nixos/hosts/GLaDOS/configuration.nix

@@ -31,6 +31,7 @@
   ];
 
   environment.systemPackages = with pkgs; [
+    gparted
   ];
 
   services.vpn-ip = {

nixos/hosts/iso/configuration.nix

@@ -10,20 +10,20 @@
     # outputs.homeManagerModules.example
     # outputs.nixosModules.contabo.wan
     inputs.home-manager.nixosModules.home-manager
+    outputs.nixosModules.vpn-ip
     # Or modules exported from other flakes (such as nix-colors):
     # inputs.nix-colors.homeManagerModules.defaults
 
     # Import shared settings
-    ../../shared
   ];
 
-  programs.command-not-found.enable = lib.mkForce false;
+  # programs.command-not-found.enable = lib.mkForce false;
-  programs.nix-index.enable = true;
+  # programs.nix-index.enable = true;
-  programs.nix-index-database.comma.enable = true;
+  # programs.nix-index-database.comma.enable = true;
 
-  boot.tmp.cleanOnBoot = true;
+  # boot.tmp.cleanOnBoot = true;
-  zramSwap.enable = false;
+  # zramSwap.enable = false;
-  networking.domain = "";
+  # networking.domain = "";
   services.openssh = {
     enable = true;
     # require public key authentication for better security
@@ -45,7 +45,9 @@
   #Set up sops config, and configure where the keyfile is, then set the mode for the unencrypted keys
   sops.defaultSopsFile = ./secrets/sops.yaml;
 
-  services.desktopManager.plasma6.enable = true;
+  services.vpn-ip.enable = false;
+
+  # services.desktopManager.plasma6.enable = true;
 
   environment.systemPackages = with pkgs; [
     # Custom tools
@@ -65,7 +67,6 @@
     sbctl
     tpm2-tools
     tpm2-tss
-    waydroid
     zsh
 
     # KDE/QT
@@ -81,13 +82,14 @@
     kdePackages.plasma-pa
     kdePackages.sddm-kcm
     kdePackages.dolphin-plugins
-    libportal-qt5
     libportal
   ];
 
   # Enable networking
   networking.networkmanager.enable = true;
 
+  networking.hostName = "iso";
+
   # Contabo ipv6 nameservers: "2a02:c207::1:53" "2a02:c207::2:53"
 
   networking.firewall.enable = true;
@@ -106,24 +108,24 @@
   # Enable bluetooth hardware
   hardware.bluetooth.enable = true;
 
-  security.tpm2.enable = true;
+  # security.tpm2.enable = true;
-  security.tpm2.pkcs11.enable = true; # expose /run/current-system/sw/lib/libtpm2_pkcs11.so
+  # security.tpm2.pkcs11.enable = true; # expose /run/current-system/sw/lib/libtpm2_pkcs11.so
-  security.tpm2.tctiEnvironment.enable = true; # TPM2TOOLS_TCTI and TPM2_PKCS11_TCTI env variables
+  # security.tpm2.tctiEnvironment.enable = true; # TPM2TOOLS_TCTI and TPM2_PKCS11_TCTI env variables
-  users.users.lillian.extraGroups = ["tss"]; # tss group has access to TPM devices
+  # users.users.lillian.extraGroups = ["tss"]; # tss group has access to TPM devices
 
   # Set your time zone.
   time.timeZone = "Europe/Amsterdam";
 
-  programs.git = {
+  # programs.git = {
-    enable = true;
+  #   enable = true;
-  };
+  # };
 
-  programs.direnv = {
+  # programs.direnv = {
-    enable = true;
+  #   enable = true;
-  };
+  # };
 
-  # Enable completion of system packages by zsh
+  # # Enable completion of system packages by zsh
-  environment.pathsToLink = ["/share/zsh"];
+  # environment.pathsToLink = ["/share/zsh"];
 
   # kde power settings do not turn off screen
   systemd = {
@@ -136,17 +138,17 @@
     };
   };
 
-  home-manager = {
+  # home-manager = {
-    extraSpecialArgs = {inherit inputs outputs;};
+  #   extraSpecialArgs = {inherit inputs outputs;};
-    users = {
+  #   users = {
-      # Import your home-manager configuration
+  #     # Import your home-manager configuration
-      lillian = import ../../../home-manager/hosts/iso;
+  #     lillian = import ../../../home-manager/hosts/iso;
-    };
+  #   };
-  };
+  # };
 
-  boot.kernelPackages = lib.mkForce pkgs.linuxPackages_latest;
+  # boot.kernelPackages = lib.mkForce pkgs.linuxPackages_latest;
-  boot.supportedFilesystems = lib.mkForce ["bcachefs" "btrfs" "cifs" "f2fs" "jfs" "ntfs" "reiserfs" "vfat" "xfs"];
+  # boot.supportedFilesystems = lib.mkForce ["bcachefs" "btrfs" "cifs" "f2fs" "jfs" "ntfs" "reiserfs" "vfat" "xfs"];
 
   # https://nixos.wiki/wiki/FAQ/When_do_I_update_stateVersion
-  system.stateVersion = "24.11";
+  system.stateVersion = "25.11";
 }

nixos/hosts/iso/secrets/sops.yaml

@@ -1,9 +1,8 @@
 lillian-password: ENC[AES256_GCM,data:eQzZwGxK9Lw2gc8HDNw57odxPzTH4sa/2O97h3VAghRwLClmCYKT91kxj2F3kQ4iEctBl0GxdS4WoL3H9eE4/CAPffXdTmkdYg==,iv:2ezB4DNHFv5ceJ2gtATV12Azm3vFFDLX1qSSy+cKuMY=,tag:zxb5agUCDpi92bYV7+DmoA==,type:str]
+ssh-private-key: ENC[AES256_GCM,data:YQ+9aKpBL9XYl0IBxpPttUli6/E25alUhO36dZwPPSIBLI1ehyczocQMxNRYNtB2xKYx4wPaYIndLBhj9VdTUgaOWUd2C6aU6YgXgFAsjgEwqVDZWRp7TrTHojtrS5HnJgfopx6EqPf/uljD9yQsOkubDDUbpYkpWX/3vixm9LJ1eRXxTxXW8D3O5OM2Z1NsqA7meVa1xhvWJokqS4sD5ntp1HT78Xmu62EweHQVGaznUvWZupYh0uCQd0tr6GVTZLHdyCdaFUGHRbRddBcljpBIRWaWkhIrkjejvptUZ4Ht/UN5XM5z+zfU3DxsDOxeJ7m83om9I3WdZSdq1aDXe+VFEfMrx/0QTk2LtAmOvujcN6wO7a77SD4Rpuvq8KH2CeKrwMLlFf2BeGIcGhvAhRYUVxtypM38DEdbf/7xIcw0vQP2zNZN4QWdukUInDndnAxMfbIXKpYI5OPRaZMTVui41hkS86LBfbd5RhTjyzrtIpVSq9XkKRX7d5i8Gcjb4ORpQvrNNYMo+TXCiLNTg3/q0My/jEhfjfTF,iv:EpKC9judTZ1+0Y2LC1OK2YzGH/orRpZNtE7O+ZZyU1E=,tag:S6ju/FkwIBbBA8YU3dRo1A==,type:str]
+nextcloud-password: ENC[AES256_GCM,data:5u8j1wau5FewTe+t3YZ365Acfcrt09XDgCUNpDbuVKaNZIEW3gdR60XACQeAvsyQeznynILJnz7/txV2,iv:l1xYhUkQGdWYNNy1lG9xB5SgL9cn2FdzAs19iVCohlA=,tag:rT0flG+v9wd8jSUm8DrCjg==,type:str]
+wg-private-key: ENC[AES256_GCM,data:3JpyscuzK4LG1lfM3oyQNBHy7BQ2WeTaSyaZoaNfS4U7KkpEaCp5EVLBYiY=,iv:odDG8xp+d+O4FuECfeCJn/z2ka4KSzSBvgBCmcMZ0S0=,tag:iPwnqgtap+i44Mru/S7TyA==,type:str]
 sops:
-    kms: []
-    gcp_kms: []
-    azure_kv: []
-    hc_vault: []
     age:
         - recipient: age12e00qvf4shtmsfq3ujamyaa72pjvad2qhrxkvpl9hryrjvgxev4sjhmkxz
           enc: |
@@ -14,8 +13,7 @@ sops:
             dXlaN3dWOUl4Mys2V0x3Z3F6UVU4MVUKEJYpX8XhSNcM+7aUuxnIwrokY0/29Cnh
             yz0HAZkaj8FwvnPnafo5jmwVyi6WXECvX5E0NZfjKH4AF5vTu6Wukg==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-03-20T18:17:48Z"
+    lastmodified: "2025-08-14T18:00:16Z"
-    mac: ENC[AES256_GCM,data:3UHIoYPHC6n56CHguOVuoFd9VwCjGiD9VCYy2d5W+4XQEZpjnONX8fhwwWRm42COymz89tmqDmpDp88BnSU8uE14IaCIUoxfCaRiZtjAiHjouua2jr50aUV56pwyan8ZiiOjP8oP1VY/tsv1w0jWI9TjSTHvCdNLR8XEcf6bCrk=,iv:/lBJdkQgwZyiztQ9vSoHgY+WxXJKHFI93dxtOSunHNo=,tag:lLwrSdzoN9CzmyIdLOe5ig==,type:str]
+    mac: ENC[AES256_GCM,data:NnX0hMrfeKJucgqgVUIUS0WOHerkDtKe3P+4vvWRCMX3eXg4Tsju8pZySZP7RSZX7+2W3OUHMOUuAum0YrVasTXuhm6jPvlbqvRnVXaVzCNheIUvTCF7LFeJEOQYKS5m8AiVKFRrxz+dGn90DSeijjajSePBjo8AnKyAOQEt1S8=,iv:1iJiqJU0vdDiWnJAYDlbOBBa9lBOODjjdlsRH54aTGI=,tag:JZtgVeLvFN6vcCZkRnuNcQ==,type:str]
-    pgp: []
     unencrypted_suffix: _unencrypted
-    version: 3.8.1
+    version: 3.10.2

nixos/hosts/wheatley/configuration.nix

@@ -306,7 +306,7 @@
       # enable NAT
       enable = true;
       externalInterface = "end0";
-      internalInterfaces = ["wg1"];
+      internalInterfaces = ["wg1" "mullvad"];
     };
     firewall = {
       enable = true;