Initial vps1 config migration

Flake lock file updates:

• Updated input 'agenix':
    'github:ryantm/agenix/d0d4ad5be611da43da04321f49684ad72d705c7e' (2023-12-22)
  → 'github:ryantm/agenix/457669db4259ff69d1ac1183aaa6000420940c1f' (2023-12-23)
• Updated input 'agenix/darwin':
    'github:lnl7/nix-darwin/87b9d090ad39b25b2400029c64825fc2a8868943' (2023-01-09)
  → 'github:lnl7/nix-darwin/4b9b83d5a92e8c1fbfd8eb27eda375908c11ec4d' (2023-11-24)
• Updated input 'agenix/home-manager':
    'github:nix-community/home-manager/32d3e39c491e2f91152c84f8ad8b003420eab0a1' (2023-04-22)
  → 'github:nix-community/home-manager/3bfaacf46133c037bb356193bd2f1765d9dc82c1' (2023-12-20)
• Updated input 'agenix/nixpkgs':
    'github:NixOS/nixpkgs/a08d6979dd7c82c4cef0dcc6ac45ab16051c1169' (2023-03-01)
  → 'github:NixOS/nixpkgs/54aac082a4d9bb5bbc5c4e899603abfb76a3f6d6' (2023-12-19)
• Added input 'agenix/systems':
    'github:nix-systems/default/da67096a3b9bf56a91d16901293e51ba5b49a27e' (2023-04-09)
• Updated input 'home-manager':
    'github:nix-community/home-manager/0c2353d5d930c3d93724df6858aef064a31b3c00' (2023-12-20)
  → 'github:nix-community/home-manager/d5824a76bc6bb93d1dce9ebbbcb09a9b6abcc224' (2023-12-23)

flake.lock

@@ -4,14 +4,15 @@
       "inputs": {
         "darwin": "darwin",
         "home-manager": "home-manager",
-        "nixpkgs": "nixpkgs"
+        "nixpkgs": "nixpkgs",
+        "systems": "systems"
       },
       "locked": {
-        "lastModified": 1701216516,
+        "lastModified": 1703371241,
-        "narHash": "sha256-jKSeJn+7hZ1dZdiH1L+NWUGT2i/BGomKAJ54B9kT06Q=",
+        "narHash": "sha256-f7ZcabJ5iAH2IRfVuI55xSPZ9TbegFzvFxoKtIPNEn8=",
         "owner": "ryantm",
         "repo": "agenix",
-        "rev": "13ac9ac6d68b9a0896e3d43a082947233189e247",
+        "rev": "457669db4259ff69d1ac1183aaa6000420940c1f",
         "type": "github"
       },
       "original": {
@@ -28,11 +29,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1673295039,
+        "lastModified": 1700795494,
-        "narHash": "sha256-AsdYgE8/GPwcelGgrntlijMg4t3hLFJFCRF3tL5WVjA=",
+        "narHash": "sha256-gzGLZSiOhf155FW7262kdHo2YDeugp3VuIFb4/GGng0=",
         "owner": "lnl7",
         "repo": "nix-darwin",
-        "rev": "87b9d090ad39b25b2400029c64825fc2a8868943",
+        "rev": "4b9b83d5a92e8c1fbfd8eb27eda375908c11ec4d",
         "type": "github"
       },
       "original": {
@@ -42,14 +43,34 @@
         "type": "github"
       }
     },
+    "deploy-rs": {
+      "inputs": {
+        "flake-compat": "flake-compat",
+        "nixpkgs": "nixpkgs_2",
+        "utils": "utils"
+      },
+      "locked": {
+        "lastModified": 1703087360,
+        "narHash": "sha256-0VUbWBW8VyiDRuimMuLsEO4elGuUw/nc2WDeuO1eN1M=",
+        "owner": "serokell",
+        "repo": "deploy-rs",
+        "rev": "b709d63debafce9f5645a5ba550c9e0983b3d1f7",
+        "type": "github"
+      },
+      "original": {
+        "owner": "serokell",
+        "repo": "deploy-rs",
+        "type": "github"
+      }
+    },
     "firefox-gnome-theme": {
       "flake": false,
       "locked": {
-        "lastModified": 1702138393,
+        "lastModified": 1703023593,
-        "narHash": "sha256-2jRm1yzX+gKpSCtdpYt1olIgWVEkJnS7FeK00o9X1ko=",
+        "narHash": "sha256-M+Cw6vh7xCDmIhyVuEPNmaNVUwpmdFQq8zlsXZTKees=",
         "owner": "rafaelmardojai",
         "repo": "firefox-gnome-theme",
-        "rev": "d2e6cfdd63651ae8168e5905d94138f406580dd6",
+        "rev": "bad853333d9021e7012adb9b8fbfe7a7003f26bc",
         "type": "github"
       },
       "original": {
@@ -58,6 +79,22 @@
         "type": "github"
       }
     },
+    "flake-compat": {
+      "flake": false,
+      "locked": {
+        "lastModified": 1696426674,
+        "narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=",
+        "owner": "edolstra",
+        "repo": "flake-compat",
+        "rev": "0f9255e01c2351cc7d116c072cb317785dd33b33",
+        "type": "github"
+      },
+      "original": {
+        "owner": "edolstra",
+        "repo": "flake-compat",
+        "type": "github"
+      }
+    },
     "home-manager": {
       "inputs": {
         "nixpkgs": [
@@ -66,11 +103,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1682203081,
+        "lastModified": 1703113217,
-        "narHash": "sha256-kRL4ejWDhi0zph/FpebFYhzqlOBrk0Pl3dzGEKSAlEw=",
+        "narHash": "sha256-7ulcXOk63TIT2lVDSExj7XzFx09LpdSAPtvgtM7yQPE=",
         "owner": "nix-community",
         "repo": "home-manager",
-        "rev": "32d3e39c491e2f91152c84f8ad8b003420eab0a1",
+        "rev": "3bfaacf46133c037bb356193bd2f1765d9dc82c1",
         "type": "github"
       },
       "original": {
@@ -86,11 +123,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1702195709,
+        "lastModified": 1703367386,
-        "narHash": "sha256-+zRjWkm5rKqQ57PuLZ3JF3xi3vPMiOJzItb1m/43Cq4=",
+        "narHash": "sha256-FMbm48UGrBfOWGt8+opuS+uLBLQlRfhiYXhHNcYMS5k=",
         "owner": "nix-community",
         "repo": "home-manager",
-        "rev": "6761b8188b860f374b457eddfdb05c82eef9752f",
+        "rev": "d5824a76bc6bb93d1dce9ebbbcb09a9b6abcc224",
         "type": "github"
       },
       "original": {
@@ -100,13 +137,28 @@
         "type": "github"
       }
     },
+    "nixos-hardware": {
+      "locked": {
+        "lastModified": 1702453208,
+        "narHash": "sha256-0wRi9SposfE2wHqjuKt8WO2izKB/ASDOV91URunIqgo=",
+        "owner": "NixOS",
+        "repo": "nixos-hardware",
+        "rev": "7763c6fd1f299cb9361ff2abf755ed9619ef01d6",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
+        "repo": "nixos-hardware",
+        "type": "github"
+      }
+    },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1677676435,
+        "lastModified": 1703013332,
-        "narHash": "sha256-6FxdcmQr5JeZqsQvfinIMr0XcTyTuR7EXX0H3ANShpQ=",
+        "narHash": "sha256-+tFNwMvlXLbJZXiMHqYq77z/RfmpfpiI3yjL6o/Zo9M=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "a08d6979dd7c82c4cef0dcc6ac45ab16051c1169",
+        "rev": "54aac082a4d9bb5bbc5c4e899603abfb76a3f6d6",
         "type": "github"
       },
       "original": {
@@ -118,11 +170,27 @@
     },
     "nixpkgs_2": {
       "locked": {
-        "lastModified": 1702233072,
+        "lastModified": 1702272962,
-        "narHash": "sha256-H5G2wgbim2Ku6G6w+NSaQaauv6B6DlPhY9fMvArKqRo=",
+        "narHash": "sha256-D+zHwkwPc6oYQ4G3A1HuadopqRwUY/JkMwHz1YF7j4Q=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "781e2a9797ecf0f146e81425c822dca69fe4a348",
+        "rev": "e97b3e4186bcadf0ef1b6be22b8558eab1cdeb5d",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
+        "ref": "nixpkgs-unstable",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
+    "nixpkgs_3": {
+      "locked": {
+        "lastModified": 1703068421,
+        "narHash": "sha256-WSw5Faqlw75McIflnl5v7qVD/B3S2sLh+968bpOGrWA=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "d65bceaee0fb1e64363f7871bc43dc1c6ecad99f",
         "type": "github"
       },
       "original": {
@@ -134,12 +202,61 @@
     "root": {
       "inputs": {
         "agenix": "agenix",
+        "deploy-rs": "deploy-rs",
         "firefox-gnome-theme": "firefox-gnome-theme",
         "home-manager": "home-manager_2",
-        "nixpkgs": "nixpkgs_2",
+        "nixos-hardware": "nixos-hardware",
+        "nixpkgs": "nixpkgs_3",
+        "secrets": "secrets",
         "thunderbird-gnome-theme": "thunderbird-gnome-theme"
       }
     },
+    "secrets": {
+      "flake": false,
+      "locked": {
+        "lastModified": 1702936962,
+        "narHash": "sha256-uIZ2uPE26JKJ58463ejHMiAOpqBwflyN6tCmZ89vaSQ=",
+        "ref": "refs/heads/master",
+        "rev": "c6db5c3ba8bff0e618fc3e31c9680863c5e53800",
+        "revCount": 5,
+        "type": "git",
+        "url": "ssh://git@git.vimium.com/jordan/nix-secrets.git"
+      },
+      "original": {
+        "type": "git",
+        "url": "ssh://git@git.vimium.com/jordan/nix-secrets.git"
+      }
+    },
+    "systems": {
+      "locked": {
+        "lastModified": 1681028828,
+        "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
+        "owner": "nix-systems",
+        "repo": "default",
+        "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-systems",
+        "repo": "default",
+        "type": "github"
+      }
+    },
+    "systems_2": {
+      "locked": {
+        "lastModified": 1681028828,
+        "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
+        "owner": "nix-systems",
+        "repo": "default",
+        "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-systems",
+        "repo": "default",
+        "type": "github"
+      }
+    },
     "thunderbird-gnome-theme": {
       "flake": false,
       "locked": {
@@ -155,6 +272,24 @@
         "repo": "thunderbird-gnome-theme",
         "type": "github"
       }
+    },
+    "utils": {
+      "inputs": {
+        "systems": "systems_2"
+      },
+      "locked": {
+        "lastModified": 1701680307,
+        "narHash": "sha256-kAuep2h5ajznlPMD9rnQyffWG8EM/C73lejGofXvdM8=",
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "rev": "4022d587cbbfd70fe950c1e2083a02621806a725",
+        "type": "github"
+      },
+      "original": {
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "type": "github"
+      }
     }
   },
   "root": "root",

flake.nix

@@ -4,6 +4,7 @@
   inputs = {
     nixpkgs.url = "nixpkgs/nixos-23.11";
     agenix.url = "github:ryantm/agenix";
+    deploy-rs.url = "github:serokell/deploy-rs";
     home-manager = {
       url = "github:nix-community/home-manager/release-23.11";
       inputs.nixpkgs.follows = "nixpkgs";
@@ -12,13 +13,18 @@
       url = "github:rafaelmardojai/firefox-gnome-theme";
       flake = false;
     };
+    nixos-hardware.url = "github:NixOS/nixos-hardware";
+    secrets = {
+      url = "git+ssh://git@git.vimium.com/jordan/nix-secrets.git";
+      flake = false;
+    };
     thunderbird-gnome-theme = {
       url = "github:rafaelmardojai/thunderbird-gnome-theme";
       flake = false;
     };
   };
 
-  outputs = inputs @ { self, nixpkgs, agenix, home-manager, ... }:
+  outputs = inputs @ { self, nixpkgs, agenix, deploy-rs, home-manager, nixos-hardware, secrets, ... }:
     let
       nixpkgsForSystem = system: inputs.nixpkgs;
       overlays = [
@@ -30,7 +36,7 @@
         home-manager.nixosModule
         ./modules
       ];
-      nixosSystem = system: name:
+      nixosSystem = { system, name, extraModules ? [] }:
         let
           nixpkgs = nixpkgsForSystem system;
           lib = (import nixpkgs { inherit overlays system; }).lib;
@@ -52,15 +58,40 @@
                 };
               })
             ./hosts/${name}
-          ];
+          ] ++ extraModules;
         };
-      nixosConfigurations = {
-        atlas = nixosSystem "x86_64-linux" "atlas";
-        eos = nixosSystem "x86_64-linux" "eos";
-        helios = nixosSystem "x86_64-linux" "helios";
-        odyssey = nixosSystem "x86_64-linux" "odyssey";
-      };
     in
-    { inherit nixosConfigurations; };
+    {
+      nixosConfigurations = {
+        atlas = nixosSystem { system = "x86_64-linux"; name = "atlas"; };
+        eos = nixosSystem { system = "x86_64-linux"; name = "eos"; };
+        helios = nixosSystem { system = "x86_64-linux"; name = "helios"; };
+        odyssey = nixosSystem { system = "x86_64-linux"; name = "odyssey"; };
+        pi = nixosSystem { system = "aarch64-linux"; name = "pi"; extraModules = [ nixos-hardware.nixosModules.raspberry-pi-4 ]; };
+        vps1 = nixosSystem { system = "x86_64-linux"; name = "vps1"; };
+      };
+
+      deploy.nodes = {
+        pi = {
+          hostname = "10.0.1.191";
+          sshUser = "jordan";
+          user = "root";
+
+          profiles.system = {
+            user = "root";
+            path = deploy-rs.lib.aarch64-linux.activate.nixos self.nixosConfigurations.pi;
+          };
+        };
+        vps1 = {
+          magicRollback = true;
+          autoRollback = true;
+          hostname = "vps1.mesh.vimium.net";
+          profiles.system = {
+            user = "root";
+            path = deploy-rs.lib.x86_64-linux.activate.nixos self.nixosConfigurations.vps1;
+      };
+
+      # checks = builtins.mapAttrs (system: deployLib: deployLib.deployChecks self.deploy) deploy-rs.lib;
+    };
 }
 

hosts/desktop.nix

@@ -44,6 +44,12 @@
     neovim
   ];
 
+  system.autoUpgrade = {
+    enable = true;
+    flake = "git+ssh://git@git.vimium.com/jordan/nix-config.git";
+    randomizedDelaySec = "10min";
+  };
+
   nix = {
     settings = {
       connect-timeout = 5;

hosts/odyssey/default.nix

@@ -1,4 +1,4 @@
-{ config, lib, pkgs, ... }:
+{ config, lib, pkgs, inputs, ... }:
 
 {
   imports = [
@@ -25,6 +25,8 @@
 
   virtualisation.libvirtd.enable = true;
   virtualisation.lxd.enable = true;
+  # Work around https://github.com/NixOS/nixpkgs/issues/263359
+  networking.firewall.trustedInterfaces = [ "lxdbr0" "virbr0" ];
 
   users.defaultUserShell = pkgs.zsh;
 
@@ -50,23 +52,21 @@
     };
   };
 
-  age.secrets."odyssey_borg_passphrase" = {
+  age.secrets."passwords/services/borg/odyssey-passphrase" = {
-    file = ../../secrets/odyssey_borg_passphrase.age;
+    file = "${inputs.secrets}/passwords/services/borg/odyssey-passphrase.age";
   };
 
   services.borgmatic = {
     enable = true;
     settings = {
-      location = {
+      source_directories = [
-        source_directories = [
+        "/home/jordan/Documents"
-          "/home/jordan/Documents"
+      ];
-        ];
+      repositories = [
-        repositories = [
+        { label = "borgbase"; path = "ssh://iqwu22oq@iqwu22oq.repo.borgbase.com/./repo"; }
-          "ssh://iqwu22oq@iqwu22oq.repo.borgbase.com/./repo"
+      ];
-        ];
-      };
       storage = {
-        encryption_passcommand = "cat ${config.age.secrets.odyssey_borg_passphrase.path}";
+        encryption_passcommand = "cat ${config.age.secrets."passwords/services/borg/odyssey-passphrase".path}";
         ssh_command = "ssh -i /etc/ssh/ssh_host_ed25519_key";
       };
       retention = {
@@ -86,6 +86,10 @@
       browsers = {
         firefox.enable = true;
       };
+      gaming.emulators = {
+        ps2.enable = true;
+        psp.enable = true;
+      };
       media.graphics = {
         modeling.enable = true;
         raster.enable = true;

hosts/pi/README.md

@@ -0,0 +1,18 @@
+# Pi
+
+## Overview
+Raspberry Pi 4
+
+## Specs
+* SoC - Broadcom BCM2711
+* CPU - ARM Cortex-A72 @ 1.8 GHz
+* Memory - 8 GB LPDDR4
+
+### Disks
+Device | Partitions _(filesystem, usage)_
+--- | ---
+SD card | `/dev/mmcblk0` (ext4, NixOS Root)
+
+### Networks
+- DHCP on `10.0.1.0/24` subnet.
+- Tailscale on `100.64.0.0/10` subnet. FQDN: `pi.mesh.vimium.net`.

hosts/pi/default.nix

@@ -0,0 +1,147 @@
+{ config, lib, pkgs, inputs, ... }:
+
+{
+  imports = [
+    ./hardware-configuration.nix
+    ../server.nix
+  ];
+
+  networking.hostId = "731d1660";
+
+  hardware = {
+    raspberry-pi."4" = {
+      apply-overlays-dtmerge.enable = true;
+      audio.enable = false;
+      fkms-3d.enable = false;
+      xhci.enable = false;
+    };
+    deviceTree = {
+      enable = true;
+      overlays = [
+        { name = "hifiberry-digi-pro"; dtboFile = "${pkgs.device-tree_rpi.overlays}/hifiberry-digi-pro.dtbo"; }
+      ];
+    };
+    firmware = with pkgs; [
+      firmwareLinuxNonfree
+      wireless-regdb
+    ];
+  };
+
+  sound.enable = true;
+
+  age.secrets."passwords/networks.age" = {
+    file = "${inputs.secrets}/passwords/networks.age";
+  };
+
+  networking = {
+    wireless = {
+      enable = true;
+      interfaces = [ "wlan0" ];
+      environmentFile = config.age.secrets."passwords/networks.age".path;
+      networks = {
+        "Apollo 600 Mbps".psk = "@PSK_APOLLO@";
+      };
+    };
+  };
+
+  security.rtkit.enable = true;
+  services.pipewire = {
+    enable = true;
+    alsa.enable = true;
+    alsa.support32Bit = true;
+    pulse.enable = true;
+    systemWide = true;
+  };
+
+  virtualisation.oci-containers = {
+    backend = "podman";
+    containers.homeassistant = {
+      volumes = [ "home-assistant:/config" ];
+      environment.TZ = config.time.timeZone;
+      image = "ghcr.io/home-assistant/home-assistant:stable";
+      extraOptions = [
+        "--network=host"
+        "--device=/dev/ttyUSB0:/dev/ttyUSB0"
+      ];
+    };
+  };
+
+  services.mosquitto = {
+    enable = true;
+    listeners = [{
+      port = 1883;
+      settings = {
+        allow_anonymous = true;
+      };
+    }];
+  };
+
+  age.secrets."files/services/zigbee2mqtt/secret.yaml" = {
+    file = "${inputs.secrets}/files/services/zigbee2mqtt/secret.yaml.age";
+    path = "${config.services.zigbee2mqtt.dataDir}/secret.yaml";
+    owner = "zigbee2mqtt";
+    group = "zigbee2mqtt";
+  };
+
+  services.zigbee2mqtt = {
+    enable = true;
+    dataDir = "/var/lib/zigbee2mqtt";
+    settings = {
+      homeassistant = true;
+      frontend = true;
+      device_options = {
+        retain = true;
+      };
+      serial = {
+        port = "/dev/serial/by-id/usb-Silicon_Labs_Sonoff_Zigbee_3.0_USB_Dongle_Plus_0001-if00-port0";
+      };
+      advanced = {
+        channel = 20;
+        network_key = "!secret.yaml network_key";
+        pan_id = 13001;
+        ext_pan_id = [ 79 1 73 47 250 136 124 222 ];
+      };
+      mqtt = {
+        version = 5;
+        server = "mqtt://localhost:1883";
+      };
+    };
+  };
+
+  age.secrets."passwords/services/borg/pi-passphrase" = {
+    file = "${inputs.secrets}/passwords/services/borg/pi-passphrase.age";
+  };
+
+  services.borgmatic = {
+    enable = true;
+    settings = {
+      source_directories = [
+        "/var/lib/mosquitto"
+        "/var/lib/zigbee2mqtt"
+      ];
+      repositories = [
+        { label = "borgbase"; path = "ssh://qcw86s11@qcw86s11.repo.borgbase.com/./repo"; }
+      ];
+      storage = {
+        encryption_passcommand = "cat ${config.age.secrets."passwords/services/borg/pi-passphrase".path}";
+        ssh_command = "ssh -i /etc/ssh/ssh_host_ed25519_key";
+      };
+      retention = {
+        keep_daily = 7;
+        keep_weekly = 4;
+        keep_monthly = 6;
+      };
+    };
+  };
+
+  # Without this override, `cat` is unavailable for `encryption_passcommand`
+  systemd.services.borgmatic.confinement.fullUnit = true;
+
+  environment.systemPackages = with pkgs; [
+    libraspberrypi
+    raspberrypi-eeprom
+  ];
+
+  system.stateVersion = "22.11";
+}
+

hosts/pi/hardware-configuration.nix

@@ -0,0 +1,31 @@
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+  imports = [
+    (modulesPath + "/installer/sd-card/sd-image-aarch64.nix")
+  ];
+
+  boot = {
+    # Stop ZFS kernel being built
+    supportedFilesystems = lib.mkForce [ "btrfs" "cifs" "f2fs" "jfs" "ntfs" "reiserfs" "vfat" "xfs" ];
+    tmp.cleanOnBoot = true;
+  };
+
+  # Fix missing modules
+  # https://github.com/NixOS/nixpkgs/issues/154163
+  nixpkgs.overlays = [
+    (final: super: {
+      makeModulesClosure = x:
+        super.makeModulesClosure (x // { allowMissing = true; });
+    })
+  ];
+
+  fileSystems = {
+    "/" = {
+      device = "/dev/disk/by-label/NIXOS_SD";
+      fsType = "ext4";
+      options = [ "noatime" ];
+    };
+  };
+}
+

hosts/server.nix

@@ -18,6 +18,8 @@
 
   console.keyMap = "uk";
 
+  documentation.enable = false;
+
   services.openssh = {
     enable = true;
     settings = {

hosts/vps1/README.md

@@ -0,0 +1,17 @@
+# vps1
+
+## Overview
+VPS hosted in OVH.
+
+## Specs
+* CPU - ??
+* Memory - ??
+
+### Disks
+Device | Partitions _(filesystem, usage)_
+--- | ---
+NVMe | `/dev/sda1` (ext4, NixOS Root)
+
+### Networks
+- DHCP on `10.0.1.0/24` subnet.
+- Tailscale on `100.64.0.0/10` subnet. FQDN: `vps1.mesh.vimium.net`.

hosts/vps1/default.nix

@@ -0,0 +1,195 @@
+{ config, lib, pkgs, inputs, ... }:
+
+{
+  imports = [
+    ./hardware-configuration.nix
+    ../server.nix
+  ];
+
+  networking = {
+    hostId = "???";
+    hostName = "vps1";
+    domain = "mesh.vimium.net";
+    firewall = {
+      enable = true;
+      allowedTCPPorts = [
+        22    # SSH
+        8448  # Matrix federation
+        80    # HTTP
+        443   # HTTPS
+        5349  # STUN TLS
+        5350  # STUN TLS alt
+      ];
+      allowedUDPPortRanges = [
+        { from = 49152; to = 49999; } # TURN relay
+      ];
+    };
+  };
+
+  users.users = {
+    git = {
+      isSystemUser = true;
+      useDefaultShell = true;
+      group =  "git";
+      extraGroups = [ "gitea" ];
+      home = config.services.gitea.stateDir;
+    };
+    jellyfin = {
+      isSystemUser = true;
+      group = "jellyfin";
+      shell = "/bin/sh";
+      openssh.authorizedKeys.keys = [
+        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOaaS+KMAEAymZhIJGC4LK8aMhUzhpmloUgvP2cxeBH4 jellyfin"
+      ];
+    };
+    root = {
+      openssh.authorizedKeys.keys = [
+        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILVHTjsyMIV4THNw6yz0OxAxGnC+41gX72UrPqTzR+OS jordan@vimium.com"
+      ];
+    };
+  };
+
+  users.groups = {
+    git = { };
+    jellyfin = { };
+  };
+
+  age.secrets."passwords/services/borg/vps1-passphrase" = {
+    file = "${inputs.secrets}/passwords/services/borg/vps1-passphrase.age";
+  };
+
+  services.borgmatic = {
+    enable = true;
+    settings = {
+      source_directories = [
+        "/home"
+        "/var/lib"
+        "/var/www"
+      ];
+      repositories = [
+        { label = "borgbase"; path = "ssh://p91y8oh7@p91y8oh7.repo.borgbase.com/./repo"; }
+      ];
+      storage = {
+        encryption_passcommand = "cat ${config.age.secrets."passwords/services/borg/vps1-passphrase".path}";
+        ssh_command = "ssh -i /etc/ssh/ssh_host_ed25519_key";
+      };
+      retention = {
+        keep_daily = 7;
+        keep_weekly = 4;
+        keep_monthly = 6;
+      };
+    };
+  };
+
+  # Without this override, `cat` is unavailable for `encryption_passcommand`
+  systemd.services.borgmatic.confinement.fullUnit = true;
+
+  age.secrets."passwords/services/coturn/shared-secret" = {
+    file = "${inputs.secrets}/passwords/services/coturn/shared-secret.age";
+  };
+
+  services.coturn = {
+    enable = true;
+    lt-cred-mech = true;
+    use-auth-secret = true;
+    static-auth-secret = "???";
+    realm = "turn.vimium.com";
+    relay-ips = [
+      "198.244.190.160"
+    ];
+    no-tcp-relay = true;
+    extraConfig = ''
+      cipher-list="HIGH"
+      no-loopback-peers
+      no-multicast-peers
+    '';
+    secure-stun = true;
+    cert = "/var/lib/acme/turn.vimium.com/fullchain.pem";
+    pkey = "/var/lib/acme/turn.vimium.com/key.pem";
+    min-port = 49152;
+    max-port = 49999;
+  };
+
+  services.gitea = rec {
+    package = pkgs.gitea;
+    enable = true;
+    user = "git";
+    appName = "Vimium Git";
+    stateDir = "/var/lib/gitea";
+    repositoryRoot = "${stateDir}/repositories";
+    database = {
+      type = "sqlite3";
+      inherit user;
+      path = "${stateDir}/gitea.db";
+    };
+    lfs = {
+      enable = true;
+      contentDir = "${stateDir}/lfs";
+    };
+    settings = {
+      server = {
+        SSH_USER = "git";
+        SSH_DOMAIN = "git.vimium.com";
+        SSH_PORT = lib.head config.services.openssh.ports;
+        OFFLINE_MODE = true;
+        PROTOCOL = "http+unix";
+        DOMAIN = config.networking.domain;
+        ROOT_URL = "https://git.vimium.com/";
+      };
+      service.DISABLE_REGISTRATION = true;
+      session.COOKIE_SECURE = true;
+      log.ROOT_PATH = "${stateDir}/log";
+      ui = {
+        THEMES = "gitea,arc-green,github-dark,bthree-dark";
+        DEFAULT_THEME = "github-dark";
+      };
+      actions.ENABLED = true;
+      indexer = {
+        REPO_INDEXER_ENABLED = true;
+      };
+      packages.CHUNKED_UPLOAD_PATH = lib.mkForce "${stateDir}/data/tmp/package-upload";
+    };
+  };
+
+  services.headscale = {
+    enable = true;
+    port = 8080;
+    settings = {
+      server_url = "https://headscale.vimium.net";
+      dns_config = {
+        base_domain = "vimium.net";
+      };
+      logtail.enabled = false;
+    };
+  };
+
+  services.matrix-synapse = {
+    enable = true;
+    settings = {
+      database.name = "sqlite3";
+      enable_registration = false;
+      server_name = "vimium.com";
+      turn_shared_secret = "???";
+      turn_uris = [
+        "turn:turn.vimium.com:5349?transport=udp"
+        "turn:turn.vimium.com:5350?transport=udp"
+        "turn:turn.vimium.com:5349?transport=tcp"
+        "turn:turn.vimium.com:5350?transport=tcp"
+      ];
+    };
+  };
+
+  services.tailscale.enable = true;
+  networking.firewall = {
+    checkReversePath = "loose";
+    trustedInterfaces = [ "tailscale0" ];
+    allowedUDPPorts = [ config.services.tailscale.port ];
+  };
+
+  environment.systemPackages = with pkgs; [
+    config.services.headscale.package
+  ];
+
+  system.stateVersion = "22.11";
+}
+

hosts/vps1/hardware-configuration.nix

@@ -0,0 +1,26 @@
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+  imports = [
+    (modulesPath + "/profiles/qemu-guest.nix")
+  ];
+
+  boot = {
+    initrd = {
+      availableKernelModules = [ "ata_piix" "uhci_hcd" "xen_blkfront" "vmw_pvscsi" ];
+      kernelModules = [ "nvme" ];
+    };
+    loader.grub.device = "/dev/sda";
+    tmp.cleanOnBoot = true;
+  };
+
+  zramSwap.enable = true;
+
+  fileSystems = {
+    "/" = {
+      device = "/dev/sda1";
+      fsType = "ext4";
+    };
+  };
+}
+

modules/desktop/gnome.nix

@@ -200,7 +200,9 @@ in {
       tokei
       tree
       wl-clipboard
-    ];
+    ] ++ (if config.virtualisation.podman.enable then [
+      pods
+    ] else []);
 
     home.services.gpg-agent.pinentryFlavor = "gnome3";
   };

modules/options.nix

@@ -1,4 +1,4 @@
-{ config, options, lib, home-manager, ... }:
+{ config, options, lib, home-manager, inputs, ... }:
 
 with lib;
 {
@@ -29,6 +29,7 @@ with lib;
   };
 
   config = {
+    age.secrets."passwords/users/jordan".file = "${inputs.secrets}/passwords/users/jordan.age";
     user =
       let user = builtins.getEnv "USER";
           name = if elem user [ "" "root" ] then "jordan" else user;
@@ -41,6 +42,7 @@ with lib;
         openssh.authorizedKeys.keys = [
           "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILVHTjsyMIV4THNw6yz0OxAxGnC+41gX72UrPqTzR+OS jordan@vimium.com"
         ];
+        hashedPasswordFile = config.age.secrets."passwords/users/jordan".path;
         home = "/home/${name}";
         group = "users";
         uid = 1000;

secrets.nix

@@ -1,10 +0,0 @@
-let
-  jordan = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILVHTjsyMIV4THNw6yz0OxAxGnC+41gX72UrPqTzR+OS";
-  users = [ jordan ];
-
-  odyssey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJre8/cjdoUnbTu0x4ClTITcq4lq+FjpEyJBbLbOlox7";
-  systems = [ odyssey ];
-in
-{
-  "secrets/odyssey_borg_passphrase.age".publicKeys = [ jordan odyssey ];
-}