rix101/machines/nixos/x86_64-linux/jeeves/configuration.nix

{ inputs, outputs, lib, pkgs, config, ... }:
{
  imports = [
    inputs.hardware.nixosModules.common-cpu-amd
    inputs.hardware.nixosModules.common-gpu-amd
    ./disko.nix
    inputs.ragenix.nixosModules.default
    inputs.agenix-rekey.nixosModules.default
    ./network.nix
    ./wireguard.nix
    ./jellyfin.nix
    ./mindustry.nix
    ./home-assistant
    ./samba.nix
    ./ollama.nix
  ];

  age.rekey = {
    hostPubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPopSTZ81UyKp9JSljCLp+Syk51zacjh9fLteqxQ6/aB";
    masterIdentities = [ "${inputs.self}/secrets/privkey.age" ];
    storageMode = "derivation";
    # forceRekeyOnSystem = "aarch64-linux";
  };

  nixpkgs = {
    hostPlatform = "x86_64-linux";
    config = {
      allowUnfree = true;
    };
    overlays = [
    ];
  };

  networking.hostName = "jeeves";

  boot = {
    loader.systemd-boot.enable = true;
    kernelPackages = pkgs.linuxPackages_latest;
    binfmt.emulatedSystems = [ "aarch64-linux" ];
    initrd = {
      availableKernelModules = [
        "nvme"
      ];
      # kernelModules = [
      #   "amdgpu"
      # ];
    };
  };

  hardware.enableRedistributableFirmware = true;
  hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;

  nix = {
    registry =
      lib.mapAttrs
        (_: value: {
          flake = value;
        })
        inputs;

    nixPath =
      lib.mapAttrsToList
        (key: value:
          "${key}=${value.to.path}")
        config.nix.registry;

    settings = {
      trusted-users = [
        "root"
        "jeeves"
      ];

      experimental-features = "nix-command flakes";
      auto-optimise-store = true;
    };
  };

  programs.zsh.enable = true;

  environment.systemPackages = with pkgs; [
    git
    neovim
  ];

  # NOTE: made with `mkpasswd -m sha-516`
  age.secrets."jeeves.user.password" = {
    rekeyFile = "${inputs.self}/secrets/home/jeeves/user/password.age";
    generator = {
      script = { pkgs, ... }: ''
        ${pkgs.mkpasswd}/bin/mkpasswd -m sha-516
      '';
    };
  };

  users = {
    mutableUsers = true;
    users = {
      jeeves = {
        isNormalUser = true;
        shell = pkgs.zsh;
        hashedPasswordFile = config.age.secrets."jeeves.user.password".path;
        openssh.authorizedKeys.keys = [
          "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBj8ZGcvI80WrJWV+dNy1a3L973ydSNqtwcVHzurDUaW (none)"
        ];
        extraGroups = [
          "wheel"
          "networkmanager"
          "audio"
          "docker"
          "transmission"
        ];
      };
    };
  };

  # reo101.jellyfin = {
  #   enable = true;
  #   image = "docker.io/jellyfin/jellyfin:latest";
  #   volumes = [
  #     "/var/cache/jellyfin/config:/config"
  #     "/var/cache/jellyfin/cache:/cache"
  #     "/var/log/jellyfin:/log"
  #     "/data/media/jellyfin:/media:ro"
  #   ];
  #   ports = [
  #     "8096:8096"
  #   ];
  # };

  # security.sudo-rs = {
  #   enable = !config.security.sudo.enable;
  #   inherit (config.security.sudo) extraRules;
  # };
  security.sudo = {
    enable = true;
    extraRules = [
      {
        users = [
          "jeeves"
        ];
        commands = [
          {
            command = "ALL";
            options = [ "NOPASSWD" ]; # "SETENV" # Adding the following could be a good idea
          }
        ];
      }
    ];
  };

  services.openssh = {
    enable = true;
    settings = {
      PermitRootLogin = "no";
      PasswordAuthentication = false;
    };
  };

  boot.plymouth = {
    enable = true;
  };

  # https://nixos.wiki/wiki/FAQ/When_do_I_update_stateVersion
  system.stateVersion = "23.05";
}
feat(jeeves)!: add config Automatic disk partitioning using `disko` Automatic secrets management using `agenix` Automatic deployment using `deploy-rs` 2023-10-16 20:42:10 +02:00			`{ inputs, outputs, lib, pkgs, config, ... }:`
			`{`
			`imports = [`
feat(limonka)!: `jellyfin` and `transmission` config Add config for the `jellyfin` service Add config for the `transmission` service Fix networking issue (DNS died after some time) Rename `jeeves_password` secret Fix deprecated `passwordFile` -> `hashedPasswordFile` 2023-11-17 15:03:25 +01:00			`inputs.hardware.nixosModules.common-cpu-amd`
			`inputs.hardware.nixosModules.common-gpu-amd`
feat(agenix-rekey)!: first try Cannot `agenix rekey` / `deploy` `agenix rekey` rekeys separate keys successfully but canot build the derivation that contains them 2023-12-25 14:17:30 +01:00			`./disko.nix`
feat(agenix): switch to `ragenix` 2023-12-26 00:14:25 +01:00			`inputs.ragenix.nixosModules.default`
feat(agenix-rekey)!: first try Cannot `agenix rekey` / `deploy` `agenix rekey` rekeys separate keys successfully but canot build the derivation that contains them 2023-12-25 14:17:30 +01:00			`inputs.agenix-rekey.nixosModules.default`
feat(jeeves)!: add config Automatic disk partitioning using `disko` Automatic secrets management using `agenix` Automatic deployment using `deploy-rs` 2023-10-16 20:42:10 +02:00			`./network.nix`
feat(jeeves): wireguard Add separate module for `wireguard` Rekey `jeeves_password` (use all `users`' keys) Add secrets related to Wireguard: server public/private, cheetah public Add a `.gitignore` for the private `limonka_age` key 2023-10-23 07:47:06 +02:00			`./wireguard.nix`
feat(limonka)!: `jellyfin` and `transmission` config Add config for the `jellyfin` service Add config for the `transmission` service Fix networking issue (DNS died after some time) Rename `jeeves_password` secret Fix deprecated `passwordFile` -> `hashedPasswordFile` 2023-11-17 15:03:25 +01:00			`./jellyfin.nix`
feat(nixos): add `mindustry` module Also enable it for `jeeves` 2023-12-07 20:18:20 +01:00			`./mindustry.nix`
feat(jeeves): `home-assistant` modularization 2024-04-13 12:37:24 +02:00			`./home-assistant`
feat(jeeves): add `samba` 2024-01-22 18:22:50 +01:00			`./samba.nix`
feat(jeeves)!: add `ollama` and `open-webui` 2024-06-09 23:18:11 +02:00			`./ollama.nix`
feat(jeeves)!: add config Automatic disk partitioning using `disko` Automatic secrets management using `agenix` Automatic deployment using `deploy-rs` 2023-10-16 20:42:10 +02:00			`];`

feat(agenix-rekey)!: first try Cannot `agenix rekey` / `deploy` `agenix rekey` rekeys separate keys successfully but canot build the derivation that contains them 2023-12-25 14:17:30 +01:00			`age.rekey = {`
			`hostPubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPopSTZ81UyKp9JSljCLp+Syk51zacjh9fLteqxQ6/aB";`
			`masterIdentities = [ "${inputs.self}/secrets/privkey.age" ];`
feat(jeeves): `home-assistant` modularization 2024-04-13 12:37:24 +02:00			`storageMode = "derivation";`
			`# forceRekeyOnSystem = "aarch64-linux";`
feat(agenix-rekey)!: first try Cannot `agenix rekey` / `deploy` `agenix rekey` rekeys separate keys successfully but canot build the derivation that contains them 2023-12-25 14:17:30 +01:00			`};`

feat(jeeves)!: add config Automatic disk partitioning using `disko` Automatic secrets management using `agenix` Automatic deployment using `deploy-rs` 2023-10-16 20:42:10 +02:00			`nixpkgs = {`
			`hostPlatform = "x86_64-linux";`
			`config = {`
			`allowUnfree = true;`
			`};`
			`overlays = [`
			`];`
			`};`

			`networking.hostName = "jeeves";`

			`boot = {`
			`loader.systemd-boot.enable = true;`
			`kernelPackages = pkgs.linuxPackages_latest;`
feat(jeeves): `home-assistant` modularization 2024-04-13 12:37:24 +02:00			`binfmt.emulatedSystems = [ "aarch64-linux" ];`
			`initrd = {`
			`availableKernelModules = [`
			`"nvme"`
			`];`
			`# kernelModules = [`
			`# "amdgpu"`
			`# ];`
			`};`
feat(jeeves)!: add config Automatic disk partitioning using `disko` Automatic secrets management using `agenix` Automatic deployment using `deploy-rs` 2023-10-16 20:42:10 +02:00			`};`

			`hardware.enableRedistributableFirmware = true;`
			`hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;`

			`nix = {`
			`registry =`
			`lib.mapAttrs`
			`(_: value: {`
			`flake = value;`
			`})`
			`inputs;`

			`nixPath =`
			`lib.mapAttrsToList`
			`(key: value:`
			`"${key}=${value.to.path}")`
			`config.nix.registry;`

			`settings = {`
fix(agenix-rekey)!: wrong `generator` syntax 2023-12-25 20:13:48 +01:00			`trusted-users = [`
			`"root"`
			`"jeeves"`
			`];`

feat(jeeves)!: add config Automatic disk partitioning using `disko` Automatic secrets management using `agenix` Automatic deployment using `deploy-rs` 2023-10-16 20:42:10 +02:00			`experimental-features = "nix-command flakes";`
			`auto-optimise-store = true;`
			`};`
			`};`

			`programs.zsh.enable = true;`

			`environment.systemPackages = with pkgs; [`
			`git`
			`neovim`
			`];`

			# NOTE: made with `mkpasswd -m sha-516`
feat(agenix-rekey)!: first try Cannot `agenix rekey` / `deploy` `agenix rekey` rekeys separate keys successfully but canot build the derivation that contains them 2023-12-25 14:17:30 +01:00			`age.secrets."jeeves.user.password" = {`
			`rekeyFile = "${inputs.self}/secrets/home/jeeves/user/password.age";`
fix(agenix-rekey)!: wrong `generator` syntax 2023-12-25 20:13:48 +01:00			`generator = {`
style: format with `nix fmt` Currently uses `nixpkgs-fmt` 2024-01-25 16:39:43 +01:00			`script = { pkgs, ... }: ''`
fix(agenix-rekey)!: wrong `generator` syntax 2023-12-25 20:13:48 +01:00			`${pkgs.mkpasswd}/bin/mkpasswd -m sha-516`
			`'';`
			`};`
feat(agenix-rekey)!: first try Cannot `agenix rekey` / `deploy` `agenix rekey` rekeys separate keys successfully but canot build the derivation that contains them 2023-12-25 14:17:30 +01:00			`};`
feat(limonka)!: `jellyfin` and `transmission` config Add config for the `jellyfin` service Add config for the `transmission` service Fix networking issue (DNS died after some time) Rename `jeeves_password` secret Fix deprecated `passwordFile` -> `hashedPasswordFile` 2023-11-17 15:03:25 +01:00
feat(jeeves)!: add config Automatic disk partitioning using `disko` Automatic secrets management using `agenix` Automatic deployment using `deploy-rs` 2023-10-16 20:42:10 +02:00			`users = {`
			`mutableUsers = true;`
			`users = {`
			`jeeves = {`
			`isNormalUser = true;`
			`shell = pkgs.zsh;`
feat(agenix-rekey)!: first try Cannot `agenix rekey` / `deploy` `agenix rekey` rekeys separate keys successfully but canot build the derivation that contains them 2023-12-25 14:17:30 +01:00			`hashedPasswordFile = config.age.secrets."jeeves.user.password".path;`
feat(jeeves)!: add config Automatic disk partitioning using `disko` Automatic secrets management using `agenix` Automatic deployment using `deploy-rs` 2023-10-16 20:42:10 +02:00			`openssh.authorizedKeys.keys = [`
			`"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBj8ZGcvI80WrJWV+dNy1a3L973ydSNqtwcVHzurDUaW (none)"`
			`];`
			`extraGroups = [`
			`"wheel"`
			`"networkmanager"`
			`"audio"`
			`"docker"`
feat(limonka)!: `jellyfin` and `transmission` config Add config for the `jellyfin` service Add config for the `transmission` service Fix networking issue (DNS died after some time) Rename `jeeves_password` secret Fix deprecated `passwordFile` -> `hashedPasswordFile` 2023-11-17 15:03:25 +01:00			`"transmission"`
feat(jeeves)!: add config Automatic disk partitioning using `disko` Automatic secrets management using `agenix` Automatic deployment using `deploy-rs` 2023-10-16 20:42:10 +02:00			`];`
			`};`
			`};`
			`};`

			`# reo101.jellyfin = {`
			`# enable = true;`
			`# image = "docker.io/jellyfin/jellyfin:latest";`
			`# volumes = [`
			`# "/var/cache/jellyfin/config:/config"`
			`# "/var/cache/jellyfin/cache:/cache"`
			`# "/var/log/jellyfin:/log"`
			`# "/data/media/jellyfin:/media:ro"`
			`# ];`
			`# ports = [`
			`# "8096:8096"`
			`# ];`
			`# };`

feat(agenix-rekey)!: first try Cannot `agenix rekey` / `deploy` `agenix rekey` rekeys separate keys successfully but canot build the derivation that contains them 2023-12-25 14:17:30 +01:00			`# security.sudo-rs = {`
			`# enable = !config.security.sudo.enable;`
			`# inherit (config.security.sudo) extraRules;`
			`# };`
			`security.sudo = {`
			`enable = true;`
style: format with `nix fmt` Currently uses `nixpkgs-fmt` 2024-01-25 16:39:43 +01:00			`extraRules = [`
feat(agenix-rekey)!: first try Cannot `agenix rekey` / `deploy` `agenix rekey` rekeys separate keys successfully but canot build the derivation that contains them 2023-12-25 14:17:30 +01:00			`{`
			`users = [`
			`"jeeves"`
			`];`
			`commands = [`
style: format with `nix fmt` Currently uses `nixpkgs-fmt` 2024-01-25 16:39:43 +01:00			`{`
			`command = "ALL";`
			`options = [ "NOPASSWD" ]; # "SETENV" # Adding the following could be a good idea`
			`}`
feat(agenix-rekey)!: first try Cannot `agenix rekey` / `deploy` `agenix rekey` rekeys separate keys successfully but canot build the derivation that contains them 2023-12-25 14:17:30 +01:00			`];`
			`}`
			`];`
			`};`
feat(jeeves)!: add config Automatic disk partitioning using `disko` Automatic secrets management using `agenix` Automatic deployment using `deploy-rs` 2023-10-16 20:42:10 +02:00
			`services.openssh = {`
			`enable = true;`
			`settings = {`
			`PermitRootLogin = "no";`
			`PasswordAuthentication = false;`
			`};`
			`};`

			`boot.plymouth = {`
			`enable = true;`
			`};`

			`# https://nixos.wiki/wiki/FAQ/When_do_I_update_stateVersion`
			`system.stateVersion = "23.05";`
			`}`