modular!

Flake lock file updates:

• Updated input 'home-manager':
    'github:nix-community/home-manager/d6bb9f934f2870e5cbc5b94c79e9db22246141ff?narHash=sha256-dA82pOMQNnCJMAsPG7AXG35VmCSMZsJHTFlTHizpKWQ%3D' (2024-04-06)
  → 'github:nix-community/home-manager/86853e31dc1b62c6eeed11c667e8cdd0285d4411?narHash=sha256-Xn2r0Jv95TswvPlvamCC46wwNo8ALjRCMBJbGykdhcM%3D' (2024-04-25)
• Updated input 'nixpkgs':
    'github:NixOS/nixpkgs/b500489fd3cf653eafc075f9362423ad5cdd8676?narHash=sha256-KtvQeE12MSkCOhvVmnmcZCjnx7t31zWin2XVSDOwBDE%3D' (2024-04-22)
  → 'github:NixOS/nixpkgs/dd37924974b9202f8226ed5d74a252a9785aedf8?narHash=sha256-fFE3M0vCoiSwCX02z8VF58jXFRj9enYUSTqjyHAjrds%3D' (2024-04-24)

.forgejo/workflows/update.yml

@@ -0,0 +1,17 @@
+on:
+  schedule:
+    - cron: '0 2 * * *'
+jobs:
+    lockfile:
+        runs-on: docker
+        steps:
+            - uses: actions/checkout@v4
+            - uses: https://github.com/DeterminateSystems/nix-installer-action@main
+            - run: 'git config --unset-all extensions.worktreeconfig'
+            - run: 'nix flake update --commit-lock-file --commit-lockfile-summary "flake.lock: Update"'
+              env:
+                GIT_AUTHOR_NAME: Chris Dombroski
+                GIT_AUTHOR_EMAIL: cdombroski@gmail.com
+                GIT_COMMITTER_NAME: Chris Dombroski
+                GIT_COMMITTER_EMAIL: cdombroski@gmail.com
+            - run: 'git push'

.gitignore

@@ -1,2 +1,3 @@
 .direnv/
 result
+*.swp

.sops.yaml

@@ -0,0 +1,28 @@
+keys:
+  - &admin_cdombroski age15va8dthvmn30ymex0kkrrk034aq25drmsx4mkmf480a8uq4tvcyqw5s4uk
+  - &system_smolboi age1qmv6x6zwxhaks86nqtsvck56ucdyc9fakgp59a30afl95p6vp4aqyf22hp
+  - &system_zeus age1y06hfa8ctp3tr7g2rukmst4cl064hxaqfsx8w0yq4tgmcrv7qvksct7mnl
+  - &system_orangepihole age12g2kuerwhpyd4t0jrynfc0wlj66rltyp34lsca4y5llmly8jppcq5ug3kc
+creation_rules:
+  - path_regex: secrets/[^/]+\.(yaml|json|env|ini)$
+    key_groups:
+      - age:
+        - *admin_cdombroski
+        - *system_smolboi
+        - *system_zeus
+        - *system_orangepihole
+  - path_regex: secrets/smolboi/[^/]+\.(yaml|json|env|ini)$
+    key_groups:
+      - age:
+        - *admin_cdombroski
+        - *system_smolboi
+  - path_regex: secrets/zeus/[^/]+\.(yaml|json|env|ini)$
+    key_groups:
+      - age:
+        - *admin_cdombroski
+        - *system_zeus
+  - path_regex: secrets/orangepihole/[^/]+\.(yaml|json|env|ini)$
+    key_groups:
+      - age:
+        - *admin_cdombroski
+        - *system_orangepihole

flake.lock

@@ -61,11 +61,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1712386041,
+        "lastModified": 1714043624,
-        "narHash": "sha256-dA82pOMQNnCJMAsPG7AXG35VmCSMZsJHTFlTHizpKWQ=",
+        "narHash": "sha256-Xn2r0Jv95TswvPlvamCC46wwNo8ALjRCMBJbGykdhcM=",
         "owner": "nix-community",
         "repo": "home-manager",
-        "rev": "d6bb9f934f2870e5cbc5b94c79e9db22246141ff",
+        "rev": "86853e31dc1b62c6eeed11c667e8cdd0285d4411",
         "type": "github"
       },
       "original": {
@@ -91,13 +91,29 @@
         "type": "github"
       }
     },
-    "nixpkgs_2": {
+    "nixpkgs-stable": {
       "locked": {
-        "lastModified": 1713725259,
+        "lastModified": 1713638189,
-        "narHash": "sha256-9ZR/Rbx5/Z/JZf5ehVNMoz/s5xjpP0a22tL6qNvLt5E=",
+        "narHash": "sha256-q7APLfB6FmmSMI1Su5ihW9IwntBsk2hWNXh8XtSdSIk=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "a5e4bbcb4780c63c79c87d29ea409abf097de3f7",
+        "rev": "74574c38577914733b4f7a775dd77d24245081dd",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
+        "ref": "release-23.11",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
+    "nixpkgs_2": {
+      "locked": {
+        "lastModified": 1713995372,
+        "narHash": "sha256-fFE3M0vCoiSwCX02z8VF58jXFRj9enYUSTqjyHAjrds=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "dd37924974b9202f8226ed5d74a252a9785aedf8",
         "type": "github"
       },
       "original": {
@@ -111,7 +127,29 @@
         "deploy-rs": "deploy-rs",
         "flake-utils": "flake-utils",
         "home-manager": "home-manager",
-        "nixpkgs": "nixpkgs_2"
+        "nixpkgs": "nixpkgs_2",
+        "sops-nix": "sops-nix"
+      }
+    },
+    "sops-nix": {
+      "inputs": {
+        "nixpkgs": [
+          "nixpkgs"
+        ],
+        "nixpkgs-stable": "nixpkgs-stable"
+      },
+      "locked": {
+        "lastModified": 1713892811,
+        "narHash": "sha256-uIGmA2xq41vVFETCF1WW4fFWFT2tqBln+aXnWrvjGRE=",
+        "owner": "Mic92",
+        "repo": "sops-nix",
+        "rev": "f1b0adc27265274e3b0c9b872a8f476a098679bd",
+        "type": "github"
+      },
+      "original": {
+        "owner": "Mic92",
+        "repo": "sops-nix",
+        "type": "github"
       }
     },
     "systems": {

flake.nix

@@ -8,8 +8,12 @@
       url = github:nix-community/home-manager/release-23.11;
       inputs.nixpkgs.follows = "nixpkgs";
     };
+    sops-nix = {
+      url = "github:Mic92/sops-nix";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
   };
-  outputs = inputs@{ self, nixpkgs, flake-utils, home-manager, deploy-rs, ... }:
+  outputs = inputs@{ self, nixpkgs, flake-utils, home-manager, deploy-rs, sops-nix, ... }:
   let
     pkgs = import nixpkgs { system = "x86_64-linux"; };
     aarch64Pkgs = import nixpkgs { system = "aarch64-linux"; };
@@ -32,6 +36,7 @@
     nixosConfigurations = {
       smolboi = nixpkgs.lib.nixosSystem {
         system = "x86_64-linux";
+        specialArgs = { inherit inputs; };
         modules = [
           ./systems/smolboi/configuration.nix
           home-manager.nixosModules.home-manager
@@ -41,8 +46,14 @@
           }
         ];
       };
+      zeus = nixpkgs.lib.nixosSystem {
+        system = "x86_64-linux";
+        specialArgs = { inherit inputs; };
+        modules = [ ./systems/zeus/configuration.nix ];
+      };
       orangepihole = nixpkgs.lib.nixosSystem {
         system = "aarch64-linux";
+        specialArgs = { inherit inputs; };
         modules = [ ./systems/orangepihole/configuration.nix ];
       };
     };
@@ -54,6 +65,10 @@
           hostname = "smolboi";
           profiles.system.path = deployPkgs.deploy-rs.lib.activate.nixos self.nixosConfigurations.smolboi;
         };
+        zeus = {
+          hostname = "zeus";
+          profiles.system.path = deployPkgs.deploy-rs.lib.activate.nixos self.nixosConfigurations.zeus;
+        };
         orangepihole = {
           hostname = "orangepihole";
           profiles.system.path = deployAarch64Pkgs.deploy-rs.lib.activate.nixos self.nixosConfigurations.orangepihole;

modules/aarch64-emu.nix

@@ -0,0 +1,3 @@
+{...}: {
+  boot.binfmt.emulatedSystems = [ "aarch64-linux" ];
+}

modules/common.nix

@@ -0,0 +1,3 @@
+{...}: {
+    imports = builtins.map (n: toString ./common + "/${n}") (builtins.attrNames (builtins.removeAttrs (builtins.readDir ./common) [(builtins.unsafeGetAttrPos "_" {_ = null;}).file]));
+}

modules/common/common.nix

@@ -0,0 +1,5 @@
+{...}: {
+  time.timeZone = "America/New_York";
+  i18n.defaultLocale = "en_US.UTF-8";
+  programs.vim.defaultEditor = true;
+}

modules/common/msmtp.nix

@@ -0,0 +1,26 @@
+{ config, ... }: {
+  sops.secrets."gmail/password" = {};
+  programs.msmtp = {
+    enable = true;
+    accounts.default = {
+      auth = true;
+      tls = true;
+      host = "smtp.gmail.com";
+      port = 587;
+      from = "${config.networking.hostName}@notification.icanttype.org";
+      user = "cdombroski";
+      passwordeval = "cat ${config.sops.secrets."gmail/password".path}";
+    };
+    defaults.aliases = "/etc/aliases";
+  };
+
+  environment.etc = {
+    "aliases" = {
+      text = ''
+        root: cdombroski@gmail.com
+        '';
+      mode = "0644";
+    };
+  };
+}
+

modules/common/nix.nix

@@ -0,0 +1,19 @@
+{pkgs, ...}: {
+  environment.systemPackages = with pkgs; [
+    git
+    nix-output-monitor
+  ];
+  nix = {
+    settings.experimental-features = [ "nix-command" "flakes" ];
+    gc = {
+      automatic = true;
+      options = "--delete-older-than 30d";
+      dates = "weekly";
+    };
+    optimise.automatic = true;
+  };
+  system.autoUpgrade = {
+    enable = true;
+    flake = "git+https://git.icanttype.org/cdombroski/nix-configs.git";
+  };
+}

modules/common/sops.nix

@@ -0,0 +1,7 @@
+{ inputs, ... } : {
+  imports = [ inputs.sops-nix.nixosModules.sops ];
+  sops.defaultSopsFile = ../../secrets/secret.yaml;
+  sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
+  sops.age.keyFile = "/var/lib/sops-nix/key.txt";
+  sops.age.generateKey = true;
+}

modules/common/sshd.nix

@@ -0,0 +1,6 @@
+{...}: {
+  services.openssh.enable = true;
+  users.users.root.openssh.authorizedKeys.keys = [
+    "ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAgEApZvmNao6HvjOI3NQ96+Hu+N4MTw20KSvrx7ml8/PD4zb5GXo2sXRROHy0VclIXBEPKPKq93QGCMhfCR0jvr2tSib5CwrCMDnjjRxGJV36jhCE1mOV6TKis1MDdigg/7NSVf+eszUW4ed6CSDNFu3ooVZSwdf4Tja2672ROk1W59rDbfgs0Et7pRNnmWM1q+sTbD0eRbY9+0DXBhx5u4OVjp6eNNmO59WGErVvAAjOnZR3rw2LSX7MDrtzeCe1sdR/28WGPIIUVL8eCorlhzPB6PfrTL1Y/fbWAOGdvs6h+wTPX3ivTlrs8J5AXERCymp/CXIA1mwVjnM9zOklFhun+VvCNNJsZPSM62jrHfD4bP11y1kSt87TORGW517nWdS80oUY6MwxRcN2salwWzZA0sVjIHmvc4FkAuPHhdlMQpkym9fpFfR9taWlxU2NMP/+Quj3NaAPKksPvUGwos8lP8Z+QF5ljedNZFsC5/S0u6Fqoa26zRTnVki4KhfGPyKHXIUp9kNV7PRz4oRizHibUfp05xVMACtVIn+pQU7CaQEJCdYfLpo9gMDZ+6ZanmQX0vCUEyiaimrF/eSCkzjBtqSKMRHLd6ADEFEDxSr5nfaqgkddQVkQiBvngCnKwYcKfINA5mYIIFJZyLxpki03SHT6qGT541iHT3OX9F4MBc="
+  ];
+}

modules/networkd-base.nix

@@ -0,0 +1,8 @@
+{...}: {
+  systemd.network.enable = true;
+  networking.useNetworkd = true;
+  services.resolved = {
+    enable = true;
+    fallbackDns = [ "8.8.8.8" ];
+  };
+}

modules/smartd.nix

@@ -0,0 +1,6 @@
+{...}: {
+  services.smartd = {
+    enable = true;
+    defaults.monitored = "-a -o on -s (S/../.././02|L/../../7/04)";
+  };
+}

secrets/secret.yaml

@@ -0,0 +1,49 @@
+gmail:
+    password: ENC[AES256_GCM,data:rCL2RzU1INRT5KOyl1JriQ==,iv:jhFDcNHgIJnZTBN9msECQWvy75IH1wO5IFAxqR4Ugng=,tag:cK+A4Os/9xchpNjpb2KAbQ==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age15va8dthvmn30ymex0kkrrk034aq25drmsx4mkmf480a8uq4tvcyqw5s4uk
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBRbEdQaDZhUVdIMUFjSVlK
+            WUF6NDU2SnUrRHNQUmNRKzVKV0NtYnljMjNJCkdIbGNvZVN5Mkl1Uk5qclZNcnBJ
+            MlBEbUlUdFIxM0krRnZ2ZWgwVThpYXMKLS0tIDVxZjRMUjBQM2oySmJFR2RnSWpT
+            TnprMkgzckJRUmF4VkJjMGJIWWdQbmcKr82c2dd+xN+aNA7dnH0ewD/Y3Ed8/qcE
+            JP5U19gTNah/DmeKB0X0J+iX5akjxNAfe2LmgYGJseLqqaIj9uyatg==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1qmv6x6zwxhaks86nqtsvck56ucdyc9fakgp59a30afl95p6vp4aqyf22hp
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBJRUpyOFJSeS9XN0NWUDI5
+            QS9nZDVOWGlRNmZXa0ZnSGNIMGtMTDV5TDBBCkkwcHBtcjVRLzhiejhreWxXS2Fj
+            dWpRaXByS1hlWCs4U2tQdCtWOWpSRzQKLS0tIFhheWxDNjNxOGlsdzNyN1FUblNa
+            ZEMrUmhYUXhZVStjRlhVYVB2U25PRW8KMruYhZ46Yf2K/DiUu6SUWMAWmCqKE6dm
+            ijtyMzEI5JLlQs8NfbujlGx9giVtUD9tHiNcNim2cb5m49nriaIuTg==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1y06hfa8ctp3tr7g2rukmst4cl064hxaqfsx8w0yq4tgmcrv7qvksct7mnl
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA0WjBBMnRERWsyUkQ5WCt6
+            Tndvdml0UFlnS3RRY0FyT2thYkpDYmZFeTA4ClY5QXN1SWFxYWsydm55QmZIaldT
+            WFI4VC9CdjFqOUdWeDhOcDIveDN4ZjgKLS0tIEI0c3Y0SnlJTGl0T3JjSlRpYVpF
+            MW4rYXM5SFg2T1dRN2FBelRVQTBvMXcK32StTJfp44BepZ4pAZbZQJ0qZxF/FkZd
+            xhzpwvzG0ztrRA3uQy5tEhNYuge4hyn2gNV4lgT13RJSngXULXVt+A==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age12g2kuerwhpyd4t0jrynfc0wlj66rltyp34lsca4y5llmly8jppcq5ug3kc
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA1eFJSeVJQSjRmZ1cyUGRt
+            SXF3bUdLZjIrb1JHMzFQeVpaTFVxNk02b2lJCkVSUysyQVlNajNjNzhmUFhjTk1s
+            bzQ2VVU0RXhVNnYwTEhzRlRMK2NyK0kKLS0tIFdzN0xIOHM0YnRqaDBHRXBqeWJs
+            OFd1RTNYcGJGSXJOaFpnbjR6YzhjQzAKUZxz47g2MKCVTS1gGJ7p6XCubBu+/CUM
+            IPQ9uBaW99BB9W9JuIih34/qMVxd/1EHDVk3IDiNB3F3bM8f2LL1yA==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2024-04-26T17:48:10Z"
+    mac: ENC[AES256_GCM,data:H2ZvNgVmtUgeNOvXGWxLFC6t8sCzingICyD6Raj42FIYRVaFLbrVblhESVrCYM2LclehBlSS9ceCk6+B/zaYyd5iE8ENzgz287S6t6RfZR9kfWFrtOJ4RINyGDKIFQ4mlt7+QB83DeW7jONeIRbrdI2Imx7fhXes3uHDc51wjGQ=,iv:PDiijPXwGneoo/QQBovxpoT5b0EBpgAGpExnrQ8lfvQ=,tag:PveY9JhZxpMHIbFHLGoSgA==,type:str]
+    pgp: []
+    unencrypted_suffix: _unencrypted
+    version: 3.8.1

systems/orangepihole/configuration.nix

@@ -4,6 +4,8 @@
   imports =
     [ # Include the results of the hardware scan.
       ./hardware-configuration.nix
+      ../../modules/common.nix
+      ../../modules/networkd-base.nix
     ];
 
   boot.loader.grub.enable = false;
@@ -12,9 +14,7 @@
 
   networking = {
     hostName = "orangepihole"; # Define your hostname.
-    useNetworkd = true;
   };
-  systemd.network.enable = true;
   systemd.network.networks."40-end0" = {
     matchConfig.Name = "end0";
     address = [ "10.42.69.2/24" "fd72:3dd5:21ae:3c97::2/64" ];
@@ -28,17 +28,16 @@
       DNS = "10.42.69.2";
       EmitRouter = true;
       Router = "10.42.69.1";
+      SendOption = [ "15:string:icanttype.org" "119:string:icanttype.org" ];
     };
     networkConfig.IPv6SendRA = true;
     ipv6SendRAConfig.RouterLifetimeSec = 0;
     ipv6SendRAConfig.EmitDNS = false;
     ipv6Prefixes = [ { ipv6PrefixConfig.Prefix = "fd72:3dd5:21ae:3c97::/64"; } ];
   };
-  time.timeZone = "America/New_York";
 
   zramSwap.enable = true;
   swapDevices = [ {device="/swapfile"; size=1024;}];
-  services.resolved.enable = true;
   services.unbound = {
     enable = true;
     settings = {
@@ -66,23 +65,19 @@
       '';
     };
   };
-  users.users.root.openssh.authorizedKeys.keys = [ 
-    "ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAgEApZvmNao6HvjOI3NQ96+Hu+N4MTw20KSvrx7ml8/PD4zb5GXo2sXRROHy0VclIXBEPKPKq93QGCMhfCR0jvr2tSib5CwrCMDnjjRxGJV36jhCE1mOV6TKis1MDdigg/7NSVf+eszUW4ed6CSDNFu3ooVZSwdf4Tja2672ROk1W59rDbfgs0Et7pRNnmWM1q+sTbD0eRbY9+0DXBhx5u4OVjp6eNNmO59WGErVvAAjOnZR3rw2LSX7MDrtzeCe1sdR/28WGPIIUVL8eCorlhzPB6PfrTL1Y/fbWAOGdvs6h+wTPX3ivTlrs8J5AXERCymp/CXIA1mwVjnM9zOklFhun+VvCNNJsZPSM62jrHfD4bP11y1kSt87TORGW517nWdS80oUY6MwxRcN2salwWzZA0sVjIHmvc4FkAuPHhdlMQpkym9fpFfR9taWlxU2NMP/+Quj3NaAPKksPvUGwos8lP8Z+QF5ljedNZFsC5/S0u6Fqoa26zRTnVki4KhfGPyKHXIUp9kNV7PRz4oRizHibUfp05xVMACtVIn+pQU7CaQEJCdYfLpo9gMDZ+6ZanmQX0vCUEyiaimrF/eSCkzjBtqSKMRHLd6ADEFEDxSr5nfaqgkddQVkQiBvngCnKwYcKfINA5mYIIFJZyLxpki03SHT6qGT541iHT3OX9F4MBc="
-  ];
 
 
   environment.systemPackages = with pkgs; [
-    git
     vim # Do not forget to add an editor to edit configuration.nix! The Nano editor is also installed by default.
     wget
   ];
 
-  services.openssh.enable = true;
+  networking.firewall = {
-
+    allowedUDPPorts = [ 53 67 68 ];
-  networking.firewall.enable = false;
+    allowedTCPPorts = [ 53 ];
+  };
 
   system.stateVersion = "23.11"; # Did you read the comment?
-  system.autoUpgrade.allowReboot = false;
   nix.buildMachines = [ {
     hostName = "zeus";
     systems = [ "x86_64-linux" "aarch64-linux" ];
@@ -93,9 +88,5 @@
   }];
   nix.distributedBuilds = true;
   nix.extraOptions = "builders-use-substitutes = true";
-  nix.settings.experimental-features = [ "nix-command" "flakes" ];
-  nix.gc.automatic = true;
-  nix.gc.options = "--delete-older-than 7d";
-  nix.optimise.automatic = true;
 }
 

systems/smolboi/configuration.nix

@@ -1,27 +1,20 @@
-# Edit this configuration file to define what should be installed on
-# your system. Help is available in the configuration.nix(5) man page, on
-# https://search.nixos.org/options and in the NixOS manual (`nixos-help`).
-
 { config, lib, pkgs, ... }:
 
 {
   imports =
     [ # Include the results of the hardware scan.
     ./hardware-configuration.nix
+    ../../modules/common.nix
+    ../../modules/aarch64-emu.nix
+    ../../modules/smartd.nix
   ];
 
-  # Use the systemd-boot EFI boot loader.
   boot = {
     blacklistedKernelModules = [ "k10temp" ];
     extraModulePackages = with config.boot.kernelPackages; [ zenpower ];
     kernelParams = [ "amd_pstate=passive" ];
     loader.systemd-boot.enable = true;
     loader.efi.canTouchEfiVariables = true;
-    plymouth = {
-      enable = false;
-      theme = "breeze";
-    };
-    binfmt.emulatedSystems = [ "aarch64-linux" ];
     binfmt.registrations.appimage = {
       wrapInterpreterInShell = false;
       interpreter = "${pkgs.appimage-run}/bin/appimage-run";
@@ -36,23 +29,9 @@
 
   networking = {
     hostName = "smolboi"; # Define your hostname.
-    # Pick only one of the below networking options.
-    # networking.wireless.enable = true;  # Enables wireless support via wpa_supplicant.
     networkmanager.enable = true;  # Easiest to use and most distros use this by default.
     firewall.allowedTCPPorts = [ 22000 ];
   };
-  nix = {
-    settings = {
-      experimental-features = [ "nix-command" "flakes" ];
-      sandbox = true;
-    };
-    gc = {
-      automatic = true;
-      options = "--delete-older-than 30d";
-      dates = "weekly";
-    };
-    optimise.automatic = true;
-  };
   nixpkgs.config = {
     allowUnfree = true;
     permittedInsecurePackages = [
@@ -78,22 +57,7 @@
     };
   };
 
-  # Set your time zone.
-  time.timeZone = "America/New_York";
 
-  # Configure network proxy if necessary
-  # networking.proxy.default = "http://user:password@proxy:port/";
-  # networking.proxy.noProxy = "127.0.0.1,localhost,internal.domain";
-
-  # Select internationalisation properties.
-  i18n.defaultLocale = "en_US.UTF-8";
-  # console = {
-  #   font = "Lat2-Terminus16";
-  #   keyMap = "us";
-  #   useXkbConfig = true; # use xkb.options in tty.
-  # };
-
-  # Enable the X11 windowing system.
   services = {
     xserver = {
       enable = true;
@@ -104,11 +68,6 @@
       desktopManager.plasma5.enable = true;
     };
 
-    # Configure keymap in X11
-    # services.xserver.xkb.layout = "us";
-    # services.xserver.xkb.options = "eurosign:e,caps:escape";
-
-    # Enable CUPS to print documents.
     printing = {
       enable = true;
       drivers = [ pkgs.gutenprint ];
@@ -128,7 +87,6 @@
     hardware.openrgb.enable = true;
     resolved.enable = true;
     btrfs.autoScrub.enable = true;
-    openssh.enable = true;
   };
   hardware = {
     sane = {
@@ -138,35 +96,15 @@
     bluetooth.enable = true;
   };
 
-  # Enable sound.
   security = {
     rtkit.enable = true;
   };
-  # hardware.pulseaudio.enable = true;
-
-  # Enable touchpad support (enabled default in most desktopManager).
-  # services.xserver.libinput.enable = true;
-
-  # Define a user account. Don't forget to set a password with ‘passwd’.
-  # users.users.alice = {
-  #   isNormalUser = true;
-  #   extraGroups = [ "wheel" ]; # Enable ‘sudo’ for the user.
-  #   packages = with pkgs; [
-  #     firefox
-  #     tree
-  #   ];
-  # };
-  users.users.root.openssh.authorizedKeys.keys = [ 
-    "ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAgEApZvmNao6HvjOI3NQ96+Hu+N4MTw20KSvrx7ml8/PD4zb5GXo2sXRROHy0VclIXBEPKPKq93QGCMhfCR0jvr2tSib5CwrCMDnjjRxGJV36jhCE1mOV6TKis1MDdigg/7NSVf+eszUW4ed6CSDNFu3ooVZSwdf4Tja2672ROk1W59rDbfgs0Et7pRNnmWM1q+sTbD0eRbY9+0DXBhx5u4OVjp6eNNmO59WGErVvAAjOnZR3rw2LSX7MDrtzeCe1sdR/28WGPIIUVL8eCorlhzPB6PfrTL1Y/fbWAOGdvs6h+wTPX3ivTlrs8J5AXERCymp/CXIA1mwVjnM9zOklFhun+VvCNNJsZPSM62jrHfD4bP11y1kSt87TORGW517nWdS80oUY6MwxRcN2salwWzZA0sVjIHmvc4FkAuPHhdlMQpkym9fpFfR9taWlxU2NMP/+Quj3NaAPKksPvUGwos8lP8Z+QF5ljedNZFsC5/S0u6Fqoa26zRTnVki4KhfGPyKHXIUp9kNV7PRz4oRizHibUfp05xVMACtVIn+pQU7CaQEJCdYfLpo9gMDZ+6ZanmQX0vCUEyiaimrF/eSCkzjBtqSKMRHLd6ADEFEDxSr5nfaqgkddQVkQiBvngCnKwYcKfINA5mYIIFJZyLxpki03SHT6qGT541iHT3OX9F4MBc="
-  ];
   users.users.cdombroski = {
     isNormalUser = true;
     extraGroups = [ "wheel" ];
     uid = 1000;
   };
 
-  # List packages installed in system profile. To search, run:
-  # $ nix search wget
   environment = {
     systemPackages = with pkgs; [
       vim-full # Do not forget to add an editor to edit configuration.nix! The Nano editor is also installed by default.
@@ -176,16 +114,12 @@
       chromium
       skanlite
       htop
-      git
       kate
       cifs-utils
     ];
     pathsToLink = [ "/share/bash-completion" ];
   };
 
-  # Some programs need SUID wrappers, can be configured further or are
-  # started in user sessions.
-  # programs.mtr.enable = true;
   programs = {
     gnupg.agent = {
       enable = true;
@@ -215,25 +149,11 @@
     };
     gamescope.enable = true;
   };
-  # List services that you want to enable:
   zramSwap = {
     enable = true;
     writebackDevice = "/dev/disk/by-partuuid/e8f5eaf8-46ca-40de-854a-f6dfe964b92d";
   };
 
-  # Enable the OpenSSH daemon.
-  # services.openssh.enable = true;
-
-  # Open ports in the firewall.
-  # networking.firewall.allowedTCPPorts = [ ... ];
-  # networking.firewall.allowedUDPPorts = [ ... ];
-  # Or disable the firewall altogether.
-  networking.firewall.enable = false;
-
-  # Copy the NixOS configuration file and link it from the resulting system
-  # (/run/current-system/configuration.nix). This is useful in case you
-  # accidentally delete configuration.nix.
-
   fileSystems = {
     "/".options = [ "compress=lzo" "autodefrag" "discard=async" "defaults" ];
     "/nix".options = [ "compress=lzo" "autodefrag" "discard=async" "noatime" "defaults" ];
@@ -241,22 +161,6 @@
     "/home".options = [ "compress=lzo" "autodefrag" "discard=async" "defaults" ];
   };
 
-  # This option defines the first version of NixOS you have installed on this particular machine,
-  # and is used to maintain compatibility with application data (e.g. databases) created on older NixOS versions.
-  #
-  # Most users should NEVER change this value after the initial install, for any reason,
-  # even if you've upgraded your system to a new NixOS release.
-  #
-  # This value does NOT affect the Nixpkgs version your packages and OS are pulled from,
-  # so changing it will NOT upgrade your system.
-  #
-  # This value being lower than the current NixOS release does NOT mean your system is
-  # out of date, out of support, or vulnerable.
-  #
-  # Do NOT change this value unless you have manually inspected all the changes it would make to your configuration,
-  # and migrated your data accordingly.
-  #
-  # For more information, see `man configuration.nix` or https://nixos.org/manual/nixos/stable/options#opt-system.stateVersion .
   system.stateVersion = "23.11"; # Did you read the comment?
 }
 

systems/smolboi/home.nix

@@ -75,32 +75,6 @@
     # '')
   ];
 
-  systemd.user = {
-    services = {
-      autoupgrade = {
-        Service = {
-          WorkingDirectory = "/home/cdombroski/work/nix-configs";
-          Type = "oneshot";
-          ExecStart = "${pkgs.writeShellScript "upgrade-system" ''
-            ${pkgs.nix}/bin/nix flake update
-            ${pkgs.git}/bin/git add .
-            ${pkgs.git}/bin/git commit -m "update flake"
-            ${pkgs.git}/bin/git push
-            ${pkgs.deploy-rs}/bin/deploy
-            ''}";
-        };
-      };
-    };
-    timers = {
-      autoupgrade = {
-        Timer = {
-          OnCalendar = "daily";
-        };
-        Install.WantedBy = [ "timers.target" ];
-      };
-    };
-  };
-
   nixpkgs.config = {
     allowUnfreePredicate = pkg: builtins.elem (lib.getName pkg) [
       "discord"

systems/zeus/configuration.nix

@@ -0,0 +1,290 @@
+{ config, lib, pkgs, ... }:
+
+{
+  imports =
+    [ # Include the results of the hardware scan.
+      ./hardware-configuration.nix
+      ../../modules/common.nix
+      ../../modules/aarch64-emu.nix
+      ../../modules/networkd-base.nix
+      ../../modules/smartd.nix
+    ];
+
+  boot.loader.grub.enable = true;
+  boot.loader.grub.zfsSupport = true;
+  boot.kernelPackages = config.boot.zfs.package.latestCompatibleLinuxPackages;
+  boot.loader.grub.devices = [ "/dev/sda" "/dev/sdb" "/dev/sdc" "/dev/sdd" "/dev/sde" "/dev/sdf" ];
+
+  networking.hostName = "zeus"; # Define your hostname.
+  networking.hostId = "9e95b576";
+  systemd.network.netdevs = {
+    bond0 = {
+      netdevConfig = {
+        Name = "bond0";
+        Kind = "bond";
+      };
+      bondConfig = {
+        Mode = "active-backup";
+      };
+    };
+    lan-shim = {
+      netdevConfig = {
+        Name = "lan-shim";
+        Kind = "macvlan";
+        MACAddress = "3e:53:37:25:08:ef";
+      };
+      macvlanConfig = {
+        Mode = "bridge";
+      };
+    };
+    wg0 = {
+      netdevConfig = {
+        Name = "wg0";
+        Kind = "wireguard";
+      };
+      wireguardConfig = {
+        PrivateKeyFile = "/etc/nixos/wireguard.priv";
+        ListenPort = 51821;
+      };
+      wireguardPeers = [{
+        wireguardPeerConfig = {
+          PublicKey = "ZT+n0XONAZ6dkiIJR+2bmTT9y7WTxDNdnZo5S7b8vxE=";
+          AllowedIPs = [ "10.98.0.0/31" ];
+          PresharedKeyFile = "/etc/nixos/wireguard.psk";
+          PersistentKeepalive = 25;
+          Endpoint = "remote.kow.is:51821";
+        };
+      }];
+    };
+  };
+  systemd.network.networks = {
+    "00-bondage" = {
+      name = "en*";
+      networkConfig.Bond = "bond0";
+    };
+    bond0 = {
+      name = "bond0";
+      networkConfig.MACVLAN = "lan-shim";
+    };
+    lan-shim = {
+      name = "lan-shim";
+      address = [ "10.42.69.100/24" "fd72:3dd5:21ae:3c97:101b:87ff:fe86:5f01/64" ];
+      dns = [ "10.42.69.2" ];
+      domains = [ "icanttype.org" ];
+      gateway = [ "10.42.69.1" ];
+    };
+    wg0 = {
+      name = "wg0";
+      address = [ "10.98.0.0/31" "fd72:3dd5:21ae:ff1a::1/64" ];
+    };
+  };
+
+
+  virtualisation = {
+    containers.enable = true;
+    podman = {
+      enable = true;
+      dockerCompat = true;
+      defaultNetwork.settings.dns_enabled = true;
+    };
+    oci-containers.containers = {
+      dockerproxy = {
+        image = "ghcr.io/tecnativa/docker-socket-proxy:latest";
+        volumes = [ "/var/run/podman/podman.sock:/var/run/docker.sock:ro" ];
+        environment = {
+          CONTAINERS="1";
+          POST="0";
+        };
+        extraOptions = [ "--pull=newer" "--network=www"];
+      };
+      swag = {
+        image = "lscr.io/linuxserver/swag:2.9.0-ls292";
+        volumes = [ "swag-config:/config" ];
+        environment = {
+          TZ="America/New_York";
+          URL="icanttype.org";
+          VALIDATION="dns";
+          SUBDOMAINS="wildcard";
+          DNSPLUGIN="cloudflare";
+          DOCKER_HOST="dockerproxy";
+          DOCKER_MODS="linuxserver/mods:swag-dashboard|linuxserver/mods:swag-auto-proxy|linuxserver/mods:universal-docker|linuxserver/mods:universal-cloudflared";
+          CF_ZONE_ID="4e68852334290a922718696a0986e75a";
+          CF_ACCOUNT_ID="5c1c252b9d9a9af6ea3a5de8590f36fa";
+          CF_API_TOKEN="mRfY8ubtFUxzVuehI6WFipSQFIcstCNds7RF5FTQ";
+          CF_TUNNEL_NAME="icanttype.org";
+          CF_TUNNEL_PASSWORD="iZh4UYxVSo3S2H3XwwboM2z@mJEqYJkQ5yMTfd5p";
+          FILE__CF_TUNNEL_CONFIG="/config/tunnelconfig.yml";
+          EMAIL="cdombroski@gmail.com";
+        };
+        ports = [ "80:80" "443:443" ];
+        extraOptions = [ "--pull=newer" "--network=www" "--cap-add" "NET_ADMIN" "--network-alias=icanttype.org" ];
+      };
+      jellyfin = {
+        image = "lscr.io/linuxserver/jellyfin:latest";
+        volumes = [ "jellyfin-config:/config" "/video-data/media:/data/media" ];
+        environment.TZ="America/New_York";
+        labels.swag = "enable";
+        ports = [ "1900:1900/udp" "7359:7359/udp" ];
+        extraOptions = [ "--pull=newer" "--network=www" ];
+      };
+      zwave-js-ui = {
+        image = "docker.io/zwavejs/zwave-js-ui:latest";
+        volumes = [ "zwave-config:/usr/src/app/store" ];
+        environment.TZ = "America/New_York";
+        labels = { swag = "enable"; swag_url = "zwave.icanttype.org"; };
+        extraOptions = [ "--pull=newer" "--network=www" "--device=/dev/ttyACM0:/dev/zwave" ];
+      };
+      homeassistant = {
+        image = "lscr.io/linuxserver/homeassistant:latest";
+        volumes = [ "homeassistant-config:/config" ];
+        environment.TZ = "America/New_York";
+        labels.swag = "enable";
+        extraOptions = [ "--pull=newer" "--network=www" "--network=lan" ];
+      };
+      postgres = {
+        image = "docker.io/library/postgres:15";
+        volumes = [ "postgres-15:/var/lib/postgresql/data" ];
+        extraOptions = [ "--pull=newer" "--network=www" ];
+      };
+      calibre = {
+        image = "lscr.io/linuxserver/calibre:latest";
+        volumes = [ "calibre-config:/config" "/video-data:/data" ];
+        environment.TZ = "America/New_York";
+        labels.swag = "enable";
+        extraOptions = [ "--pull=newer" "--network=www" ];
+      };
+      calibre-web = {
+        image = "lscr.io/linuxserver/calibre-web:latest";
+        volumes = [ "calibre-web-config:/config" "/video-data:/data" ];
+        environment.TZ = "America/New_York";
+        labels.swag = "enable";
+        extraOptions = [ "--pull=newer" "--network=www" ];
+      };
+      flaresolverr = {
+        image = "ghcr.io/flaresolverr/flaresolverr:latest";
+        environment.LOG_LEVEL = "info";
+        extraOptions = [ "--pull=newer" "--network=www" ];
+      };
+      qbittorrent = {
+        image = "lscr.io/linuxserver/qbittorrent:latest";
+        volumes = [ "qbittorrent-config:/config" "/video-data/torrent:/data/torrent" ];
+        environment = {
+          TZ = "America/New_York";
+          UMASK_SET = "000";
+          DELUGE_LOGLEVEL = "error";
+        };
+        labels.swag = "enable";
+        ports = [ "34996:34996" "34996:34996/udp" ];
+        extraOptions = [ "--pull=newer" "--network=www" ];
+      };
+      prowlarr = {
+        image = "lscr.io/linuxserver/prowlarr:latest";
+        volumes = [ "prowlarr-config:/config" ];
+        environment.TZ = "America/New_York";
+        labels.swag = "enable";
+        extraOptions = [ "--pull=newer" "--network=www" ];
+      };
+      readarr = {
+        image = "lscr.io/linuxserver/readarr:develop";
+        volumes = [ "readarr-config:/config" "/video-data:/data" ];
+        environment.TZ = "America/New_York";
+        labels.swag = "enable";
+        extraOptions = [ "--pull=newer" "--network=www" ];
+      };
+      radarr = {
+        image = "lscr.io/linuxserver/radarr:latest";
+        volumes = [ "radarr-config:/config" "/video-data:/data" ];
+        environment.TZ = "America/New_York";
+        labels.swag = "enable";
+        extraOptions = [ "--pull=newer" "--network=www" ];
+      };
+      sonarr = {
+        image = "lscr.io/linuxserver/sonarr:latest";
+        volumes = [ "sonarr-config:/config" "/video-data:/data" ];
+        environment.TZ = "America/New_York";
+        labels.swag = "enable";
+        extraOptions = [ "--pull=newer" "--network=www" ];
+      };
+      static = {
+        image = "docker.io/library/nginx:alpine";
+        volumes = [ "/srv/docker/nginx/static:/usr/share/nginx/html:ro" "/srv/docker/nginx/config/static/default.conf:/etc/nginx/config.d/default.conf:ro" ];
+        labels = {
+          swag = "enable";
+          swag_url = "www.icanttype.org";
+        };
+        extraOptions = [ "--pull=newer" "--network=www" ];
+      };
+      forgejo = {
+        image = "codeberg.org/forgejo/forgejo:7";
+        volumes = [ "forgejo-data:/data" "/etc/localtime:/etc/localtime:ro" ];
+        labels = {
+          swag = "enable";
+          swag_url = "git.icanttype.org";
+          swag_port = "3000";
+        };
+        ports = [ "10022:22" ];
+        extraOptions = [ "--pull=newer" "--network=www" ]; 
+      };
+      docker_dind = {
+        image = "docker.io/library/docker:dind";
+        cmd = [ "dockerd" "-H" "tcp://0.0.0.0:2375" "--tls=false" ];
+        extraOptions = [ "--pull=newer" "--privileged" "--network=www" ];
+      };
+      runner = {
+        image = "code.forgejo.org/forgejo/runner:3.4.1";
+        dependsOn = [ "docker_dind" ];
+        environment.DOCKER_HOST = "tcp://docker_dind:2375";
+        volumes = [ "forgejo-runner:/data" ];
+        cmd = [ "forgejo-runner" "daemon" ];
+        extraOptions = [ "--pull=newer" "--network=www" ];
+      };
+    };
+  };
+  networking.firewall = {
+    interfaces."podman+" = {
+      allowedUDPPorts = [ 53 ];
+      allowedTCPPorts = [ 53 ];
+    };
+    allowedUDPPorts = [ 137 138 ];
+    allowedTCPPorts = [ 139 445 ];
+  };
+
+  users.users.nixremote = {
+    description = "User for remote builds";
+    isNormalUser = true;
+    uid = 1100;
+    openssh.authorizedKeys.keys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIH7rvqA2VG9kOPHBNgfna0YA+jEjIR6ZAKrdgWVWQjCV root@orangepihole" ];
+  };
+  environment.systemPackages = with pkgs; [
+     vim # Do not forget to add an editor to edit configuration.nix! The Nano editor is also installed by default.
+     dive
+     podman-tui
+     docker-compose
+     wireguard-tools
+  ];
+
+  services.samba.enable = true;
+  services.samba.shares = {
+    media = {
+      path = "/video-data";
+      browseable = "yes";
+      "read only" = "no";
+      "guest ok" = "yes";
+    };
+  };
+  services.zfs.autoScrub.enable = true;
+  services.zfs.zed.settings = {
+    ZED_EMAIL_ADDR = [ "root" ];
+    ZED_EMAIL_PROG = "${pkgs.msmtp}/bin/msmtp";
+    ZED_EMAIL_OPTS = "@ADDRESS@";
+    ZED_NOTIFY_INTERVAL_SECS = 3600;
+    ZED_NOTIFY_VERBOSE = true;
+    ZED_USE_ENCLOSURE_LEDS = true;
+    ZED_SCRUB_AFTER_RESILVER = true;
+  };
+  services.zfs.zed.enableMail = false;
+
+  system.stateVersion = "23.11"; # Did you read the comment?
+  zramSwap.enable = true;
+}
+

systems/zeus/hardware-configuration.nix

@@ -0,0 +1,59 @@
+# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations.  Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+  imports =
+    [ (modulesPath + "/installer/scan/not-detected.nix")
+    ];
+
+  boot.initrd.availableKernelModules = [ "ohci_pci" "ehci_pci" "sata_nv" "sd_mod" ];
+  boot.initrd.kernelModules = [ ];
+  boot.kernelModules = [ "kvm-amd" ];
+  boot.extraModulePackages = [ ];
+
+  fileSystems."/" =
+    { device = "zroot/root";
+      fsType = "zfs";
+    };
+
+  fileSystems."/boot" =
+    { device = "zboot/boot";
+      fsType = "zfs";
+    };
+
+  fileSystems."/home" =
+    { device = "zroot/home";
+      fsType = "zfs";
+    };
+
+  fileSystems."/nix" =
+    { device = "zroot/nix";
+      fsType = "zfs";
+    };
+
+  fileSystems."/var" =
+    { device = "zroot/var";
+      fsType = "zfs";
+    };
+
+  fileSystems."/video-data" =
+    { device = "rpool/video-data";
+      fsType = "zfs";
+    };
+
+  swapDevices =
+    [ { device = "/dev/disk/by-uuid/aecf6400-9c9f-43f9-8c57-08f3c8a633e7"; }
+      { device = "/dev/disk/by-uuid/3fca7d18-441c-4f39-adad-ffd882b1f210"; }
+    ];
+
+  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+  # (the default) this is the recommended approach. When using systemd-networkd it's
+  # still possible to use this option, but it's recommended to use it in conjunction
+  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
+  networking.useDHCP = lib.mkDefault false;
+
+  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+  hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+}