machines: rename to 'hosts/nixos'

This will be more consistent in the future if I want to introduce darwin
or home-manager configurations.

hosts/nixos/aramis/boot.nix

@@ -0,0 +1,32 @@
+{ ... }:
+{
+  boot = {
+    loader = {
+      systemd-boot.enable = true;
+      efi.canTouchEfiVariables = true;
+    };
+
+    initrd = {
+      availableKernelModules = [
+        "nvme"
+        "sd_mod"
+        "sdhci_pci"
+        "usb_storage"
+        "usbhid"
+        "xhci_pci"
+      ];
+      kernelModules = [
+        "dm-snapshot"
+      ];
+      luks.devices.crypt = {
+        device = "/dev/nvme0n1p1";
+        preLVM = true;
+      };
+    };
+
+    kernelModules = [
+      "kvm-intel"
+    ];
+    extraModulePackages = [ ];
+  };
+}

hosts/nixos/aramis/default.nix

@@ -0,0 +1,29 @@
+# Edit this configuration file to define what should be installed on
+# your system.  Help is available in the configuration.nix(5) man page
+# and in the NixOS manual (accessible by running ‘nixos-help’).
+
+{ ... }:
+
+{
+  imports = [
+    ./boot.nix
+    ./hardware.nix
+    ./home.nix
+    ./networking.nix
+    ./profiles.nix
+    ./programs.nix
+    ./services.nix
+    ./sound.nix
+  ];
+
+  # Set your time zone.
+  time.timeZone = "Europe/London";
+
+  # This value determines the NixOS release from which the default
+  # settings for stateful data, like file locations and database versions
+  # on your system were taken. It‘s perfectly fine and recommended to leave
+  # this value at the release version of the first install of this system.
+  # Before changing this value read the documentation for this option
+  # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
+  system.stateVersion = "20.09"; # Did you read the comment?
+}

hosts/nixos/aramis/hardware.nix

@@ -0,0 +1,40 @@
+{ lib, modulesPath, ... }:
+{
+  imports = [
+    (modulesPath + "/installer/scan/not-detected.nix")
+  ];
+
+  fileSystems = {
+    "/" = {
+      device = "/dev/disk/by-label/nixos";
+      fsType = "ext4";
+    };
+
+    "/boot" = {
+      device = "/dev/disk/by-label/boot";
+      fsType = "vfat";
+    };
+  };
+
+  swapDevices = [
+    { device = "/dev/disk/by-label/swap"; }
+  ];
+
+  powerManagement.cpuFreqGovernor = lib.mkDefault "powersave";
+
+  my.hardware = {
+    firmware = {
+      cpuFlavor = "intel";
+    };
+  };
+
+  hardware = {
+    trackpoint = {
+      enable = true;
+
+      emulateWheel = true; # Holding middle buttons allows scrolling
+
+      device = "TPPS/2 Elan TrackPoint"; # Use the correct device name
+    };
+  };
+}

hosts/nixos/aramis/home.nix

@@ -0,0 +1,31 @@
+{ pkgs, ... }:
+{
+  my.home = {
+    # Some amount of social life
+    discord.enable = true;
+    # Image viewver
+    feh.enable = true;
+    # Firefo profile and extensions
+    firefox.enable = true;
+    # Blue light filter
+    gammastep.enable = true;
+    # Use a small popup to enter passwords
+    gpg.pinentry = "gtk2";
+    # Machine specific packages
+    packages.additionalPackages = with pkgs; [
+      element-desktop # Matrix client
+      jellyfin-media-player # Wraps the webui and mpv together
+      pavucontrol # Audio mixer GUI
+      quasselClient # IRC client
+      transgui # Transmission remote
+    ];
+    # Minimal video player
+    mpv.enable = true;
+    # Network-Manager applet
+    nm-applet.enable = true;
+    # Terminal
+    terminal.program = "alacritty";
+    # Zathura document viewer
+    zathura.enable = true;
+  };
+}

hosts/nixos/aramis/install.sh

@@ -0,0 +1,53 @@
+#!/bin/sh
+
+set -eu
+
+if [ "$(id -u)" -ne 0 ]; then
+    echo "This script must be run as root" >&2
+    exit 1
+fi
+
+SWAP_SIZE=16GiB
+
+parted /dev/nvme0n1 --script -- \
+    mklabel gpt \
+    mkpart primary 512MiB 100% \
+    mkpart ESP fat32 1MiB 512MiB \
+    set 2 esp on
+
+cryptsetup luksFormat /dev/nvme0n1p1
+cryptsetup open /dev/nvme0n1p1 crypt
+
+pvcreate /dev/mapper/crypt
+vgcreate lvm /dev/mapper/crypt
+lvcreate -L "$SWAP_SIZE" -n swap lvm
+lvcreate -l 100%FREE -n root lvm
+
+mkfs.ext4 -L nixos /dev/lvm/root
+mkswap -L swap /dev/lvm/swap
+mkfs.vfat -n boot /dev/nvme0n1p2
+
+mount /dev/disk/by-label/nixos /mnt
+mkdir /mnt/boot
+mount /dev/nvme0n1p2 /mnt/boot
+swapon /dev/lvm/swap
+
+cat << EOF
+# Run the following commands as setup user
+nixos-generate-config --root /mnt
+
+# Change uuids to labels
+vim /mnt/etc/nixos/hardware-configuration.nix
+
+# Install system
+mkdir -p /mnt/home/ambroisie/git/nix/config
+cd /mnt/home/ambroisie/git/nix/config
+
+git clone <this-repo> .
+# Assuming you set up GPG key correctly
+git crypt unlock
+
+# Setup LUKS with 'boot.initrd.luks.devices.crypt', device is /dev/nvme0n1p1, preLVM = true
+
+# Use 'nixos-install --flake .#aramis --root /mnt --impure' because of home-manager issue
+EOF

hosts/nixos/aramis/networking.nix

@@ -0,0 +1,19 @@
+{ ... }:
+{
+  networking = {
+    hostName = "aramis";
+
+    # The global useDHCP flag is deprecated, therefore explicitly set to false here.
+    # Per-interface useDHCP will be mandatory in the future, so this generated config
+    # replicates the default behaviour.
+    useDHCP = false;
+  };
+
+  my.hardware.networking = {
+    # Which interface is used to connect to the internet
+    externalInterface = "enp0s3";
+
+    # Enable WiFi integration
+    wireless.enable = true;
+  };
+}

hosts/nixos/aramis/profiles.nix

@@ -0,0 +1,19 @@
+{ ... }:
+{
+  my.profiles = {
+    # Bluetooth configuration and GUI
+    bluetooth.enable = true;
+    # Mouse and keyboard configuration
+    devices.enable = true;
+    # GTK theme configuration
+    gtk.enable = true;
+    # Laptop specific configuration
+    laptop.enable = true;
+    # Printers are hell, but so is the unability to print
+    printing.enable = true;
+    # i3 configuration
+    wm.windowManager = "i3";
+    # X configuration
+    x.enable = true;
+  };
+}

hosts/nixos/aramis/programs.nix

@@ -0,0 +1,7 @@
+{ ... }:
+{
+  my.programs = {
+    # Steam configuration
+    steam.enable = true;
+  };
+}

hosts/nixos/aramis/services.nix

@@ -0,0 +1,8 @@
+{ ... }:
+{
+  config.my.services = {
+    wireguard = {
+      enable = true;
+    };
+  };
+}

hosts/nixos/aramis/sound.nix

@@ -0,0 +1,8 @@
+{ ... }:
+{
+  my.hardware.sound = {
+    pipewire = {
+      enable = true;
+    };
+  };
+}

hosts/nixos/porthos/boot.nix

@@ -0,0 +1,23 @@
+# Boot configuration
+{ ... }:
+
+{
+  boot = {
+    # Use the GRUB 2 boot loader.
+    loader.grub = {
+      enable = true;
+      version = 2;
+      # Define on which hard drive you want to install Grub.
+      device = "/dev/sda";
+    };
+
+    initrd = {
+      availableKernelModules = [ "uhci_hcd" "ahci" "usbhid" ];
+      kernelModules = [ "dm-snapshot" ];
+    };
+
+    kernelModules = [ "kvm-intel" ];
+
+    extraModulePackages = [ ];
+  };
+}

hosts/nixos/porthos/default.nix

@@ -0,0 +1,24 @@
+# Porthos specific settings
+{ ... }:
+
+{
+  imports = [
+    ./boot.nix
+    ./hardware.nix
+    ./home.nix
+    ./networking.nix
+    ./services.nix
+    ./users.nix
+  ];
+
+  # Set your time zone.
+  time.timeZone = "Europe/Paris";
+
+  # This value determines the NixOS release from which the default
+  # settings for stateful data, like file locations and database versions
+  # on your system were taken. It‘s perfectly fine and recommended to leave
+  # this value at the release version of the first install of this system.
+  # Before changing this value read the documentation for this option
+  # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
+  system.stateVersion = "20.09"; # Did you read the comment?
+}

hosts/nixos/porthos/hardware.nix

@@ -0,0 +1,19 @@
+# Hardware configuration
+{ lib, modulesPath, ... }:
+
+{
+  imports = [
+    (modulesPath + "/installer/scan/not-detected.nix")
+  ];
+
+  fileSystems."/" = {
+    device = "/dev/disk/by-label/nixos";
+    fsType = "ext4";
+  };
+
+  swapDevices = [
+    { device = "/dev/disk/by-label/swap"; }
+  ];
+
+  powerManagement.cpuFreqGovernor = lib.mkDefault "ondemand";
+}

hosts/nixos/porthos/home.nix

@@ -0,0 +1,7 @@
+{ ... }:
+{
+  my.home = {
+    # Always start a tmux session when opening a shell session
+    zsh.launchTmux = true;
+  };
+}

hosts/nixos/porthos/install.sh

@@ -0,0 +1,55 @@
+#!/bin/sh
+
+SWAP_SIZE=16GiB
+
+parted /dev/sda --script -- \
+    mklabel msdos \
+    mkpart primary 512MiB -$SWAP_SIZE \
+    mkpart primary linux-swap -$SWAP_SIZE 100% \
+    mkpart ESP fat32 1MiB 512MiB \
+    set 3 esp on
+
+parted /dev/sdb --script -- \
+    mklabel gpt \
+    mkpart primary 0MiB 100%
+
+mkfs.ext4 -L media1 /dev/sda1
+mkfs.ext4 -L media2 /dev/sdb1
+
+pvcreate /dev/sda1
+pvcreate /dev/sdb1
+vgcreate lvm /dev/sda1 /dev/sdb1
+lvcreate -l 100%FREE -n media lvm
+
+mkfs.ext4 -L nixos /dev/mapper/lvm-media
+mkswap -L swap /dev/sda2
+mkfs.fat -F 32 -n boot /dev/sda3
+
+mount /dev/disk/by-label/nixos /mnt
+swapon /dev/sda2
+
+apt install sudo
+useradd -m -G sudo setupuser
+su setupuser
+
+cat << EOF
+# Run the following commands as setup user
+curl -L https://nixos.org/nix/install | sh
+. $HOME/.nix-profile/etc/profile.d/nix.sh
+nix-channel --add https://nixos.org/channels/nixos-20.09 nixpkgs
+sudo `which nixos-generate-config` --root /mnt
+
+# Change uuids to labels
+vim /mnt/etc/nixos/hardware-configuration.nix
+
+# Install system
+mkdir -p /mnt/home/ambroisie/git/nix/config
+cd /mnt/home/ambroisie/git/nix/config
+
+nix-env -iA nixos.git nixos.nix nixos.git-crypt
+git clone <this-repo> .
+# Assuming you set up GPG key correctly
+git crypt unlock
+
+nixos-install --root /mnt --flake '.#<hostname>'
+EOF

hosts/nixos/porthos/networking.nix

@@ -0,0 +1,35 @@
+# Networking configuration
+{ ... }:
+
+{
+  networking = {
+    hostName = "porthos"; # Define your hostname.
+    domain = "belanyi.fr"; # Define your domain.
+
+
+    # The global useDHCP flag is deprecated, therefore explicitly set to false here.
+    # Per-interface useDHCP will be mandatory in the future, so this generated config
+    # replicates the default behaviour.
+    useDHCP = false;
+
+    interfaces = {
+      bond0.useDHCP = true;
+      bonding_masters.useDHCP = true;
+      dummy0.useDHCP = true;
+      erspan0.useDHCP = true;
+      eth0.useDHCP = true;
+      eth1.useDHCP = true;
+      gre0.useDHCP = true;
+      gretap0.useDHCP = true;
+      ifb0.useDHCP = true;
+      ifb1.useDHCP = true;
+      ip6tnl0.useDHCP = true;
+      sit0.useDHCP = true;
+      teql0.useDHCP = true;
+      tunl0.useDHCP = true;
+    };
+  };
+
+  # Which interface is used to connect to the internet
+  my.hardware.networking.externalInterface = "eth0";
+}

hosts/nixos/porthos/services.nix

@@ -0,0 +1,152 @@
+# Deployed services
+{ config, lib, ... }:
+let
+  secrets = config.age.secrets;
+in
+{
+  # List services that you want to enable:
+  my.services = {
+    # Hosts-based adblock using unbound
+    adblock = {
+      enable = true;
+    };
+    # Backblaze B2 backup
+    backup = {
+      enable = true;
+      repository = "b2:porthos-backup";
+      # Backup every 6 hours
+      timerConfig = {
+        OnActiveSec = "6h";
+        OnUnitActiveSec = "6h";
+      };
+      passwordFile = secrets."backup/password".path;
+      credentialsFile = secrets."backup/credentials".path;
+    };
+    # My blog and related hosts
+    blog.enable = true;
+    calibre-web = {
+      enable = true;
+      libraryPath = "/data/media/library";
+    };
+    drone = {
+      enable = true;
+      runners = [ "docker" "exec" ];
+      secretFile = secrets."drone/gitea".path;
+      sharedSecretFile = secrets."drone/secret".path;
+    };
+    # Auto-ban spammy bots and incorrect logins
+    fail2ban = {
+      enable = true;
+    };
+    # Flood UI for transmission
+    flood = {
+      enable = true;
+    };
+    # Gitea forge
+    gitea = {
+      enable = true;
+      mail = {
+        enable = true;
+        host = "smtp.migadu.com:465";
+        user = lib.my.mkMailAddress "gitea" "belanyi.fr";
+        passwordFile = secrets."gitea/mail-password".path;
+      };
+    };
+    # Grocy ERP
+    grocy = {
+      enable = true;
+    };
+    # Meta-indexers
+    indexers = {
+      prowlarr.enable = true;
+    };
+    # Jellyfin media server
+    jellyfin.enable = true;
+    # Gitea mirrorig service
+    lohr = {
+      enable = true;
+      sharedSecretFile = secrets."lohr/secret".path;
+      sshKeyFile = secrets."lohr/ssh-key".path;
+    };
+    # Matrix backend and Element chat front-end
+    matrix = {
+      enable = true;
+      mailConfigFile = secrets."matrix/mail".path;
+      # Only necessary when doing the initial registration
+      # secret = "change-me";
+    };
+    miniflux = {
+      enable = true;
+      credentialsFiles = secrets."miniflux/credentials".path;
+    };
+    # Various monitoring dashboards
+    monitoring = {
+      enable = true;
+      grafana = {
+        passwordFile = secrets."monitoring/password".path;
+      };
+    };
+    # FLOSS music streaming server
+    navidrome = {
+      enable = true;
+      musicFolder = "/data/media/music";
+    };
+    # Nextcloud self-hosted cloud
+    nextcloud = {
+      enable = true;
+      passwordFile = secrets."nextcloud/password".path;
+    };
+    nginx = {
+      enable = true;
+      acme = {
+        credentialsFile = secrets."acme/dns-key".path;
+      };
+      sso = {
+        authKeyFile = secrets."sso/auth-key".path;
+        users = {
+          ambroisie = {
+            passwordHashFile = secrets."sso/ambroisie/password-hash".path;
+            totpSecretFile = secrets."sso/ambroisie/totp-secret".path;
+          };
+        };
+        groups = {
+          root = [ "ambroisie" ];
+        };
+      };
+    };
+    paperless = {
+      enable = true;
+      documentPath = "/data/media/paperless";
+      passwordFile = secrets."paperless/password".path;
+      secretKeyFile = secrets."paperless/secret-key".path;
+    };
+    # The whole *arr software suite
+    pirate.enable = true;
+    # Podcast automatic downloader
+    podgrab = {
+      enable = true;
+      passwordFile = secrets."podgrab/password".path;
+      port = 9598;
+    };
+    # Regular backups
+    postgresql-backup.enable = true;
+    # An IRC client daemon
+    quassel.enable = true;
+    # RSS provider for websites that do not provide any feeds
+    rss-bridge.enable = true;
+    # Usenet client
+    sabnzbd.enable = true;
+    # Because I stilll need to play sysadmin
+    ssh-server.enable = true;
+    # Torrent client and webui
+    transmission = {
+      enable = true;
+      credentialsFile = secrets."transmission/credentials".path;
+    };
+    # Simple, in-kernel VPN
+    wireguard = {
+      enable = true;
+      startAtBoot = true; # Server must be started to ensure clients can connect
+    };
+  };
+}

hosts/nixos/porthos/ssh/drone.pub

@@ -0,0 +1 @@
+ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDWVUvOT1/triPcj7wiLAmiVkPZ71crySbReetHaGxMYYdKNFurJQsP6BqsdCAwrGbduLUDJovLtjOM7SxghjkGqh2RZucj/zqpja8YoFqYTcLutlqa1NwUqQTq21azKBDSdvkBPWWyZhOKssnag+0bZRN3vVajoDrwAU6zJLhHh9eNESTEytAnZnllXsHB1dKF1p7FWVwYTGAc1PdHHSQNMkjg9aCM+VBzTHhp8nF+GOtGzt0A0XnoZGdhn6KqhKyH7KxwPMmeD3RNeCEmQY/TXjthOx/mBkgTEa8LWOBxdy/Rs6edUenvPcQ5tK5nX0GSxxqtbORlhT+tGiqq1UHeIUhXirBUaS7pnDo+Edc0m8ruLcwHwyQ5yVn2ts3daKxb87+PyjYiRxxeQXvbF84ef7ZOkLTEn0tnftFHLqszBfOjoV1DmMNSWPDULD3krObzNbr1I0xHE7bDRXw2t8L1cwHOLHTL9KwsTCw1d25JSxINp2wAZxlGVZLXoXVMKTjfx1xSGbUuRzA1Q6+1IH9WDvSSixDzvc2Dqnj91/xardivApK+T+OxTBurwWsxzEezIAbTCpoKW9ulzu06xWGWhxATkzUmVh/qhFUHAVlmhEvn0KqlYbWteEcUxgKS1uSAoA6+pZh5NMG1u1hLEktBQbDnS0VdyKYBUHZidLuR4w== ambroisie@porthos

hosts/nixos/porthos/users.nix

@@ -0,0 +1,12 @@
+# User setup
+{ ... }:
+{
+  users.users.blog = {
+    description = "Blog Publisher";
+    isNormalUser = true;
+    group = "nginx";
+    createHome = false; # Messes with permissions
+    home = "/var/www/";
+    openssh.authorizedKeys.keyFiles = [ ./ssh/drone.pub ];
+  };
+}