improve hosts documentation

move misc data files to misc directory

apps/encrypt-secret.nix

@@ -11,7 +11,7 @@
     tmpfile=$(mktemp)
     echo "''${secret}" > ''${tmpfile}
     ${pkgs.age}/bin/age --encrypt --armor --recipients-file ${
-      builtins.toString ../public-keys
+      builtins.toString ../misc/public-keys
     } $tmpfile
     rm $tmpfile
   '');

apps/reencrypt-secrets.nix

@@ -17,7 +17,7 @@
         --identity ~/.ssh/id_ed25519 $encryptedfile > $tmpfile
       echo "Encrypting ''${encryptedfile}..."
       ${pkgs.age}/bin/age --encrypt --armor --recipients-file ${
-        builtins.toString ../public-keys
+        builtins.toString ../misc/public-keys
       } $tmpfile > $encryptedfile
       rm $tmpfile
     done

hosts/flame/default.nix

@@ -3,6 +3,7 @@
 
 # How to install:
 # https://blog.korfuri.fr/posts/2022/08/nixos-on-an-oracle-free-tier-ampere-machine/
+# These days, probably use nixos-anywhere instead.
 
 { inputs, globals, overlays, ... }:
 
@@ -21,32 +22,38 @@ inputs.nixpkgs.lib.nixosSystem {
       server = true;
       networking.hostName = "flame";
 
+      # Not sure what's necessary but too afraid to remove anything
       imports = [ (inputs.nixpkgs + "/nixos/modules/profiles/qemu-guest.nix") ];
       boot.initrd.availableKernelModules = [ "xhci_pci" "virtio_pci" "usbhid" ];
 
+      # File systems must be declared in order to boot
+
+      # This is the root filesystem containing NixOS
+      # I forgot to set a clean label for it
       fileSystems."/" = {
         device = "/dev/disk/by-uuid/e1b6bd50-306d-429a-9f45-78f57bc597c3";
         fsType = "ext4";
       };
 
+      # This is the boot filesystem for systemd-boot
       fileSystems."/boot" = {
         device = "/dev/disk/by-uuid/D5CA-237A";
         fsType = "vfat";
       };
 
       # Theming
-      gui.enable = false;
-      theme = { colors = (import ../../colorscheme/gruvbox).dark; };
 
-      # Disable passwords, only use SSH key
+      # Server doesn't require GUI
-      publicKey =
+      gui.enable = false;
-        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIB+AbmjGEwITk5CK9y7+Rg27Fokgj9QEjgc9wST6MA3s";
+
+      # Still require colors for programs like Neovim, K9S
+      theme = { colors = (import ../../colorscheme/gruvbox).dark; };
 
       # Programs and services
       cloudflare.enable = true; # Proxy traffic with Cloudflare
       dotfiles.enable = true; # Clone dotfiles
       neovim.enable = true;
-
+      giteaRunner.enable = true;
       services.caddy.enable = true;
       services.grafana.enable = true;
       services.openssh.enable = true;
@@ -55,6 +62,7 @@ inputs.nixpkgs.lib.nixosSystem {
       services.vaultwarden.enable = true;
       services.minecraft-server.enable = true; # Setup Minecraft server
 
+      # Allows private remote access over the internet
       cloudflareTunnel = {
         enable = true;
         id = "bd250ee1-ed2e-42d2-b627-039f1eb5a4d2";
@@ -63,8 +71,6 @@ inputs.nixpkgs.lib.nixosSystem {
           "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBK/6oyVqjFGX3Uvrc3VS8J9sphxzAnRzKC85xgkHfYgR3TK6qBGXzHrknEj21xeZrr3G2y1UsGzphWJd9ZfIcdA= open-ssh-ca@cloudflareaccess.org";
       };
 
-      giteaRunner.enable = true;
-
       # Nextcloud backup config
       backup.s3 = {
         endpoint = "s3.us-west-002.backblazeb2.com";
@@ -72,8 +78,9 @@ inputs.nixpkgs.lib.nixosSystem {
         accessKeyId = "0026b0e73b2e2c80000000005";
       };
 
-      # # Grant access to Jellyfin directories from Nextcloud
+      # Disable passwords, only use SSH key
-      # users.users.nextcloud.extraGroups = [ "jellyfin" ];
+      publicKey =
+        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIB+AbmjGEwITk5CK9y7+Rg27Fokgj9QEjgc9wST6MA3s";
 
       # # Wireguard config for Transmission
       # wireguard.enable = true;
@@ -104,9 +111,6 @@ inputs.nixpkgs.lib.nixosSystem {
       # # VPN port forwarding
       # services.transmission.settings.peer-port = 57599;
 
-      # # Grant access to Transmission directories from Jellyfin
-      # users.users.jellyfin.extraGroups = [ "transmission" ];
-
     }
   ];
 }

hosts/hydra/default.nix

@@ -22,7 +22,7 @@ inputs.nixpkgs.lib.nixosSystem {
         colors = (import ../../colorscheme/gruvbox).dark;
         dark = true;
       };
-      passwordHash = inputs.nixpkgs.lib.fileContents ../../password.sha512;
+      passwordHash = inputs.nixpkgs.lib.fileContents ../../misc/password.sha512;
       wsl = {
         enable = true;
         wslConf.automount.root = "/mnt";

hosts/swan/default.nix

@@ -13,11 +13,14 @@ inputs.nixpkgs.lib.nixosSystem {
     ../../modules/common
     ../../modules/nixos
     {
+      nixpkgs.overlays = overlays;
+
       # Hardware
       server = true;
       physical = true;
       networking.hostName = "swan";
 
+      # Not sure what's necessary but too afraid to remove anything
       boot.initrd.availableKernelModules =
         [ "xhci_pci" "ahci" "nvme" "usb_storage" "sd_mod" ];
 
@@ -30,29 +33,43 @@ inputs.nixpkgs.lib.nixosSystem {
         "amdgpu.cik_support=1"
         "amdgpu.dc=1"
       ];
+
+      # Required binary blobs to boot on this machine
       hardware.enableRedistributableFirmware = true;
 
+      # Prioritize efficiency over performance
       powerManagement.cpuFreqGovernor = "powersave";
+
+      # Allow firmware updates
       hardware.cpu.intel.updateMicrocode = true;
 
       # ZFS
       zfs.enable = true;
       # Generated with: head -c 8 /etc/machine-id
       networking.hostId = "600279f4"; # Random ID required for ZFS
+
+      # Sets root ext4 filesystem instead of declaring it manually
       disko = {
         enableConfig = true;
         devices = (import ../../disks/root.nix { disk = "/dev/nvme0n1"; });
       };
+
+      # Automatically load the ZFS pool on boot
       boot.zfs.extraPools = [ "tank" ];
 
+      # Theming
+
+      # Server doesn't require GUI
       gui.enable = false;
+
+      # Still require colors for programs like Neovim, K9S
       theme = { colors = (import ../../colorscheme/gruvbox).dark; };
-      nixpkgs.overlays = overlays;
+
+      # Programs and services
       neovim.enable = true;
       cloudflare.enable = true;
       dotfiles.enable = true;
       arrs.enable = true;
-
       services.bind.enable = true;
       services.caddy.enable = true;
       services.jellyfin.enable = true;
@@ -63,6 +80,7 @@ inputs.nixpkgs.lib.nixosSystem {
       services.vmagent.enable = true;
       services.samba.enable = true;
 
+      # Allows private remote access over the internet
       cloudflareTunnel = {
         enable = true;
         id = "646754ac-2149-4a58-b51a-e1d0a1f3ade2";
@@ -71,6 +89,7 @@ inputs.nixpkgs.lib.nixosSystem {
           "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBCHF/UMtJqPFrf6f6GRY0ZFnkCW7b6sYgUTjTtNfRj1RdmNic1NoJZql7y6BrqQinZvy7nsr1UFDNWoHn6ah3tg= open-ssh-ca@cloudflareaccess.org";
       };
 
+      # Send regular backups and litestream for DBs to an S3-like bucket
       backup.s3 = {
         endpoint = "s3.us-west-002.backblazeb2.com";
         bucket = "noahmasur-backup";

hosts/tempest/default.nix

@@ -17,14 +17,25 @@ inputs.nixpkgs.lib.nixosSystem {
       physical = true;
       networking.hostName = "tempest";
 
+      # Not sure what's necessary but too afraid to remove anything
       boot.initrd.availableKernelModules =
         [ "nvme" "xhci_pci" "ahci" "usb_storage" "usbhid" "sd_mod" ];
+
+      # Graphics and VMs
       boot.initrd.kernelModules = [ "amdgpu" ];
       boot.kernelModules = [ "kvm-amd" ];
       services.xserver.videoDrivers = [ "amdgpu" ];
+
+      # Required binary blobs to boot on this machine
       hardware.enableRedistributableFirmware = true;
+
+      # Prioritize performance over efficiency
       powerManagement.cpuFreqGovernor = "performance";
+
+      # Allow firmware updates
       hardware.cpu.amd.updateMicrocode = true;
+
+      # Helps reduce GPU fan noise under idle loads
       hardware.fancontrol.enable = true;
       hardware.fancontrol.config = ''
         # Configuration file generated by pwmconfig, changes will be lost
@@ -41,22 +52,31 @@ inputs.nixpkgs.lib.nixosSystem {
         MAXPWM=hwmon0/pwm1=240
       '';
 
+      # File systems must be declared in order to boot
+
+      # This is the root filesystem containing NixOS
       fileSystems."/" = {
         device = "/dev/disk/by-label/nixos";
         fsType = "ext4";
       };
 
+      # This is the boot filesystem for Grub
       fileSystems."/boot" = {
         device = "/dev/disk/by-label/boot";
         fsType = "vfat";
       };
 
-      # Must be prepared ahead
+      # Secrets must be prepared ahead before deploying
+      # The SSH key will need to be added manually with: nix run .#loadkey
       identityFile = "/home/${globals.user}/.ssh/id_ed25519";
-      passwordHash = inputs.nixpkgs.lib.fileContents ../../password.sha512;
+      passwordHash = inputs.nixpkgs.lib.fileContents ../../misc/password.sha512;
 
       # Theming
+
+      # Turn on all features related to desktop and graphical applications
       gui.enable = true;
+
+      # Set the system-wide theme, also used for non-graphical programs
       theme = {
         colors = (import ../../colorscheme/gruvbox-dark).dark;
         dark = true;
@@ -91,9 +111,12 @@ inputs.nixpkgs.lib.nixosSystem {
         leagueoflegends.enable = true;
         ryujinx.enable = true;
       };
-      services.vmagent.enable = true;
 
+      # Services will require the identityFile to work
+      services.vmagent.enable = true; # Enables Prometheus metrics
       services.openssh.enable = true; # Required for Cloudflare tunnel
+
+      # Allows private remote access over the internet
       cloudflareTunnel = {
         enable = true;
         id = "ac133a82-31fb-480c-942a-cdbcd4c58173";
@@ -103,6 +126,8 @@ inputs.nixpkgs.lib.nixosSystem {
       };
 
       # Allows requests to force machine to wake up
+      # This network interface might change, needs to be set specifically for each machine.
+      # Or set usePredictableInterfaceNames = false
       networking.interfaces.enp5s0.wakeOnLan.enable = true;
 
     }

misc/libratbag-profile

@@ -0,0 +1,23 @@
+Profile 1: (active)
+Name: n/a
+Report Rate: 1000Hz
+Resolutions:
+  0: 400dpi (active) (default)
+  1: 800dpi
+  2: 1600dpi
+  3: 2400dpi
+  4: 0dpi
+Button: 0 is mapped to 'button 1'
+Button: 1 is mapped to 'button 2'
+Button: 2 is mapped to 'button 3'
+Button: 3 is mapped to 'button 4'
+Button: 4 is mapped to 'button 5'
+Button: 5 is mapped to macro '↕F11'
+Button: 6 is mapped to macro '↕VOLUMEDOWN'
+Button: 7 is mapped to macro '↕VOLUMEUP'
+Button: 8 is mapped to 'unknown'
+Button: 9 is mapped to 'wheel-right'
+Button: 10 is mapped to 'wheel-left'
+LED: 0, depth: monochrome, mode: on, color: 000000
+LED: 1, depth: monochrome, mode: on, color: 000000
+LED: 2, depth: monochrome, mode: on, color: 000000