apps/encrypt-secret.nix

@@ -11,7 +11,7 @@
     tmpfile=$(mktemp)
     echo "''${secret}" > ''${tmpfile}
     ${pkgs.age}/bin/age --encrypt --armor --recipients-file ${
-      builtins.toString ../misc/public-keys
+      builtins.toString ../public-keys
     } $tmpfile
     rm $tmpfile
   '');

apps/reencrypt-secrets.nix

@@ -17,7 +17,7 @@
         --identity ~/.ssh/id_ed25519 $encryptedfile > $tmpfile
       echo "Encrypting ''${encryptedfile}..."
       ${pkgs.age}/bin/age --encrypt --armor --recipients-file ${
-        builtins.toString ../misc/public-keys
+        builtins.toString ../public-keys
       } $tmpfile > $encryptedfile
       rm $tmpfile
     done

hosts/flame/default.nix

@@ -3,7 +3,6 @@
 
 # How to install:
 # https://blog.korfuri.fr/posts/2022/08/nixos-on-an-oracle-free-tier-ampere-machine/
-# These days, probably use nixos-anywhere instead.
 
 { inputs, globals, overlays, ... }:
 
@@ -22,38 +21,32 @@ inputs.nixpkgs.lib.nixosSystem {
       server = true;
       networking.hostName = "flame";
 
-      # Not sure what's necessary but too afraid to remove anything
       imports = [ (inputs.nixpkgs + "/nixos/modules/profiles/qemu-guest.nix") ];
       boot.initrd.availableKernelModules = [ "xhci_pci" "virtio_pci" "usbhid" ];
 
-      # File systems must be declared in order to boot
-
-      # This is the root filesystem containing NixOS
-      # I forgot to set a clean label for it
       fileSystems."/" = {
         device = "/dev/disk/by-uuid/e1b6bd50-306d-429a-9f45-78f57bc597c3";
         fsType = "ext4";
       };
 
-      # This is the boot filesystem for systemd-boot
       fileSystems."/boot" = {
         device = "/dev/disk/by-uuid/D5CA-237A";
         fsType = "vfat";
       };
 
       # Theming
-
-      # Server doesn't require GUI
       gui.enable = false;
-
-      # Still require colors for programs like Neovim, K9S
       theme = { colors = (import ../../colorscheme/gruvbox).dark; };
 
+      # Disable passwords, only use SSH key
+      publicKey =
+        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIB+AbmjGEwITk5CK9y7+Rg27Fokgj9QEjgc9wST6MA3s";
+
       # Programs and services
       cloudflare.enable = true; # Proxy traffic with Cloudflare
       dotfiles.enable = true; # Clone dotfiles
       neovim.enable = true;
-      giteaRunner.enable = true;
+
       services.caddy.enable = true;
       services.grafana.enable = true;
       services.openssh.enable = true;
@@ -62,7 +55,6 @@ inputs.nixpkgs.lib.nixosSystem {
       services.vaultwarden.enable = true;
       services.minecraft-server.enable = true; # Setup Minecraft server
 
-      # Allows private remote access over the internet
       cloudflareTunnel = {
         enable = true;
         id = "bd250ee1-ed2e-42d2-b627-039f1eb5a4d2";
@@ -71,6 +63,8 @@ inputs.nixpkgs.lib.nixosSystem {
           "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBK/6oyVqjFGX3Uvrc3VS8J9sphxzAnRzKC85xgkHfYgR3TK6qBGXzHrknEj21xeZrr3G2y1UsGzphWJd9ZfIcdA= open-ssh-ca@cloudflareaccess.org";
       };
 
+      giteaRunner.enable = true;
+
       # Nextcloud backup config
       backup.s3 = {
         endpoint = "s3.us-west-002.backblazeb2.com";
@@ -78,9 +72,8 @@ inputs.nixpkgs.lib.nixosSystem {
         accessKeyId = "0026b0e73b2e2c80000000005";
       };
 
-      # Disable passwords, only use SSH key
+      # # Grant access to Jellyfin directories from Nextcloud
-      publicKey =
+      # users.users.nextcloud.extraGroups = [ "jellyfin" ];
-        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIB+AbmjGEwITk5CK9y7+Rg27Fokgj9QEjgc9wST6MA3s";
 
       # # Wireguard config for Transmission
       # wireguard.enable = true;
@@ -111,6 +104,9 @@ inputs.nixpkgs.lib.nixosSystem {
       # # VPN port forwarding
       # services.transmission.settings.peer-port = 57599;
 
+      # # Grant access to Transmission directories from Jellyfin
+      # users.users.jellyfin.extraGroups = [ "transmission" ];
+
     }
   ];
 }

hosts/hydra/default.nix

@@ -22,7 +22,7 @@ inputs.nixpkgs.lib.nixosSystem {
         colors = (import ../../colorscheme/gruvbox).dark;
         dark = true;
       };
-      passwordHash = inputs.nixpkgs.lib.fileContents ../../misc/password.sha512;
+      passwordHash = inputs.nixpkgs.lib.fileContents ../../password.sha512;
       wsl = {
         enable = true;
         wslConf.automount.root = "/mnt";

hosts/swan/default.nix

@@ -13,14 +13,11 @@ inputs.nixpkgs.lib.nixosSystem {
     ../../modules/common
     ../../modules/nixos
     {
-      nixpkgs.overlays = overlays;
-
       # Hardware
       server = true;
       physical = true;
       networking.hostName = "swan";
 
-      # Not sure what's necessary but too afraid to remove anything
       boot.initrd.availableKernelModules =
         [ "xhci_pci" "ahci" "nvme" "usb_storage" "sd_mod" ];
 
@@ -33,43 +30,29 @@ inputs.nixpkgs.lib.nixosSystem {
         "amdgpu.cik_support=1"
         "amdgpu.dc=1"
       ];
-
-      # Required binary blobs to boot on this machine
       hardware.enableRedistributableFirmware = true;
 
-      # Prioritize efficiency over performance
       powerManagement.cpuFreqGovernor = "powersave";
-
-      # Allow firmware updates
       hardware.cpu.intel.updateMicrocode = true;
 
       # ZFS
       zfs.enable = true;
       # Generated with: head -c 8 /etc/machine-id
       networking.hostId = "600279f4"; # Random ID required for ZFS
-
-      # Sets root ext4 filesystem instead of declaring it manually
       disko = {
         enableConfig = true;
         devices = (import ../../disks/root.nix { disk = "/dev/nvme0n1"; });
       };
-
-      # Automatically load the ZFS pool on boot
       boot.zfs.extraPools = [ "tank" ];
 
-      # Theming
-
-      # Server doesn't require GUI
       gui.enable = false;
-
-      # Still require colors for programs like Neovim, K9S
       theme = { colors = (import ../../colorscheme/gruvbox).dark; };
-
+      nixpkgs.overlays = overlays;
-      # Programs and services
       neovim.enable = true;
       cloudflare.enable = true;
       dotfiles.enable = true;
       arrs.enable = true;
+
       services.bind.enable = true;
       services.caddy.enable = true;
       services.jellyfin.enable = true;
@@ -80,7 +63,6 @@ inputs.nixpkgs.lib.nixosSystem {
       services.vmagent.enable = true;
       services.samba.enable = true;
 
-      # Allows private remote access over the internet
       cloudflareTunnel = {
         enable = true;
         id = "646754ac-2149-4a58-b51a-e1d0a1f3ade2";
@@ -89,7 +71,6 @@ inputs.nixpkgs.lib.nixosSystem {
           "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBCHF/UMtJqPFrf6f6GRY0ZFnkCW7b6sYgUTjTtNfRj1RdmNic1NoJZql7y6BrqQinZvy7nsr1UFDNWoHn6ah3tg= open-ssh-ca@cloudflareaccess.org";
       };
 
-      # Send regular backups and litestream for DBs to an S3-like bucket
       backup.s3 = {
         endpoint = "s3.us-west-002.backblazeb2.com";
         bucket = "noahmasur-backup";

hosts/tempest/default.nix

@@ -17,25 +17,14 @@ inputs.nixpkgs.lib.nixosSystem {
       physical = true;
       networking.hostName = "tempest";
 
-      # Not sure what's necessary but too afraid to remove anything
       boot.initrd.availableKernelModules =
         [ "nvme" "xhci_pci" "ahci" "usb_storage" "usbhid" "sd_mod" ];
-
-      # Graphics and VMs
       boot.initrd.kernelModules = [ "amdgpu" ];
       boot.kernelModules = [ "kvm-amd" ];
       services.xserver.videoDrivers = [ "amdgpu" ];
-
-      # Required binary blobs to boot on this machine
       hardware.enableRedistributableFirmware = true;
-
-      # Prioritize performance over efficiency
       powerManagement.cpuFreqGovernor = "performance";
-
-      # Allow firmware updates
       hardware.cpu.amd.updateMicrocode = true;
-
-      # Helps reduce GPU fan noise under idle loads
       hardware.fancontrol.enable = true;
       hardware.fancontrol.config = ''
         # Configuration file generated by pwmconfig, changes will be lost
@@ -52,31 +41,22 @@ inputs.nixpkgs.lib.nixosSystem {
         MAXPWM=hwmon0/pwm1=240
       '';
 
-      # File systems must be declared in order to boot
-
-      # This is the root filesystem containing NixOS
       fileSystems."/" = {
         device = "/dev/disk/by-label/nixos";
         fsType = "ext4";
       };
 
-      # This is the boot filesystem for Grub
       fileSystems."/boot" = {
         device = "/dev/disk/by-label/boot";
         fsType = "vfat";
       };
 
-      # Secrets must be prepared ahead before deploying
+      # Must be prepared ahead
-      # The SSH key will need to be added manually with: nix run .#loadkey
       identityFile = "/home/${globals.user}/.ssh/id_ed25519";
-      passwordHash = inputs.nixpkgs.lib.fileContents ../../misc/password.sha512;
+      passwordHash = inputs.nixpkgs.lib.fileContents ../../password.sha512;
 
       # Theming
-
-      # Turn on all features related to desktop and graphical applications
       gui.enable = true;
-
-      # Set the system-wide theme, also used for non-graphical programs
       theme = {
         colors = (import ../../colorscheme/gruvbox-dark).dark;
         dark = true;
@@ -111,12 +91,9 @@ inputs.nixpkgs.lib.nixosSystem {
         leagueoflegends.enable = true;
         ryujinx.enable = true;
       };
+      services.vmagent.enable = true;
 
-      # Services will require the identityFile to work
-      services.vmagent.enable = true; # Enables Prometheus metrics
       services.openssh.enable = true; # Required for Cloudflare tunnel
-
-      # Allows private remote access over the internet
       cloudflareTunnel = {
         enable = true;
         id = "ac133a82-31fb-480c-942a-cdbcd4c58173";
@@ -126,8 +103,6 @@ inputs.nixpkgs.lib.nixosSystem {
       };
 
       # Allows requests to force machine to wake up
-      # This network interface might change, needs to be set specifically for each machine.
-      # Or set usePredictableInterfaceNames = false
       networking.interfaces.enp5s0.wakeOnLan.enable = true;
 
     }

misc/libratbag-profile

@@ -1,23 +0,0 @@
-Profile 1: (active)
-Name: n/a
-Report Rate: 1000Hz
-Resolutions:
-  0: 400dpi (active) (default)
-  1: 800dpi
-  2: 1600dpi
-  3: 2400dpi
-  4: 0dpi
-Button: 0 is mapped to 'button 1'
-Button: 1 is mapped to 'button 2'
-Button: 2 is mapped to 'button 3'
-Button: 3 is mapped to 'button 4'
-Button: 4 is mapped to 'button 5'
-Button: 5 is mapped to macro '↕F11'
-Button: 6 is mapped to macro '↕VOLUMEDOWN'
-Button: 7 is mapped to macro '↕VOLUMEUP'
-Button: 8 is mapped to 'unknown'
-Button: 9 is mapped to 'wheel-right'
-Button: 10 is mapped to 'wheel-left'
-LED: 0, depth: monochrome, mode: on, color: 000000
-LED: 1, depth: monochrome, mode: on, color: 000000
-LED: 2, depth: monochrome, mode: on, color: 000000