Fresh start to clean history after subtree experiments

nixos/homeserver/configuration.nix

@@ -0,0 +1,258 @@
+{
+  inputs,
+  lib,
+  config,
+  pkgs,
+  unstablePkgs,
+  ...
+}: {
+  imports = [
+    # Include the results of the hardware scan.
+    ./hardware-configuration.nix
+    ./filesystems.nix
+    ./firewall.nix
+  ];
+
+  # Allow unfree packages
+  nixpkgs.config.allowUnfree = true;
+
+  # Bootloader.
+  boot.loader.systemd-boot.enable = true;
+
+  networking.hostName = "homeserver"; # Define your hostname.
+
+  # Enable networking
+  networking.networkmanager.enable = true;
+
+  # Set your time zone.
+  time.timeZone = "Europe/Dublin";
+
+  # Select internationalisation properties.
+  i18n.defaultLocale = "en_IE.UTF-8";
+
+  i18n.extraLocaleSettings = {
+    LC_ADDRESS = "en_IE.UTF-8";
+    LC_IDENTIFICATION = "en_IE.UTF-8";
+    LC_MEASUREMENT = "en_IE.UTF-8";
+    LC_MONETARY = "en_IE.UTF-8";
+    LC_NAME = "en_IE.UTF-8";
+    LC_NUMERIC = "en_IE.UTF-8";
+    LC_PAPER = "en_IE.UTF-8";
+    LC_TELEPHONE = "en_IE.UTF-8";
+    LC_TIME = "en_IE.UTF-8";
+  };
+
+  nix = {
+    registry = (lib.mapAttrs (_: flake: {inherit flake;})) ((lib.filterAttrs (_: lib.isType "flake")) inputs);
+    nixPath = ["nixpkgs=${inputs.nixpkgs}"];
+    settings = {
+      experimental-features = "nix-command flakes";
+      auto-optimise-store = true;
+    };
+    extraOptions = ''
+      trusted-users = root cianh
+    '';
+  };
+
+  environment.etc =
+    lib.mapAttrs'
+    (name: value: {
+      name = "nix/path/${name}";
+      value.source = value.flake;
+    })
+    config.nix.registry
+    // {
+      "justfile" = {
+        text = ''
+          default:
+              @just -g --list
+
+          update-root:
+              if `/usr/bin/env grep -Rq "nixos" /etc/*-release`; then \
+                  nixos-rebuild switch --flake /home/cianh/.config/nix/#$HOSTNAME; \
+              fi
+        '';
+        mode = "0644";
+      };
+      "root_gitconfig" = {
+        text = ''
+          [safe]
+              directory = /home/cianh/.config/nix
+        '';
+      };
+    };
+
+  system.activationScripts.linkRootJustfile = {
+    text = ''
+      ln -sf /etc/justfile /root/.justfile
+      mkdir -p /root/.config/git
+      ln -sf /etc/root_gitconfig /root/.config/git/config
+    '';
+    deps = [];
+  };
+
+  # Configure console keymap
+  console.keyMap = "uk";
+
+  users.users = {
+    cianh = {
+      isNormalUser = true;
+      hashedPasswordFile = "/etc/hashedPasswordFile";
+      description = "Cian Hughes";
+      extraGroups = ["networkmanager" "wheel" "docker" "podman" "nixcfg"];
+      shell = unstablePkgs.nushell;
+      openssh.authorizedKeys.keyFiles = [
+        ./ssh/authorized_keys
+      ];
+    };
+
+    root = {
+      shell = pkgs.bashInteractive;
+      openssh.authorizedKeys.keyFiles = [
+        ./ssh/authorized_keys
+      ];
+      extraGroups = ["docker" "podman" "nixcfg"];
+    };
+  };
+
+  # $ nix search wget
+  environment.systemPackages =
+    (with pkgs; [
+      atuin
+      bat
+      bitwarden-cli
+      bottom
+      delta
+      du-dust
+      duf
+      fastfetch
+      fd
+      fzf
+      gh
+      git
+      git-extras
+      glab
+      glow
+      gnupg
+      hexyl
+      killall
+      less
+      libsecret
+      netcat-gnu
+      nix-index
+      openssl
+      ouch
+      pass
+      passh
+      pinentry-tty
+      pkg-config
+      podman-compose
+      powertop
+      pueue
+      ripgrep
+      rm-improved
+      starship
+      tealdeer
+      wget
+      wl-clipboard
+      xclip
+      xcp
+      zellij
+      zoxide
+      monaspace
+      nerdfonts
+      brotli
+      gcc
+      gnumake
+      micro
+    ])
+    ++ (with unstablePkgs; [
+      just
+      neovim
+      nushell
+      onefetch
+      serie
+      yazi
+    ]);
+
+  programs.neovim = {
+    enable = true;
+    defaultEditor = true;
+    viAlias = true;
+    vimAlias = true;
+    withPython3 = true;
+    withNodeJs = true;
+    withRuby = true;
+  };
+
+  # Enable the OpenSSH daemon and other remote tools.
+  services.openssh = {
+    enable = true;
+    settings = {
+      PasswordAuthentication = false;
+      KbdInteractiveAuthentication = false;
+    };
+    extraConfig = "UsePAM yes";
+  };
+  # Modify the SSH service to prioritise because server is headless
+  systemd.services.sshd = {
+    requires = []; # Remove any non-essential dependencies
+    after = ["network.target"]; # Only need to wait for networking (obviously)
+    serviceConfig = {
+      # If SSH dies, we want to restart it asap
+      Restart = "always";
+      RestartSec = "3";
+      StartLimitIntervalSec = "0";
+      # The CPU should never be too busy to respond to SSH
+      CPUSchedulingPolicy = "rr";
+      CPUSchedulingPriority = "99";
+      IOSchedulingClass = "realtime";
+      IOSchedulingPriority = "0";
+      # Finally, if the system hits an OOM, for the love of god dont kill SSH until last
+      OOMScoreAdjust = "-1000";
+    };
+  };
+
+  # Add custom services
+  systemd.services.pueued = {
+    enable = true;
+    description = "Pueue Daemon - CLI process scheduler and manager";
+    wantedBy = ["default.target"];
+    serviceConfig = {
+      Restart = "no";
+      ExecStart = "${pkgs.pueue.outPath}/bin/pueued -vv";
+    };
+  };
+
+  # Enable GPG signing
+  services.pcscd.enable = true;
+  programs.gnupg.agent = {
+    enable = true;
+    pinentryPackage = pkgs.pinentry-tty;
+    enableSSHSupport = true;
+  };
+
+  virtualisation = {
+    containers.enable = true;
+
+    podman = {
+      enable = true;
+      # Create a `docker` alias for podman, to use it as a drop-in replacement
+      dockerCompat = true;
+      dockerSocket.enable = true;
+      # Required for containers under podman-compose to be able to talk to each other.
+      defaultNetwork.settings.dns_enabled = true;
+    };
+  };
+
+  system.stateVersion = "24.11"; # Did you read the comment?
+  system.autoUpgrade.enable = true;
+
+  # Set user config settings
+  users.defaultUserShell = pkgs.nushell;
+  fonts = {
+    enableDefaultPackages = true;
+    fontDir.enable = true;
+    fontconfig.defaultFonts.monospace = ["MonaspiceArNerdFontMono"];
+  };
+}

nixos/homeserver/filesystems.nix

@@ -0,0 +1,21 @@
+{
+  inputs,
+  lib,
+  config,
+  pkgs,
+  unstablePkgs,
+  ...
+}: {
+  fileSystems = {
+    "/home/cianh/TV_Archive" = {
+      device = "/dev/disk/by-uuid/2ac3aa3e-91bf-4a98-9fb6-3c0235545be9";
+      fsType = "ext4";
+      options = ["nofail" "x-systemd.automount"];
+    };
+    "/home/cianh/Nextcloud" = {
+      device = "/dev/disk/by-uuid/10ebaf9a-f519-4990-b814-9d6825ad692f";
+      fsType = "ext4";
+      options = ["nofail" "x-systemd.automount"];
+    };
+  };
+}

nixos/homeserver/firewall.nix

@@ -0,0 +1,29 @@
+{
+  inputs,
+  lib,
+  config,
+  pkgs,
+  unstablePkgs,
+  ...
+}: {
+  networking.firewall = {
+    enable = true;
+    allowedTCPPorts = [
+      22 # SSH
+      80 # Webpage
+      3000 # Grafana
+      3005 # Plex
+      8096 # Jellyfin
+      8324 # Plex
+      32400 # Plex
+      32469 # Plex
+    ];
+    allowedUDPPorts = [
+      1900 # Plex
+      32410 # Plex
+      32412 # Plex
+      32413 # Plex
+      32414 # Plex
+    ];
+  };
+}

nixos/homeserver/hardware-configuration.nix

@@ -0,0 +1,42 @@
+# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations.  Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+  imports =
+    [ (modulesPath + "/installer/scan/not-detected.nix")
+    ];
+
+  boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "usbhid" "usb_storage" "sd_mod" "sdhci_pci" ];
+  boot.initrd.kernelModules = [ ];
+  boot.kernelModules = [ "kvm-intel" ];
+  boot.extraModulePackages = [ ];
+
+  fileSystems."/" =
+    { device = "/dev/disk/by-uuid/b6757b17-330d-4820-a45f-bad5e7f06516";
+      fsType = "ext4";
+    };
+
+  fileSystems."/boot" =
+    { device = "/dev/disk/by-uuid/AAE3-7115";
+      fsType = "vfat";
+      options = [ "fmask=0077" "dmask=0077" ];
+    };
+
+  swapDevices =
+    [ { device = "/dev/disk/by-uuid/173de2f3-09e8-4175-9f52-c8b6ea970ad5"; }
+    ];
+
+  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+  # (the default) this is the recommended approach. When using systemd-networkd it's
+  # still possible to use this option, but it's recommended to use it in conjunction
+  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
+  networking.useDHCP = lib.mkDefault true;
+  # networking.interfaces.enp1s0.useDHCP = lib.mkDefault true;
+  # networking.interfaces.enp3s0.useDHCP = lib.mkDefault true;
+  # networking.interfaces.wlp2s0.useDHCP = lib.mkDefault true;
+
+  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+  hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+}

nixos/homeserver/ssh/authorized_keys

@@ -0,0 +1,4 @@
+ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDasyiBOJEJvM0OsRJVqTdNzbVnv7sf8yFz8DGmb3Jl1YdCdDnH7GI6VA0Z0WyMsaKy0xSC0JDkjEoWWr2aLCRoYb49x/WDCVPM6Kj2C9c29YUDvA2binE6PTFQyXNJ/p/uAov9QSTGaVUH4eG91S/4LILXwlgUR6tMrhbit+UlAWAPRUa8H/dwWBxXKjCpolIiFpDE7nRqpG85js3zlde5BBH/xso5koeNaS7hpkzbuhpF+9WyscWKWqJzUhYWSdb1VsXM6lrRRgBdPwnwPc5rV0h3xQw3XxBuYAAxEAd4RygCNO1WO2Z6P2b7g/tJfdSqSOeVVFgMUYB0f/OT2X3uP4nm/sR9KQ3w8J9N7Kz7Ql6a/ZAyBLAaRRSfIbiXfYL2J3CT9/mQnlWFOlE2t09pMF0GeoxBKGDwZRKeMyZOSvjkHXqKXTWg7VUJs36ixl4G1liqKsVpLBPfh5vw1RCqi9ZnuTru8HOmJE39vEu2NrSrmsfq5l/WzBd59Ns3Mu0bEfuLj2JEsxa8Xg/fMERGXukaLLZcNuxLQsVgQtIBC6VH2MUpEXEUNHXcrDh4Nj6lTGqHxQxQToa9fEsUozVSSRIhLMk35NdlSbAX5YWG5lisf9A/hzxPzLrQ+9K6gaqrTdeS1DBdl6pz1a9lUv1tAsLvtqhnAJ1zc0XHRiDksw==
+ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQContOwJDn+AlqueILooXw3nyPG/J/gEHMXWYiZKHpXxupzWCXEMFUa/Mkg5HKIlPZ06SrNGL+IpnLesEX+5tMCv2B5oFXz/nr1GzxlZwPOO3l61uttKAL/4KJW27Pgha5c8Z6TJctYWCPWzHj6YYb8ni3SEr1chjJ5bHNihScN/whFSdZMADws92Z86h5Z7onWbTlSaHZVy2yZZX/bCLcr4fTp1hMcQozv0Rt0NWD7bOtX7ghKgwfN+p3Nt7xbRWyyRvhXotiD7YMcaZAwT4+i+9g4nvpFd4zw4KvxXg7wCId2nKaY6P75jvfADzXNZhEJWKXjtDYrCiPBd2kEgDgyRsPypEwZvmKyL+SNYTjv1j4AlFJMS4/EWziq3CA+0qeY9osSQCpCzUSZlhNtQafugR7xYdMx5wUeWc/g9qNGmUlLkSib3gBU/mCVgHYPjuTMby25zDpBMmlrXxRbA185y4hLuj1F/8YhNzj0fAzKeSJpsbivl/FTso/hGCNOntCts1nikbVldSftWVxx7Dz2o0YhVWPyoCUeVLc1DInyhxrv+uMJbn8nuC1u003fZPlm0HpvR+ZVLP1ZiWM33pShEbX7XsKkmlFtw73dGkROlbenMl+ulA+ERNkoWD7g0ZKhUN+TNU7VmmzlXUpuimZjpiE68bGY6MZHrLBX6gTE3w== homeserver|chughes000@gmail.com
+ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDle7kPrzRNiwiO4JOgzBFxLOil0k+qeQttv+2ofvkGLBCOS5N06E3/bx1ZJ1kuDPZvWZgEQ8SUycgQXk7h1jiHMzMl/TMHm2p2+mu4z59eTPe+XtQaZFbx+ChCUeBTgBoyf/kyUfyqLY9ml4UTSLjBH5RqoBcxS3EDIuKH4ePDVBfHUO2Q+MAtr28cu4niqrVf2A+h0Co5OQp0TP++1cHfaRJbOdNJmX8xKIIeVbeAZyNMfsx5yDITkYv2VnMCIupiXhopu83IgY7UPRxGU31FFYKx7gtWo+gj/lGwddxwi77vOg9M7ygNXs28zMoHpULkiRs6m8TNI4zD8lKr3vHFWbflPjjjVPH9GphHxHvQJI4Crca0+ayoJzNPuWeAEK0DykzHRzM5HvM8x3jQGZbwz6lTj+6VSdlOI1mKsKP9d4NiM6PQ6xLt2kktIIwDbvtPHwMhVwbh8QrKiH7/lXoBmUe/hCxVEsL78aatrpj/T4P1+28gVzKoSPeL6+kL0/j/5OU0l3Z3Pu9jVG9GyVV3a5hP4jQfJy0FsCQejHinsltpWraKM1d1At/Wb9KJcG47xw8MDaj/OQXduzcBPpfsbwosn5mLiDMfF6taRwxVqLjPksx81dQ7siXFOuulNJpEZ3S4evSkffpU7j2484uGbrqFeX2vFm1qiZC5/59z/w== cianh@Rainbow-Laptop
+ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDCEbctM0NQsW+69JPrTm4LhaA7r1S+cnXaTKyKdJF1giKMPW3IxK/w/A6jQwKphdQRMyXuwqdF9OWfZJ5zYVUJJj8ktHYdi4NttGbgLJw5UqFP5o1/oLi06LvENZglpice6OccOo0gKT2y3uBZ91Ifzb6yGhEdZL4fORS4SsUpPeb5W8TJi6FHHcPRuSggscZfRCLp08iiXSVM46o8fmQBuO9XZsu9KSoKgSE2oqgIPa4upOYiFhD8b4e4nUpDGCFTkRc8nFcCPQVnN1z4+13iRAg/gTKuertqeGaD7wqGZfSJpgp9BjyL4QLdgUP+EUXREJeVHGw5EYMRE8gjg5NAzXXn+DIGULjhUDJ5SneZ8jbZJXkMThFMHdK/iUJ5XZOJFJxDMtClGMZ1e25N+HZbrtCokDFHD6BcH5tf2CJusYgvmY3dUTl1iOxkF4mFyjY9OqO6BwgWjRKTAWzQsUrzE1/Q4zeWqaxb4+GkbgniHu6gkjHlBm058DKJ1zM2GzwDlBcFyvtTg2e9bD84o6VQamhuexkG2YGR/RhCLQykmDT4WLUywukaBblbonJemk82RgVHKx2434osXKh7zplQIlyN63UUtn9JLgiaRklKNTL4wVbe+qBWn+od97EFRQAd5oQlUFDz7H5wt1cx0YeoADHwB/omMSQq+PSnxS8S3Q== cianh@raspberrypi