feat(elcafe): add new server configuration

2026-02-08 00:20:44 +01:00
parent e90fb1fa0d
commit 35541ea5ae
41 changed files with 366 additions and 172 deletions
--- a/hosts/alys/configuration.nix
+++ b/hosts/alys/configuration.nix
@@ -20,10 +20,7 @@
      domain = "phundrak.com";
      id = "41157110";
    };
-    packages.nix = {
-      gc.automatic = true;
-      trusted-users = ["root" "phundrak"];
-    };
+    packages.nix.gc.automatic = true;
    services = {
      endlessh.enable = true;
      ssh = {
@@ -34,7 +31,10 @@
    };
    users = {
      root.disablePassword = true;
-      phundrak.enable = true;
+      phundrak = {
+        enable = true;
+        trusted = true;
+      };
    };
  };
  system.stateVersion = "23.11";
--- a/hosts/elcafe/configuration.nix
+++ b/hosts/elcafe/configuration.nix
@@ -0,0 +1,71 @@
+{
+  inputs,
+  config,
+  ...
+}: {
+  imports = [
+    ./hardware-configuration.nix
+    inputs.home-manager.nixosModules.default
+    ../../system
+  ];
+
+  sops.secrets = {
+    "elcafe/traefik/env".restartUnits = ["traefik.service"];
+    "elcafe/traefik/dynamic".restartUnits = ["traefik.service"];
+  };
+
+  mySystem = {
+    boot = {
+      kernel = {
+        hardened = true;
+        cpuVendor = "intel";
+      };
+      grub = {
+        enable = true;
+        device = "/dev/sdh";
+      };
+      zfs = {
+        enable = true;
+        pools = ["tank"];
+      };
+    };
+    dev.docker = {
+      enable = true;
+      storage = "/tank/docker/";
+    };
+    misc.keymap = "fr";
+    networking = {
+      hostname = "elcafe";
+      id = "501c7fb9";
+    };
+    packages.nix.gc.automatic = true;
+    services = {
+      endlessh.enable = true;
+      ssh = {
+        enable = true;
+        allowedUsers = ["phundrak"];
+        passwordAuthentication = true;
+      };
+      traefik = {
+        enable = false;
+        environmentFiles = [config.sops.secrets."elcafe/traefik/env".path];
+        dynamicConfigFile = config.sops.secrets."elcafe/traefik/dynamic".path;
+      };
+    };
+    users = {
+      root.disablePassword = true;
+      phundrak = {
+        enable = true;
+        trusted = true;
+      };
+    };
+  };
+
+  # This value determines the NixOS release from which the default
+  # settings for stateful data, like file locations and database versions
+  # on your system were taken. It's perfectly fine and recommended to leave
+  # this value at the release version of the first install of this system.
+  # Before changing this value read the documentation for this option
+  # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
+  system.stateVersion = "23.11"; # Did you read the comment?
+}
--- a/hosts/elcafe/hardware-configuration.nix
+++ b/hosts/elcafe/hardware-configuration.nix
@@ -0,0 +1,42 @@
+# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations.  Please make changes
+# to /etc/nixos/configuration.nix instead.
+{
+  config,
+  lib,
+  modulesPath,
+  ...
+}: {
+  imports = [
+    (modulesPath + "/installer/scan/not-detected.nix")
+  ];
+
+  boot = {
+    initrd = {
+      availableKernelModules = ["ahci" "xhci_pci" "ehci_pci" "megaraid_sas" "usbhid" "usb_storage" "sd_mod" "sr_mod"];
+      kernelModules = [];
+    };
+    kernelModules = ["kvm-intel"];
+    extraModulePackages = [];
+  };
+
+  fileSystems."/" = {
+    device = "/dev/disk/by-uuid/d2e703f7-90e0-43e7-9872-ce036f201c4b";
+    fsType = "ext4";
+  };
+
+  swapDevices = [];
+
+  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+  # (the default) this is the recommended approach. When using systemd-networkd it's
+  # still possible to use this option, but it's recommended to use it in conjunction
+  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
+  networking.useDHCP = lib.mkDefault true;
+  # networking.interfaces.eno1.useDHCP = lib.mkDefault true;
+  # networking.interfaces.eno2.useDHCP = lib.mkDefault true;
+  # networking.interfaces.eno3.useDHCP = lib.mkDefault true;
+  # networking.interfaces.eno4.useDHCP = lib.mkDefault true;
+
+  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+  hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+}
--- a/hosts/gampo/configuration.nix
+++ b/hosts/gampo/configuration.nix
@@ -49,8 +49,8 @@
      appimage.enable = true;
      flatpak.enable = true;
      nix = {
+        gc.automatic = true;
        nix-ld.enable = true;
-        trusted-users = ["root" "phundrak"];
      };
    };
    programs.steam.enable = true;
@@ -60,7 +60,10 @@
    };
    users = {
      root.disablePassword = true;
-      phundrak.enable = true;
+      phundrak = {
+        enable = true;
+        trusted = true;
+      };
    };
  };

--- a/hosts/marpa/configuration.nix
+++ b/hosts/marpa/configuration.nix
@@ -98,10 +98,7 @@
    packages = {
      appimage.enable = true;
      flatpak.enable = true;
-      nix = {
-        nix-ld.enable = true;
-        trusted-users = ["root" "phundrak"];
-      };
+      nix.nix-ld.enable = true;
    };
    programs.steam.enable = true;
    services = {
@@ -116,7 +113,10 @@
    };
    users = {
      root.disablePassword = true;
-      phundrak.enable = true;
+      phundrak = {
+        enable = true;
+        trusted = true;
+      };
    };
  };

--- a/hosts/naromk3/configuration.nix
+++ b/hosts/naromk3/configuration.nix
@@ -29,10 +29,7 @@
        ];
      };
    };
-    packages.nix = {
-      gc.automatic = true;
-      trusted-users = ["phundrak"];
-    };
+    packages.nix.gc.automatic = true;
    services = {
      endlessh.enable = false;
      ssh = {
@@ -44,7 +41,10 @@
    };
    users = {
      root.disablePassword = true;
-      phundrak.enable = true;
+      phundrak = {
+        enable = true;
+        trusted = true;
+      };
    };
  };

--- a/hosts/naromk3/hardware-configuration.nix
+++ b/hosts/naromk3/hardware-configuration.nix
@@ -10,25 +10,31 @@
    (modulesPath + "/profiles/qemu-guest.nix")
  ];

-  boot.initrd.availableKernelModules = ["ahci" "xhci_pci" "virtio_pci" "virtio_scsi" "sd_mod" "sr_mod"];
-  boot.initrd.kernelModules = [];
-  boot.kernelModules = [];
-  boot.extraModulePackages = [];
-
-  fileSystems."/" = {
-    device = "/dev/disk/by-uuid/28b965a5-940b-4990-87fe-039c9f373bf0";
-    fsType = "ext4";
+  boot = {
+    initrd = {
+      availableKernelModules = ["ahci" "xhci_pci" "virtio_pci" "virtio_scsi" "sd_mod" "sr_mod"];
+      kernelModules = [];
+    };
+    kernelModules = [];
+    extraModulePackages = [];
  };

-  fileSystems."/boot" = {
-    device = "/dev/disk/by-uuid/EBAD-6B85";
-    fsType = "vfat";
-    options = ["fmask=0022" "dmask=0022"];
-  };
+  fileSystems = {
+    "/" = {
+      device = "/dev/disk/by-uuid/28b965a5-940b-4990-87fe-039c9f373bf0";
+      fsType = "ext4";
+    };

-  fileSystems."/tank" = {
-    device = "/dev/disk/by-uuid/ed00871e-a14a-428f-b6e4-5b56febd756a";
-    fsType = "ext4";
+    "/boot" = {
+      device = "/dev/disk/by-uuid/EBAD-6B85";
+      fsType = "vfat";
+      options = ["fmask=0022" "dmask=0022"];
+    };
+
+    "/tank" = {
+      device = "/dev/disk/by-uuid/ed00871e-a14a-428f-b6e4-5b56febd756a";
+      fsType = "ext4";
+    };
  };

  swapDevices = [];
--- a/hosts/tilo/configuration.nix
+++ b/hosts/tilo/configuration.nix
@@ -30,10 +30,7 @@
        ];
      };
    };
-    packages.nix = {
-      gc.automatic = true;
-      trusted-users = ["root" "phundrak"];
-    };
+    packages.nix.gc.automatic = true;
    services = {
      calibre.enable = true;
      endlessh.enable = true;
@@ -50,7 +47,10 @@
    };
    users = {
      root.disablePassword = true;
-      phundrak.enable = true;
+      phundrak = {
+        enable = true;
+        trusted = true;
+      };
    };
  };