feat(hosts): add NaroMk3 to the existing hosts

.sops.yaml

@@ -5,6 +5,8 @@ keys:
   - &marpa-host age1cnnpnglkvgw5ffv8qpgwpqvj203lh4uwt698y9mxjwklxt8nysmsa8hepn
   - &tilo age1g68hxv73llkyc7etzh499ztcrt93pwawy0n8p93px4taqu58mehsp88vjq
   - &tilo-host age1awytvphvty4f9wmdn86xnjg9kgetqjx8qlwj5d2882t4fyyzy58s3vg5k4
+  - &NaroMk3 age1erkn7dd022e90ktyj66aux9j9xvl0uzd6ru5cmrjsvcm5rtr5pfs7q6k9h
+  - &NaroMk3-host age16crkeglm3j3f6rveylytuerptjf9mwtv3hl89ywkmnnvdkntfchsuvrsk5
 creation_rules:
   - path_regex: secrets/secrets.yaml$
     key_groups:
@@ -15,3 +17,5 @@ creation_rules:
       - *marpa-host
       - *tilo
       - *tilo-host
+      - *NaroMk3
+      - *NaroMk3-host

flake.lock

@@ -296,6 +296,22 @@
         "type": "github"
       }
     },
+    "nixpkgs_2": {
+      "locked": {
+        "lastModified": 1764767520,
+        "narHash": "sha256-gs0x3CIkBN/2ALvfNkKZ82NJe/k/WrddcwT/NstLpUo=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "511f22afbfaccda862e13f8f2441c717bc962e89",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
+        "ref": "nixos-unstable-small",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
     "pumo-system-info": {
       "inputs": {
         "flake-utils": "flake-utils_2",
@@ -348,6 +364,7 @@
         "pumo-system-info": "pumo-system-info",
         "quickshell": "quickshell",
         "sops-nix": "sops-nix",
+        "srvos": "srvos",
         "zen-browser": "zen-browser"
       }
     },
@@ -392,6 +409,24 @@
         "type": "github"
       }
     },
+    "srvos": {
+      "inputs": {
+        "nixpkgs": "nixpkgs_2"
+      },
+      "locked": {
+        "lastModified": 1764811239,
+        "narHash": "sha256-O98nsREqOegA/ckOi1lj5cC8+FlzZmgE2q2RD9eKrnw=",
+        "owner": "nix-community",
+        "repo": "srvos",
+        "rev": "0ed5a0abca19cb199796e77180499cb9b6cca493",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-community",
+        "repo": "srvos",
+        "type": "github"
+      }
+    },
     "systems": {
       "locked": {
         "lastModified": 1681028828,

flake.nix

@@ -34,6 +34,8 @@
       inputs.nixpkgs.follows = "nixpkgs";
     };
 
+    srvos.url = "github:nix-community/srvos";
+
     claude-desktop = {
       url = "github:k3d3/claude-desktop-linux-flake";
       inputs.nixpkgs.follows = "nixpkgs";
@@ -55,6 +57,7 @@
     nixpkgs,
     home-manager,
     devenv,
+    srvos,
     ...
   } @ inputs: let
     inherit (self) outputs;
@@ -100,13 +103,17 @@
         inherit extraSpecialArgs pkgs;
         modules = withUserModules ./users/phundrak/host/alys.nix;
       };
+      "phundrak@gampo" = home-manager.lib.homeManagerConfiguration {
+        inherit extraSpecialArgs pkgs;
+        modules = withUserModules ./users/phundrak/host/gampo.nix;
+      };
       "phundrak@marpa" = home-manager.lib.homeManagerConfiguration {
         inherit extraSpecialArgs pkgs;
         modules = withUserModules ./users/phundrak/host/marpa.nix;
       };
-      "phundrak@gampo" = home-manager.lib.homeManagerConfiguration {
+      "phundrak@NaroMk3" = home-manager.lib.homeManagerConfiguration {
         inherit extraSpecialArgs pkgs;
-        modules = withUserModules ./users/phundrak/host/gampo.nix;
+        modules = withUserModules ./users/phundrak/host/naromk3.nix;
       };
       "phundrak@tilo" = home-manager.lib.homeManagerConfiguration {
         inherit extraSpecialArgs pkgs;
@@ -133,6 +140,15 @@
         inherit specialArgs;
         modules = withSystemModules ./hosts/marpa/configuration.nix;
       };
+      NaroMk3 = nixpkgs.lib.nixosSystem {
+        inherit specialArgs;
+        modules = withSystemModules [
+          srvos.nixosModules.server
+          srvos.nixosModules.hardware-hetzner-cloud
+          srvos.nixosModules.mixins-terminfo
+          ./hosts/naromk3/configuration.nix
+        ];
+      };
       tilo = nixpkgs.lib.nixosSystem {
         inherit specialArgs;
         modules = withSystemModules ./hosts/tilo/configuration.nix;

hosts/naromk3/configuration.nix

@@ -0,0 +1,75 @@
+{inputs, ...}: {
+  imports = [
+    ./hardware-configuration.nix
+    inputs.home-manager.nixosModules.default
+    ../../system
+  ];
+
+  mySystem = {
+    boot = {
+      kernel = {
+        hardened = true;
+        cpuVendor = "amd";
+      };
+      grub = {
+        enable = true;
+        device = "/dev/sdb";
+      };
+    };
+    dev.docker.enable = true;
+    misc.keymap = "fr-bepo";
+    networking = {
+      hostname = "NaroMk3";
+      id = "0003beef";
+      firewall = {
+        openPorts = [
+          22 # Gitea SSH
+          80 # HTTP
+          443 # HTTPS
+        ];
+      };
+    };
+    packages.nix = {
+      gc.automatic = true;
+      trusted-users = ["phundrak"];
+    };
+    services = {
+      endlessh.enable = false;
+      ssh = {
+        enable = true;
+        allowedUsers = ["phundrak"];
+        passwordAuthentication = false;
+        port = 2222; # port 22 will be used by Gitea
+      };
+    };
+    users = {
+      root.disablePassword = true;
+      phundrak.enable = true;
+    };
+  };
+
+  # This option defines the first version of NixOS you have installed
+  # on this particular machine, and is used to maintain compatibility
+  # with application data (e.g. databases) created on older NixOS
+  # versions.
+  #
+  # Most users should NEVER change this value after the initial
+  # install, for any reason, even if you've upgraded your system to a
+  # new NixOS release.
+  #
+  # This value does NOT affect the Nixpkgs version your packages and
+  # OS are pulled from, so changing it will NOT upgrade your system -
+  # see https://nixos.org/manual/nixos/stable/#sec-upgrading for how
+  # to actually do that.
+  #
+  # This value being lower than the current NixOS release does NOT
+  # mean your system is out of date, out of support, or vulnerable.
+  #
+  # Do NOT change this value unless you have manually inspected all
+  # the changes it would make to your configuration, and migrated your
+  # data accordingly.
+  #
+  # For more information, see `man configuration.nix` or
+  # https://nixos.org/manual/nixos/stable/options#opt-system.stateVersion
+  system.stateVersion = "25.05"; # Did you read the comment?
+}

hosts/naromk3/hardware-configuration.nix

@@ -0,0 +1,46 @@
+# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations.  Please make changes
+# to /etc/nixos/configuration.nix instead.
+{
+  config,
+  lib,
+  pkgs,
+  modulesPath,
+  ...
+}: {
+  imports = [
+    (modulesPath + "/profiles/qemu-guest.nix")
+  ];
+
+  boot.initrd.availableKernelModules = ["ahci" "xhci_pci" "virtio_pci" "virtio_scsi" "sd_mod" "sr_mod"];
+  boot.initrd.kernelModules = [];
+  boot.kernelModules = [];
+  boot.extraModulePackages = [];
+
+  fileSystems."/" = {
+    device = "/dev/disk/by-uuid/28b965a5-940b-4990-87fe-039c9f373bf0";
+    fsType = "ext4";
+  };
+
+  fileSystems."/boot" = {
+    device = "/dev/disk/by-uuid/EBAD-6B85";
+    fsType = "vfat";
+    options = ["fmask=0022" "dmask=0022"];
+  };
+
+  fileSystems."/tank" = {
+    device = "/dev/disk/by-uuid/ed00871e-a14a-428f-b6e4-5b56febd756a";
+    fsType = "ext4";
+  };
+
+  swapDevices = [];
+
+  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+  # (the default) this is the recommended approach. When using systemd-networkd it's
+  # still possible to use this option, but it's recommended to use it in conjunction
+  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
+  networking.useDHCP = lib.mkDefault true;
+  # networking.interfaces.enp1s0.useDHCP = lib.mkDefault true;
+
+  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+}

hosts/tilo/configuration.nix

@@ -1,6 +1,3 @@
-# Edit this configuration file to define what should be installed on your
-# system.  Help is available in the configuration.nix(5) man page and in
-# the NixOS manual (accessible by running ‘nixos-help’).
 {inputs, ...}: {
   imports = [
     ./hardware-configuration.nix

keys/id_naromk3.pub

@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAID8C2Upks4/feloFsgZkQ6iOZBEJ6o87NdXdHeBYNUhg lucien@phundrak.com

secrets/secrets.yaml

@@ -1,67 +1,85 @@
-extraHosts: ENC[AES256_GCM,data:i2B5DEjVm7P0V77oVzGIgU08dcpmxy8EgoJz4nPuhfpOBZI1BQpRTOOoSVRZzY6SNpLQCcNDVCwvuhtS12w7NAgIFvBhSigzwJVaWZiC78qTjXanbjSW6fvT1SQqb+YOD+4qkpuuxT5pdBKkyHZvjGM6elyA0K6JzpiCE33+Ag/4SIFTyDrdhJN2HQule54aBDVObg5s7zmPnDo9bCX0XXXCbFpdOfJMKI+89c+Gfm0dJrnDwHcks3p1ZrrSfLn3NhC+Rryc8FHMCtw936WKv+TcP124XGYxXrdEFKngB/pJLhUZlzDeC4v33xtPemOdQrK7vGjO0YZ7WBbO5oXvHw6R1pqC7iMDWjKQBbPit8IB3rngXeMOPEHxbEp1W0MEHbp3bg4GH/SAnxKkfeAFxhMNMBolO12KTntaLCurTSKXhXCIn9SSxFcoWK6kIeo6cpejcHdqGbtV8eL3znZ+MXzvEDRwiy5Sofxa31aAoItwX7kK1YHbpMT95jfr8rKc4yR7tkJWmJkmU494x/lhLkyQbXj25cNcJE7v+hLtQkJ1gdHRgYxYJFxG+VbroSS5HjkRvameuLMfk5dHxg+0bifXEV1FjhKtZqM5JQNEFOHUzvrs5u8m3NKNr13onuT5soh3GKAlh8AMX7p5Etud0BpQPdU7HT5WXRyuP7JMZL5wsjRsGWRxnQaQbnV6qg1b1JP25b6iRj0DFHZJeIEEOU20wDwDQDCoXzJS8vlMbZOC0W9/NVWgwz+UAWQz/yxzRGbconWr6zUhvwcwYBtDhYb6KD0GFxn6yfB/zfMvRHZz8AFF4w00Bx4F2L3nvF4lltnkHkdy9Qql6RsshsVFpPjrhzCrABFBrP0js1OCRw==,iv:Mx7LgF/1z/aZtyvIYafELx2tg2VZ3wTpV0zI04DLxU0=,tag:ZZImkH5/6atDOIzaXJC0Bg==,type:str]
+extraHosts: ENC[AES256_GCM,data:P6Ho3CVFpJcJEVd8MVq9K0X4/OU4kJ270ZrzU+gdhlzeULzkYMcWBIa1mmMixbRnyuc+8wCeT1RpKSfl0zQNVjSazyj+V1C5+ZS8qboxD/8ehRMWnVtAFuyL4sruuyxpiXC+8op+sjAAWJWBfvQ0KCRD2H83+txz335XZZPYPmHvYjZ0FS3A23Zf4yVZHGXY6oxbUWhmeOhDf3vaARQe9MEqp/dPn/4QFrq8LwwEghnukbBPHY49VZ+pRV4HTOUnwjLjgfflqxXLqTHIYRu5GPEzRjC3ZT/5Hr4syLzPAFW12mVEOBjT4wpKLdnZypjlYaF0MfvUTE+qkTAACObUvcm1q+GT1qGmVr5M1VqOvSaWi+QgM9mlZBSJQzwrQ5tcBQ/GdrahyxjyVJOsz//mYRWqNerSIFr06znaAhAeZN2YRQRckzIPj+Crmdy2BNW8KDCWBiOjrgAb7MQOIVQ53JBwN0F/hgABKFgUd9lTSao3CEJEx9RooIezvu7SbXD3vxHSzrfhpyoSlJMx8hPNUoPqs0VnKdpGs4nudiMAgrdPG4eDsHqXZ6qVa4a3LpODFEDpsnstQuF8MgMmQFiEHJBID7j/uXyvcye7ZY3GQv6mAo5YkHjUts9j0UH+EkRD84AxVDv+TyroLKAgSZqZQVr3uUBS0CK50BPflwoP2scU+giTWm6L947LhHBIJvxfxtsHVj39kiCLjUJTKU1sLsb779938kXuEa/kd9XpMU4MQcMhD/gSzf0eemDPEe47HNYLjgDypPxkqnV/cNk+LkGOELLuvzqESsgUQLULG1rIS1kXYMJF1OZ9RRswf39AQnlZSovkw+phX8jOpvwfJHIax+35tkH+rkf621klXA==,iv:oAsOGZHilhBZYewYoWPxfloNjqLL92fvhcU+agd+oQA=,tag:2cuosGghq/+5akitPp4C4g==,type:str]
 mopidy:
-    spotify: ENC[AES256_GCM,data:SaDT0iSWhsgVOi1s+Nzbr0Mur3t2Zd9z/KIUshGWtbPfkXXIoiJeJFtoZIz5NL/t5FooYsNfU1mGYgDeVYSD4BPibW8hiCYrX6L6OX+Q6ZEWXXx/1eBEs2/q0BrWGvy7frcurq/Px4R3ax0dXJe/YKbpAtU7+bQl,iv:F2zT+uMVBMnSEZqgcRmV8/fc3G/g2fKDuHuBzkyBRN0=,tag:CD8fuOQfe6QCrj4BUh0/xw==,type:str]
-    bandcamp: ENC[AES256_GCM,data:diEx2fbkOR1oUav81jU5bNt/KNmbOaVzLV+G3zBUVXE7nEQpZNqVom0rgNrEVDGzH3u/IaA5eqG5ce9lE0BomeY8Z4MWI1xujhX5KsXdv21aw4UwsNgyLPuWhkN2POUMfCJlvekc/TFfFvJHyysx8aKxeI4dsg==,iv:cxx0cVkjOPG+hMD8JctJHdcICJt7ozpfRBVSCDBo6Ro=,tag:JRjwwvieGaGZJ+k56HWFaw==,type:str]
-emailPassword: ENC[AES256_GCM,data:LALAvyuNN9bfa8D6ZK1YiFXRfxLOBi9kXA0N0Kr7h18eAI4hWQ==,iv:WtidILFfWCMKylax52JP+X57GfZyYlxJtiwrC6SADik=,tag:NvOrsL3fbmxQZp06GZhUZA==,type:str]
+    spotify: ENC[AES256_GCM,data:89vPpgJ53eYou01qgxfqxOO6G/raBA0Vzck31PLchE4Jhi6HcNnoW4wwhHW3pG0AfCu5sE1CuryhRpWTc62fXIBoenKiCiU7chFhBF0UNq3Fcie26l6hdEx+XYVcM/MNBBbkb8VZq1mR0sgGmUESuZVzeI3LMykF,iv:n+LxuijWCZGW2YacrYQ2QIF2BTSilLmJ72piFRK25vw=,tag:iOQatj2UJdlMvn6C40IILg==,type:str]
+    bandcamp: ENC[AES256_GCM,data:Sas5Sk0gNaq2E1XnsK8lvaZEzsaFZKY+zDxvgTiqTm2hrI2BnWieRWcZV6u1yRKjLAhh1rdSYhnZJHWUGIAY9qnFOk4vUVUHLtxnkxO/bJN/sykc4qwXRg4/NNap+8TcsN/S1AFJYKmXYn1Otx/02wbMEzHIuw==,iv:VGC7COqF3goMyyJvasiT0yVxOk4QKLOuXd2FbHjuRwk=,tag:pvyX4Q+dvlWFkdSJzTlgwA==,type:str]
+emailPassword: ENC[AES256_GCM,data:RXmfWKIm5CzZrqhT6bAPZdijByO1NvrSwN1YO4/huVQnQh5p1g==,iv:lh/mxH5sPce+to6TsK2f0SrpHJuuGUiKWzrNmQfJcY0=,tag:EyR7Nml7Jyh4Modsq7DuBw==,type:str]
 ssh:
-    hosts: ENC[AES256_GCM,data:nuMA50lZVxi/b2Y95Om00DIXkfHV+5epXzgFJTUk1r78y71/q/1wDa0bb9bqaMhElivDrX2mzS7IplLqLry43VkGAiE00WrdT7pLM+NSDtm7VV3kake7qorkpydxczHeVg5VP/b1FMzpQ1gFoAVg6iY9tYBnfTa5MdQI3ktQBRYWU5XmVMFNquTBG10wOKxgTUdkh6smcYmU5YlDUdeM6gTt9QPSHlglOGCe/w3tuXOWkBNcNtNiwQoaKTwIkhisu8R6h/qwtOBBt0wEpOv+KtdYQ0Y9o7/KiN2mG24+/mASfAYTAhifSnCY0vDe145gkrQzFttzZDI6l4OgjYF9rIsP+hKwUChGObW90HVVKQbJ8oDoG+l9L+IxLxs8v/v1690Xtra+PPvZCgGqhXqpoqBL/OgNdR26p/G8Oid81Nb0ob8DstYLjYlcg7ZjPiruMtRwhKoa4z++pe+poepGAPHdKkLvAvzFUKwcqRfR7RNgNgZR8hFAe7Tg5m3ApF+koGWjcoKCyALgc/hP6LTBmiJuj6OySFl1cTtkKHPsYXa49St+lOB32MXCH2ysAI6860ZcJqpAFTQ1Yd2XYu+Xrbxcm381mE02Tw20+VP2OPyEYt+ida2TKAzM3aXiMGTRpSkwzkKXsRoBskVQxv3z+6c+w87I9ZmoZHqHM7dWcRAuj2bT2ZWeExPyEmUFczMjCcFFEepnlKWOYmkUZmjDfqZ1mtR3bBK271AnVHakS5jajbhhyu6VDMLYIQmBPDFpZnyCE2qgb9FbXBbqoq+qc/9w+7gCdXNnb1tDdiJ8E4k7no6oU5jrRMGHNX3UOMDs/Y9NS0vPsnqBpr7Pf+H6bxncXWoaimijoi1OxvUFMbRvT5uUgP/JNDZDGBhlY3zRiUnDhTuHF5vP8wisqsba7zwpoqIchI3hbxm+lWXt09ZTnR2A1uR3DTlEEjGUMpD5K5CWkgTalgaHYI9jh9n66rYop9evlngZlg5Cth/Lieh/34fcIUzHAQMbxUKqoRU9zHHQJ51AZIovTtegXmgPmQ8fw6F3uBQ5gg+T1CiaCqs5nUd9ERM=,iv:DNg2EEPmylLf2CqR9eqJYzngGizTraPNImIGTJwl8kI=,tag:StZ6H+1ec/i0l94Cv+AhOA==,type:str]
+    hosts: ENC[AES256_GCM,data:0KRAZyfgcO2HRio7GFKgZ0DeRdbLkawEpS2+UT6aWvDM7MrTXvA0sCkn57Y8Akq3+Lg+90eWgBNOWwkPG36S2+2dLgH7HdILUuqLY56QXJiv1lLf/JM9F6zDoJOoXBf4gwCBZ0wwRBJFbtMCkRGVtkYKeWMvDDnkrdyDjn9bFcJrECbb3c4upGp7kCCo43ATi1QL4HWTUhbt24gVnFHHH993vH3rNrgVBdX3GzzHh4M/aLcMaVXaAvf6F2dSCCzdruB3giYt0n0TciVDcINnbnOpBHnVJwzKNY387PYLlgeDfA1qL5ak4FUeNg+e79qXIqeLeQ0Gmmbjrq3jJl3jEDu/m2Ze6T2UTDDjSvs6Nq20lxarWCpa814oLzU7Ih5t+3Tpy99KDkFtfrawPm4GuEceGW6anGV5EAPFxIjSxZMCnsZaAFlhe17ZeHnSMdF/kDhcaAVNjFexXv5xwD9R4ga9eqDPwmawhpLjecooXws+u322MFheinI4mxaIuoPpSN26z4Svpxf2qL0NnQh0IAVEJ0S4PRp6FfAktuJbCE93YxJzCpgOrLbesyrRM6L/JN2Apv6ERU6VfkS6E25aO1O1l3lWII3YFpfn+6BXBMnb7y4e2nvABluyp9vJDjWuc1W7qE4tPOOp6a10Gy5sWi1vXz2DI5UtmjrPpYiLAbwZVpqyuaPMoVeeRpSPReIrOqdJtlU9Hu06fOMj7zm7FR6redSfXdL8UsV0ct1kI4W2ITy+NR8DTIe1aJCe+ES0J7WNtAZkEdLAfA1Urq9Gxvxt1c6U4sSNXPzvqFNrqfz+dzUSrOlFkWudJMxarXt3fRBgRIt0hE/gVoeOjRpAzJTurtyvOotDVKlszIQrQ8nN4aAD4t1v5bsVwgUc2lnhFjfNa38BZjNdiXf/6E0UpkB2GrofKWmP02sXVsD0NGI0hGOOKzJn3vbuhaXDPD0KSHkVjOZGUXYizwqxgyOQtMIOE9+w42xVCYht9M3A7USQ69Fcm9FvxUfSYNxPznSdZ2zNHxRheowrmX10S9fxEA9vxvic8H86TuAVfZ1S+P6GqpgSH7FDikSLyJNj3PyznRTBar7M65BCCN2zA9aM+SgnSAvkrmz1qQjd3jedcm9xdqvMXw5fYaLFHpYHDdZsi8w=,iv:eRcfkOg5vNI+HxsNELJe20cmKSThtBXwc7c69Jaj/3M=,tag:t0ux5jZRBx9DQbTzr9YHKg==,type:str]
 sops:
     age:
         - recipient: age1ajemtm502nn2n4q7v4j8meyd5mxtcqngkkedxq2pqzuwu78zp93qnw8q48
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBiYU1MR2w4Njh2cVBocmJq
-            YkxvSmVsWDdGT0h0S3NSbDYxb21EVTlxT21nCjB3WlVmK0hkR1B6Z2lhbndvNFdC
-            aE9YMHphU1JoV2hwZ0RITXhHZnJmeTAKLS0tIDk4akc0T1FvbURLRFpXNHlRQ3Vx
-            TUZMTENMbVNjeVFxMGVSc2FpZ0dXcDgKcacaFS2diAKeKwmVz7KghKjkNI2ij4Ns
-            fYSd8sq/bEDTvn1wNpF1zLmzX9jmoXc5iORuRKaYcT8OaoUX7SsFvQ==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBLMG1wWDcrSjN0NjEzY05q
+            YVBWbXJ1ZTlMYkdxZmRMakNZdm9qQnFxYzBFClMzS3RUVzM1aVRoazhXNkxwZFdv
+            OVVIQWlWS0dLS2puN0ZZVjNwaGpWeE0KLS0tIGtaVWJoZmN3bnFtbWt6RmhvUnpK
+            NnlaM2VmdnRVQitxUXZueGxXeWdhQlkK99cfnUusVZO/icWY2pDLExVveLtf1xPp
+            43QVMMWTnkF8fS1SyM6KT7T12gFOeCIxa06IDKs1AIvuOuaq6OxEhw==
             -----END AGE ENCRYPTED FILE-----
         - recipient: age197lfdanym647wdaz9uy8hrfqjwj9fs8rm7vs3fsrctceu8mr9gms2jedhz
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBUNlhkZzFoa21tR244dVJ0
-            cXJWbDA0eVBrZWU4QVRVQm85bVVScFdYbHdnCjRWQWRNajIyQ0JoYTFFQ3RsOFA4
-            cTZGNVhCN2k0NHBMb1Z4VmVqRzNjbEkKLS0tIFhJTVBCM0E4dTkweld6WUx5Z1hQ
-            WXdwVFJ3cXQzUnFPUnV2NzdqcWwwZkkKqS9IQpB/MjnsVQ4IfIRtH6FESzLkdHq/
-            GJnMHt0VcLt/gYrz+lrPc1ecQwNvVGH2Qt++BbSJxUFftoDLdEMlig==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA2SjlaZGdmNWZOKzRUYU5B
+            NlpDeEREOUlkamhINnREeVFoYUJqSkNlc1U0CkU2QUpBTi9DUDI0RmV3M3U3Vmgv
+            UTJ5ZXBlaEcxeUtzUjcwcGw0MG9xKzAKLS0tIFpWeHRMWDlDekVMOWtLWFR2S05y
+            MHNUYUlJVHc4cnRwdGpKYXJOUE9ydWcKrJmvP3y+xVMGvS17iIzAzrKjvO4LAFOH
+            mQV2c2WwZpNFYb63zwKKVxxRsTMCZjQviMXywCB7GRuUk1/aCEjZyA==
             -----END AGE ENCRYPTED FILE-----
         - recipient: age17pn6suvz2f7zmrm9zxj5hr0putvcvdamqxqt7ewhncgg6ccgmp2qr00xm2
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBtcVZPWVNBc1pFWm8zN3hm
-            M1RtenlCbGl3Q0xhWlRWN1BmOUNDK3I0cVQwCk82Vm5IcmZZeVRBdlVUb0NtTXdz
-            QTlVMEhCWkpJN0JOM09mSGtqbzl5ZUkKLS0tIE4vTGhEQlRDZ1Vma0VEQ0xtcU9V
-            MitPc29VYUV3UmJSNXdmMUhwck9MOXMKLXHEKpNvzModiTR1Q6cE1xKSGewV/9PJ
-            rEbTgsa0E9C4vm5sDKjSjuvpSF9tNOSByf5So5kzX0ZTxgjdTjsFbw==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAvMlUrWnFoZGZuZi8yVUJW
+            R1lJeUYydHZCMWZFeTZBNGVVRDQxTmlGZ0RjCmVKZ3BocEVLTUl3M1VoWjRvTi96
+            SzNaWUIrUkxpVjZPVytJTmNEV2g5SkkKLS0tIDlyY1E4T1cxSXNuZDFtT3lhdFVl
+            c2pDd2hCUE9RWHRCN1pXZ2prRk9iNFEKFWnDpPTFbi/l+aJnILF5NWwXLdpzzA7P
+            RWoYja2qWNyIH8+6p+hazvezEVOpGECK5EVCH1dkLv52utuznmwsYg==
             -----END AGE ENCRYPTED FILE-----
         - recipient: age1cnnpnglkvgw5ffv8qpgwpqvj203lh4uwt698y9mxjwklxt8nysmsa8hepn
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBkeUlIL2QxQlhGN3RqOFZR
-            K1p1bjc5R00yclEzL0hYY0c2OFJhRmN4Y0JvCkpIL0Q4Y1Nic3pFYjNIM1hMK2w2
-            cFNGNVhHcW85R2loZ3JveVVZNGptd1kKLS0tIGYvYjlTMzRzUUNlM3padDJHNkFm
-            VGJHL2c4Z05pTWlxellFMG4rRlp1MkUK4mwb2jMlfHb0ISInZKwbm9+EqBzWfZNU
-            +L/WahvTo4Fe9uSOJffpSMleH0ZJS35loCJE5WIdmGnRQB6Mw7LWag==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBtMkZ6dC84cHY5ZGtOd0cv
+            RERqSXI3ejB2andMcldDVmp2SjNVc1hzZlIwCmVoWEFwMXdtVUU3dTVZZ05mRkhB
+            Z2ZCMnY3SUlkV0xRQUVlUDE3VE1aTzgKLS0tIHdiYXh1aE5nb3FSZTlpdVNZOUlF
+            ZEpsL25rcGFZaXBaTXFKbjd2UFpYRzQKNytlpy3cD1OC3FOSfSADjMMzD9qcsLrg
+            A4w6NqhU8E1DJBln/AiElZ58AhzAb5okPsKRGWMQSb73XN0pLLRwXw==
             -----END AGE ENCRYPTED FILE-----
         - recipient: age1g68hxv73llkyc7etzh499ztcrt93pwawy0n8p93px4taqu58mehsp88vjq
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBIR3FWcElFL2RBRmdFS1cy
-            emRTM201a1ltWndUcDJ5RXptd1RTNHdvWXpNCkxBTXZCNUxvd1dXMDhHK0ZFVUI1
-            c2VkRlJJbDNYSzF0djJXN0J4YXltam8KLS0tIEFTZjdWd0NQTVEyU1Q4UCtQVGhy
-            K3VUdlpjd0M3RVBHOVVjc04yZzV4UkUKcB8r+FiqZqwsxj40hCtVePnfIZ3S8DFR
-            tgSRDMp8eEm6vXHbbf49E/cpV4iBwVel9zAe64tYs7atk9dcgMmOpw==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB4M1hKditZLytKeVErbit5
+            UEwyQW13bG1jakphRVA1WEd0WUtFa0I1UUc0ClV6NlUwRkZpZlhmY2t4RVliVExK
+            a2k4RkFFampEUUFkQVhvSWJwd1JPVVEKLS0tIDVzdGV4NFFveStkVUROWE1mUHAz
+            Z3R3MTRIRVZPc0pNVVhHYWhaSXdtbW8KorG+7fRAt1RT1fUD8Z4b2CJaIwCb+1br
+            Wt1E8hWeYVoHGnZuuJgrorv/GnqpRDkMrXix/qqGKuBlAgTDab5eYg==
             -----END AGE ENCRYPTED FILE-----
         - recipient: age1awytvphvty4f9wmdn86xnjg9kgetqjx8qlwj5d2882t4fyyzy58s3vg5k4
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB0TkVLUnFDMnVoT3BUM0kr
-            ZU5hZE1teGF1M21SbmY5MHZTMytKeWpkYnk0CmkwNXlBMDR1cEp2MkZPeWUyU0hZ
-            Wlp4SFIwZUNQa25BRENsYWNoZmZoNjQKLS0tIEtIU3NRVS94SW80VXVGZy9hRkNQ
-            QmJKNDJUY0RSakhwNWlkOVpib0trc1kK0tQxD9I82pjfs54eruu+IjzVUmcVBCPw
-            9mp1xKiYRRMXt3YQn6MPiyuuX3l3UB5MH0RJMNtRq0D961rs+iiS5A==
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAxTDRWRUJNelRPMitSTm1H
+            U1FTY0xsTXZrWnF2VXdsQWNLcE5zeHJ6bGg4CkRZckY3Q0hBNTgxMUVDdUh3YWZS
+            STgwOEZ5cGFkVHFEOWNnNjNONDZIZm8KLS0tIGg1TUZjbmQ5MFU2bG1sZFcycnRR
+            cDVwRVIxeTVmcmJLekpXcG13cTZJVG8KwXR0NOiHcd0njWwRWzEyGf0vb1kXp766
+            FhBxX0RoUToq/UgTQGBWvEODrZTnNd/zXr1J8gA1TeacTEbkoWEkpA==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2025-11-28T12:26:45Z"
-    mac: ENC[AES256_GCM,data:T4/aWHN9ILjaI1WAyO8VUQz87H0dmWjC3E6WnlNaRmTr5kDgpm6nYJHFGnrEEFUTPzAGluMTJzC3Sji6CqLKX7opOUtoDgUqiNHgz0oz7B28+RFGqxspo3IoCM4lJNrKBkZHnrKJFPUooYKc8aNm/goWWHQ/dL2uQ46Hvx9zK+o=,iv:Xq5XcYxkBCWMLFCgCYmkPgwBWMXpLFBPZY3iTTnXRcs=,tag:ZAPZAAv+qy4BM47aCgK89g==,type:str]
+        - recipient: age1erkn7dd022e90ktyj66aux9j9xvl0uzd6ru5cmrjsvcm5rtr5pfs7q6k9h
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBZQUwxenU2aFN5My9wcHpu
+            c2prSCtvbW4xanlxZGhDT1dpT0V2ZUtmcGlvCkNrRkJ2OXVOSFhFcGxSYUdJMHBn
+            M2VydHhVSW5MWTdvTW8vSWlXT3ZnV1UKLS0tIGpydEc5TXNpdXc4czVvNk54K0JO
+            RTlDblJHcUczdmtOdGc4VjUrYk1PTWMKVM07fdDfLWf4T3ELq8G4jsPhR4ZukOjP
+            SATCHMTn3wG4qeGTI4R+4m4iqa3k7CFJUJapmBNHqXWOZeO5w9IonA==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age16crkeglm3j3f6rveylytuerptjf9mwtv3hl89ywkmnnvdkntfchsuvrsk5
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA1SUtkZysyMU05Q0tlSHZh
+            V21acktNUTA1SjBMNFJtcE9XVHVFWWFvcEhNCm9hRFY3QjZkTk05UTJXZkpyTytE
+            N01WS3E1TERmcVlCTEluT2RoODR0RFUKLS0tIHpoNmkxNlc0YmcvTHBZNUZPRks0
+            VkdKMUVOemNhUnpYSFFocnZRQmxPaUEKgCne7JJRIuvFtDMtaqO21IKjRoDW8D+3
+            V5tGfZOQADuef3n8ZG1j5t1OtNNBu4PjpxZynGx3/nR7+FThsK4vMg==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2025-12-07T10:51:49Z"
+    mac: ENC[AES256_GCM,data:9LYnzgwB/QpEdZ7uDxfT+G+oUB0CJLFuigeocZNjoxb9U0PuckuLWuGOtcWBN0mkSF/Yc/rJS9D3a5ut5svwQ3111ROGvjGMF568+8IBJjejoxJepqz23F901rHBDfEVhBPnLImpIapIR/KJDbD+eW9ETlp/RN2LvIk8Zm91YTg=,iv:9+88oTT5UZBHYjzbDtqMqytcXV/bEjUZeqGxolgm0LY=,tag:ywqu25dQ8BcbPvphTqE78g==,type:str]
     unencrypted_suffix: _unencrypted
     version: 3.11.0

system/boot/boot.nix

@@ -38,9 +38,17 @@ in {
     };
     systemd-boot = mkOption {
       type = types.bool;
-      default = true;
+      default = !cfg.grub.enable;
       description = "Does the system use systemd-boot?";
     };
+    grub = {
+      enable = mkEnableOption "Does the system use GRUB? (Disables systemd-boot)";
+      device = mkOption {
+        type = types.str;
+        description = "The GRUB device";
+        default = "";
+      };
+    };
     zfs = {
       enable = mkEnableOption "Enables ZFS";
       pools = mkOption {
@@ -55,6 +63,9 @@ in {
     loader = {
       systemd-boot.enable = cfg.systemd-boot;
       efi.canTouchEfiVariables = cfg.systemd-boot;
+      grub = mkIf cfg.grub.enable {
+        inherit (cfg.grub) enable device;
+      };
     };
     supportedFilesystems = mkIf cfg.zfs.enable ["zfs"];
     zfs.extraPools = mkIf cfg.zfs.enable cfg.zfs.pools;

system/services/default.nix

@@ -9,5 +9,6 @@
     ./printing.nix
     ./ssh.nix
     ./sunshine.nix
+    ./traefik.nix
   ];
 }

system/services/ssh.nix

@@ -18,9 +18,14 @@ in {
       example = true;
       default = false;
     };
+    port = mkOption {
+      type = types.int;
+      default = 22;
+    };
   };
   config.services.openssh = mkIf cfg.enable {
     inherit (cfg) enable;
+    ports = [cfg.port];
     settings = {
       AllowUsers = cfg.allowedUsers;
       PermitRootLogin = "no";

system/services/traefik.nix

@@ -0,0 +1,60 @@
+{
+  config,
+  lib,
+  ...
+}:
+with lib; let
+  cfg = config.mySystem.services.traefik;
+in {
+  options.mySystem.services.traefik = {
+    enable = mkEnableOption "Enable Traefik";
+    dataDir = mkOption {
+      type = types.path;
+      default = "/tank/traefik";
+    };
+    email = mkOption {
+      type = types.str;
+      default = "";
+    };
+  };
+  config.services.traefik = {
+    inherit (cfg) enable;
+    dynamicConfigFile = "${cfg.dataDir}/dynamic_config.toml";
+    staticConfigOptions = {
+      api.dashboard = true;
+      log = {
+        level = "INFO";
+        filePath = "${cfg.dataDir}/traefik.log";
+        format = "json";
+      };
+      accessLog.filePath = "${cfg.dataDir}/access.log";
+      entryPoints = {
+        http = {
+          address = ":80";
+          asDefault = true;
+          http.redirections.entrypoint = {
+            to = "https";
+            scheme = "https";
+          };
+        };
+        https = {
+          address = ":443";
+          asDefault = true;
+          httpChallenge.entryPoint = "https";
+        };
+      };
+      providers.docker = {
+        endpoint = "unix:///var/run/docker.sock";
+        exposedByDefault = false;
+      };
+      certificatesResolvers.cloudflare.acme = {
+        inherit (cfg) email;
+        storage = "${cfg.dataDir}/acme.json";
+        dnsChallenge = {
+          provider = "cloudflare";
+          resolvers = ["1.1.1.1:53" "1.0.0.1:53"];
+        };
+      };
+    };
+  };
+}

users/phundrak/host/naromk3.nix

@@ -0,0 +1,7 @@
+{
+  imports = [../light-home.nix];
+  home = {
+    cli.nh.flake = "/home/phundrak/.dotfiles";
+    phundrak.sshKey.content = builtins.readFile ../../../keys/id_naromk3.pub;
+  };
+}

users/phundrak/host/tilo.nix

@@ -1,7 +1,7 @@
 {
   imports = [../light-home.nix];
   home = {
-    cli.nh.flake = "/tank/phundrak/nixos";
+    cli.nh.flake = "/tank/phundrak/.dotfiles";
     phundrak.sshKey.content = builtins.readFile ../../../keys/id_tilo.pub;
   };
 }