feat(elcafe): add new server configuration

flake.nix

@@ -132,6 +132,13 @@
           inputs.sops-nix.nixosModules.sops
         ];
       };
+      elcafe = nixpkgs.lib.nixosSystem {
+        inherit specialArgs;
+        modules = [
+          ./hosts/elcafe/configuration.nix
+          inputs.sops-nix.nixosModules.sops
+        ];
+      };
       gampo = nixpkgs.lib.nixosSystem {
         inherit specialArgs;
         modules = [

hosts/elcafe/configuration.nix

@@ -0,0 +1,74 @@
+{
+  inputs,
+  config,
+  ...
+}: {
+  imports = [
+    ./hardware-configuration.nix
+    inputs.home-manager.nixosModules.default
+    ../../system
+  ];
+
+  sops.secrets = {
+    "elcafe/traefik/env".restartUnits = ["traefik.service"];
+    "elcafe/traefik/dynamic".restartUnits = ["traefik.service"];
+  };
+
+  mySystem = {
+    boot = {
+      kernel = {
+        hardened = true;
+        cpuVendor = "intel";
+      };
+      zfs = {
+        enable = true;
+        pools = ["tank"];
+      };
+    };
+    dev.docker = {
+      enable = true;
+      extraDaemonSettings.data-root = "/tank/docker/";
+    };
+    misc.keymap = "fr";
+    networking = {
+      hostname = "elcafe";
+      id = "501c7fb9";
+    };
+    packages.nix = {
+      gc.automatic = true;
+      trusted-users = [
+        "root"
+        "phundrak"
+      ];
+    };
+    services = {
+      endlessh.enable = true;
+      plex = {
+        enable = true;
+        dataDir = "/tank/web/plex-config";
+      };
+      ssh = {
+        enable = true;
+        allowedUsers = ["phundrak"];
+        passwordAuthentication = false;
+      };
+      traefik = {
+        enable = true;
+        envFiles = [config.sops.secrets."elcafe/traefik/env".path];
+        dynConf = config.sops.secrets."elcafe/traefik/dynamic".path;
+      };
+    };
+    users = {
+      root.disablePassword = true;
+      phundrak.enable = true;
+    };
+  };
+
+  # This value determines the NixOS release from which the default
+  # settings for stateful data, like file locations and database versions
+  # on your system were taken. It‘s perfectly fine and recommended to leave
+  # this value at the release version of the first install of this system.
+  # Before changing this value read the documentation for this option
+  # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
+  system.stateVersion = "23.11"; # Did you read the comment?
+}

hosts/elcafe/hardware-configuration.nix

@@ -0,0 +1,42 @@
+# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations.  Please make changes
+# to /etc/nixos/configuration.nix instead.
+{
+  config,
+  lib,
+  modulesPath,
+  ...
+}: {
+  imports = [
+    (modulesPath + "/installer/scan/not-detected.nix")
+  ];
+
+  boot = {
+    initrd = {
+      availableKernelModules = ["ahci" "xhci_pci" "ehci_pci" "megaraid_sas" "usbhid" "usb_storage" "sd_mod" "sr_mod"];
+      kernelModules = [];
+    };
+    kernelModules = ["kvm-intel"];
+    extraModulePackages = [];
+  };
+
+  fileSystems."/" = {
+    device = "/dev/disk/by-uuid/d2e703f7-90e0-43e7-9872-ce036f201c4b";
+    fsType = "ext4";
+  };
+
+  swapDevices = [];
+
+  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+  # (the default) this is the recommended approach. When using systemd-networkd it's
+  # still possible to use this option, but it's recommended to use it in conjunction
+  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
+  networking.useDHCP = lib.mkDefault true;
+  # networking.interfaces.eno1.useDHCP = lib.mkDefault true;
+  # networking.interfaces.eno2.useDHCP = lib.mkDefault true;
+  # networking.interfaces.eno3.useDHCP = lib.mkDefault true;
+  # networking.interfaces.eno4.useDHCP = lib.mkDefault true;
+
+  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+  hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+}

secrets/secrets.yaml

@@ -1,3 +1,7 @@
+elcafe:
+    traefik:
+        env: ENC[AES256_GCM,data:Mfm4Wt/7UWrpWGGa/rmC1wY6QtI2G/a6cbZiNjZz1gOTrREehFBZxH5JJ9ZgsxCMSuh/XCQa/75cPg==,iv:nrtTmtdFfTrCYzxFHDVMuaDdoa8SDi+pn4kghP4r9xE=,tag:gjlv8ohv1aDx2PB1rwx6fQ==,type:str]
+        dynamic: ENC[AES256_GCM,data:AYUojopOSi2kZ4ORxs4KrWHgqXZTMVtShb7T2iQ4JDyrlrIWCTpynt8/El9uoDaSryTgqxM8z3g4DIe5nrovh7pcFGVm/QYXfsfAx4kIm//7CwL9UISiyERirJo053Ilut0/lAdw3rlqa9aBYC2fS6AlrHN1ZFzqBttTeyykvZe0qmiW4hPNZ3axXW66juXwe9cxm24bE9bJZuuV9RYbafQ2Om76p/92E42hu6twWaUz/n6QgwaE2ymCekroKaq8+Umohj1XL6UdEEcLSnmc1qRblshhhSssNEtzbKERujt2SH/ppf/LLoohp8v4VbSpVOkx+6fqvyKWvbi2RU3C7eusee+gnBe2mGxGj34Q35iU4RM6dEwwmvzfmCAYy+27SlNVffI8yo8JXACp1aLxqBxLDDU7LokoSUb62/w/mX3NlzYf5a6NeIrHzoh+qHmEXUq63+gsNJaiJPp6DxtAKByg23t1LxSpFhxW7LaYIjh+KjaYZgNYTFR1BerqDu2pyzIrzZQTdtCveX3eiEZ3p9SJxfiuBVKlfQ2FpvJ9JPl9ACTFK6AI4s61ZgiNEeXzqQwo9zt8QrruiixdxPaclOfrBrFxq1mWGBGGXaAryiuZjo4G0KlNVvg/s5YiecYi8prQxXVozti7YI0sGJdGVjDiHwXfnUn+eQD2YBrOH9FlRwO3Vd/yd+42Xf06Hv7IbbYMogcu5y9ZbiXWesVd/TgB+Hu2oWkWxBU3sn6i3rMiZ0z+V/74xCwmfElugGCQ97ga6tQ92UbSBbteoiXpZiH7Z7Wja39rWKPyypH1h71Sccy1rSWrcEVHLC9swtLcB4dzt2JvVdXQ37pmEElfusY0yEb/y0W20vxNArDy035gCXdhUyP65NfrlhcAXoiKQaayL3NO81vBLP+X9+zgKsAV/eINPzM3gsF12QJaaQSL6CIlIF7qdwX8GZwoIg60rE2ogR0XxLcN9CGdMMuILpB9UsSOoPNwgMZd3KIwEB2LJabLKtUwuyKuA0iF6ZwHSghpnkxAIkIGFsbIxslvgCLkVihoSR97lhFpOJbC6n8u408wLD6qxoS6IRAXbIbErkyNyrt9PvbwSiHyWRjF8APCZD2WuQ22GmfBK0t6lM2hF8q7vRKN+SFOvLpql6NFT4n8/Odfr7i+4JqJahRH33RnDqYtRiqgqSSZtq3DOn1aYCivfEMKZrVxP+c6COqpPELDpjBfGWjLhqE/rV48N9x7UZNQKflBlMtaGnB1uEcVuMuZfTRFYQLqYs2p8f5vVXXWF7vSP9mBSHB3oz0seEfLd65y2hppF3J/8F/+QlAyGDrAZFhCYYMRE4eY2dy2cxLNP2M9tGVZMXQSNfys5cDnkYZzvofK7b2scgC9HcCUmBKv8ZxoSa4qyIOzH9XJupY4rlemlJbJQ9paXgAiiTdvLPcncVVnlCPRbEngCDKvoplVnzH9Hd6mIgRCZLyyIeAR8FwikGuZEuQETWanbe4S60KdMpofGM/ysz6eD67q9iVKL1zHCDtpzYQAhKurFUfgcxNOXnWYi8MWdRY9CAvIUJgRgg+IHOV76Nl8ljV6wpgn0qFR0IoQPblI3W8zJ4UASSgvUkf0meR9KLN3pA1D/AnYxi+Zblcz6SuXqBBARkXfW84iJOVanbNxyZpJDEnio6cJmNXX8VJxP0zqlA80FpcMNAvNOYsKx5yEwx3MEAlP7lLU35xgMx/BOgErf9f8XfbxINXPH0an+xQqAm99gbaKamflNQqpXXV+1ViWVWlx7xwqSUq0qy7A2sjs6prZRTR1sTt4i7MONEaRN65zgaPtL8zbO3BCbUecUdzCTmBy/XVnfa2krF8dN4LjBs6/ZswW/KYqc8TU6udiCb6Y1H9kXKsg3l9/5+ftcFB/YC6LzS9ynpOYhw12BJtjEuIuwiKa5J/UTp3IULQDZ2rCKBL09GT1/DGwB5AU8Dc9E9X2OOvWowme/eyYiiX9q+B9yLMYxP6rTsq7vJ8cjwnNRCz8UJbVzTlM9MwntUnyqv1L8E8xD438m0P+soqOc99NwXsuM/aJ6ndctfFNwHYfuau7BJrMRPfjc65yMiayfCxUJmnAsp309ODNS9D6VZkf/l5cBzbd+9xsnK/WA8I7f9bTZgi2/HSNOdEAlwBfRZXrLQAbeixG4qNmRqtOjILYkSkb13Ug/Yx+IFlMIgTxiZzXMduxbloNQU4VqEVY6Qrogu4qlaCWsqICX0SabXFZXUFUHgwswkNqV0G8977QSFTyYkMNr7FZTuFegYjzZZHaOtCJ/2FAJFX/e76rWcoz8GK7lsEqvQnCrqDfGtaSDF0LcJojKXEFg2E6rwENuMumdDJzkHj5dFzGdsf2ogeHqB2+sKpaHAgVjWzfk8CevSKnPDR/6UMhNoi2luW+xbV/DmDLJ5GzO6uGdcSmaQsFcNuFsuQZkC/q3zTf/TqbfH/V/eXR6YS0Etn73/xwVh9b59KazNb7JJ+rXahVHP3aUWocpu7/92Qwh/Odf3qGBJ/KT4a2VWYfBXLq6N0H8g1SI/aRJIAe3JCq2j+ln1PRegcqmwFqJpwp3TebdJEroCZU63Cl6vXm0XHm75MVXz7kYXBnOWeYv63oVyCvRc/yoOTBsCYPiyRxaoLXHUI2e0zCrbSAmAmb5WOUqxq4dJKGZXYYzHlR+aAjBbqmLFyCm92DW0sWlXPBhEeXysOK6IP8NEHatdyCnkpiHsQZyuBITw==,iv:Ooq6tK6nMGuRFJ1ElGCJhOMQVyMNtGBSguQVFSm71fA=,tag:iJviKci+i3tif+sH8UxRZg==,type:str]
 extraHosts: ENC[AES256_GCM,data:YRHvHINgAQv4z+8awMzHY1uZS/K9qSaFsk8G5J2zF5P5YOt4x62eefXgmhWeKZzJI5AIi0312iMQl5qGv+lAkP+VC7j/h1rh7peBDEBU6LvcMgFU2XqxidM/CoKfMkJF8+/4bb+3r1LC/rEeXITTUQsOmoacdyCeKe5yxLaHyic/FaZIJq13wCg/QQSLfenc2Db0Pbxv5/cbRILhKT+ssElVipA40aZpgL7QmD542vObSEa6K4fZd0rawF/nOyibfpPN7Ak8DrYvfygNMw/QAGKY2XosxC86tjxhrIBHRakqmWpV+smoUO6XBFjU2sbwalafYVFdrvYL9BVAPtMZ25Sc5QMm87RCHqzqYdQHKs8C3JpVBHWnyL+0e5DNQrFrml0/FD5nFYsT6zDKVb/rN3YmxvTvKl7FpPKpv3Kke9WG+HnPs90hPy8Jpmg52vLMhaybx6dpJxzcF+ctBSI3J78hfweOCGvNGshCKpME1dujMPctH/kfYcm2j/ixKLjl0ZSbYeI9+l9oURBDwKzmKjAqhwnjuo3sL++ZsRU5Ue1zz9gsxS40R9eYevbq7JiQPX331pY2du1SRoKOxvPpXsDqe+CY5pW2RgPszjEIuDxyoveZolXg/zjlk0Ic/cOxrbflp7bTfQCQqEC7YJ5tRmtctk2lRGQkOFIg9Tn8ReifFxfhDrPFzc8X5vZgH73aqZSd/OkVybI3vEILV5uas0fPL7AHAKnBmeDV3mBNvF8aoZhD5CG8iRd1otta/3AQ660QV8IDoauq8fySC8Kee5B3kG75sqHvwF4Gu6CpSChXkjpiIqVmW0PntJueVHifuGJYkvhkX/CTHK7xm1HhtANnGrk6cr2APjWk1vpOaCmjFNqKTOV9d1HjaNWYTz4AZ+Uq2Za3UzN3oZCtZb96,iv:Z64+4oR/AfSgA7oZ/NPDLOtcmcXO5B4OQIGjOEK1Pf4=,tag:0I/1gXnBH7u6HTbQUz5Fpw==,type:str]
 mopidy:
     spotify: ENC[AES256_GCM,data:SaDT0iSWhsgVOi1s+Nzbr0Mur3t2Zd9z/KIUshGWtbPfkXXIoiJeJFtoZIz5NL/t5FooYsNfU1mGYgDeVYSD4BPibW8hiCYrX6L6OX+Q6ZEWXXx/1eBEs2/q0BrWGvy7frcurq/Px4R3ax0dXJe/YKbpAtU7+bQl,iv:F2zT+uMVBMnSEZqgcRmV8/fc3G/g2fKDuHuBzkyBRN0=,tag:CD8fuOQfe6QCrj4BUh0/xw==,type:str]
@@ -61,7 +65,7 @@ sops:
             QmJKNDJUY0RSakhwNWlkOVpib0trc1kK0tQxD9I82pjfs54eruu+IjzVUmcVBCPw
             9mp1xKiYRRMXt3YQn6MPiyuuX3l3UB5MH0RJMNtRq0D961rs+iiS5A==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2025-08-07T09:16:46Z"
-    mac: ENC[AES256_GCM,data:3PIJps2hoavPJ6ig+943FE73lBhCfxv8vuzmgTtooH386V12/PQN+Opt/ZoIbXU9w21XelZ/C5xPr8rcuw5ADx9K/KjdMm8jyLCO6/+iBf6SjnbC3E0DyiDit50UtWxKc32ryiJ8m5hYfX6O2H8WIGFa+6wp5KISV9pkc09CNZA=,iv:xzwEhhBJQOlde8Ib+tZpv+2CHfR83dFevdwERkYTsTE=,tag:SzdcZH19kSTnNs16754IMw==,type:str]
+    lastmodified: "2025-11-02T00:42:02Z"
+    mac: ENC[AES256_GCM,data:0rYURFETR06JRNY/vE89jEI+dovFNxsjSOalf1Id3H+yzl4UYdsHN1T3mD1EfssFwCloBxOo+188RkUe7JlNV7hC+tvO3nBrDNuqjzFBQu/IHEz+nTI3mwB7ZsywubvFMG65dohM8H9hB2bUXSSqtEUpFEiz7Ugn2BfGyex4BbI=,iv:vFJk6mz60d6CzSetd+bNvxTEWfGBPaBS4sYj/AiYbq4=,tag:2nHBGQ5P3mxLyzllvstBqg==,type:str]
     unencrypted_suffix: _unencrypted
-    version: 3.10.2
+    version: 3.11.0

system/dev/docker.nix

@@ -9,6 +9,13 @@ with lib; let
 in {
   options.mySystem.dev.docker = {
     enable = mkEnableOption "Enable Docker";
+    extraDaemonSettings = mkOption {
+      type = types.nullOr (types.attrsOf types.str);
+      default = {};
+      example = {
+        data-root = "/custom/path";
+      };
+    };
     podman.enable = mkEnableOption "Enable Podman rather than Docker";
     nvidia.enable = mkEnableOption "Activate Nvidia support";
     autoprune.enable = mkEnableOption "Enable autoprune";

system/hardware/default.nix

@@ -1,3 +1,4 @@
+{lib, ...}:
 {
   imports = [
     ./amdgpu.nix
@@ -7,4 +8,5 @@
     ./opentablet.nix
     ./sound.nix
   ];
+  hardware.enableRedistributableFirmware = lib.mkDefault true;
 }

system/services/default.nix

@@ -9,5 +9,6 @@
     ./printing.nix
     ./ssh.nix
     ./sunshine.nix
+    ./traefik.nix
   ];
 }

system/services/traefik.nix

@@ -0,0 +1,65 @@
+{
+  config,
+  lib,
+  ...
+}:
+with lib; let
+  cfg = config.mySystem.services.traefik;
+in {
+  options.mySystem.services.traefik = {
+    enable = mkEnableOption "Enable Traefikse";
+    email = mkOption {
+      type = types.str;
+      default = "lucien@phundrak.com";
+      example = "admin@example.com";
+    };
+    envFiles = mkOption {
+      type = types.listOf types.path;
+      example = ["/run/secrets/traefik.env"];
+      default = [];
+    };
+    dynConf = mkOption {
+      type = types.path;
+      example = "/var/traefik/dynamic.yaml";
+    };
+  };
+  config = mkIf cfg.enable {
+    networking.firewall.allowedTCPPorts = [80 443];
+    services.traefik = {
+      inherit (cfg) enable;
+      environmentFiles = cfg.envFiles;
+      dynamicConfigFile = cfg.dynConf;
+      staticConfigOptions = {
+        log = {
+          level = "WARN";
+          filePath = "/var/log/traefik/traefik.log";
+        };
+        accessLog.filePath = "/var/log/traefik/access.log";
+        api.dashboard = true;
+        entryPoints = {
+          web = {
+            address = ":80";
+            http.redirections.entryPoint = {
+              to = "websecure";
+              scheme = "https";
+            };
+          };
+          websecure.address = ":443";
+        };
+        certificatesResolvers.cloudflare.acme = {
+          inherit (cfg) email;
+          storage = "/var/lib/traefik/acme.json";
+          dnsChallenge = {
+            provider = "cloudflare";
+            resolvers = ["1.1.1.1:53" "1.0.0.1:53"];
+            propagation.delayBeforeChecks = 60;
+          };
+        };
+        providers.docker = {
+          endpoint = "unix:///var/run/docker.sock";
+          exposedByDefault = false;
+        };
+      };
+    };
+  };
+}