Re-add nixedo as a media server

flake.nix

@@ -72,6 +72,19 @@
           ];
         };
 
+        nixedo = nixpkgs.lib.nixosSystem {
+          specialArgs = specialArgs // {
+            headless = true;
+            hostname = "nixedo";
+          };
+
+          modules = [
+            agenix.nixosModules.default
+
+            ./nix/hosts/nixedo
+          ];
+        };
+
         t490 = nixpkgs.lib.nixosSystem {
           specialArgs = specialArgs // {
             hostname = "t490";

nix/home/opdavies/hosts/nixedo.nix

@@ -0,0 +1,13 @@
+{ ... }:
+
+{
+  features = {
+    cli = {
+      direnv.enable = true;
+    };
+
+    desktop = {
+      gtk.enable = true;
+    };
+  };
+}

nix/hosts/lemp11/default.nix

@@ -26,8 +26,5 @@
     ../common
 
     ./configuration.nix
-    ./secrets.nix
-
-    ./modules/nginx.nix
   ];
 }

nix/hosts/nixedo/configuration.nix

@@ -0,0 +1,147 @@
+# Edit this configuration file to define what should be installed on
+# your system.  Help is available in the configuration.nix(5) man page
+# and in the NixOS manual (accessible by running ‘nixos-help’).
+
+{
+  headless,
+  hostname,
+  inputs,
+  outputs,
+  pkgs,
+  self,
+  system,
+  username,
+  ...
+}:
+
+{
+  imports = [
+    # Include the results of the hardware scan.
+    ./hardware-configuration.nix
+  ];
+
+  # home-manager.backupFileExtension
+  home-manager = {
+    backupFileExtension = "bak2";
+    extraSpecialArgs = {
+      inherit
+        hostname
+        inputs
+        outputs
+        headless
+        self
+        system
+        username
+        ;
+    };
+    useGlobalPkgs = true;
+    useUserPackages = true;
+
+    users."${username}" = import "${self}/nix/home/${username}";
+  };
+
+  nixpkgs = {
+    config = {
+      allowUnfree = true;
+
+      permittedInsecurePackages = [ "electron-27.3.11" ];
+    };
+
+    overlays = [
+      outputs.overlays.additions
+      outputs.overlays.modifications
+      outputs.overlays.stable-packages
+    ];
+  };
+
+  nix.nixPath = [ "nixpkgs=${inputs.nixpkgs}" ];
+
+  # Bootloader.
+  boot.loader.systemd-boot.enable = true;
+  boot.loader.efi.canTouchEfiVariables = true;
+  boot.loader.efi.efiSysMountPoint = "/boot/efi";
+
+  # networking.wireless.enable = true;  # Enables wireless support via wpa_supplicant.
+
+  # Configure network proxy if necessary
+  # networking.proxy.default = "http://user:password@proxy:port/";
+  # networking.proxy.noProxy = "127.0.0.1,localhost,internal.domain";
+
+  # Enable networking
+  networking.networkmanager.enable = true;
+
+  # Set your time zone.
+  time.timeZone = "Europe/London";
+
+  # Select internationalisation properties.
+  i18n.defaultLocale = "en_GB.UTF-8";
+
+  i18n.extraLocaleSettings = {
+    LC_ADDRESS = "en_GB.UTF-8";
+    LC_IDENTIFICATION = "en_GB.UTF-8";
+    LC_MEASUREMENT = "en_GB.UTF-8";
+    LC_MONETARY = "en_GB.UTF-8";
+    LC_NAME = "en_GB.UTF-8";
+    LC_NUMERIC = "en_GB.UTF-8";
+    LC_PAPER = "en_GB.UTF-8";
+    LC_TELEPHONE = "en_GB.UTF-8";
+    LC_TIME = "en_GB.UTF-8";
+  };
+
+  # Configure keymap in X11
+  services.xserver.xkb = {
+    layout = "gb";
+    variant = "";
+  };
+
+  # Configure console keymap
+  console.keyMap = "uk";
+
+  # Define a user account. Don't forget to set a password with ‘passwd’.
+  users.users.opdavies = {
+    isNormalUser = true;
+    description = "Oliver Davies";
+    extraGroups = [
+      "docker"
+      "media"
+      "networkmanager"
+      "wheel"
+    ];
+    packages = with pkgs; [
+      cryptsetup
+    ];
+  };
+
+  users.groups.media = { };
+
+  # List packages installed in system profile. To search, run:
+  # $ nix search wget
+  environment.systemPackages = with pkgs; [
+    #  vim # Do not forget to add an editor to edit configuration.nix! The Nano editor is also installed by default.
+    #  wget
+  ];
+
+  # Some programs need SUID wrappers, can be configured further or are
+  # started in user sessions.
+  # programs.mtr.enable = true;
+  # programs.gnupg.agent = {
+  #   enable = true;
+  #   enableSSHSupport = true;
+  # };
+
+  # List services that you want to enable:
+
+  # Enable the OpenSSH daemon.
+  services.openssh.enable = true;
+
+  # Open ports in the firewall.
+  networking.firewall.allowedTCPPorts = [
+    80
+    443
+  ];
+  # networking.firewall.allowedUDPPorts = [ ... ];
+  # Or disable the firewall altogether.
+  # networking.firewall.enable = false;
+
+  system.stateVersion = "24.11";
+}

nix/hosts/nixedo/default.nix

@@ -0,0 +1,28 @@
+{
+  features = {
+    cli = {
+      docker.enable = true;
+    };
+
+    homelab = {
+      forgejo.enable = true;
+      gitea.enable = true;
+      immich.enable = true;
+      jellyfin.enable = true;
+      paperless.enable = true;
+      pihole.enable = true;
+      tubearchivist-container.enable = true;
+      # vaultwarden.enable = true;
+    };
+  };
+
+  imports = [
+    ../common
+
+    ./configuration.nix
+    ./secrets.nix
+    ./extra.nix
+
+    ./modules/nginx.nix
+  ];
+}

nix/hosts/nixedo/extra.nix

@@ -0,0 +1,9 @@
+{
+  programs.dconf.enable = true;
+
+  services.logind.lidSwitchExternalPower = "ignore";
+
+  age.identityPaths = [
+    "/home/opdavies/.ssh/id_rsa"
+  ];
+}

nix/hosts/nixedo/hardware-configuration.nix

@@ -0,0 +1,54 @@
+# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations.  Please make changes
+# to /etc/nixos/configuration.nix instead.
+{
+  config,
+  lib,
+  pkgs,
+  modulesPath,
+  ...
+}:
+
+{
+  imports = [
+    (modulesPath + "/installer/scan/not-detected.nix")
+  ];
+
+  boot.initrd.availableKernelModules = [
+    "xhci_pci"
+    "thunderbolt"
+    "nvme"
+    "usb_storage"
+    "sd_mod"
+  ];
+  boot.initrd.kernelModules = [ ];
+  boot.kernelModules = [ "kvm-intel" ];
+  boot.kernelParams = [ "i8042.reset" ];
+  boot.extraModulePackages = [ ];
+
+  fileSystems."/" = {
+    device = "/dev/disk/by-uuid/7c6d69ec-ba06-4ddb-b9c4-62b3994fda91";
+    fsType = "ext4";
+  };
+
+  fileSystems."/boot/efi" = {
+    device = "/dev/disk/by-uuid/B729-9A75";
+    fsType = "vfat";
+  };
+
+  swapDevices = [
+    { device = "/dev/disk/by-uuid/5db0a0e6-93fb-4d0b-8fb0-fdb3cb76b89d"; }
+  ];
+
+  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+  # (the default) this is the recommended approach. When using systemd-networkd it's
+  # still possible to use this option, but it's recommended to use it in conjunction
+  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
+  networking.useDHCP = lib.mkDefault true;
+  # networking.interfaces.enp0s13f0u1.useDHCP = lib.mkDefault true;
+  # networking.interfaces.wlo1.useDHCP = lib.mkDefault true;
+
+  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+  powerManagement.cpuFreqGovernor = lib.mkDefault "powersave";
+  hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+}

nix/modules/nixos/autorandr.nix

@@ -16,6 +16,15 @@
             desktop.name = "HDMI-1";
           };
 
+          nixedo = {
+            internal = {
+              fingerprint = "00ffffffffffff000dae081400000000251d0104a51f117802ee95a3544c99260f505400000001010101010101010101010101010101363680a0703820403020350035ad1000001a000000fe004e3134304843472d4551310a20000000fe00434d4e0a202020202020202020000000fe004e3134304843472d4551310a200084";
+              name = "eDP-1";
+            };
+
+            desktop.name = "HDMI-1";
+          };
+
           t490 = {
             internal = {
               fingerprint = "00ffffffffffff0030e4fa0500000000001c0104a51f117802aa95955e598e271b5054000000010101010101010101010101010101012e3680a070381f403020350035ae1000001ab62c80f4703816403020350035ae1000001a000000fe004c4720446973706c61790a2020000000fe004c503134305746412d53504432004d";

nix/secrets/secrets.nix

@@ -2,6 +2,7 @@ let
   hosts = {
     hetznix = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMk8n03VeShc0q4ztcaNrmScwM7u0j6fFVtmupy2RlM2";
     lemp11 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEZ+ljJKd6uqdAk+fqxwtObI4Stab2N9Bjo4QFHY/v8n";
+    nixedo = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILvtcGJnc94k6wCPfvK9oBvGey0WWVCR8IYSqg5vqage";
     t490 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILvtcGJnc94k6wCPfvK9oBvGey0WWVCR8IYSqg5vqage";
   };
 
@@ -12,11 +13,13 @@ in
 {
   "cloudflare.age".publicKeys = [
     hosts.hetznix
+    hosts.t490
     users.opdavies
   ];
 
   "tubearchivist.age".publicKeys = [
     hosts.lemp11
+    hosts.nixedo
     users.opdavies
   ];
 }