phase 2: move host files to hosts/{mreow,yarn,muffin}/

hosts/muffin/default.nix

@@ -0,0 +1,328 @@
+{
+  config,
+  lib,
+  pkgs,
+  hostname,
+  username,
+  eth_interface,
+  service_configs,
+  options,
+  ...
+}:
+{
+  imports = [
+    ./modules/hardware.nix
+    ./modules/zfs.nix
+    ./modules/impermanence.nix
+    ./modules/usb-secrets.nix
+    ./modules/age-secrets.nix
+    ./modules/secureboot.nix
+    ./modules/no-rgb.nix
+    ./modules/security.nix
+    ./modules/ntfy-alerts.nix
+    ./modules/power.nix
+
+    ./services/postgresql.nix
+    ./services/jellyfin
+    ./services/caddy
+    ./services/immich.nix
+    ./services/gitea.nix
+    ./services/gitea-actions-runner.nix
+    ./services/minecraft.nix
+
+    ./services/wg.nix
+    ./services/qbittorrent.nix
+    ./services/bitmagnet.nix
+
+    ./services/arr/prowlarr.nix
+    ./services/arr/sonarr.nix
+    ./services/arr/radarr.nix
+    ./services/arr/bazarr.nix
+    ./services/arr/jellyseerr.nix
+    ./services/arr/recyclarr.nix
+    ./services/arr/arr-search.nix
+    ./services/arr/torrent-audit.nix
+    ./services/arr/init.nix
+
+    ./services/soulseek.nix
+
+    # ./services/llama-cpp.nix
+    ./services/trilium.nix
+
+    ./services/ups.nix
+
+    ./services/grafana
+
+    ./services/bitwarden.nix
+    ./services/firefox-syncserver.nix
+
+    ./services/matrix
+
+    ./services/monero
+
+    ./services/graphing-calculator.nix
+
+    ./services/ssh.nix
+
+    ./services/syncthing.nix
+
+    ./services/ntfy
+
+    ./services/mollysocket.nix
+
+    ./services/harmonia.nix
+
+    ./services/ddns-updater.nix
+  ];
+
+  # Hosts entries for CI/CD deploy targets
+  networking.hosts."192.168.1.50" = [ "server-public" ];
+  networking.hosts."192.168.1.223" = [ "desktop" ];
+
+  # SSH known_hosts for CI runner (pinned host keys)
+  environment.etc."ci-known-hosts".text = ''
+    server-public ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFMjgaMnE+zS7tL+m5E7gh9Q9U1zurLdmU0qcmEmaucu
+    192.168.1.50 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFMjgaMnE+zS7tL+m5E7gh9Q9U1zurLdmU0qcmEmaucu
+    git.sigkill.computer ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFMjgaMnE+zS7tL+m5E7gh9Q9U1zurLdmU0qcmEmaucu
+    git.gardling.com ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFMjgaMnE+zS7tL+m5E7gh9Q9U1zurLdmU0qcmEmaucu
+  '';
+
+  services.kmscon.enable = true;
+
+  # Disable serial getty on ttyS0 to prevent dmesg warnings
+  systemd.services."serial-getty@ttyS0".enable = false;
+
+  # srvos enables vim, i don't want to use vim, disable it here:
+  programs.vim = {
+    defaultEditor = false;
+  }
+  // lib.optionalAttrs (options.programs.vim ? enable) {
+    enable = false;
+  };
+
+  # https://github.com/NixOS/nixpkgs/issues/101459#issuecomment-758306434
+  security.pam.loginLimits = [
+    {
+      domain = "*";
+      type = "soft";
+      item = "nofile";
+      value = "4096";
+    }
+  ];
+
+  nix = {
+    # optimize the store
+    optimise.automatic = true;
+
+    # garbage collection
+    gc = {
+      automatic = true;
+      dates = "weekly";
+      options = "--delete-older-than 7d";
+    };
+  };
+
+  # Intel Arc A380 (DG2, 56a5) uses the i915 driver on kernel 6.12.
+  # The xe driver's iHD media driver integration has buffer mapping
+  # failures on this GPU/kernel combination. i915 works correctly for
+  # VAAPI transcode as long as ASPM deep states are disabled for the
+  # GPU (see modules/power.nix).
+  hardware.intelgpu.driver = "i915";
+
+  # Per-service 2MB hugepage budget calculated in service-configs.nix.
+  boot.kernel.sysctl."vm.nr_hugepages" = service_configs.hugepages_2m.total_pages;
+
+  boot = {
+    # 6.12 LTS until 2027-03. Kernel 6.18 causes a reproducible ZFS deadlock
+    # in dbuf_evict due to page allocator changes (__free_frozen_pages).
+    # https://github.com/openzfs/zfs/issues/18426
+    kernelPackages = pkgs.linuxPackages_6_12;
+
+    loader = {
+      # Use the systemd-boot EFI boot loader.
+      # Disabled: ASRock B550M Pro4 AMI UEFI hangs on POST when NixOS
+      # writes EFI variables (NVRAM corruption). Lanzaboote boot entries
+      # are discovered via BLS Type #2 on the ESP, so this is not needed.
+      efi.canTouchEfiVariables = false;
+
+      # 1s timeout
+      timeout = 1;
+    };
+
+    initrd = {
+      compressor = "zstd";
+      supportedFilesystems = [ "f2fs" ];
+    };
+  };
+
+  environment.etc = {
+    "issue".text = "";
+  };
+
+  # Set your time zone.
+  time.timeZone = "America/New_York";
+
+  hardware.graphics = {
+    enable = true;
+    extraPackages = with pkgs; [
+      libva-vdpau-driver
+      intel-compute-runtime # OpenCL filter support (hardware tonemapping and subtitle burn-in)
+      vpl-gpu-rt # QSV on 11th gen or newer
+    ];
+  };
+
+  #fwupd for updating firmware
+  services.fwupd = {
+    enable = true;
+    extraRemotes = [ "lvfs-testing" ];
+  };
+
+  environment.systemPackages = with pkgs; [
+    helix
+    lm_sensors
+    bottom
+    htop
+
+    doas-sudo-shim
+    neofetch
+
+    borgbackup
+    smartmontools
+
+    ripgrep
+
+    intel-gpu-tools
+    iotop
+    iftop
+
+    tmux
+
+    wget
+
+    powertop
+
+    lsof
+
+    reflac
+
+    pfetch-rs
+
+    sbctl
+
+    # add `skdump`
+    libatasmart
+  ];
+
+  networking = {
+    nameservers = [
+      "1.1.1.1"
+      "9.9.9.9"
+    ];
+
+    hostName = hostname;
+    hostId = "0f712d56";
+    firewall.enable = true;
+
+    useDHCP = false;
+
+    # Disabled because of Jellyfin (various issues)
+    enableIPv6 = false;
+
+    interfaces.${eth_interface} = {
+      ipv4.addresses = [
+        {
+          address = "192.168.1.50";
+          # address = "10.1.1.102";
+          prefixLength = 24;
+        }
+      ];
+      ipv6.addresses = [
+        {
+          address = "fe80::9e6b:ff:fe4d:abb";
+          prefixLength = 64;
+        }
+      ];
+    };
+    defaultGateway = {
+      #address = "10.1.1.1";
+      address = "192.168.1.1";
+      interface = eth_interface;
+    };
+    # TODO! fix this
+    # defaultGateway6 = {
+    #   address = "fe80::/64";
+    #   interface = eth_interface;
+    # };
+  };
+
+  users.groups.${service_configs.media_group} = { };
+
+  users.users.gitea-runner = {
+    isSystemUser = true;
+    group = "gitea-runner";
+    home = "/var/lib/gitea-runner";
+    description = "Gitea Actions CI runner";
+  };
+  users.groups.gitea-runner = { };
+
+  users.users.${username} = {
+    isNormalUser = true;
+    extraGroups = [
+      "wheel"
+      "video"
+      "render"
+      service_configs.media_group
+    ];
+    hashedPasswordFile = config.age.secrets.hashedPass.path;
+  };
+
+  # https://nixos.wiki/wiki/Fish#Setting_fish_as_your_shell
+  programs.fish.enable = true;
+  programs.bash = {
+    interactiveShellInit = ''
+      if [[ $(${pkgs.procps}/bin/ps --no-header --pid=$PPID --format=comm) != "fish" && -z ''${BASH_EXECUTION_STRING} ]]
+      then
+        shopt -q login_shell && LOGIN_OPTION='--login' || LOGIN_OPTION=""
+        exec ${pkgs.fish}/bin/fish $LOGIN_OPTION
+      fi
+    '';
+  };
+
+  security = {
+    #lets use doas and not sudo!
+    doas.enable = true;
+    sudo.enable = false;
+    # Configure doas
+    doas.extraRules = [
+      {
+        users = [ username ];
+        keepEnv = true;
+        persist = true;
+      }
+    ];
+  };
+
+  services.murmur = {
+    enable = true;
+    openFirewall = true;
+    welcometext = "meow meow meow meow meow :3 xd";
+    password = "$MURMURD_PASSWORD";
+    environmentFile = config.age.secrets.murmur-password-env.path;
+    port = service_configs.ports.public.murmur.port;
+  };
+
+  # services.botamusique = {
+  #   enable = true;
+  #   settings = {
+  #     server = {port = config.services.murmur.port;
+  #       password = config.services.murmur.password;
+  #     };
+  #   };
+  # };
+
+  # systemd.tmpfiles.rules = [
+  #   "Z /tank/music 775 ${username} users"
+  # ];
+
+  system.stateVersion = "24.11";
+}