chore: another refactoring to split desktops and server

README.md

@@ -4,13 +4,21 @@
 
 Provisioning for my NixOS systems based on [Nix][nix].
 
-## Chnum
-
-### Bootstrap
+## Prepare
 
 Copy `/etc/ssh/ssh_host_ed25519_key.pub` into [secrets](./secrets/secrets.nix)
 and rekey the secrets via [agenix][agenix]. After pushing the rekeyed secrets
-execute these commands:
+execute the commands below.
+
+## Desktops
+
+Generally after the installation I'm cloning this repository somewhere onto the
+desktop machine and just execute `make switch` within that repository to apply
+updates, if this is not the case I can always execute
+`nixos-rebuild switch --flake github:tboerger/nixos-config#name` to get the
+latest changes pulled in.
+
+### Chnum
 
 ```console
 sudo loadkeys de
@@ -23,23 +31,39 @@ cp /etc/ssh/ssh_host_* /mnt/etc/ssh/
 nixos-install --no-root-password --root /mnt --flake github:tboerger/nixos-config#chnum
 ```
 
-### Updates
-
-If the repository had been cloned you could just execute `make switch`,
-otherwise there is still this long option to update the deployment:
+### Hathor
 
 ```console
-nixos-rebuild switch \
-    --flake github:tboerger/nixos-config#chnum
+sudo loadkeys de
+sudo nix-shell --packages nixUnstable
+
+bash -c "$(curl -fsSL https://raw.githubusercontent.com/tboerger/nixos-config/master/scripts/hathor-partitions)"
+
+mkdir -p /mnt/etc/ssh
+cp /etc/ssh/ssh_host_* /mnt/etc/ssh/
+nixos-install --no-root-password --root /mnt --flake github:tboerger/nixos-config#hathor
 ```
 
-## Niflheim
+### Osiris
 
-### Bootstrap
+```console
+sudo loadkeys de
+sudo nix-shell --packages nixUnstable
 
-Copy `/etc/ssh/ssh_host_ed25519_key.pub` into [secrets](./secrets/secrets.nix)
-and rekey the secrets via [agenix][agenix]. After pushing the rekeyed secrets
-execute these commands:
+bash -c "$(curl -fsSL https://raw.githubusercontent.com/tboerger/nixos-config/master/scripts/osiris-partitions)"
+
+mkdir -p /mnt/etc/ssh
+cp /etc/ssh/ssh_host_* /mnt/etc/ssh/
+nixos-install --no-root-password --root /mnt --flake github:tboerger/nixos-config#osiris
+```
+
+## Servers
+
+Currently I'm applying the updates manually by cloning the repository into the
+machine and executing `make switch`, but on longterm it should also just work to
+use the `deploy #name` command, at least if it's executed from a NixOS desktop.
+
+### Niflheim
 
 ```console
 sudo loadkeys de
@@ -52,23 +76,7 @@ cp /etc/ssh/ssh_host_* /mnt/etc/ssh/
 nixos-install --no-root-password --root /mnt --flake github:tboerger/nixos-config#niflheim
 ```
 
-### Updates
-
-If the repository had been cloned you could just execute `make switch`,
-otherwise there is still this long option to update the deployment:
-
-```console
-nixos-rebuild switch \
-    --flake github:tboerger/nixos-config#niflheim
-```
-
-## Asgard
-
-### Bootstrap
-
-Copy `/etc/ssh/ssh_host_ed25519_key.pub` into [secrets](./secrets/secrets.nix)
-and rekey the secrets via [agenix][agenix]. After pushing the rekeyed secrets
-execute these commands:
+### Asgard
 
 ```console
 sudo loadkeys de
@@ -81,23 +89,7 @@ cp /etc/ssh/ssh_host_* /mnt/etc/ssh/
 nixos-install --no-root-password --root /mnt --flake github:tboerger/nixos-config#asgard
 ```
 
-### Updates
-
-If the repository had been cloned you could just execute `make switch`,
-otherwise there is still this long option to update the deployment:
-
-```console
-nixos-rebuild switch \
-    --flake github:tboerger/nixos-config#asgard
-```
-
-## Utgard
-
-### Bootstrap
-
-Copy `/etc/ssh/ssh_host_ed25519_key.pub` into [secrets](./secrets/secrets.nix)
-and rekey the secrets via [agenix][agenix]. After pushing the rekeyed secrets
-execute these commands:
+### Utgard
 
 ```console
 sudo loadkeys de
@@ -110,23 +102,7 @@ cp /etc/ssh/ssh_host_* /mnt/etc/ssh/
 nixos-install --no-root-password --root /mnt --flake github:tboerger/nixos-config#utgard
 ```
 
-### Updates
-
-If the repository had been cloned you could just execute `make switch`,
-otherwise there is still this long option to update the deployment:
-
-```console
-nixos-rebuild switch \
-    --flake github:tboerger/nixos-config#utgard
-```
-
-## Midgard
-
-### Bootstrap
-
-Copy `/etc/ssh/ssh_host_ed25519_key.pub` into [secrets](./secrets/secrets.nix)
-and rekey the secrets via [agenix][agenix]. After pushing the rekeyed secrets
-execute these commands:
+### Midgard
 
 ```console
 sudo loadkeys de
@@ -139,16 +115,6 @@ cp /etc/ssh/ssh_host_* /mnt/etc/ssh/
 nixos-install --no-root-password --root /mnt --flake github:tboerger/nixos-config#midgard
 ```
 
-### Updates
-
-If the repository had been cloned you could just execute `make switch`,
-otherwise there is still this long option to update the deployment:
-
-```console
-nixos-rebuild switch \
-    --flake github:tboerger/nixos-config#midgard
-```
-
 ## Security
 
 If you find a security issue please contact thomas@webhippie.de first.

desktops/chnum/default.nix

@@ -2,8 +2,9 @@
 
 {
   imports = [
-    ../modules
-    ../services
+    ../../shared/modules
+    ../../shared/programs
+    ../../shared/services
 
     ./filesystems.nix
     ./boot.nix
@@ -12,10 +13,13 @@
   ];
 
   personal = {
-    services = {
+    programs = {
       citrix = {
-        enable = config.personal.services.enable;
+        enable = config.personal.programs.enable;
       };
+    };
+
+    services = {
       desktop = {
         enable = config.personal.services.enable;
       };

desktops/chnum/hardware.nix

@@ -21,10 +21,4 @@
       };
     };
   };
-
-  environment = {
-    systemPackages = with pkgs; [
-      intel-gpu-tools
-    ];
-  };
 }

desktops/hathor/boot.nix

@@ -0,0 +1,35 @@
+{ config, lib, pkgs, ... }:
+
+{
+  boot = {
+    binfmt = {
+      emulatedSystems = [
+        "aarch64-linux"
+      ];
+    };
+
+    kernelPackages = lib.mkDefault pkgs.linuxPackages;
+    cleanTmpDir = true;
+
+    loader = {
+      efi = {
+        canTouchEfiVariables = true;
+      };
+
+      systemd-boot = {
+        enable = true;
+        consoleMode = "2";
+        configurationLimit = 5;
+        editor = false;
+      };
+    };
+
+    kernelModules = [ ];
+    extraModulePackages = [ ];
+
+    initrd = {
+      availableKernelModules = [ ];
+      kernelModules = [ "dm-snapshot" ];
+    };
+  };
+}

desktops/hathor/default.nix

@@ -2,8 +2,9 @@
 
 {
   imports = [
-    ../modules
-    ../services
+    ../../shared/modules
+    ../../shared/programs
+    ../../shared/services
 
     ./filesystems.nix
     ./boot.nix
@@ -12,11 +13,20 @@
   ];
 
   personal = {
+    programs = {
+      citrix = {
+        enable = config.personal.programs.enable;
+      };
+    };
+
     services = {
+      desktop = {
+        enable = config.personal.services.enable;
+      };
       docker = {
         enable = config.personal.services.enable;
       };
-      shares = {
+      libvirt = {
         enable = config.personal.services.enable;
       };
       tailscale = {

desktops/hathor/filesystems.nix

@@ -0,0 +1,39 @@
+{ config, lib, pkgs, ... }:
+
+{
+  swapDevices = [{
+    device = "/dev/disk/by-label/swap";
+  }];
+
+  fileSystems."/" = {
+    device = "/dev/disk/by-label/root";
+    fsType = "ext4";
+    options = [
+      "noatime"
+      "discard"
+    ];
+  };
+
+  fileSystems."/nix" = {
+    device = "/dev/disk/by-label/nix";
+    fsType = "ext4";
+    options = [
+      "noatime"
+      "discard"
+    ];
+  };
+
+  fileSystems."/home" = {
+    device = "/dev/disk/by-label/home";
+    fsType = "ext4";
+    options = [
+      "noatime"
+      "discard"
+    ];
+  };
+
+  fileSystems."/boot" = {
+    device = "/dev/disk/by-label/boot";
+    fsType = "vfat";
+  };
+}

desktops/hathor/hardware.nix

@@ -0,0 +1,24 @@
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+  imports = [
+    (modulesPath + "/installer/scan/not-detected.nix")
+  ];
+
+  hardware = {
+    enableAllFirmware = true;
+    enableRedistributableFirmware = true;
+
+    cpu = {
+      intel = {
+        updateMicrocode = lib.mkDefault true;
+      };
+    };
+
+    video = {
+      hidpi = {
+        enable = lib.mkDefault true;
+      };
+    };
+  };
+}

desktops/hathor/networking.nix

@@ -0,0 +1,11 @@
+{ config, lib, pkgs, ... }:
+
+{
+  networking = {
+    hostName = "hathor";
+
+    networkmanager = {
+      enable = true;
+    };
+  };
+}

desktops/osiris/boot.nix

@@ -0,0 +1,35 @@
+{ config, lib, pkgs, ... }:
+
+{
+  boot = {
+    binfmt = {
+      emulatedSystems = [
+        "aarch64-linux"
+      ];
+    };
+
+    kernelPackages = lib.mkDefault pkgs.linuxPackages;
+    cleanTmpDir = true;
+
+    loader = {
+      efi = {
+        canTouchEfiVariables = true;
+      };
+
+      systemd-boot = {
+        enable = true;
+        consoleMode = "2";
+        configurationLimit = 5;
+        editor = false;
+      };
+    };
+
+    kernelModules = [ ];
+    extraModulePackages = [ ];
+
+    initrd = {
+      availableKernelModules = [ ];
+      kernelModules = [ "dm-snapshot" ];
+    };
+  };
+}

desktops/osiris/default.nix

@@ -0,0 +1,41 @@
+{ config, lib, pkgs, ... }:
+
+{
+  imports = [
+    ../../shared/modules
+    ../../shared/programs
+    ../../shared/services
+
+    ./filesystems.nix
+    ./boot.nix
+    ./networking.nix
+    ./hardware.nix
+  ];
+
+  personal = {
+    programs = {
+      citrix = {
+        enable = config.personal.programs.enable;
+      };
+    };
+
+    services = {
+      desktop = {
+        enable = config.personal.services.enable;
+      };
+      docker = {
+        enable = config.personal.services.enable;
+      };
+      libvirt = {
+        enable = config.personal.services.enable;
+      };
+      tailscale = {
+        enable = config.personal.services.enable;
+      };
+    };
+  };
+
+  system = {
+    stateVersion = "21.11";
+  };
+}

desktops/osiris/filesystems.nix

@@ -0,0 +1,39 @@
+{ config, lib, pkgs, ... }:
+
+{
+  swapDevices = [{
+    device = "/dev/disk/by-label/swap";
+  }];
+
+  fileSystems."/" = {
+    device = "/dev/disk/by-label/root";
+    fsType = "ext4";
+    options = [
+      "noatime"
+      "discard"
+    ];
+  };
+
+  fileSystems."/nix" = {
+    device = "/dev/disk/by-label/nix";
+    fsType = "ext4";
+    options = [
+      "noatime"
+      "discard"
+    ];
+  };
+
+  fileSystems."/home" = {
+    device = "/dev/disk/by-label/home";
+    fsType = "ext4";
+    options = [
+      "noatime"
+      "discard"
+    ];
+  };
+
+  fileSystems."/boot" = {
+    device = "/dev/disk/by-label/boot";
+    fsType = "vfat";
+  };
+}

desktops/osiris/hardware.nix

@@ -0,0 +1,24 @@
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+  imports = [
+    (modulesPath + "/installer/scan/not-detected.nix")
+  ];
+
+  hardware = {
+    enableAllFirmware = true;
+    enableRedistributableFirmware = true;
+
+    cpu = {
+      intel = {
+        updateMicrocode = lib.mkDefault true;
+      };
+    };
+
+    video = {
+      hidpi = {
+        enable = lib.mkDefault true;
+      };
+    };
+  };
+}

desktops/osiris/networking.nix

@@ -0,0 +1,11 @@
+{ config, lib, pkgs, ... }:
+
+{
+  networking = {
+    hostName = "osiris";
+
+    networkmanager = {
+      enable = true;
+    };
+  };
+}

flake.nix

@@ -78,7 +78,27 @@
     {
       nixosConfigurations = {
         chnum = mkComputer
-          ./machines/chnum
+          ./desktops/chnum
+          "x86_64-linux"
+          [
+            ./profiles/thomas
+            # ./profiles/anna
+            # ./profiles/adrian
+            # ./profiles/tabea
+          ];
+
+        hathor = mkComputer
+          ./desktops/hathor
+          "x86_64-linux"
+          [
+            ./profiles/thomas
+            # ./profiles/anna
+            # ./profiles/adrian
+            # ./profiles/tabea
+          ];
+
+        osiris = mkComputer
+          ./desktops/osiris
           "x86_64-linux"
           [
             ./profiles/thomas
@@ -88,7 +108,7 @@
           ];
 
         niflheim = mkComputer
-          ./machines/niflheim
+          ./servers/niflheim
           "x86_64-linux"
           [
             ./profiles/thomas
@@ -98,7 +118,7 @@
           ];
 
         asgard = mkComputer
-          ./machines/asgard
+          ./servers/asgard
           "x86_64-linux"
           [
             ./profiles/thomas
@@ -108,7 +128,7 @@
           ];
 
         utgard = mkComputer
-          ./machines/utgard
+          ./servers/utgard
           "x86_64-linux"
           [
             ./profiles/thomas
@@ -118,7 +138,7 @@
           ];
 
         midgard = mkComputer
-          ./machines/midgard
+          ./servers/midgard
           "aarch64-linux"
           [
             hardware.nixosModules.raspberry-pi-4
@@ -130,6 +150,9 @@
       };
 
       chnum = self.nixosConfigurations.chnum.config.system.build.toplevel;
+      hathor = self.nixosConfigurations.hathor.config.system.build.toplevel;
+      osiris = self.nixosConfigurations.osiris.config.system.build.toplevel;
+
       niflheim = self.nixosConfigurations.niflheim.config.system.build.toplevel;
       asgard = self.nixosConfigurations.asgard.config.system.build.toplevel;
       utgard = self.nixosConfigurations.utgard.config.system.build.toplevel;

machines/modules/prowlarr.nix

@@ -1,24 +0,0 @@
-{ pkgs, lib, config, options, ... }:
-with lib;
-
-let
-  cfg = config.services.prowlarr;
-
-in
-{
-  config = mkIf cfg.enable {
-    systemd.services.prowlarr = {
-      description = "Prowlarr";
-      after = [ "network.target" ];
-      wantedBy = [ "multi-user.target" ];
-
-      serviceConfig = mkForce {
-        Type = "simple";
-        User = cfg.user;
-        Group = cfg.group;
-        ExecStart = "${cfg.package}/bin/Prowlarr -nobrowser -data='${cfg.dataDir}'";
-        Restart = "on-failure";
-      };
-    };
-  };
-}

machines/services/default.nix

@@ -1,33 +0,0 @@
-{ pkgs, lib, config, options, ... }:
-with lib;
-
-{
-  imports = [
-    ./acme.nix
-    ./adguard.nix
-    ./citrix.nix
-    ./coredns.nix
-    ./desktop.nix
-    ./docker.nix
-    ./hass.nix
-    ./haveged.nix
-    ./libvirt.nix
-    ./media.nix
-    ./nixbuild.nix
-    ./openssh.nix
-    ./shares.nix
-    ./tailscale.nix
-    ./timesyncd.nix
-    ./webserver.nix
-  ];
-
-  options = {
-    personal = {
-      services = {
-        enable = mkEnableOption "Services" // {
-          default = true;
-        };
-      };
-    };
-  };
-}

servers/asgard/default.nix

@@ -2,8 +2,9 @@
 
 {
   imports = [
-    ../modules
-    ../services
+    ../../shared/modules
+    ../../shared/programs
+    ../../shared/services
 
     ./filesystems.nix
     ./boot.nix
@@ -13,7 +14,7 @@
 
   personal = {
     services = {
-      docker = {
+      shares = {
         enable = config.personal.services.enable;
       };
       tailscale = {

servers/asgard/filesystems.nix

@@ -13,6 +13,14 @@
     ];
   };
 
+  # fileSystems."/nix" = {
+  #   device = "/dev/disk/by-label/nix";
+  #   fsType = "ext4";
+  #   options = [
+  #     "noatime"
+  #   ];
+  # };
+
   fileSystems."/home" = {
     device = "/dev/disk/by-label/home";
     fsType = "ext4";
@@ -39,7 +47,9 @@
 
   fileSystems."/exports/shares" = {
     device = "/var/lib/shares";
-    options = [ "bind" ];
+    options = [
+      "bind"
+    ];
   };
 
   fileSystems."/var/lib/photos" = {
@@ -52,7 +62,9 @@
 
   fileSystems."/exports/photos" = {
     device = "/var/lib/photos";
-    options = [ "bind" ];
+    options = [
+      "bind"
+    ];
   };
 
   fileSystems."/var/lib/videos" = {
@@ -65,7 +77,9 @@
 
   fileSystems."/exports/videos" = {
     device = "/var/lib/videos";
-    options = [ "bind" ];
+    options = [
+      "bind"
+    ];
   };
 
   fileSystems."/var/lib/movies" = {
@@ -78,7 +92,9 @@
 
   fileSystems."/exports/movies" = {
     device = "/var/lib/movies";
-    options = [ "bind" ];
+    options = [
+      "bind"
+    ];
   };
 
   fileSystems."/var/lib/shows" = {
@@ -91,7 +107,9 @@
 
   fileSystems."/exports/shows" = {
     device = "/var/lib/shows";
-    options = [ "bind" ];
+    options = [
+      "bind"
+    ];
   };
 
   fileSystems."/var/lib/books" = {
@@ -104,7 +122,9 @@
 
   fileSystems."/exports/books" = {
     device = "/var/lib/books";
-    options = [ "bind" ];
+    options = [
+      "bind"
+    ];
   };
 
   fileSystems."/var/lib/music" = {
@@ -117,7 +137,9 @@
 
   fileSystems."/exports/music" = {
     device = "/var/lib/music";
-    options = [ "bind" ];
+    options = [
+      "bind"
+    ];
   };
 
   fileSystems."/var/lib/printer" = {
@@ -130,7 +152,9 @@
 
   fileSystems."/exports/printer" = {
     device = "/var/lib/printer";
-    options = [ "bind" ];
+    options = [
+      "bind"
+    ];
   };
 
   fileSystems."/var/lib/backup" = {

servers/midgard/default.nix

@@ -2,8 +2,9 @@
 
 {
   imports = [
-    ../modules
-    ../services
+    ../../shared/modules
+    ../../shared/programs
+    ../../shared/services
 
     ./filesystems.nix
     ./boot.nix
@@ -22,9 +23,6 @@
       coredns = {
         enable = config.personal.services.enable;
       };
-      docker = {
-        enable = config.personal.services.enable;
-      };
       tailscale = {
         enable = config.personal.services.enable;
       };

servers/niflheim/default.nix

@@ -0,0 +1,41 @@
+{ config, lib, pkgs, ... }:
+
+{
+  imports = [
+    ../../shared/modules
+    ../../shared/programs
+    ../../shared/services
+
+    ./filesystems.nix
+    ./boot.nix
+    ./networking.nix
+    ./hardware.nix
+  ];
+
+  personal = {
+    services = {
+      authentik = {
+        enable = config.personal.services.enable;
+      };
+      dst = {
+        enable = config.personal.services.enable;
+      };
+      mediang = {
+        enable = config.personal.services.enable;
+      };
+      minecraft = {
+        enable = config.personal.services.enable;
+      };
+      owncloud = {
+        enable = config.personal.services.enable;
+      };
+      tailscale = {
+        enable = config.personal.services.enable;
+      };
+    };
+  };
+
+  system = {
+    stateVersion = "21.11";
+  };
+}

servers/niflheim/networking.nix

@@ -11,7 +11,7 @@
     ];
 
     interfaces = {
-      enp2s0 = {
+      enp0s1 = {
         ipv4 = {
           addresses = [{
             address = "192.168.64.4";

servers/utgard/default.nix

@@ -2,8 +2,8 @@
 
 {
   imports = [
-    ../modules
-    ../services
+    ../../shared/modules
+    ../../shared/services
 
     ./filesystems.nix
     ./boot.nix

shared/modules/default.nix

@@ -0,0 +1,13 @@
+{ pkgs, lib, config, options, ... }:
+
+{
+  imports = [
+    ./global
+    ./network
+    ./nixpkgs
+    ./shells
+    ./sudo
+    ./tools
+    ./users
+  ];
+}

shared/modules/global/default.nix

@@ -2,16 +2,6 @@
 with lib;
 
 {
-  imports = [
-    ./network.nix
-    ./nixpkgs.nix
-    ./prowlarr.nix
-    ./shells.nix
-    ./sudo.nix
-    ./tools.nix
-    ./users.nix
-  ];
-
   config = {
     home-manager = {
       useGlobalPkgs = true;

shared/modules/users/default.nix

@@ -42,11 +42,11 @@ with lib;
     };
 
     age.secrets."users/root/password" = {
-      file = ../../secrets/users/root/password.age;
+      file = ../../../secrets/users/root/password.age;
     };
 
     age.secrets."users/admin/password" = {
-      file = ../../secrets/users/admin/password.age;
+      file = ../../../secrets/users/admin/password.age;
     };
   };
 }

shared/programs/citrix/default.nix

@@ -2,13 +2,13 @@
 with lib;
 
 let
-  cfg = config.personal.services.citrix;
+  cfg = config.personal.programs.citrix;
 
 in
 {
   options = {
     personal = {
-      services = {
+      programs = {
         citrix = {
           enable = mkEnableOption "Citrix";
         };

shared/programs/default.nix

@@ -0,0 +1,18 @@
+{ pkgs, lib, config, options, ... }:
+with lib;
+
+{
+  imports = [
+    ./citrix
+  ];
+
+  options = {
+    personal = {
+      programs = {
+        enable = mkEnableOption "Programs" // {
+          default = true;
+        };
+      };
+    };
+  };
+}

shared/services/acme/default.nix

@@ -36,7 +36,7 @@ in
     };
 
     age.secrets."services/acme/credentials" = {
-      file = ../../secrets/services/acme/credentials.age;
+      file = ../../../secrets/services/acme/credentials.age;
       owner = "acme";
     };
   };

shared/services/authentik/arion.nix

@@ -0,0 +1,4 @@
+{ pkgs, lib, config, options, ... }:
+with lib;
+
+{ }

shared/services/authentik/default.nix

@@ -0,0 +1,20 @@
+{ pkgs, lib, config, options, fetchurl, ... }:
+with lib;
+
+let
+  cfg = config.personal.services.authentik;
+
+in
+{
+  options = {
+    personal = {
+      services = {
+        authentik = {
+          enable = mkEnableOption "Authentik";
+        };
+      };
+    };
+  };
+
+  config = mkIf cfg.enable { };
+}

shared/services/default.nix

@@ -0,0 +1,37 @@
+{ pkgs, lib, config, options, ... }:
+with lib;
+
+{
+  imports = [
+    ./acme
+    ./adguard
+    ./authentik
+    ./coredns
+    ./desktop
+    ./docker
+    ./dst
+    ./hass
+    ./haveged
+    ./libvirt
+    ./media
+    ./mediang
+    ./minecraft
+    ./nixbuild
+    ./openssh
+    ./owncloud
+    ./shares
+    ./tailscale
+    ./timesyncd
+    ./webserver
+  ];
+
+  options = {
+    personal = {
+      services = {
+        enable = mkEnableOption "Services" // {
+          default = true;
+        };
+      };
+    };
+  };
+}

shared/services/dst/arion.nix

@@ -0,0 +1,4 @@
+{ pkgs, lib, config, options, ... }:
+with lib;
+
+{ }

shared/services/dst/default.nix

@@ -0,0 +1,20 @@
+{ pkgs, lib, config, options, fetchurl, ... }:
+with lib;
+
+let
+  cfg = config.personal.services.dst;
+
+in
+{
+  options = {
+    personal = {
+      services = {
+        dst = {
+          enable = mkEnableOption "Don't Starve Together";
+        };
+      };
+    };
+  };
+
+  config = mkIf cfg.enable { };
+}

shared/services/hass/arion.nix

@@ -0,0 +1,4 @@
+{ pkgs, lib, config, options, ... }:
+with lib;
+
+{ }

shared/services/media/default.nix

@@ -173,7 +173,7 @@ in
     };
 
     age.secrets."users/media/password" = {
-      file = ../../secrets/users/media/password.age;
+      file = ../../../secrets/users/media/password.age;
     };
   };
 }

shared/services/mediang/arion.nix

@@ -0,0 +1,4 @@
+{ pkgs, lib, config, options, ... }:
+with lib;
+
+{ }

shared/services/mediang/default.nix

@@ -0,0 +1,215 @@
+{ pkgs, lib, config, options, ... }:
+with lib;
+
+let
+  cfg = config.personal.services.mediang;
+
+in
+{
+  options = {
+    personal = {
+      services = {
+        mediang = {
+          enable = mkEnableOption "Media";
+        };
+      };
+    };
+  };
+
+  config = mkIf cfg.enable {
+    # networking = {
+    #   nat = {
+    #     enable = true;
+    #     internalInterfaces = ["ve-+"];
+    #     externalInterface = "ens3";
+    #   };
+    # };
+
+    containers = {
+      media =
+        let
+          passwordFile = config.age.secrets."users/media/password".path;
+        in
+        {
+          autoStart = true;
+          privateNetwork = true;
+          # hostAddress = "192.168.100.10";
+          # localAddress = "192.168.100.11";
+
+          config = { config, pkgs, ... }: {
+            users = {
+              users = {
+                media = {
+                  uid = 20000;
+                  description = "Media";
+                  shell = pkgs.zsh;
+                  isSystemUser = true;
+                  group = "media";
+                  home = "/var/lib/media";
+                  passwordFile = passwordFile;
+                };
+              };
+
+              groups = {
+                media = {
+                  gid = 20000;
+                };
+              };
+            };
+
+            services = {
+              jellyfin = {
+                enable = true;
+                user = "media";
+                group = "media";
+                package = pkgs.jellyfin;
+              };
+            };
+
+            networking.firewall = {
+              enable = true;
+              allowedTCPPorts = [
+                8080
+              ];
+            };
+
+            environment.etc."resolv.conf".text = "nameserver 8.8.8.8";
+            system.stateVersion = "22.05";
+          };
+        };
+    };
+
+    age.secrets."users/media/password" = {
+      file = ../../../secrets/users/media/password.age;
+    };
+  };
+}
+
+# services = {
+#   nzbget = {
+#     enable = true;
+#     user = "media";
+#     group = "media";
+
+#     settings = {
+#       MainDir = "/var/lib/downloads";
+#       DestDir = "/var/lib/downloads/completed";
+#       InterDir = "/var/lib/downloads/intermediate";
+#       NzbDir = "/var/lib/downloads/nzb";
+#       QueueDir = "/var/lib/downloads/queue";
+#       TempDir = "/var/lib/downloads/temp";
+#       ScriptDir = "/var/lib/downloads/scripts";
+
+#       "Category1.Name" = "Movies";
+#       "Category1.Unpack" = "yes";
+
+#       "Category2.Name" = "Series";
+#       "Category2.Unpack" = "yes";
+
+#       "Category3.Name" = "Music";
+#       "Category3.Unpack" = "yes";
+
+#       "Category4.Name" = "Books";
+#       "Category4.Unpack" = "yes";
+
+#       "Category5.Name" = "Prowlarr";
+#       "Category5.Unpack" = "yes";
+#     };
+#   };
+
+#   jellyfin = {
+#     enable = true;
+#     user = "media";
+#     group = "media";
+#     package = pkgs.jellyfin;
+#   };
+
+#   radarr = {
+#     enable = true;
+#     user = "media";
+#     group = "media";
+#     package = pkgs.radarr;
+#     dataDir = "/var/lib/radarr";
+#   };
+
+#   sonarr = {
+#     enable = true;
+#     user = "media";
+#     group = "media";
+#     package = pkgs.sonarr;
+#     dataDir = "/var/lib/sonarr";
+#   };
+
+#   lidarr = {
+#     enable = true;
+#     user = "media";
+#     group = "media";
+#     package = pkgs.lidarr;
+#     dataDir = "/var/lib/lidarr";
+#   };
+
+#   readarr = {
+#     enable = true;
+#     user = "media";
+#     group = "media";
+#     package = pkgs.nur.repos.tboerger.readarr;
+#     dataDir = "/var/lib/readarr";
+#   };
+
+#   bazarr = {
+#     enable = true;
+#     user = "media";
+#     group = "media";
+#     package = pkgs.bazarr;
+#   };
+
+#   prowlarr = {
+#     enable = true;
+#     user = "media";
+#     group = "media";
+#     package = pkgs.prowlarr;
+#   };
+
+#   nginx = {
+#     virtualHosts =
+#       let
+#         base = locations: {
+#           inherit locations;
+
+#           useACMEHost = "boerger.ws";
+#           forceSSL = true;
+#         };
+#         proxy = port: base {
+#           "/" = {
+#             proxyPass = "http://127.0.0.1:" + toString (port) + "/";
+#             proxyWebsockets = true;
+#           };
+#         };
+#       in
+#       {
+#         "nzbget.boerger.ws" = proxy 6789;
+#         "jellyfin.boerger.ws" = proxy 8096;
+#         "radarr.boerger.ws" = proxy 7878;
+#         "sonarr.boerger.ws" = proxy 8989;
+#         "lidarr.boerger.ws" = proxy 8686;
+#         "readarr.boerger.ws" = proxy 8787;
+#         "bazarr.boerger.ws" = proxy 6767;
+#         "prowlarr.boerger.ws" = proxy 9696;
+#       };
+#   };
+# };
+
+# personal = {
+#   services = {
+#     webserver = {
+#       enable = true;
+#     };
+#   };
+# };
+
+# networking = {
+#   firewall = {
+#     allowedTCPPorts = [ 8096 ];
+#     allowedUDPPorts = [ 1900 7359 ];
+#   };
+# };

shared/services/minecraft/arion.nix

@@ -0,0 +1,4 @@
+{ pkgs, lib, config, options, ... }:
+with lib;
+
+{ }

shared/services/minecraft/default.nix

@@ -0,0 +1,20 @@
+{ pkgs, lib, config, options, fetchurl, ... }:
+with lib;
+
+let
+  cfg = config.personal.services.minecraft;
+
+in
+{
+  options = {
+    personal = {
+      services = {
+        minecraft = {
+          enable = mkEnableOption "Minecraft";
+        };
+      };
+    };
+  };
+
+  config = mkIf cfg.enable { };
+}

shared/services/nixbuild/default.nix

@@ -69,7 +69,7 @@ in
     };
 
     age.secrets."services/nixbuild/sshkey" = {
-      file = ../../secrets/services/nixbuild/sshkey.age;
+      file = ../../../secrets/services/nixbuild/sshkey.age;
     };
   };
 }

shared/services/owncloud/arion.nix

@@ -0,0 +1,4 @@
+{ pkgs, lib, config, options, ... }:
+with lib;
+
+{ }

shared/services/owncloud/default.nix

@@ -0,0 +1,20 @@
+{ pkgs, lib, config, options, fetchurl, ... }:
+with lib;
+
+let
+  cfg = config.personal.services.owncloud;
+
+in
+{
+  options = {
+    personal = {
+      services = {
+        owncloud = {
+          enable = mkEnableOption "ownCloud";
+        };
+      };
+    };
+  };
+
+  config = mkIf cfg.enable { };
+}

shared/services/shares/arion.nix

@@ -0,0 +1,4 @@
+{ pkgs, lib, config, options, ... }:
+with lib;
+
+{ }

shared/services/shares/default.nix

@@ -214,11 +214,11 @@ in
     };
 
     age.secrets."users/printer/password" = {
-      file = ../../secrets/users/printer/password.age;
+      file = ../../../secrets/users/printer/password.age;
     };
 
     age.secrets."users/media/password" = {
-      file = ../../secrets/users/media/password.age;
+      file = ../../../secrets/users/media/password.age;
     };
   };
 }

shared/services/tailscale/default.nix

@@ -51,7 +51,7 @@ in
     };
 
     age.secrets."services/tailscale/authkey" = {
-      file = ../../secrets/services/tailscale/authkey.age;
+      file = ../../../secrets/services/tailscale/authkey.age;
     };
   };
 }