1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12

diff --git a/flake.nix b/flake.nix
index eacccdad8644ee72c73fe730739f5b19df6dd356..c1c7d2213ea1bccac3732249dd268b597585af18 100644
--- a/flake.nix
+++ b/flake.nix
@@ -79,6 +79,7 @@             ];
             services.tclip.package = inputs.tclip.packages.${pkgs.system}.tclipd;
           };
         jasmine.imports = [ ./jasmine ];
+        gunpowder.imports = [ ./gunpowder ];
       };
       nixConfig = {
         extra-substitutors = [ "https://jolheiser.cachix.org" ];

  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140

diff --git a/gunpowder/default.nix b/gunpowder/default.nix
new file mode 100644
index 0000000000000000000000000000000000000000..ae5a619b4d9d4a9786b351d064a826b9f14dcf35
--- /dev/null
+++ b/gunpowder/default.nix
@@ -0,0 +1,134 @@
+{ pkgs, ... }:
+let
+  username = "jolheiser";
+  key = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJh5aUDN/KN28+4tbayXRQliLyKFZaCZtUMEBNaJfHYj";
+in
+{
+  imports = [ ./hardware.nix ];
+
+  boot = {
+    kernelPackages = pkgs.linuxPackages_latest;
+    kernelParams = [
+      "quiet"
+      "splash"
+    ];
+    loader.grub = {
+      enable = true;
+      device = "/dev/sda";
+      useOSProber = true;
+      enableCryptodisk = true;
+    };
+  };
+
+  boot.initrd.secrets = {
+    "/crypto_keyfile.bin" = null;
+  };
+
+  boot.initrd.luks.devices = {
+    "luks-1f9bde68-9c4c-423c-a95f-17aa170dd2b4".keyFile = "/crypto_keyfile.bin";
+    "luks-a2ca1842-1ce0-437e-ba5e-8864a41e81cb" = {
+      device = "/dev/disk/by-uuid/a2ca1842-1ce0-437e-ba5e-8864a41e81cb";
+      keyFile = "/crypto_keyfile.bin";
+    };
+  };
+
+  networking = {
+    hostName = "gunpowder";
+    networkmanager.enable = true;
+    firewall.enable = true;
+  };
+
+  services = {
+    xserver = {
+      enable = true;
+      displayManager.lightdm.enable = true;
+      desktopManager.xfce.enable = true;
+    };
+    openssh.enable = true;
+    tailscale.enable = true;
+    mullvad-vpn = {
+      enable = true;
+      package = pkgs.mullvad-vpn;
+    };
+    resolved.enable = true;
+
+    # media
+    jellyfin = {
+      enable = true;
+      openFirewall = true;
+    };
+    tailproxy.jellyfin = {
+      enable = true;
+      hostname = "jellyfin";
+      port = 8096;
+      authKey = "tskey-auth-khZwt3ASDX11CNTRL-jYDAVuX7VVLCebLUGdvnVLLoUkeEevXEV"; # One-time key
+    };
+    sonarr = {
+      enable = true;
+      openFirewall = true;
+    };
+    tailproxy.sonarr = {
+      enable = true;
+      hostname = "sonarr";
+      port = 8989;
+      authKey = "tskey-auth-k1mZ4587A511CNTRL-uxq54KBAvb6YuhvZbxscb6rf7x8UwNiP"; # One-time key
+    };
+    radarr = {
+      enable = true;
+      openFirewall = true;
+    };
+    tailproxy.radarr = {
+      enable = true;
+      hostname = "radarr";
+      port = 7878;
+      authKey = "tskey-auth-kjuWphWmFp11CNTRL-dcpVCTbdPTAAiqQHaKVhTA27uNQeHxmq5"; # One-time key
+    };
+    bazarr = {
+      enable = true;
+      openFirewall = true;
+    };
+    tailproxy.bazarr = {
+      enable = true;
+      hostname = "bazarr";
+      port = 6767;
+      authKey = "tskey-auth-kydeAt7KDA21CNTRL-bLfZMG4ip4i4a91DX1b85ipjnZi9KgoN9"; # One-time key
+    };
+    prowlarr = {
+      enable = true;
+      openFirewall = true;
+    };
+    tailproxy.prowlarr = {
+      enable = true;
+      hostname = "prowlarr";
+      port = 9696;
+      authKey = "tskey-auth-koCbGEVEvh11CNTRL-7pxqVBdP4v5xNvsPP5mMv5oW8PrgVQmb"; # One-time key
+    };
+  };
+
+  users = {
+    users = {
+      "${username}" = {
+        extraGroups = [
+          "wheel"
+          "docker"
+          "storage"
+        ];
+        isNormalUser = true;
+        openssh.authorizedKeys.keys = [ key ];
+      };
+      "root".openssh.authorizedKeys.keys = [ key ];
+    };
+    groups.media.members = [
+      "jolheiser"
+      "olheiser"
+      "jellyfin"
+      "radarr"
+      "sonarr"
+    ];
+  };
+
+  environment.systemPackages = with pkgs; [ qbittorrent ];
+
+  system.stateVersion = "22.11";
+}
+

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62

diff --git a/gunpowder/hardware.nix b/gunpowder/hardware.nix
new file mode 100644
index 0000000000000000000000000000000000000000..d2228942b378da69219c33f49acf165369fd5844
--- /dev/null
+++ b/gunpowder/hardware.nix
@@ -0,0 +1,56 @@
+# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations.  Please make changes
+# to /etc/nixos/configuration.nix instead.
+{
+  config,
+  lib,
+  modulesPath,
+  ...
+}:
+{
+  imports = [ (modulesPath + "/installer/scan/not-detected.nix") ];
+
+  boot.initrd.availableKernelModules = [
+    "xhci_pci"
+    "ehci_pci"
+    "ahci"
+    "usb_storage"
+    "usbhid"
+    "sd_mod"
+    "rtsx_pci_sdmmc"
+  ];
+  boot.initrd.kernelModules = [ ];
+  boot.kernelModules = [ "kvm-intel" ];
+  boot.extraModulePackages = [ ];
+
+  fileSystems."/" = {
+    device = "/dev/disk/by-uuid/a3e3e496-9497-4340-9750-2104e2ab22ab";
+    fsType = "ext4";
+  };
+
+  fileSystems."/mnt/hdd" = {
+    device = "/dev/disk/by-uuid/eb8ad2da-12cf-454b-aa20-e497c4550b7c";
+    fsType = "ext4";
+    options = [
+      "users"
+      "nofail"
+      "gid=users"
+    ];
+  };
+
+  boot.initrd.luks.devices."luks-1f9bde68-9c4c-423c-a95f-17aa170dd2b4".device = "/dev/disk/by-uuid/1f9bde68-9c4c-423c-a95f-17aa170dd2b4";
+
+  swapDevices = [ { device = "/dev/disk/by-uuid/7e84d904-b00a-4c6c-aba4-ec1dde2dff85"; } ];
+
+  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+  # (the default) this is the recommended approach. When using systemd-networkd it's
+  # still possible to use this option, but it's recommended to use it in conjunction
+  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
+  networking.useDHCP = lib.mkDefault true;
+  # networking.interfaces.enp3s0.useDHCP = lib.mkDefault true;
+  # networking.interfaces.wlp5s0.useDHCP = lib.mkDefault true;
+
+  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+  hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+}
+