path: root/machines/rivendell.nix



{
  adminUser,
  lib,
  config,
  ...
}:
{
  wgPublicKey = "jf7T7TMKQWSgSXhUplldZDV9G2y2BjMmHIAhg5d26ng=";
  publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAID76U5kt8DfBbuP16rMzfBTVTpjjPFKWnnheMALaCQEd";

  age.secrets = {
    wireguard.file = ../secrets/rivendell/wireguard.age;
    restic-local-pw.file = ../secrets/restic-pw.age;
    restic-nas-smb-config.file = ../secrets/restic-nas-smb-config.age;
    grafana-oidc.file = ../secrets/grafana-oidc.age;
    miniflux-oidc.file = ../secrets/miniflux-oidc.age;
    rsync-ssh-key.file = ../secrets/rsync-ssh-nas.age;
    authelia-storage-key = {
      file = ../secrets/authelia-storage-key.age;
      owner = "authelia-main";
    };
    authelia-jwt-key = {
      file = ../secrets/authelia-jwt-key.age;
      owner = "authelia-main";
    };
    authelia-users = {
      file = ../secrets/authelia-users.yaml.age;
      owner = "authelia-main";
    };
    authelia-jwks = {
      file = ../secrets/authelia-jwks.age;
      owner = "authelia-main";
    };
  };

  imports = [
    ../profiles/authelia.nix
    ../profiles/core-metrics.nix
    ../profiles/defaults.nix
    ../profiles/disk/btrfs-on-luks.nix
    ../profiles/git-server.nix
    ../profiles/hardware/framework-desktop.nix
    ../profiles/home-manager.nix
    ../profiles/miniflux.nix
    ../profiles/monitoring.nix
    ../profiles/remote-unlock.nix
    ../profiles/restic-backup.nix
    ../profiles/server.nix
    ../profiles/storage-media.nix
    ../profiles/users/admin-user.nix
    ../profiles/users/builder.nix
    ../profiles/users/home-manager.nix
    ../profiles/wireguard.nix
  ];

  boot.kernelModules = [ "sg" ];

  networking.hostName = "rivendell";
  networking.useDHCP = lib.mkDefault true;
  systemd.network.wait-online.anyInterface = lib.mkDefault config.networking.useDHCP;

  services = {
    website = {
      enable = true;
      openFirewall = true;
    };
    restic.backups.local.paths = [ "/var/lib/gitolite/repositories" ];
    restic.backups.synology.paths = [
      "/data/archives"
      "/data/media/music"
      "/var/lib/gitolite/repositories"
    ];
  };

  users.users.${adminUser.name}.extraGroups = [ "cdrom" ];

  system.stateVersion = "23.11";

  home-manager.users.${adminUser.name} = {
    home.homeDirectory = "/home/${adminUser.name}";
    imports = [
      ../home/profiles/minimal.nix
    ];
  };
}
{
  adminUser,
  lib,
  config,
  ...
}:
{
  wgPublicKey = "jf7T7TMKQWSgSXhUplldZDV9G2y2BjMmHIAhg5d26ng=";
  publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAID76U5kt8DfBbuP16rMzfBTVTpjjPFKWnnheMALaCQEd";

  age.secrets = {
    wireguard.file = ../secrets/rivendell/wireguard.age;
    restic-local-pw.file = ../secrets/restic-pw.age;
    restic-nas-smb-config.file = ../secrets/restic-nas-smb-config.age;
    grafana-oidc.file = ../secrets/grafana-oidc.age;
    miniflux-oidc.file = ../secrets/miniflux-oidc.age;
    rsync-ssh-key.file = ../secrets/rsync-ssh-nas.age;
    authelia-storage-key = {
      file = ../secrets/authelia-storage-key.age;
      owner = "authelia-main";
    };
    authelia-jwt-key = {
      file = ../secrets/authelia-jwt-key.age;
      owner = "authelia-main";
    };
    authelia-users = {
      file = ../secrets/authelia-users.yaml.age;
      owner = "authelia-main";
    };
    authelia-jwks = {
      file = ../secrets/authelia-jwks.age;
      owner = "authelia-main";
    };
  };

  imports = [
    ../profiles/authelia.nix
    ../profiles/core-metrics.nix
    ../profiles/defaults.nix
    ../profiles/disk/btrfs-on-luks.nix
    ../profiles/git-server.nix
    ../profiles/hardware/framework-desktop.nix
    ../profiles/home-manager.nix
    ../profiles/miniflux.nix
    ../profiles/monitoring.nix
    ../profiles/remote-unlock.nix
    ../profiles/restic-backup.nix
    ../profiles/server.nix
    ../profiles/storage-media.nix
    ../profiles/users/admin-user.nix
    ../profiles/users/builder.nix
    ../profiles/users/home-manager.nix
    ../profiles/wireguard.nix
  ];

  boot.kernelModules = [ "sg" ];

  networking.hostName = "rivendell";
  networking.useDHCP = lib.mkDefault true;
  systemd.network.wait-online.anyInterface = lib.mkDefault config.networking.useDHCP;

  services = {
    website = {
      enable = true;
      openFirewall = true;
    };
    restic.backups.local.paths = [ "/var/lib/gitolite/repositories" ];
    restic.backups.synology.paths = [
      "/data/archives"
      "/data/media/music"
      "/var/lib/gitolite/repositories"
    ];
  };

  users.users.${adminUser.name}.extraGroups = [ "cdrom" ];

  system.stateVersion = "23.11";

  home-manager.users.${adminUser.name} = {
    home.homeDirectory = "/home/${adminUser.name}";
    imports = [
      ../home/profiles/minimal.nix
    ];
  };
}