authorFranck Cuny <franck@fcuny.net>2026-01-24 17:54:51 -0800
committerFranck Cuny <franck@fcuny.net>2026-01-24 17:54:51 -0800
commit3701b8631a5c3e9c7992415f9e3fe1a3af77bbce (patch)
tree5184c86a477d18e17fcb44cc63a2e802e6e8a88e /machines/framebox.nix
parentbackup persisted data (diff)
downloadinfra-main.tar.gz
rebuild framebox with impermanenceHEADmain
Diffstat (limited to 'machines/framebox.nix')
-rw-r--r--machines/framebox.nix94
1 files changed, 94 insertions, 0 deletions
diff --git a/machines/framebox.nix b/machines/framebox.nix
new file mode 100644
index 0000000..15a82bd
--- /dev/null
+++ b/machines/framebox.nix
@@ -0,0 +1,94 @@
+{
+ adminUser,
+ lib,
+ config,
+ pkgs,
+ ...
+}:
+{
+ wgPublicKey = "jf7T7TMKQWSgSXhUplldZDV9G2y2BjMmHIAhg5d26ng=";
+ publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAID76U5kt8DfBbuP16rMzfBTVTpjjPFKWnnheMALaCQEd";
+ ephemeralRoot = true;
+
+ age.secrets = {
+ wireguard.file = ../secrets/framebox/wireguard.age;
+ restic-local-pw.file = ../secrets/restic-pw.age;
+ restic-nas-smb-config.file = ../secrets/restic-nas-smb-config.age;
+ grafana-oidc.file = ../secrets/grafana-oidc.age;
+ miniflux-oidc.file = ../secrets/miniflux-oidc.age;
+ rsync-ssh-key.file = ../secrets/rsync-ssh-nas.age;
+ authelia-storage-key = {
+ file = ../secrets/authelia-storage-key.age;
+ owner = "authelia-main";
+ };
+ authelia-jwt-key = {
+ file = ../secrets/authelia-jwt-key.age;
+ owner = "authelia-main";
+ };
+ authelia-users = {
+ file = ../secrets/authelia-users.yaml.age;
+ owner = "authelia-main";
+ };
+ authelia-jwks = {
+ file = ../secrets/authelia-jwks.age;
+ owner = "authelia-main";
+ };
+ };
+
+ imports = [
+ ../profiles/authelia.nix
+ ../profiles/core-metrics.nix
+ ../profiles/defaults.nix
+ ../profiles/disk/btrfs-on-luks.nix
+ ../profiles/git-server.nix
+ ../profiles/hardware/framework-desktop.nix
+ ../profiles/home-manager.nix
+ ../profiles/miniflux.nix
+ ../profiles/monitoring.nix
+ ../profiles/postgresql.nix
+ ../profiles/remote-unlock.nix
+ ../profiles/restic-backup.nix
+ ../profiles/server.nix
+ ../profiles/state.nix
+ ../profiles/users/admin-user.nix
+ ../profiles/users/builder.nix
+ ../profiles/users/home-manager.nix
+ ../profiles/wireguard.nix
+ ];
+
+ boot.kernelModules = [ "sg" ];
+
+ networking.hostName = "framebox";
+ networking.useDHCP = lib.mkDefault true;
+ systemd.network.wait-online.anyInterface = lib.mkDefault config.networking.useDHCP;
+
+ services = {
+ website = {
+ enable = true;
+ openFirewall = true;
+ };
+ restic.backups.local.paths = [ "/persist/save" ];
+ restic.backups.synology.paths = [
+ "/data/archives"
+ "/data/media/music"
+ "/persist/save"
+ ];
+ };
+
+ users.users.${adminUser.name}.extraGroups = [ "cdrom" ];
+
+ system.stateVersion = "23.11";
+
+ home-manager.users.${adminUser.name} = {
+ home.homeDirectory = "/home/${adminUser.name}";
+ imports = [
+ ../home/profiles/minimal.nix
+ ];
+ home.packages = with pkgs; [
+ ffmpeg
+ imagemagick
+ makemkv
+ mkvtoolnix-cli
+ ];
+ };
+}
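Review bot: With `ephemeralRoot = true` set at the top of the new file, nothing in this hunk tells agenix where to find the host's private key, and all ten `age.secrets` entries depend on it. agenix's `age.identityPaths` defaults to the OpenSSH host key paths, which on a root that is wiped at boot may not be in place yet when secrets are decrypted during activation. Unless `../profiles/state.nix` or `../profiles/defaults.nix` already handles this (neither is visible in this diff), I would pin it explicitly, e.g. `age.identityPaths = [ "/persist/etc/ssh/ssh_host_ed25519_key" ];` (example path; use wherever the key is actually persisted). Separately, the six entries declared with only `.file` (`wireguard` through `rsync-ssh-key`) take agenix's default root ownership while the authelia ones set `owner`. It is worth confirming that the grafana and miniflux units can read `grafana-oidc` and `miniflux-oidc`, and adding a short comment above those lines saying why no `owner` is needed.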