From e55b8ee0f7073b46fb343a97ee744a95ec40d2ed Mon Sep 17 00:00:00 2001 
From: Franck Cuny
Date: Fri, 24 Oct 2025 09:02:29 -0700
Subject: simplify hosts management
---
 machines/nixos/x86_64-linux/do-rproxy.nix | 203 +++++++++++++++++++++
 machines/nixos/x86_64-linux/do-rproxy/default.nix | 45 -----
 machines/nixos/x86_64-linux/do-rproxy/disks.nix | 55 ------
 .../x86_64-linux/do-rproxy/profiles/nginx.nix | 149 ---------------
 machines/nixos/x86_64-linux/do-rproxy/secrets.nix | 13 --
 machines/nixos/x86_64-linux/installer/default.nix | 21 ---
 machines/nixos/x86_64-linux/iso.nix | 21 +++
 machines/nixos/x86_64-linux/rivendell.nix | 86 +++++++++
 machines/nixos/x86_64-linux/rivendell/default.nix | 86 --------
 machines/nixos/x86_64-linux/synology-vm.nix | 123 +++++++++++++
 .../nixos/x86_64-linux/synology-vm/default.nix | 85 --------
 machines/nixos/x86_64-linux/synology-vm/disks.nix | 55 ------
 .../nixos/x86_64-linux/synology-vm/hardware.nix | 23 ---
 .../x86_64-linux/synology-vm/profiles/goget.nix | 7 -
 .../nixos/x86_64-linux/synology-vm/secrets.nix | 20 --
 15 files changed, 433 insertions(+), 559 deletions(-)
 create mode 100644 machines/nixos/x86_64-linux/do-rproxy.nix
 delete mode 100644 machines/nixos/x86_64-linux/do-rproxy/default.nix
 delete mode 100644 machines/nixos/x86_64-linux/do-rproxy/disks.nix
 delete mode 100644 machines/nixos/x86_64-linux/do-rproxy/profiles/nginx.nix
 delete mode 100644 machines/nixos/x86_64-linux/do-rproxy/secrets.nix
 delete mode 100644 machines/nixos/x86_64-linux/installer/default.nix
 create mode 100644 machines/nixos/x86_64-linux/iso.nix
 create mode 100644 machines/nixos/x86_64-linux/rivendell.nix
 delete mode 100644 machines/nixos/x86_64-linux/rivendell/default.nix
 create mode 100644 machines/nixos/x86_64-linux/synology-vm.nix
 delete mode 100644 machines/nixos/x86_64-linux/synology-vm/default.nix
 delete mode 100644 machines/nixos/x86_64-linux/synology-vm/disks.nix
 delete mode 100644 machines/nixos/x86_64-linux/synology-vm/hardware.nix
 delete mode 100644 machines/nixos/x86_64-linux/synology-vm/profiles/goget.nix
 delete mode 100644 machines/nixos/x86_64-linux/synology-vm/secrets.nix (limited to 'machines/nixos/x86_64-linux')
diff --git a/machines/nixos/x86_64-linux/do-rproxy.nix b/machines/nixos/x86_64-linux/do-rproxy.nix
new file mode 100644
index 0000000..c444fef
--- /dev/null
+++ b/machines/nixos/x86_64-linux/do-rproxy.nix
@@ -0,0 +1,203 @@
+{
+ inputs,
+ lib,
+ pkgs,
+ config,
+ modulesPath,
+ ...
+}:
+{
+ age = {
+ secrets = {
+ cloudflare-nginx = {
+ file = ../../../secrets/cloudflare-nginx.age;
+ };
+ wireguard = {
+ file = ../../../secrets/do/wireguard.age;
+ };
+ };
+ };
+
+ imports = [
+ (modulesPath + "/virtualisation/digital-ocean-config.nix")
+ ../../../profiles/disk/basic-vm.nix
+ ../../../profiles/defaults.nix
+ ../../../profiles/server.nix
+ ../../../profiles/cgroups.nix
+ ];
+
+ disko.devices.disk.disk1.device = "/dev/vda";
+
+ networking.hostName = "do-rproxy";
+
+ networking.wireguard = {
+ enable = true;
+ interfaces.wg0 = {
+ ips = [ "10.100.0.50/32" ];
+ listenPort = 51871;
+ privateKeyFile = config.age.secrets.wireguard.path;
+ peers = [
+ {
+ # vm-synology
+ publicKey = "bJZyQoemudGJQox8Iegebm23c4BNVIxRPy1kmI2l904=";
+ allowedIPs = [ "10.100.0.40/32" ];
+ persistentKeepalive = 25;
+ }
+ {
+ # rivendell
+ publicKey = "jf7T7TMKQWSgSXhUplldZDV9G2y2BjMmHIAhg5d26ng=";
+ allowedIPs = [ "10.100.0.60/32" ];
+ persistentKeepalive = 25;
+ }
+ ];
+ };
+ };
+
+ networking.firewall.trustedInterfaces = [ "wg0" ];
+ networking.firewall.allowedUDPPorts = [ 51871 ];
+
+ my.modules.hardware.do-droplet.enable = true;
+
+ system.stateVersion = "25.05"; # Did you read the comment?
+
+ networking.firewall.allowedTCPPorts = [
+ 80
+ 443
+ ];
+
+ security.acme = {
+ acceptTerms = true;
+ defaults.email = "franck@fcuny.net";
+ certs = {
+ "code.fcuny.net" = {
+ dnsProvider = "cloudflare";
+ dnsResolver = "1.1.1.1";
+ reloadServices = [ "nginx.service" ];
+ credentialFiles.CF_DNS_API_TOKEN_FILE = config.age.secrets."cloudflare-nginx".path;
+ };
+ "go.fcuny.net" = {
+ dnsProvider = "cloudflare";
+ dnsResolver = "1.1.1.1";
+ reloadServices = [ "nginx.service" ];
+ credentialFiles.CF_DNS_API_TOKEN_FILE = config.age.secrets."cloudflare-nginx".path;
+ };
+ "id.fcuny.net" = {
+ dnsProvider = "cloudflare";
+ dnsResolver = "1.1.1.1";
+ reloadServices = [ "nginx.service" ];
+ credentialFiles.CF_DNS_API_TOKEN_FILE = config.age.secrets."cloudflare-nginx".path;
+ };
+ "fcuny.net" = {
+ dnsProvider = "cloudflare";
+ dnsResolver = "1.1.1.1";
+ reloadServices = [ "nginx.service" ];
+ credentialFiles.CF_DNS_API_TOKEN_FILE = config.age.secrets."cloudflare-nginx".path;
+ };
+ };
+ };
+
+ services.nginx =
+ let
+ accounts = [
+ {
+ user = "franck@fcuny.net";
+ realm = "fcuny.net";
+ }
+ ];
+ webfingerConfig = {
+ "= /.well-known/webfinger" = {
+ extraConfig = ''
+ return 307 /__webfinger/$arg_resource;
+ '';
+ };
+
+ "~ ^/__webfinger/(acct:[^/]+@[^/]+)" = {
+ root = pkgs.linkFarm "webfinger-entries" (
+ lib.listToAttrs (
+ map (acct: {
+ name = "acct:${acct.user}";
+ value = pkgs.writeText "webfinger-${acct.user}" ''
+ {
+ "subject": "acct:${acct.user}",
+ "links": [
+ {
+ "rel": "http://openid.net/specs/connect/1.0/issuer",
+ "href": "https://id.fcuny.net/realms/${acct.realm}"
+ }
+ ]
+ }
+ '';
+ }) accounts
+ )
+ );
+
+ tryFiles = "/$1 =404";
+
+ extraConfig = ''
+ add_header Content-Type application/json;
+ '';
+ };
+ };
+ in
+ {
+ enable = true;
+ recommendedProxySettings = true;
+ recommendedGzipSettings = true;
+ recommendedOptimisation = true;
+ recommendedTlsSettings = true;
+ virtualHosts = {
+ "code.fcuny.net" = {
+ enableACME = true;
+ acmeRoot = null;
+ forceSSL = true;
+ locations."/" = {
+ proxyPass = "http://10.100.0.60:3000";
+ };
+ locations."/metrics" = {
+ proxyPass = "http://10.100.0.60:3000/metrics";
+ extraConfig = ''
+ deny all;
+ access_log off;
+ '';
+ };
+ };
+ "go.fcuny.net" = {
+ enableACME = true;
+ acmeRoot = null;
+ forceSSL = true;
+ locations."/" = {
+ proxyPass = "http://10.100.0.40:8070";
+ };
+ };
+ "id.fcuny.net" = {
+ enableACME = true;
+ acmeRoot = null;
+ forceSSL = true;
+ locations = (
+ {
+ "/" = {
+ proxyPass = "http://10.100.0.60:8080";
+ };
+ }
+ // webfingerConfig
+ );
+ };
+ "fcuny.net" = {
+ enableACME = true;
+ acmeRoot = null;
+ forceSSL = true;
+
+ root = "${inputs.my-site.packages.x86_64-linux.default}/";
+
+ locations = {
+ "/".tryFiles = "$uri $uri/ $uri/index.html =404";
+ }
+ // webfingerConfig;
+
+ extraConfig = ''
+ error_page 404 /404;
+ '';
+ };
+ };
+ };
+}
diff --git a/machines/nixos/x86_64-linux/do-rproxy/default.nix b/machines/nixos/x86_64-linux/do-rproxy/default.nix
deleted file mode 100644
index fd21220..0000000
--- a/machines/nixos/x86_64-linux/do-rproxy/default.nix
+++ /dev/null
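Review bot: The four `security.acme.certs` entries in do-rproxy.nix are byte-identical apart from their attribute name, so the next host added to `virtualHosts` will need a fifth copy and any tweak to the DNS-01 settings has to be made four times. Since `lib` is already in the module's argument set, `lib.genAttrs` over the host list produces the same attribute set from one body and keeps the certificate list next to the vhost list it must match. The `webfingerConfig` let-binding already follows that single-definition pattern, so this would make the file consistent with itself.

```nix
  security.acme = {
    acceptTerms = true;
    defaults.email = "franck@fcuny.net";
    # one DNS-01 profile shared by every vhost that sets enableACME below
    certs = lib.genAttrs [ "code.fcuny.net" "go.fcuny.net" "id.fcuny.net" "fcuny.net" ] (_: {
      dnsProvider = "cloudflare";
      dnsResolver = "1.1.1.1";
      reloadServices = [ "nginx.service" ];
      credentialFiles.CF_DNS_API_TOKEN_FILE = config.age.secrets."cloudflare-nginx".path;
    });
  };
  # … unchanged: services.nginx …
```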
@@ -1,45 +0,0 @@
-{ config, modulesPath, ... }:
-{
-
- imports = [
- (modulesPath + "/virtualisation/digital-ocean-config.nix")
- ./disks.nix
- ./secrets.nix
- ./profiles/nginx.nix
- ../../../../profiles/defaults.nix
- ../../../../profiles/server.nix
- ../../../../profiles/cgroups.nix
- ];
-
- networking.hostName = "do-rproxy";
-
- networking.wireguard = {
- enable = true;
- interfaces.wg0 = {
- ips = [ "10.100.0.50/32" ];
- listenPort = 51871;
- privateKeyFile = config.age.secrets.wireguard.path;
- peers = [
- {
- # vm-synology
- publicKey = "bJZyQoemudGJQox8Iegebm23c4BNVIxRPy1kmI2l904=";
- allowedIPs = [ "10.100.0.40/32" ];
- persistentKeepalive = 25;
- }
- {
- # rivendell
- publicKey = "jf7T7TMKQWSgSXhUplldZDV9G2y2BjMmHIAhg5d26ng=";
- allowedIPs = [ "10.100.0.60/32" ];
- persistentKeepalive = 25;
- }
- ];
- };
- };
-
- networking.firewall.trustedInterfaces = [ "wg0" ];
- networking.firewall.allowedUDPPorts = [ 51871 ];
-
- my.modules.hardware.do-droplet.enable = true;
-
- system.stateVersion = "25.05"; # Did you read the comment?
-}
diff --git a/machines/nixos/x86_64-linux/do-rproxy/disks.nix b/machines/nixos/x86_64-linux/do-rproxy/disks.nix
deleted file mode 100644
index a51111a..0000000
--- a/machines/nixos/x86_64-linux/do-rproxy/disks.nix
+++ /dev/null
@@ -1,55 +0,0 @@
-{ lib, ... }:
-{
- disko.devices = {
- disk.disk1 = {
- device = lib.mkDefault "/dev/vda";
- type = "disk";
- content = {
- type = "gpt";
- partitions = {
- boot = {
- name = "boot";
- size = "1M";
- type = "EF02";
- };
- esp = {
- name = "ESP";
- size = "500M";
- type = "EF00";
- content = {
- type = "filesystem";
- format = "vfat";
- mountpoint = "/boot";
- };
- };
- root = {
- name = "root";
- size = "100%";
- content = {
- type = "lvm_pv";
- vg = "pool";
- };
- };
- };
- };
- };
- lvm_vg = {
- pool = {
- type = "lvm_vg";
- lvs = {
- root = {
- size = "100%FREE";
- content = {
- type = "filesystem";
- format = "ext4";
- mountpoint = "/";
- mountOptions = [
- "defaults"
- ];
- };
- };
- };
- };
- };
- };
-}
diff --git a/machines/nixos/x86_64-linux/do-rproxy/profiles/nginx.nix b/machines/nixos/x86_64-linux/do-rproxy/profiles/nginx.nix
deleted file mode 100644
index 5c30175..0000000
--- a/machines/nixos/x86_64-linux/do-rproxy/profiles/nginx.nix
+++ /dev/null
@@ -1,149 +0,0 @@
-{
- inputs,
- config,
- pkgs,
- lib,
- ...
-}:
-{
- networking.firewall.allowedTCPPorts = [
- 80
- 443
- ];
-
- security.acme = {
- acceptTerms = true;
- defaults.email = "franck@fcuny.net";
- certs = {
- "code.fcuny.net" = {
- dnsProvider = "cloudflare";
- dnsResolver = "1.1.1.1";
- reloadServices = [ "nginx.service" ];
- credentialFiles.CF_DNS_API_TOKEN_FILE = config.age.secrets."cloudflare-nginx".path;
- };
- "go.fcuny.net" = {
- dnsProvider = "cloudflare";
- dnsResolver = "1.1.1.1";
- reloadServices = [ "nginx.service" ];
- credentialFiles.CF_DNS_API_TOKEN_FILE = config.age.secrets."cloudflare-nginx".path;
- };
- "id.fcuny.net" = {
- dnsProvider = "cloudflare";
- dnsResolver = "1.1.1.1";
- reloadServices = [ "nginx.service" ];
- credentialFiles.CF_DNS_API_TOKEN_FILE = config.age.secrets."cloudflare-nginx".path;
- };
- "fcuny.net" = {
- dnsProvider = "cloudflare";
- dnsResolver = "1.1.1.1";
- reloadServices = [ "nginx.service" ];
- credentialFiles.CF_DNS_API_TOKEN_FILE = config.age.secrets."cloudflare-nginx".path;
- };
- };
- };
-
- services.nginx =
- let
- accounts = [
- {
- user = "franck@fcuny.net";
- realm = "fcuny.net";
- }
- ];
- webfingerConfig = {
- "= /.well-known/webfinger" = {
- extraConfig = ''
- return 307 /__webfinger/$arg_resource;
- '';
- };
-
- "~ ^/__webfinger/(acct:[^/]+@[^/]+)" = {
- root = pkgs.linkFarm "webfinger-entries" (
- lib.listToAttrs (
- map (acct: {
- name = "acct:${acct.user}";
- value = pkgs.writeText "webfinger-${acct.user}" ''
- {
- "subject": "acct:${acct.user}",
- "links": [
- {
- "rel": "http://openid.net/specs/connect/1.0/issuer",
- "href": "https://id.fcuny.net/realms/${acct.realm}"
- }
- ]
- }
- '';
- }) accounts
- )
- );
-
- tryFiles = "/$1 =404";
-
- extraConfig = ''
- add_header Content-Type application/json;
- '';
- };
- };
- in
- {
- enable = true;
- recommendedProxySettings = true;
- recommendedGzipSettings = true;
- recommendedOptimisation = true;
- recommendedTlsSettings = true;
- virtualHosts = {
- "code.fcuny.net" = {
- enableACME = true;
- acmeRoot = null;
- forceSSL = true;
- locations."/" = {
- proxyPass = "http://10.100.0.60:3000";
- };
- locations."/metrics" = {
- proxyPass = "http://10.100.0.60:3000/metrics";
- extraConfig = ''
- deny all;
- access_log off;
- '';
- };
- };
- "go.fcuny.net" = {
- enableACME = true;
- acmeRoot = null;
- forceSSL = true;
- locations."/" = {
- proxyPass = "http://10.100.0.40:8070";
- };
- };
- "id.fcuny.net" = {
- enableACME = true;
- acmeRoot = null;
- forceSSL = true;
- locations = (
- {
- "/" = {
- proxyPass = "http://10.100.0.60:8080";
- };
- }
- // webfingerConfig
- );
- };
- "fcuny.net" = {
- enableACME = true;
- acmeRoot = null;
- forceSSL = true;
-
- root = "${inputs.my-site.packages.x86_64-linux.default}/";
-
- locations = {
- "/".tryFiles = "$uri $uri/ $uri/index.html =404";
- }
- // webfingerConfig;
-
- extraConfig = ''
- error_page 404 /404;
- '';
- };
- };
- };
-}
diff --git a/machines/nixos/x86_64-linux/do-rproxy/secrets.nix b/machines/nixos/x86_64-linux/do-rproxy/secrets.nix
deleted file mode 100644
index 8711666..0000000
--- a/machines/nixos/x86_64-linux/do-rproxy/secrets.nix
+++ /dev/null
@@ -1,13 +0,0 @@
-{ self, ... }:
-{
- age = {
- secrets = {
- cloudflare-nginx = {
- file = "${self}/secrets/cloudflare-nginx.age";
- };
- wireguard = {
- file = "${self}/secrets/do/wireguard.age";
- };
- };
- };
-}
diff --git a/machines/nixos/x86_64-linux/installer/default.nix b/machines/nixos/x86_64-linux/installer/default.nix
deleted file mode 100644
index e914571..0000000
--- a/machines/nixos/x86_64-linux/installer/default.nix
+++ /dev/null
@@ -1,21 +0,0 @@
-{ adminUser, modulesPath, ... }:
-{
- # run `nix build .#nixosConfigurations.iso.config.system.build.isoImage` to build the image
- imports = [
- "${modulesPath}/installer/cd-dvd/channel.nix"
- "${modulesPath}/installer/cd-dvd/installation-cd-minimal.nix"
- {
- home-manager.users.${adminUser.name} = {
- imports = [
- { home.stateVersion = "25.05"; }
- ];
- };
- }
- ];
-
- boot.loader.grub.efiSupport = true;
- boot.loader.grub.efiInstallAsRemovable = true;
- boot.loader.grub.device = "nodev";
-
- system.stateVersion = "25.05"; # Did you read the comment?
-}
diff --git a/machines/nixos/x86_64-linux/iso.nix b/machines/nixos/x86_64-linux/iso.nix
new file mode 100644
index 0000000..e914571
--- /dev/null
+++ b/machines/nixos/x86_64-linux/iso.nix
@@ -0,0 +1,21 @@
+{ adminUser, modulesPath, ... }:
+{
+ # run `nix build .#nixosConfigurations.iso.config.system.build.isoImage` to build the image
+ imports = [
+ "${modulesPath}/installer/cd-dvd/channel.nix"
+ "${modulesPath}/installer/cd-dvd/installation-cd-minimal.nix"
+ {
+ home-manager.users.${adminUser.name} = {
+ imports = [
+ { home.stateVersion = "25.05"; }
+ ];
+ };
+ }
+ ];
+
+ boot.loader.grub.efiSupport = true;
+ boot.loader.grub.efiInstallAsRemovable = true;
+ boot.loader.grub.device = "nodev";
+
+ system.stateVersion = "25.05"; # Did you read the comment?
+}
diff --git a/machines/nixos/x86_64-linux/rivendell.nix b/machines/nixos/x86_64-linux/rivendell.nix
new file mode 100644
index 0000000..dc0205d
--- /dev/null
+++ b/machines/nixos/x86_64-linux/rivendell.nix
@@ -0,0 +1,86 @@
+{
+ lib,
+ config,
+ modulesPath,
+ inputs,
+ ...
+}:
+{
+ imports = [
+ (modulesPath + "/installer/scan/not-detected.nix")
+ inputs.nixos-hardware.nixosModules.framework-desktop-amd-ai-max-300-series
+ ../../../profiles/disk/btrfs-on-luks.nix
+ ../../../profiles/defaults.nix
+ ../../../profiles/server.nix
+ ../../../profiles/cgroups.nix
+ ../../../profiles/forgejo.nix
+ ../../../profiles/keycloak.nix
+ ../../../profiles/tailscale.nix
+ ];
+
+ age = {
+ secrets = {
+ wireguard = {
+ file = ../../../secrets/rivendell/wireguard.age;
+ };
+ };
+ };
+
+ boot.initrd.availableKernelModules = [
+ "nvme"
+ "xhci_pci"
+ "thunderbolt"
+ "usbhid"
+ "usb_storage"
+ "sd_mod"
+ "r8169" # ethernet driver
+ ];
+ boot.initrd.kernelModules = [ ];
+ boot.kernelModules = [ "kvm-amd" ];
+ boot.extraModulePackages = [ ];
+
+ nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+ hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+
+ networking.hostName = "rivendell";
+ networking.useDHCP = lib.mkDefault true;
+ systemd.network.wait-online.anyInterface = lib.mkDefault config.networking.useDHCP;
+
+ users.users.builder = {
+ openssh.authorizedKeys.keys = [
+ # my personal key
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINBkozy+X96u5ciX766bJ/AyQ3xm1tXZTIr5+4PVFZFi"
+ # remote builder ssh key
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGFGxdplt9WwGjdhoYkmPe2opZMJShtpqnGCI+swrgvw"
+ ];
+ isNormalUser = true;
+ group = "nogroup";
+ };
+
+ nix.settings.trusted-users = [ "builder" ];
+
+ networking.wireguard = {
+ enable = true;
+ interfaces.wg0 = {
+ ips = [ "10.100.0.60/32" ];
+ listenPort = 51871;
+ privateKeyFile = config.age.secrets.wireguard.path;
+ peers = [
+ {
+ # digital ocean droplet
+ publicKey = "I+l/sWtfXcdunz2nZ05rlDexGew30ZuDxL0DVTTK318=";
+ allowedIPs = [ "10.100.0.0/24" ];
+ endpoint = "165.232.158.110:51871";
+ persistentKeepalive = 25;
+ }
+ ];
+ };
+ };
+
+ networking.firewall.allowedUDPPorts = [ 51871 ];
+
+ my.modules.hardware.baremetal.enable = true;
+ my.modules.remote-unlock.enable = true;
+
+ system.stateVersion = "23.11"; # Did you read the comment?
+}
diff --git a/machines/nixos/x86_64-linux/rivendell/default.nix b/machines/nixos/x86_64-linux/rivendell/default.nix
deleted file mode 100644
index abbc78f..0000000
--- a/machines/nixos/x86_64-linux/rivendell/default.nix
+++ /dev/null
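Review bot: The `users.users.builder` block (both authorized keys, `isNormalUser`, `group = "nogroup"`) together with `nix.settings.trusted-users = [ "builder" ]` is repeated verbatim in the new synology-vm.nix hunk of this same commit, so the two hosts can silently diverge the next time a key is rotated. Given the commit's goal of simplifying host management, the pair belongs in a shared module such as `../../../profiles/builder.nix` alongside the other profiles this file already imports, leaving each host with a single import line. Whatever its location, the `trusted-users` line deserves a why-comment, because a trusted Nix user can change daemon settings and import unsigned store paths, which is root-equivalent on that host; something like `# required so the remote-build client can push unsigned inputs; note this is root-equivalent` makes the trade-off visible to the next reader. The `# my personal key` entry on the same account is what extends that privilege to the personal key as well, which may be intended but is worth stating.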
@@ -1,86 +0,0 @@
-{
- lib,
- config,
- modulesPath,
- inputs,
- ...
-}:
-{
- imports = [
- (modulesPath + "/installer/scan/not-detected.nix")
- inputs.nixos-hardware.nixosModules.framework-desktop-amd-ai-max-300-series
- ../../../../profiles/disk/btrfs-on-luks.nix
- ../../../../profiles/defaults.nix
- ../../../../profiles/server.nix
- ../../../../profiles/cgroups.nix
- ../../../../profiles/forgejo.nix
- ../../../../profiles/keycloak.nix
- ../../../../profiles/tailscale.nix
- ];
-
- age = {
- secrets = {
- wireguard = {
- file = ../../../../secrets/rivendell/wireguard.age;
- };
- };
- };
-
- boot.initrd.availableKernelModules = [
- "nvme"
- "xhci_pci"
- "thunderbolt"
- "usbhid"
- "usb_storage"
- "sd_mod"
- "r8169" # ethernet driver
- ];
- boot.initrd.kernelModules = [ ];
- boot.kernelModules = [ "kvm-amd" ];
- boot.extraModulePackages = [ ];
-
- nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
- hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
-
- networking.hostName = "rivendell";
- networking.useDHCP = lib.mkDefault true;
- systemd.network.wait-online.anyInterface = lib.mkDefault config.networking.useDHCP;
-
- users.users.builder = {
- openssh.authorizedKeys.keys = [
- # my personal key
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINBkozy+X96u5ciX766bJ/AyQ3xm1tXZTIr5+4PVFZFi"
- # remote builder ssh key
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGFGxdplt9WwGjdhoYkmPe2opZMJShtpqnGCI+swrgvw"
- ];
- isNormalUser = true;
- group = "nogroup";
- };
-
- nix.settings.trusted-users = [ "builder" ];
-
- networking.wireguard = {
- enable = true;
- interfaces.wg0 = {
- ips = [ "10.100.0.60/32" ];
- listenPort = 51871;
- privateKeyFile = config.age.secrets.wireguard.path;
- peers = [
- {
- # digital ocean droplet
- publicKey = "I+l/sWtfXcdunz2nZ05rlDexGew30ZuDxL0DVTTK318=";
- allowedIPs = [ "10.100.0.0/24" ];
- endpoint = "165.232.158.110:51871";
- persistentKeepalive = 25;
- }
- ];
- };
- };
-
- networking.firewall.allowedUDPPorts = [ 51871 ];
-
- my.modules.hardware.baremetal.enable = true;
- my.modules.remote-unlock.enable = true;
-
- system.stateVersion = "23.11"; # Did you read the comment?
-}
diff --git a/machines/nixos/x86_64-linux/synology-vm.nix b/machines/nixos/x86_64-linux/synology-vm.nix
new file mode 100644
index 0000000..702f8b4
--- /dev/null
+++ b/machines/nixos/x86_64-linux/synology-vm.nix
@@ -0,0 +1,123 @@
+{
+ modulesPath,
+ lib,
+ adminUser,
+ config,
+ ...
+}:
+{
+ age = {
+ secrets = {
+ restic_gcs_credentials = {
+ file = ../../../secrets/restic_gcs_credentials.age;
+ };
+ restic_password = {
+ file = ../../../secrets/restic_password.age;
+ };
+ nas_client_credentials = {
+ file = ../../../secrets/nas_client.age;
+ };
+ wireguard = {
+ file = ../../../secrets/vm-synology/wireguard.age;
+ };
+ };
+ };
+
+ imports = [
+ (modulesPath + "/profiles/qemu-guest.nix")
+ (modulesPath + "/installer/scan/not-detected.nix")
+ ../../../profiles/defaults.nix
+ ../../../profiles/server.nix
+ ../../../profiles/cgroups.nix
+ ../../../profiles/disk/basic-vm.nix
+ ];
+
+ boot.initrd.availableKernelModules = [
+ "ata_piix"
+ "uhci_hcd"
+ "virtio_pci"
+ "virtio_scsi"
+ "sd_mod"
+ "sr_mod"
+ ];
+ boot.initrd.kernelModules = [ ];
+ boot.kernelModules = [ "kvm-amd" ];
+ boot.extraModulePackages = [ ];
+
+ swapDevices = [ ];
+
+ nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+
+ boot.loader.efi.canTouchEfiVariables = true;
+ boot.loader.systemd-boot.enable = true;
+
+ networking.hostName = "synology-vm";
+ networking.useDHCP = lib.mkDefault true;
+ systemd.network.wait-online.anyInterface = lib.mkDefault config.networking.useDHCP;
+
+ my.modules.nas-client = {
+ enable = true;
+ volumes = {
+ data = {
+ server = "192.168.1.68";
+ remotePath = "backups";
+ mountPoint = "/data/backups";
+ uid = adminUser.uid;
+ };
+ };
+ };
+
+ my.modules.backups = {
+ enable = true;
+ passwordFile = config.age.secrets.restic_password.path;
+ remote = {
+ googleProjectId = "fcuny-infra";
+ googleCredentialsFile = config.age.secrets.restic_gcs_credentials.path;
+ };
+ };
+
+ users.users.builder = {
+ openssh.authorizedKeys.keys = [
+ # my personal key
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINBkozy+X96u5ciX766bJ/AyQ3xm1tXZTIr5+4PVFZFi"
+ # remote builder ssh key
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGFGxdplt9WwGjdhoYkmPe2opZMJShtpqnGCI+swrgvw"
+ ];
+ isNormalUser = true;
+ group = "nogroup";
+ };
+
+ nix.settings.trusted-users = [ "builder" ];
+
+ networking.wireguard = {
+ enable = true;
+ interfaces.wg0 = {
+ ips = [ "10.100.0.40/32" ];
+ listenPort = 51871;
+ privateKeyFile = config.age.secrets.wireguard.path;
+ peers = [
+ {
+ publicKey = "I+l/sWtfXcdunz2nZ05rlDexGew30ZuDxL0DVTTK318=";
+ allowedIPs = [ "10.100.0.0/24" ];
+ endpoint = "165.232.158.110:51871";
+ persistentKeepalive = 25;
+ }
+ {
+ # rivendell
+ publicKey = "jf7T7TMKQWSgSXhUplldZDV9G2y2BjMmHIAhg5d26ng=";
+ allowedIPs = [ "10.100.0.0/24" ];
+ persistentKeepalive = 25;
+ }
+ ];
+ };
+ };
+
+ services.goget = {
+ enable = true;
+ openFirewall = true;
+ };
+
+ networking.firewall.allowedUDPPorts = [ 51871 ];
+
+ system.stateVersion = "23.11"; # Did you read the comment?
+}
diff --git a/machines/nixos/x86_64-linux/synology-vm/default.nix b/machines/nixos/x86_64-linux/synology-vm/default.nix
deleted file mode 100644
index c1b2270..0000000
--- a/machines/nixos/x86_64-linux/synology-vm/default.nix
+++ /dev/null
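Review bot: Both peers in synology-vm.nix's `networking.wireguard.interfaces.wg0.peers` claim `allowedIPs = [ "10.100.0.0/24" ]`, but WireGuard treats allowed-ips as a routing table in which each prefix belongs to exactly one peer, so the peer configured last (rivendell) takes the whole /24 away from the droplet peer; if peers are applied in the listed order, traffic for the droplet at 10.100.0.50 would then be steered to a peer that has no `endpoint`. The droplet side (do-rproxy.nix in this same commit) already uses per-peer /32s, so narrowing the rivendell peer to `allowedIPs = [ "10.100.0.60/32" ];` keeps the droplet as the route for the rest of the /24 and makes the two ends of the tunnel agree. The first peer also lacks the `# digital ocean droplet` comment that rivendell.nix carries on the same public key; adding it here keeps the two files' peer blocks readable side by side.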
@@ -1,85 +0,0 @@
-{
- lib,
- adminUser,
- config,
- ...
-}:
-{
- imports = [
- ./disks.nix
- ./hardware.nix
- ./secrets.nix
- ./profiles/goget.nix
- ../../../../profiles/defaults.nix
- ../../../../profiles/server.nix
- ../../../../profiles/cgroups.nix
- ];
-
- boot.loader.efi.canTouchEfiVariables = true;
- boot.loader.systemd-boot.enable = true;
-
- networking.hostName = "synology-vm";
- networking.useDHCP = lib.mkDefault true;
- systemd.network.wait-online.anyInterface = lib.mkDefault config.networking.useDHCP;
-
- my.modules.nas-client = {
- enable = true;
- volumes = {
- data = {
- server = "192.168.1.68";
- remotePath = "backups";
- mountPoint = "/data/backups";
- uid = adminUser.uid;
- };
- };
- };
-
- my.modules.backups = {
- enable = true;
- passwordFile = config.age.secrets.restic_password.path;
- remote = {
- googleProjectId = "fcuny-infra";
- googleCredentialsFile = config.age.secrets.restic_gcs_credentials.path;
- };
- };
-
- users.users.builder = {
- openssh.authorizedKeys.keys = [
- # my personal key
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINBkozy+X96u5ciX766bJ/AyQ3xm1tXZTIr5+4PVFZFi"
- # remote builder ssh key
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGFGxdplt9WwGjdhoYkmPe2opZMJShtpqnGCI+swrgvw"
- ];
- isNormalUser = true;
- group = "nogroup";
- };
-
- nix.settings.trusted-users = [ "builder" ];
-
- networking.wireguard = {
- enable = true;
- interfaces.wg0 = {
- ips = [ "10.100.0.40/32" ];
- listenPort = 51871;
- privateKeyFile = config.age.secrets.wireguard.path;
- peers = [
- {
- publicKey = "I+l/sWtfXcdunz2nZ05rlDexGew30ZuDxL0DVTTK318=";
- allowedIPs = [ "10.100.0.0/24" ];
- endpoint = "165.232.158.110:51871";
- persistentKeepalive = 25;
- }
- {
- # rivendell
- publicKey = "jf7T7TMKQWSgSXhUplldZDV9G2y2BjMmHIAhg5d26ng=";
- allowedIPs = [ "10.100.0.0/24" ];
- persistentKeepalive = 25;
- }
- ];
- };
- };
-
- networking.firewall.allowedUDPPorts = [ 51871 ];
-
- system.stateVersion = "23.11"; # Did you read the comment?
-}
diff --git a/machines/nixos/x86_64-linux/synology-vm/disks.nix b/machines/nixos/x86_64-linux/synology-vm/disks.nix
deleted file mode 100644
index 1641339..0000000
--- a/machines/nixos/x86_64-linux/synology-vm/disks.nix
+++ /dev/null
@@ -1,55 +0,0 @@
-{ lib, ... }:
-{
- disko.devices = {
- disk.disk1 = {
- device = lib.mkDefault "/dev/sda";
- type = "disk";
- content = {
- type = "gpt";
- partitions = {
- boot = {
- name = "boot";
- size = "1M";
- type = "EF02";
- };
- esp = {
- name = "ESP";
- size = "500M";
- type = "EF00";
- content = {
- type = "filesystem";
- format = "vfat";
- mountpoint = "/boot";
- };
- };
- root = {
- name = "root";
- size = "100%";
- content = {
- type = "lvm_pv";
- vg = "pool";
- };
- };
- };
- };
- };
- lvm_vg = {
- pool = {
- type = "lvm_vg";
- lvs = {
- root = {
- size = "100%FREE";
- content = {
- type = "filesystem";
- format = "ext4";
- mountpoint = "/";
- mountOptions = [
- "defaults"
- ];
- };
- };
- };
- };
- };
- };
-}
diff --git a/machines/nixos/x86_64-linux/synology-vm/hardware.nix b/machines/nixos/x86_64-linux/synology-vm/hardware.nix
deleted file mode 100644
index ad1fd3f..0000000
--- a/machines/nixos/x86_64-linux/synology-vm/hardware.nix
+++ /dev/null
@@ -1,23 +0,0 @@
-{ lib, modulesPath, ... }:
-{
- imports = [
- (modulesPath + "/profiles/qemu-guest.nix")
- (modulesPath + "/installer/scan/not-detected.nix")
- ];
-
- boot.initrd.availableKernelModules = [
- "ata_piix"
- "uhci_hcd"
- "virtio_pci"
- "virtio_scsi"
- "sd_mod"
- "sr_mod"
- ];
- boot.initrd.kernelModules = [ ];
- boot.kernelModules = [ "kvm-amd" ];
- boot.extraModulePackages = [ ];
-
- swapDevices = [ ];
-
- nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
-}
diff --git a/machines/nixos/x86_64-linux/synology-vm/profiles/goget.nix b/machines/nixos/x86_64-linux/synology-vm/profiles/goget.nix
deleted file mode 100644
index ac32e62..0000000
--- a/machines/nixos/x86_64-linux/synology-vm/profiles/goget.nix
+++ /dev/null
@@ -1,7 +0,0 @@
-{ ... }:
-{
- services.goget = {
- enable = true;
- openFirewall = true;
- };
-}
diff --git a/machines/nixos/x86_64-linux/synology-vm/secrets.nix b/machines/nixos/x86_64-linux/synology-vm/secrets.nix
deleted file mode 100644
index e323097..0000000
--- a/machines/nixos/x86_64-linux/synology-vm/secrets.nix
+++ /dev/null
@@ -1,20 +0,0 @@
-{ self, ... }:
-{
- age = {
- secrets = {
- restic_gcs_credentials = {
- file = "${self}/secrets/restic_gcs_credentials.age";
- };
- restic_password = {
- file = "${self}/secrets/restic_password.age";
- };
- nas_client_credentials = {
- file = "${self}/secrets/nas_client.age";
- };
- wireguard = {
- file = "${self}/secrets/vm-synology/wireguard.age";
- };
- };
- };
-
-}
-- cgit v1.2.3