♻️ a little reshuffling... gonna try some things

hosts/aristotle/configuration.nix

@@ -0,0 +1,75 @@
+{ pkgs, raspberry-pi-nix, ... }:
+
+{
+  imports = [
+    # Include the results of the hardware scan.
+    ./hardware-configuration.nix
+    ../../nix/modules/base/nixos.nix
+    raspberry-pi-nix.nixosModules.raspberry-pi
+    ../../nix/modules/ipfs/cluster.nix
+    # ../../nix/modules/k3s/agent.nix
+    ../../nix/modules/sops
+  ];
+
+  # See: https://github.com/NixOS/nixos-hardware/issues/858
+  boot.initrd.systemd.tpm2.enable = false;
+
+  boot.kernelParams = [
+    "cgroup_enable=memory"
+    "cgroup_enable=cpuset"
+    "cgroup_memory=1"
+  ];
+
+  raspberry-pi-nix.board = "bcm2711";
+  hardware.raspberry-pi.config = {
+    all = {
+      dt-overlays = {
+        rpi-poe = {
+          enable = true;
+          params = {
+            poe_fan_temp0 = {
+              enable = true;
+              value = 50000;
+            };
+            poe_fan_temp1 = {
+              enable = true;
+              value = 60000;
+            };
+            poe_fan_temp2 = {
+              enable = true;
+              value = 70000;
+            };
+            poe_fan_temp3 = {
+              enable = true;
+              value = 80000;
+            };
+          };
+        };
+      };
+    };
+  };
+
+  time.timeZone = "America/Toronto";
+  networking = {
+    # networking.hostName = "nixos"; # Define your hostname.
+    # networking.wireless.enable = true;  # Enables wireless support via wpa_supplicant.
+
+    # The global useDHCP flag is deprecated, therefore explicitly set to false here.
+    # Per-interface useDHCP will be mandatory in the future, so this generated config
+    # replicates the default behaviour.
+    useDHCP = false;
+    interfaces.eth0.useDHCP = true;
+    interfaces.wlan0.useDHCP = true;
+    firewall.enable = false;
+  };
+
+  users.users.root.openssh.authorizedKeys.keys = [
+    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJ0mE4MyMnfd1b2nlBJT7kpZ6Vov+ILuGNfzdp5ZBNQe walkah@walkah.net"
+  ];
+
+  environment.systemPackages = with pkgs; [
+    libraspberrypi
+    raspberrypi-eeprom
+  ];
+  security.sudo.wheelNeedsPassword = false;
+}

hosts/aristotle/hardware-configuration.nix

@@ -0,0 +1,18 @@
+# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations.  Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ lib, modulesPath, ... }:
+
+{
+  imports = [ (modulesPath + "/installer/scan/not-detected.nix") ];
+
+  fileSystems."/" = {
+    device = "/dev/disk/by-label/NIXOS_SD";
+    fsType = "ext4";
+    options = [ "noatime" ];
+  };
+
+  swapDevices = [ ];
+
+  powerManagement.cpuFreqGovernor = lib.mkDefault "ondemand";
+}

hosts/epicurus/darwin-configuration.nix

@@ -0,0 +1,10 @@
+{ ... }:
+{
+  imports = [
+    ./homebrew.nix
+
+    ../../nix/modules/base/darwin.nix
+    ../../nix/modules/builder
+    ../../nix/modules/dev
+  ];
+}

hosts/epicurus/homebrew.nix

@@ -0,0 +1,34 @@
+_:
+
+{
+  homebrew = {
+    taps = [
+      "homebrew/cask"
+      "homebrew/services"
+    ];
+
+    brews = [
+      "btop"
+      "code-server"
+      "coreutils"
+      "mas"
+      "mosh"
+    ];
+
+    casks = [
+      "1password"
+      "docker-desktop"
+      "font-jetbrains-mono"
+      "font-jetbrains-mono-nerd-font"
+      "gpg-suite"
+      "plex-media-server"
+      "stats"
+      "synology-drive"
+      "tailscale-app"
+    ];
+
+    masApps = {
+      Xcode = 497799835;
+    };
+  };
+}

hosts/heraclitus/darwin-configuration.nix

@@ -0,0 +1,19 @@
+{ ... }:
+{
+  imports = [
+    ./homebrew.nix
+
+    ../../nix/modules/base/darwin.nix
+    ../../nix/modules/dev
+    ../../nix/modules/builder
+  ];
+
+  system = {
+    defaults = {
+      dock = {
+        autohide = true;
+        orientation = "left";
+      };
+    };
+  };
+}

hosts/heraclitus/homebrew.nix

@@ -0,0 +1,104 @@
+_:
+
+{
+  homebrew = {
+    taps = [
+      "homebrew/cask"
+      "homebrew/services"
+      "walkah/tap"
+      "1password/tap"
+      "d12frosted/emacs-plus"
+      "dracula/install"
+      "heroku/brew"
+    ];
+
+    brews = [
+      "act"
+      "asdf"
+      "argocd"
+      "cmake"
+      "cocoapods"
+      "coreutils"
+      "emacs-plus"
+      "fontconfig"
+      "gcc"
+      "gh"
+      "helm"
+      "heroku"
+      "ipfs"
+      "kind"
+      "kubernetes-cli"
+      "kustomize"
+      "libtool"
+      "mas"
+      "mr"
+      "ollama"
+      "opentofu"
+      "podman"
+      "podman-compose"
+      "r"
+      "ripgrep"
+      "tea"
+      "terminal-notifier"
+      "watchman"
+    ];
+
+    casks = [
+      "1password"
+      "1password-cli"
+      "android-studio"
+      "arc"
+      "balenaetcher"
+      "beeper"
+      "brave-browser"
+      "bunch"
+      "calibre"
+      "claude"
+      "cleanmymac"
+      "discord"
+      "docker-desktop"
+      "dracula-xcode"
+      "element"
+      "fantastical"
+      "figma"
+      "firefox@developer-edition"
+      "font-jetbrains-mono"
+      "font-jetbrains-mono-nerd-font"
+      "ghostty"
+      "google-chrome"
+      "gpg-suite"
+      "hazel"
+      "jordanbaird-ice@beta"
+      "logi-options+"
+      "logitech-camera-settings"
+      "microsoft-edge"
+      "minecraft"
+      "obsidian"
+      "opal-composer"
+      "plexamp"
+      "podman-desktop"
+      "raycast"
+      "rstudio"
+      "slack"
+      "sonos"
+      "stats"
+      "steam"
+      "synology-drive"
+      "tailscale-app"
+      "todoist-app"
+      "visual-studio-code"
+      "zen"
+      "zoom"
+      "zulu@17"
+    ];
+
+    masApps = {
+      OnePasswordSafari = 1569813296;
+      Bumpr = 1166066070;
+      DayOne = 1055511498;
+      Drafts = 1435957248;
+      HomeAssistant = 1099568401;
+      Xcode = 497799835;
+    };
+  };
+}

hosts/plato/configuration.nix

@@ -0,0 +1,227 @@
+{
+  pkgs,
+  config,
+  lib,
+  ...
+}:
+let
+  automount_opts = "uid=1000,gid=1000,x-systemd.automount,noauto,x-systemd.idle-timeout=60,x-systemd.device-timeout=5s,x-systemd.mount-timeout=5s";
+  inherit (config.sops) secrets;
+in
+{
+  imports = [
+    # Include the results of the hardware scan.
+    ./hardware-configuration.nix
+    ../../nix/modules/base/nixos.nix
+
+    ../../nix/modules/coredns
+    ../../nix/modules/drone
+    ../../nix/modules/drone/runner-docker.nix
+    ../../nix/modules/gitea
+    # ../../nix/modules/k3s/server.nix
+    ../../nix/modules/matrix
+    ../../nix/modules/minecraft
+    ../../nix/modules/postgresql
+    ../../nix/modules/sops
+  ];
+  boot = {
+    binfmt.emulatedSystems = [ "aarch64-linux" ];
+    loader = {
+      efi.canTouchEfiVariables = true;
+      systemd-boot = {
+        # Use the systemd-boot EFI boot loader.
+        enable = true;
+        configurationLimit = 3;
+      };
+    };
+    tmp.cleanOnBoot = true;
+  };
+
+  # Set your time zone.
+  time.timeZone = "America/Toronto";
+  networking = {
+    hostName = "plato"; # Define your hostname.
+    useDHCP = false;
+    interfaces = {
+      enp10s0.useDHCP = true;
+      enp9s0.useDHCP = true;
+    };
+
+    # Open ports in the firewall.
+    # networking.firewall.allowedTCPPorts = [ ... ];
+    # networking.firewall.allowedUDPPorts = [ ... ];
+    # Or disable the firewall altogether.
+    firewall.enable = false;
+  };
+
+  security.sudo.wheelNeedsPassword = false;
+
+  users.users.root.openssh.authorizedKeys.keys = [
+    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJ0mE4MyMnfd1b2nlBJT7kpZ6Vov+ILuGNfzdp5ZBNQe walkah@walkah.net"
+    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC5spf4diguK+w7iYLFr565++6DjHukWfvpN2ru9dCRk nixbuild"
+  ];
+
+  environment.systemPackages = with pkgs; [
+    cifs-utils
+    pinentry-curses
+    weechat
+  ];
+  fileSystems = {
+    "/mnt/downloads" = {
+      device = "//parthenon/Downloads";
+      fsType = "cifs";
+      options = [
+        "${automount_opts},credentials=${secrets.filesystems-parthenon.path}"
+      ];
+    };
+
+    "/mnt/music" = {
+      device = "//parthenon/Music";
+      fsType = "cifs";
+      options = [
+        "${automount_opts},credentials=${secrets.filesystems-parthenon.path}"
+      ];
+    };
+    "/mnt/video" = {
+      device = "//parthenon/Video";
+      fsType = "cifs";
+      options = [
+        "${automount_opts},credentials=${secrets.filesystems-parthenon.path}"
+      ];
+    };
+  };
+
+  nixpkgs.config.allowInsecurePredicate =
+    pkg:
+    builtins.elem (lib.getName pkg) [
+      "broadcom-sta" # aka “wl”
+    ];
+
+  power.ups = {
+    enable = true;
+    mode = "netserver";
+    ups."cyberpower" = {
+      description = "Cyberpower EC650LCD";
+      driver = "usbhid-ups";
+      port = "auto";
+    };
+    upsd = {
+      enable = true;
+      listen = [
+        { address = "0.0.0.0"; }
+      ];
+    };
+    users.upsmon = {
+      passwordFile = secrets.upsmon.path;
+      upsmon = "primary";
+    };
+
+    upsmon.monitor."cyberpower".user = "upsmon";
+  };
+
+  programs.gnupg.agent = {
+    enable = true;
+    enableSSHSupport = true;
+  };
+
+  sops.secrets = {
+    filesystems-parthenon = { };
+    upsmon = { };
+  };
+
+  services = {
+    avahi = {
+      enable = true;
+      nssmdns4 = true;
+
+      publish = {
+        enable = true;
+        userServices = true;
+      };
+    };
+
+    borgbackup.jobs."borgbase" = {
+      paths = [
+        "/var/backup"
+      ];
+      repo = "ssh://h7ug55o3@h7ug55o3.repo.borgbase.com/./repo";
+      encryption = {
+        mode = "repokey-blake2";
+        passCommand = "cat /root/borgbackup/passphrase";
+      };
+      environment.BORG_RSH = "ssh -i /root/borgbackup/ssh_key";
+      compression = "auto,lzma";
+      startAt = "daily";
+    };
+
+    grafana = {
+      enable = true;
+      settings = {
+        server = {
+          domain = "plato.walkah.lab";
+          http_port = 2342;
+          http_addr = "0.0.0.0";
+        };
+      };
+    };
+    prometheus = {
+      scrapeConfigs = [
+        {
+          job_name = "node";
+          static_configs = [
+            {
+              targets = [
+                "plato:9100"
+                "agent:9100"
+                "form:9100"
+                "matter:9100"
+                "purpose:9100"
+                "socrates:9100"
+              ];
+            }
+          ];
+        }
+        {
+          job_name = "coredns";
+          static_configs = [ { targets = [ "plato:9153" ]; } ];
+        }
+        {
+          job_name = "ipfs";
+          metrics_path = "/debug/metrics/prometheus";
+          static_configs = [
+            {
+              targets = [
+                "agent:5001"
+                "form:5001"
+                "matter:5001"
+                "purpose:5001"
+              ];
+            }
+          ];
+        }
+      ];
+    };
+    tailscale = {
+      useRoutingFeatures = "server";
+    };
+  };
+
+  walkah.coredns = {
+    enable = true;
+  };
+
+  virtualisation.docker = {
+    enable = true;
+    # Clean docker images periodically
+    autoPrune = {
+      enable = true;
+      flags = [ "--all" ];
+    };
+    daemon.settings = {
+      dns = [
+        "1.1.1.1"
+        "1.0.0.1"
+      ];
+    };
+  };
+}

hosts/plato/hardware-configuration.nix

@@ -0,0 +1,40 @@
+# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations.  Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, modulesPath, ... }:
+
+{
+  imports = [ (modulesPath + "/installer/scan/not-detected.nix") ];
+  boot = {
+    initrd.availableKernelModules = [
+      "uhci_hcd"
+      "ehci_pci"
+      "ahci"
+      "xhci_pci"
+      "firewire_ohci"
+      "usb_storage"
+      "usbhid"
+      "sd_mod"
+      "sr_mod"
+    ];
+    initrd.kernelModules = [ ];
+    kernelModules = [
+      "kvm-intel"
+      "wl"
+    ];
+    extraModulePackages = [ config.boot.kernelPackages.broadcom_sta ];
+  };
+
+  fileSystems."/" = {
+    device = "/dev/disk/by-uuid/ea3c68ac-e822-4b71-a8f5-65d9e452a3c2";
+    fsType = "ext4";
+  };
+
+  fileSystems."/boot" = {
+    device = "/dev/disk/by-uuid/FB06-AB48";
+    fsType = "vfat";
+  };
+
+  swapDevices = [ { device = "/dev/disk/by-uuid/3a812874-3def-4e46-b20d-cd55fa7bdd5f"; } ];
+
+}

hosts/socrates/configuration.nix

@@ -0,0 +1,72 @@
+{ pkgs, ... }:
+{
+  imports = [
+    ./hardware-configuration.nix
+    ./networking.nix # generated at runtime by nixos-infect
+    ../../nix/modules/base/nixos.nix
+
+    ../../nix/modules/akkoma
+    ../../nix/modules/akkoma/nginx.nix
+    ../../nix/modules/coredns
+    ../../nix/modules/code-server/nginx.nix
+    ../../nix/modules/drone/nginx.nix
+    ../../nix/modules/gitea/nginx.nix
+    ../../nix/modules/home-assistant/nginx.nix
+    ../../nix/modules/ipfs/gateway.nix
+    ../../nix/modules/matrix/nginx.nix
+    ../../nix/modules/minecraft/proxy.nix
+    ../../nix/modules/sops
+  ];
+
+  boot.tmp.cleanOnBoot = true;
+
+  # Set your time zone.
+  time.timeZone = "America/Toronto";
+
+  networking = {
+    hostName = "socrates";
+    firewall = {
+      allowPing = true;
+      allowedTCPPorts = [
+        80
+        443
+      ];
+      trustedInterfaces = [ "tailscale0" ];
+      checkReversePath = "loose";
+    };
+  };
+
+  nix = {
+    settings.trusted-users = [
+      "@wheel"
+      "root"
+    ];
+  };
+
+  security = {
+    sudo.wheelNeedsPassword = false;
+    acme.acceptTerms = true;
+    acme.defaults.email = "walkah@walkah.net";
+  };
+
+  users.users.root.openssh.authorizedKeys.keys = [
+    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJ0mE4MyMnfd1b2nlBJT7kpZ6Vov+ILuGNfzdp5ZBNQe walkah@walkah.net"
+  ];
+
+  environment.systemPackages = with pkgs; [ kubo-migrator ];
+
+  walkah.coredns = {
+    enable = true;
+    addr = "100.103.57.96";
+  };
+
+  services = {
+    nginx = {
+      enable = true;
+      recommendedTlsSettings = true;
+      recommendedOptimisation = true;
+      recommendedGzipSettings = true;
+      recommendedProxySettings = true;
+    };
+  };
+}

hosts/socrates/hardware-configuration.nix

@@ -0,0 +1,9 @@
+{ modulesPath, ... }:
+{
+  imports = [ (modulesPath + "/profiles/qemu-guest.nix") ];
+  boot.loader.grub.device = "/dev/vda";
+  fileSystems."/" = {
+    device = "/dev/vda1";
+    fsType = "ext4";
+  };
+}

hosts/socrates/networking.nix

@@ -0,0 +1,52 @@
+{ lib, ... }:
+{
+  # This file was populated at runtime with the networking
+  # details gathered from the active system.
+  networking = {
+    defaultGateway = "167.99.176.1";
+    defaultGateway6 = "2604:a880:cad:d0::1";
+    dhcpcd.enable = false;
+    usePredictableInterfaceNames = lib.mkForce true;
+    interfaces = {
+      eth0 = {
+        ipv4.addresses = [
+          {
+            address = "167.99.176.10";
+            prefixLength = 20;
+          }
+          {
+            address = "10.20.0.5";
+            prefixLength = 16;
+          }
+        ];
+        ipv6.addresses = [
+          {
+            address = "2604:a880:cad:d0::cda:5001";
+            prefixLength = 64;
+          }
+          {
+            address = "fe80::b885:79ff:fe71:134e";
+            prefixLength = 64;
+          }
+        ];
+        ipv4.routes = [
+          {
+            address = "167.99.176.1";
+            prefixLength = 32;
+          }
+        ];
+        ipv6.routes = [
+          {
+            address = "2604:a880:cad:d0::1";
+            prefixLength = 32;
+          }
+        ];
+      };
+
+    };
+  };
+  services.udev.extraRules = ''
+    ATTR{address}=="ba:85:79:71:13:4e", NAME="eth0"
+    ATTR{address}=="3e:02:2b:ed:5d:22", NAME="eth1"
+  '';
+}