From 6d5812c1ddffafbdd9f44fea4bee31cf5abf5133 Mon Sep 17 00:00:00 2001
From: Daniel Kempkens
Date: Thu, 13 Apr 2023 16:45:01 +0200
Subject: [PATCH] mediaserver: init
---
agenix/hosts/mediaserver/config.nix | 7 ++
.../hosts/mediaserver/user/danielPassword.age | 13 ++
flake.nix | 8 ++
hardware/hosts/mediaserver.nix | 40 ++++++
secrets.nix | 5 +
system/flakes/mediaserver.nix | 40 ++++++
system/hosts/mediaserver.nix | 115 ++++++++++++++++++
7 files changed, 228 insertions(+)
create mode 100644 agenix/hosts/mediaserver/config.nix
create mode 100644 agenix/hosts/mediaserver/user/danielPassword.age
create mode 100644 hardware/hosts/mediaserver.nix
create mode 100644 system/flakes/mediaserver.nix
create mode 100644 system/hosts/mediaserver.nix
diff --git a/agenix/hosts/mediaserver/config.nix b/agenix/hosts/mediaserver/config.nix
new file mode 100644
index 0000000..417b8c0
--- /dev/null
+++ b/agenix/hosts/mediaserver/config.nix
@@ -0,0 +1,7 @@
+{
+ age.secrets = {
+ user-daniel-password = {
+ file = ./user/danielPassword.age;
+ };
+ };
+}
diff --git a/agenix/hosts/mediaserver/user/danielPassword.age b/agenix/hosts/mediaserver/user/danielPassword.age
new file mode 100644
index 0000000..7f2219b
--- /dev/null
+++ b/agenix/hosts/mediaserver/user/danielPassword.age
@@ -0,0 +1,13 @@
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IE10R3A2ZyBMUzZP
+MS9jajNJaUZnQzU2cjlLUlZSU0k5YzNEdTF2VlZ1WVhRa3daaVNRCmM2OHJtYXVt
+akpqS3IxUHloR3N1R2tvM1FXZm9XL2t6Y2xYaDFpUVVPZ3MKLT4gc3NoLWVkMjU1
+MTkgWTk0WWlnIDB6OEdkc0JoQjdTQjM2RmNQK1NLVDF0OXEvM09EQVJqQ1c0Z3Rl
+dXZaRHMKcGQwK2dwNEI4R0MwZFkwT0hSNithc1FjZkxna2RzbHd5bEx5N2w3bjZt
+dwotPiBASEAhLWdyZWFzZSBUKwpGTXUvOHhFMEJSc0tEWUF4dFB3dTJNZ3dvc1p4
+R0c1VS9EQ2kKLS0tIDQ4T2RzQTJXZ0tSOTN4bnM1NzIrb2JrVHA0ODM5NkxYczN4
+aW55eFp2VlkKflcGYpyoxjqM+0ZWERBYXstYzpWVW/2FWBRbfDFUBwISHp5qJdJz
+joR+bIe2Gf18qRZf7NOvpqfOsl8sU+kfYKb1mG4bTZ4fsR8X24fDFgsJw6VLHgPj
+7ksFOkH+VEFEsIBTdccYs9QMUvBA0PrDbk/UylQGpCpzRjEGyCijLGpuPjWZ+O+Y
+ZeKPaQ==
+-----END AGE ENCRYPTED FILE-----
diff --git a/flake.nix b/flake.nix
index 01b867b..28ebd26 100644
--- a/flake.nix
+++ b/flake.nix
@@ -57,6 +57,13 @@
inherit inputs;
};
+ mediaserver = import ./system/flakes/mediaserver.nix {
+ inherit (inputs) nixpkgs;
+ inherit (inputs) home-manager;
+ inherit (inputs) ragenix;
+ inherit inputs;
+ };
+ adsb-antenna = import ./system/flakes/adsb-antenna.nix {
+ inherit (inputs) nixpkgs;
+ inherit (inputs) home-manager;
@@ -71,6 +78,7 @@
nixosConfigurations = {
sail = sail.system;
attic = attic.system;
+ mediaserver = mediaserver.system;
adsb-antenna = adsb-antenna.system;
};
};
diff --git a/hardware/hosts/mediaserver.nix b/hardware/hosts/mediaserver.nix
new file mode 100644
index 0000000..3aba1cd
--- /dev/null
+++ b/hardware/hosts/mediaserver.nix
@@ -0,0 +1,40 @@
+{ pkgs, modulesPath, ... }:
+
+{
+ imports = [ (modulesPath + "/profiles/qemu-guest.nix") ];
+
+ boot = {
+ loader = {
+ systemd-boot.enable = true;
+ efi.canTouchEfiVariables = true;
+ };
+
+ initrd = {
+ availableKernelModules = [ "ata_piix" "xhci_pci" "ahci" "sd_mod" "sr_mod" ];
+ kernelModules = [ "tls" ];
+ };
+
+ kernelPackages = pkgs.linuxPackages_latest;
+ kernelModules = [ "kvm-intel" "tcp_bbr" ];
+
+ kernel.sysctl = {
+ "net.core.default_qdisc" = "fq";
+ "net.ipv4.tcp_congestion_control" = "bbr";
+ "net.core.rmem_max" = 2500000;
+ };
+ };
+
+ fileSystems = {
+ "/" = {
+ device = "/dev/disk/by-label/NIXROOT";
+ fsType = "ext4";
+ };
+
+ "/boot" = {
+ device = "/dev/disk/by-label/NIXBOOT";
+ fsType = "vfat";
+ };
+ };
+
+ hardware.cpu.intel.updateMicrocode = false;
+}
diff --git a/secrets.nix b/secrets.nix
index f7f71d7..00cf174 100644
--- a/secrets.nix
+++ b/secrets.nix
@@ -3,9 +3,11 @@ let
system-sail = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBJMs1BqZ+MC7XBwV+dZW8EmaZt2cOg/xcOBPS9KSzIl";
system-attic = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHe6N3LfPxu7KNsyuI8YE3R0OHLTxNw5+WhuQjKL6PUr";
+ system-mediaserver = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDlB0cL5CtTOyARWSE2yUsNU4JHUPmr71710mZHzsmbX";
sail = [ user-daniel system-sail ];
attic = [ user-daniel system-attic ];
+ mediaserver = [ user-daniel system-mediaserver ];
in { # sail
@@ -52,4 +54,7 @@ in
"agenix/hosts/attic/tailscale/authkey.age".publicKeys = attic;
"agenix/hosts/attic/atticd/environment.age".publicKeys = attic;
+
+ # mediaserver
+ "agenix/hosts/mediaserver/user/danielPassword.age".publicKeys = mediaserver;
}
diff --git a/system/flakes/mediaserver.nix b/system/flakes/mediaserver.nix
new file mode 100644
index 0000000..ef66b11
--- /dev/null
+++ b/system/flakes/mediaserver.nix
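Review bot: `hardware.cpu.intel.updateMicrocode = false;` at the end of the hardware hunk deserves a why-comment, because the same file loads `kvm-intel` on an Intel machine and nothing tells the reader whether skipping microcode updates was deliberate; presumably it is because the qemu-guest profile is imported and microcode is the hypervisor's job, but that is a guess, e.g. `# QEMU guest: microcode updates are applied on the host, not here — TODO confirm`. The same goes for `kernelModules = [ "tls" ];` inside `initrd` and for `"net.core.rmem_max" = 2500000;`, both unusual enough that a one-line reason each (what needs kTLS that early; which service wants the larger socket buffer) would spare the next maintainer a guess. The file is complete within the hunk.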
@@ -0,0 +1,40 @@
+{ nixpkgs, home-manager, ragenix, inputs, ... }:
+
+let
+ overlay-attic = inputs.attic.overlays.default;
+ overlay-neovim = inputs.neovim-nightly-overlay.overlay;
+ overlay-nifoc = inputs.nifoc-overlay.overlay;
+
+ nixpkgsConfig = {
+ overlays = [
+ overlay-attic
+ overlay-neovim
+ overlay-nifoc
+ ];
+
+ config = {
+ allowUnfree = true;
+ allowBroken = true;
+ };
+ };
+in
+{
+ system = nixpkgs.lib.nixosSystem {
+ system = "x86_64-linux";
+ modules = [
+ ../hosts/mediaserver.nix
+
+ home-manager.nixosModules.home-manager
+
+ ragenix.nixosModules.default
+
+ {
+ nixpkgs = nixpkgsConfig;
+ nix.nixPath = [ "nixpkgs=${nixpkgs}" ];
+ home-manager.useGlobalPkgs = true;
+ home-manager.useUserPackages = true;
+ home-manager.users.daniel = import ../../home/hosts/mediaserver.nix;
+ }
+ ];
+ };
+}
diff --git a/system/hosts/mediaserver.nix b/system/hosts/mediaserver.nix
new file mode 100644
index 0000000..ee0e4b2
--- /dev/null
+++ b/system/hosts/mediaserver.nix
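Review bot: `home-manager.users.daniel = import ../../home/hosts/mediaserver.nix;` points at a file this commit does not create: the diffstat lists seven files and none under `home/`, so unless `home/hosts/mediaserver.nix` already exists in the tree, evaluating `nixosConfigurations.mediaserver` fails on a missing path. If the home module is meant to land in a follow-up, saying so in the commit message, or pointing at an existing home module until then, keeps the flake evaluable in between. `allowBroken = true;` is also applied to the whole system's nixpkgs; a comment naming the package that needs it would let it be dropped once that is no longer the case. The file is complete within the hunk.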
@@ -0,0 +1,115 @@
+args@{ pkgs, config, lib, ... }:
+
+let
+ ssh-keys = import ../shared/ssh-keys.nix;
+in
+{
+ imports = [
+ ../../hardware/hosts/mediaserver.nix
+ ../../agenix/hosts/mediaserver/config.nix
+ ../nixos/ssh.nix
+
+ ../nixos/git.nix
+ ];
+
+ system.stateVersion = "22.11";
+
+ nix = {
+ package = pkgs.nixVersions.stable;
+
+ settings = {
+ auto-optimise-store = true;
+
+ substituters = [
+ "https://attic.cache.daniel.sx/nifoc-systems"
+ "https://nifoc.cachix.org"
+ "https://nix-community.cachix.org"
+ "https://wurzelpfropf.cachix.org"
+ ];
+
+ trusted-public-keys = [
+ "nifoc-systems:eDDqVP5BFR6/1KvXbF9oUL8JahDdmbrsYtxlQ57LOTU="
+ "nifoc.cachix.org-1:ymuftq7RgN/lf/iWXFK8gpwDSAGFaGBeliWe9u6q8II="
+ "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
+ "wurzelpfropf.cachix.org-1:ilZwK5a6wJqVr7Fyrzp4blIEkGK+LJT0QrpWr1qBNq0="
+ ];
+ };
+
+ gc = {
+ automatic = true;
+ dates = "weekly";
+ options = "--delete-older-than 14d";
+ };
+
+ extraOptions = ''
+ experimental-features = nix-command flakes
+ extra-platforms = aarch64-linux
+ keep-derivations = true
+ keep-outputs = true
+ post-build-hook = ${../../home/programs/scripts/attic-system-cache}
+ '';
+ };
+
+ environment.etc."nix/netrc".source = ../../secret/shared/nix-netrc;
+
+ boot = {
+ cleanTmpDir = true;
+
+ binfmt.emulatedSystems = [ "aarch64-linux" ];
+ };
+
+ zramSwap.enable = true;
+
+ networking = {
+ hostName = "mediaserver";
+ useNetworkd = true;
+ };
+
+ systemd.network = {
+ enable = true;
+
+ networks = {
+ "10-lan" = {
+ matchConfig.Name = "ens3";
+ networkConfig = {
+ DHCP = "yes";
+ IPv6AcceptRA = true;
+ };
+ linkConfig.RequiredForOnline = "routable";
+
+ ntp = [
+ "ptbtime1.ptb.de"
+ "ptbtime2.ptb.de"
+ "ptbtime3.ptb.de"
+ ];
+ };
+ };
+ };
+
+ services.journald.extraConfig = ''
+ SystemMaxUse=1G
+ '';
+
+ documentation = {
+ nixos.enable = false;
+ doc.enable = false;
+ };
+
+ programs.fish.enable = true;
+
+ users.users = {
+ root = {
+
openssh.authorizedKeys.keys = [ ssh-keys.LAN ];
+ };
+
+ daniel = {
+ passwordFile = config.age.secrets.user-daniel-password.path;
+ isNormalUser = true;
+ home = "/home/daniel";
+ description = "Daniel";
+ extraGroups = [ "wheel" ];
+ shell = pkgs.fish;
+ openssh.authorizedKeys.keys = [ ssh-keys.LAN ];
+ };
+ };
+}
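Review bot: `environment.etc."nix/netrc".source = ../../secret/shared/nix-netrc;` references a repository path, and a path literal used from a flake is copied into the Nix store, which is world-readable on the host; if that file carries cache credentials, as its name and the `attic.cache.daniel.sx` substituter suggest, every local account can read them. The password a few lines below already shows the safer pattern in this same file: an `age.secrets` entry referenced through `config.age.secrets.<name>.path`, which is decrypted outside the store with an owner and mode you choose, and Nix's `netrc-file` setting can point at that path instead of `/etc/nix/netrc`. Separately, `root` receives the same `ssh-keys.LAN` key as `daniel`, who is already in `wheel`; whether that key can open a root shell over SSH depends on `../nixos/ssh.nix`, which is outside this diff, so a comment stating the intent next to the root entry would help. The enclosing module attribute set spans the whole hunk and is complete here.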