authorAzat Bahawi <azat@bahawi.net>2022-08-12 22:53:53 +0300
committerAzat Bahawi <azat@bahawi.net>2022-08-12 22:53:53 +0300
commit61b94f0dd06cac0f7dcd38cce80f2a7ab8376098 (patch)
treeb703a9fe11eae6c4cae4e4682f02caf0caa171d0 /configurations
2022-08-12
Diffstat (limited to 'configurations')
-rw-r--r--configurations/default.nix139
-rw-r--r--configurations/manwe/default.nix171
-rw-r--r--configurations/manwe/mailserver.nix96
-rw-r--r--configurations/manwe/webserver.nix21
-rw-r--r--configurations/melian/default.nix288
-rw-r--r--configurations/test-headful/default.nix27
-rw-r--r--configurations/test-headless/default.nix22
-rw-r--r--configurations/varda/default.nix95
-rw-r--r--configurations/yavanna/default.nix101
9 files changed, 960 insertions, 0 deletions
diff --git a/configurations/default.nix b/configurations/default.nix
new file mode 100644
index 0000000..e0741dc
--- /dev/null
+++ b/configurations/default.nix
@@ -0,0 +1,139 @@
+{
+ inputs,
+ lib,
+}:
+with lib; {
+ # TODO Make a generic wrapper for all hosts.
+ melian = let
+ system = "x86_64-linux";
+ in
+ nixosSystem {
+ inherit system;
+
+ modules =
+ attrValues inputs.self.nixosModules
+ ++ [./melian]
+ ++ (with inputs;
+ (with nixos-hardware.nixosModules; [
+ common-pc-laptop-ssd
+ lenovo-thinkpad-t480
+ ])
+ ++ [nixpkgs.nixosModules.notDetected]);
+
+ specialArgs = rec {
+ inherit inputs lib;
+ this = my.configurations.melian;
+ };
+ };
+
+ manwe = let
+ system = "x86_64-linux";
+ in
+ nixosSystem {
+ inherit system;
+
+ modules =
+ attrValues inputs.self.nixosModules
+ ++ [./manwe]
+ ++ (with inputs;
+ (with nixos-hardware.nixosModules; [common-cpu-amd common-pc-ssd])
+ ++ [
+ nixpkgs.nixosModules.notDetected
+ "${nixpkgs}/nixos/modules/profiles/qemu-guest.nix"
+ ]);
+
+ specialArgs = rec {
+ inherit inputs lib;
+ this = my.configurations.manwe;
+ };
+ };
+
+ varda = let
+ system = "x86_64-linux";
+ in
+ nixosSystem {
+ inherit system;
+
+ modules =
+ attrValues inputs.self.nixosModules
+ ++ [./varda]
+ ++ (with inputs;
+ (with nixos-hardware.nixosModules; [common-cpu-amd common-pc-ssd])
+ ++ [
+ nixpkgs.nixosModules.notDetected
+ "${nixpkgs}/nixos/modules/profiles/qemu-guest.nix"
+ ]);
+
+ specialArgs = rec {
+ inherit inputs lib;
+ this = my.configurations.varda;
+ };
+ };
+
+ yavanna = let
+ system = "x86_64-linux";
+ in
+ nixosSystem {
+ inherit system;
+
+ modules =
+ attrValues inputs.self.nixosModules
+ ++ [./yavanna]
+ ++ (with inputs;
+ (with nixos-hardware.nixosModules; [common-cpu-intel common-pc-hdd])
+ ++ [nixpkgs.nixosModules.notDetected]);
+
+ specialArgs = rec {
+ inherit inputs lib;
+ this = my.configurations.yavanna;
+ };
+ };
+
+ test-headless = let
+ system = "x86_64-linux";
+ in
+ nixosSystem {
+ inherit system;
+
+ modules =
+ attrValues inputs.self.nixosModules
+ ++ [./test-headless]
+ ++ (with inputs; [
+ nixpkgs.nixosModules.notDetected
+ "${nixpkgs}/nixos/modules/profiles/qemu-guest.nix"
+ ]);
+
+ specialArgs = rec {
+ inherit inputs lib;
+ this = {
+ hostname = "test-headless";
+ isHeadless = true;
+ isHeadful = false;
+ };
+ };
+ };
+
+ test-headful = let
+ system = "x86_64-linux";
+ in
+ nixosSystem {
+ inherit system;
+
+ modules =
+ attrValues inputs.self.nixosModules
+ ++ [./test-headful]
+ ++ (with inputs; [
+ nixpkgs.nixosModules.notDetected
+ "${nixpkgs}/nixos/modules/profiles/qemu-guest.nix"
+ ]);
+
+ specialArgs = rec {
+ inherit inputs lib;
+ this = {
+ hostname = "test-headful";
+ isHeadful = true;
+ isHeadless = false;
+ };
+ };
+ };
+}
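Review bot: The `rec` on every `specialArgs = rec {` set in this file is unnecessary, since none of the attributes refers to a sibling; a plain `{ inherit inputs lib; this = my.configurations.melian; }` evaluates the same and does not invite an accidental self-reference later. The two test hosts hand the modules a hand-built `this = { hostname = ...; isHeadless = ...; isHeadful = ...; }` while the real hosts receive `my.configurations.<host>`, so the set of fields the modules actually require from `this` is only implied by these literals; a one-line comment above `test-headless` naming those required fields would help whoever adds the next host.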
diff --git a/configurations/manwe/default.nix b/configurations/manwe/default.nix
new file mode 100644
index 0000000..50acacd
--- /dev/null
+++ b/configurations/manwe/default.nix
@@ -0,0 +1,171 @@
+{
+ config,
+ inputs,
+ lib,
+ this,
+ ...
+}:
+with lib; {
+ imports = [
+ ./mailserver.nix
+ ./webserver.nix
+ ];
+
+ secrets.wireguard-private-key-manwe.file = "${inputs.self}/secrets/wireguard-private-key-manwe";
+
+ nixfiles.modules = {
+ nsd = {
+ enable = true;
+ fqdn = "ns1.${config.networking.domain}";
+ };
+ unbound.enable = true;
+
+ wireguard = {
+ privateKeyFile = config.secrets.wireguard-private-key-manwe.path;
+ server.enable = true;
+ };
+
+ acme.enable = true;
+
+ monitoring.enable = true;
+
+ gotify.enable = true;
+ matrix.dendrite = {
+ enable = true;
+ domain = my.domain.azahi;
+ };
+ soju = {
+ enable = true;
+ domain = my.domain.azahi;
+ };
+ };
+
+ services.prometheus = {
+ # TODO Make this generic.
+ scrapeConfigs = with my.configurations;
+ with config.services.prometheus.exporters; [
+ {
+ job_name = "endlessh-go";
+ static_configs = [
+ {
+ targets = with config.nixfiles.modules.endlessh-go; [
+ "${manwe.hostname}:${toString prometheusPort}"
+ "${varda.hostname}:${toString prometheusPort}"
+ "${yavanna.hostname}:${toString prometheusPort}"
+ ];
+ }
+ ];
+ }
+ {
+ job_name = "nginx";
+ static_configs = [
+ {
+ targets = with nginx; [
+ "${manwe.hostname}:${toString port}"
+ "${varda.hostname}:${toString port}"
+ "${yavanna.hostname}:${toString port}"
+ ];
+ }
+ ];
+ }
+ {
+ job_name = "node";
+ static_configs = [
+ {
+ targets = with node; [
+ "${manwe.hostname}:${toString port}"
+ "${varda.hostname}:${toString port}"
+ "${yavanna.hostname}:${toString port}"
+ ];
+ }
+ ];
+ }
+ {
+ job_name = "postgres";
+ static_configs = [
+ {
+ targets = with postgres; [
+ "${manwe.hostname}:${toString port}"
+ "${varda.hostname}:${toString port}"
+ ];
+ }
+ ];
+ }
+ {
+ job_name = "unbound";
+ static_configs = [
+ {
+ targets = with unbound; ["${manwe.hostname}:${toString port}"];
+ }
+ ];
+ }
+ # {
+ # job_name = "wireguard";
+ # static_configs = [{
+ # targets = with wireguard; [
+ # "${manwe.hostname}:${toString port}"
+ # ];
+ # }];
+ # }
+ ];
+ };
+
+ networking = let
+ interface = "eth0";
+ in {
+ interfaces.${interface} = {
+ ipv4.addresses = [
+ {
+ inherit (this.ipv4) address;
+ prefixLength = 22;
+ }
+ ];
+
+ ipv6.addresses = [
+ {
+ inherit (this.ipv6) address;
+ prefixLength = 64;
+ }
+ ];
+ };
+
+ defaultGateway = {
+ inherit interface;
+ address = this.ipv4.gateway;
+ };
+
+ defaultGateway6 = {
+ inherit interface;
+ address = this.ipv6.gateway;
+ };
+
+ nat.externalInterface = interface;
+ };
+
+ boot = {
+ loader.grub = {
+ enable = true;
+ device = "/dev/sda";
+ };
+
+ initrd.availableKernelModules = ["ata_piix" "uhci_hcd" "virtio_pci" "virtio_scsi" "sd_mod" "sr_mod"];
+ };
+
+ fileSystems = {
+ "/boot" = {
+ device = "/dev/sda1";
+ fsType = "xfs";
+ options = ["noatime"];
+ };
+
+ "/" = {
+ device = "/dev/sda2";
+ fsType = "xfs";
+ options = ["noatime"];
+ };
+ };
+
+ swapDevices = [{device = "/dev/sda3";}];
+
+ system.stateVersion = "22.05";
+}
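Review bot: The scrape targets for `varda` and `yavanna` in the `nginx`, `node` and `postgres` jobs are built from manwe's own `config.services.prometheus.exporters.<name>.port`, so they silently assume every host exposes its exporter on the port configured on manwe; if a remote host ever overrides its port the target is simply wrong, with no evaluation error to show it. Since `my.configurations` already carries per-host data, the port could be sourced from there; failing that, the assumption should be stated next to the existing TODO, e.g. `# Assumes every host uses the same exporter ports as manwe.`. The commented-out `wireguard` job should either be removed or carry a one-line reason it is disabled, otherwise it will be read as an oversight.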
diff --git a/configurations/manwe/mailserver.nix b/configurations/manwe/mailserver.nix
new file mode 100644
index 0000000..60a917b
--- /dev/null
+++ b/configurations/manwe/mailserver.nix
@@ -0,0 +1,96 @@
+{
+ config,
+ inputs,
+ lib,
+ ...
+}:
+with lib; {
+ imports = [inputs.simple-nixos-mailserver.nixosModule];
+
+ config = {
+ secrets = {
+ dkim-key-azahi-cc = {
+ file = "${inputs.self}/secrets/dkim-key-azahi-cc";
+ path = "/var/dkim/${my.domain.azahi}.${config.mailserver.dkimSelector}.key";
+ owner = "opendkim";
+ group = "opendkim";
+ };
+ dkim-key-rohan-net = {
+ file = "${inputs.self}/secrets/dkim-key-rohan-net";
+ path = "/var/dkim/${my.domain.rohan}.${config.mailserver.dkimSelector}.key";
+ owner = "opendkim";
+ group = "opendkim";
+ };
+ dkim-key-gondor-net = {
+ file = "${inputs.self}/secrets/dkim-key-gondor-net";
+ path = "/var/dkim/${my.domain.gondor}.${config.mailserver.dkimSelector}.key";
+ owner = "opendkim";
+ group = "opendkim";
+ };
+ dkim-key-shire-me = {
+ file = "${inputs.self}/secrets/dkim-key-shire-me";
+ path = "/var/dkim/${my.domain.shire}.${config.mailserver.dkimSelector}.key";
+ owner = "opendkim";
+ group = "opendkim";
+ };
+ };
+
+ nixfiles.modules.acme.enable = true;
+
+ mailserver = let
+ cert = config.certs.${my.domain.shire};
+ in {
+ enable = true;
+
+ fqdn = config.networking.domain;
+ domains = with my.domain; [azahi gondor rohan shire];
+
+ localDnsResolver = false;
+
+ certificateScheme = 1;
+ certificateFile = "${cert.directory}/fullchain.pem";
+ keyFile = "${cert.directory}/key.pem";
+
+ lmtpSaveToDetailMailbox = "no";
+
+ loginAccounts = with my.domain; {
+ "azahi@${shire}" = {
+ hashedPassword = "[REDACTED]";
+ aliases = [
+ "@${azahi}"
+ "@${rohan}"
+ "@${gondor}"
+ "abuse@${shire}"
+ "admin@${shire}"
+ "ceo@${shire}"
+ "postmaster@${shire}"
+ ];
+ };
+ "samwise@${shire}" = {
+ hashedPassword = "[REDACTED]";
+ aliases = ["chad@${shire}"];
+ quota = "1G";
+ };
+ "pippin@${shire}" = {
+ hashedPassword = "[REDACTED]";
+ quota = "1G";
+ };
+ "meriadoc@${shire}" = {
+ hashedPassword = "[REDACTED]";
+ quota = "1G";
+ };
+ };
+ };
+
+ services.fail2ban.jails = {
+ dovecot = ''
+ enabled = true
+ mode = aggressive
+ '';
+ postfix = ''
+ enabled = true
+ mode = aggressive
+ '';
+ };
+ };
+}
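Review bot: The `hashedPassword` values under `mailserver.loginAccounts` are string literals in the module, so on evaluation the hashes are written into the world-readable Nix store (the page shows them as `[REDACTED]`, which suggests real hashes live in the repository). The rest of this file already routes key material through `secrets.<name>.file` for the DKIM keys, and simple-nixos-mailserver accepts `hashedPasswordFile` for precisely this case, so `hashedPasswordFile = config.secrets.<name>.path;` would keep the hashes out of the store without changing anything else. Separately, `cert = config.certs.${my.domain.shire}` is used for all four domains while `fqdn = config.networking.domain`; whether that certificate also covers the fqdn is not visible here, and a comment stating which names it is expected to cover would save the next reader from having to find out.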
diff --git a/configurations/manwe/webserver.nix b/configurations/manwe/webserver.nix
new file mode 100644
index 0000000..fd23432
--- /dev/null
+++ b/configurations/manwe/webserver.nix
@@ -0,0 +1,21 @@
+{
+ inputs,
+ lib,
+ ...
+}:
+with lib; {
+ config.nixfiles.modules.nginx.virtualHosts = with my.domain;
+ {
+ ${shire}.locations."/".return = "301 https://www.youtube.com/watch?v=dQw4w9WgXcQ";
+ ${azahi} = {
+ serverAliases = ["frodo.${gondor}" "frodo.${rohan}"];
+ locations."/".root = inputs.azahi-cc;
+ };
+ }
+ // (let
+ frodo = "301 https://frodo.";
+ in {
+ ${gondor}.locations."/".return = concatStrings [frodo gondor];
+ ${rohan}.locations."/".return = concatStrings [frodo rohan];
+ });
+}
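Review bot: The `301 https://frodo.` redirects for `${gondor}` and `${rohan}` discard the request path and query string, so a link to `https://<gondor>/foo` lands on the front page of `frodo.<gondor>` rather than on `/foo`. If that is deliberate a comment saying so would help; otherwise append nginx's `$request_uri`, i.e. `${gondor}.locations."/".return = concatStrings [frodo gondor "$request_uri"];` (the `$r` sequence is not Nix interpolation, so no escaping is needed).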
diff --git a/configurations/melian/default.nix b/configurations/melian/default.nix
new file mode 100644
index 0000000..2f3da98
--- /dev/null
+++ b/configurations/melian/default.nix
@@ -0,0 +1,288 @@
+{
+ config,
+ inputs,
+ lib,
+ pkgs,
+ ...
+}:
+with lib; {
+ secrets = {
+ wireguard-private-key-melian.file = "${inputs.self}/secrets/wireguard-private-key-melian";
+
+ syncthing-cert-melian = with config.services.syncthing; {
+ file = "${inputs.self}/secrets/syncthing-cert-melian";
+ owner = user;
+ inherit group;
+ };
+
+ syncthing-key-melian = with config.services.syncthing; {
+ file = "${inputs.self}/secrets/syncthing-key-melian";
+ owner = user;
+ inherit group;
+ };
+ };
+
+ nixfiles.modules = {
+ profiles.dev = {
+ containers.enable = true;
+ sql.enable = true;
+ };
+
+ games = {
+ lutris.enable = true;
+ steam.enable = true;
+ };
+
+ wireguard = {
+ privateKeyFile = config.secrets.wireguard-private-key-melian.path;
+ client.enable = true;
+ };
+
+ syncthing = with config.secrets; {
+ enable = true;
+ key = syncthing-key-melian.path;
+ cert = syncthing-cert-melian.path;
+ };
+ # ipfs.enable = true; # High CPU usage is really anoying.
+
+ beets.enable = true;
+ bluetooth.enable = true;
+ chromium.enable = true;
+ libvirtd.enable = true;
+ mpd.enable = true;
+ qutebrowser.enable = true;
+
+ throttled.enable = true;
+ };
+
+ hm = {
+ home.packages = with pkgs; [
+ (aspellWithDicts (p: with p; [en ru]))
+ calibre
+ iaito
+ kotatogram-desktop
+ nheko
+ tor-browser
+ ];
+
+ accounts.email = {
+ maildirBasePath = "${config.my.home}/mail";
+
+ # TODO Move to my.nix.
+ accounts = let
+ base = {
+ mbsync = {
+ enable = true;
+ create = "both";
+ expunge = "both";
+ patterns = ["*"];
+ };
+ msmtp.enable = true;
+ mu.enable = true;
+ };
+
+ pass = path: "${pkgs.pass}/bin/pass show ${path}";
+ in {
+ shire =
+ base
+ // {
+ address = my.email;
+ gpg = {
+ inherit (my.pgp) key;
+ signByDefault = true;
+ encryptByDefault = false;
+ };
+
+ primary = true;
+
+ imap.host = "shire.me";
+ smtp.host = "shire.me";
+ userName = "azahi@shire.me";
+ passwordCommand = pass "email/shire.me/azahi";
+ };
+
+ yahoo =
+ base
+ // {
+ address = "a.gondor@yahoo.com";
+
+ imap.host = "imap.yahoo.com";
+ smtp.host = "smtp.yahoo.com";
+ userName = "a.gondor@yahoo.com";
+ passwordCommand = pass "email/yahoo.com/a.gondor";
+ };
+ };
+ };
+
+ programs = {
+ mbsync.enable = true;
+ msmtp.enable = true;
+ mu.enable = true;
+
+ ssh.matchBlocks = let
+ mkBlock = {
+ hostname,
+ port ? 22022,
+ user ? "azahi",
+ }: {
+ inherit hostname port user;
+ identityFile = "${config.my.home}/.ssh/id_ed25519";
+ };
+ mkInternalHostname = hostname: "${hostname}.${my.domain.shire}";
+ in
+ with my.configurations; {
+ # TODO Wrap this.
+ manwe = mkBlock {hostname = mkInternalHostname "manwe";};
+ manwe-init = mkBlock {hostname = manwe.ipv4.address;};
+ varda = mkBlock {hostname = mkInternalHostname "varda";};
+ varda-init = mkBlock {hostname = varda.ipv4.address;};
+ yavanna = mkBlock {hostname = mkInternalHostname "yavanna";};
+ yavanna-init = mkBlock {hostname = yavanna.ipv4.address;};
+ };
+ };
+ };
+
+ networking = {
+ interfaces = {
+ eth0.useDHCP = true;
+ wlan0.useDHCP = true;
+ };
+
+ wireless = {
+ enable = false;
+ iwd.enable = true;
+ userControlled.enable = true;
+ allowAuxiliaryImperativeNetworks = true;
+ };
+ };
+
+ fileSystems = {
+ "/" = {
+ device = "/dev/disk/by-uuid/bb8b09dc-cc67-47e5-8280-532b17a9e62a";
+ fsType = "xfs";
+ options = ["noatime"];
+ };
+
+ "/boot" = {
+ device = "/dev/disk/by-uuid/1083-C8A0";
+ fsType = "vfat";
+ };
+ };
+
+ # Hibernation is not enabled because I don't use it.
+ swapDevices = [
+ {
+ device = "/swapfile";
+ size = 8 * 1024;
+ }
+ ];
+
+ boot = {
+ kernelPackages = mkForce pkgs.linuxPackages_xanmod_latest;
+
+ # https://www.phoronix.com/scan.php?page=article&item=spectre-meltdown-2&num=11
+ kernelParams = ["mitigations=off"];
+
+ # Just to make Lutris/Wine logs happy.
+ kernel.sysctl."dev.i915.perf_stream_paranoid" = 0;
+
+ extraModprobeConfig = ''
+ options iwlwifi 11n_disable=1
+ '';
+
+ initrd = {
+ kernelModules = [];
+ availableKernelModules = ["ahci" "nvme" "sd_mod" "usb_storage" "usbhid" "xhci_pci"];
+
+ luks.devices."root" = {
+ device = "/dev/disk/by-uuid/c1b46f24-eec0-47d2-a142-75ddfd7bb218";
+ allowDiscards = true;
+ bypassWorkqueues = true;
+ };
+ };
+ kernelModules = ["kvm-intel"];
+
+ loader = {
+ efi.canTouchEfiVariables = true;
+
+ systemd-boot = {
+ enable = true;
+ configurationLimit = 10;
+ };
+ };
+ };
+
+ hardware = {
+ trackpoint = {
+ enable = true;
+ speed = 500;
+ sensitivity = 250;
+ };
+
+ opengl.extraPackages = with pkgs; [
+ intel-media-driver
+ libvdpau-va-gl
+ vaapiIntel
+ vaapiVdpau
+ ];
+ };
+
+ powerManagement = let
+ modprobe = "${pkgs.kmod}/bin/modprobe";
+ in {
+ enable = true;
+
+ # This fixes an issue with not being able to suspend or wake up from suspend
+ # due to a kernel bug[1].
+ #
+ # [1]: https://bbs.archlinux.org/viewtopic.php?id=270964
+ # [1]: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/522998
+ # [1]: https://bugs.launchpad.net/ubuntu/+source/pm-utils/+bug/562484/comments/3
+ # [1]: https://gist.github.com/ioggstream/8f380d398aef989ac455b93b92d42048
+ powerDownCommands = "${modprobe} -r xhci_pci";
+ powerUpCommands = "${modprobe} xhci_pci";
+ };
+
+ services = {
+ tlp = {
+ enable = false;
+ settings = {
+ START_CHARGE_THRESH_BAT0 = 75;
+ STOP_CHARGE_THRESH_BAT0 = 80;
+ RESTORE_THRESHOLDS_ON_BAT = 1;
+ };
+ };
+
+ throttled.enable = mkForce false;
+
+ thinkfan = {
+ enable = true;
+
+ # Old-style configuration should be nullified because it does not support
+ # hwmon search and appends to valid configuration resulting in conflicts
+ # and crash. I probably should make a PR to remove what was introduced[1]
+ # before.
+ #
+ # [1]: https://github.com/NixOS/nixpkgs/commit/02b872310d6a6503639f5a71a14f00441f961bc9
+ sensors = mkForce null;
+ fans = mkForce null;
+ levels = mkForce null;
+
+ settings = {
+ sensors = [
+ {
+ hwmon = "/sys/class/hwmon";
+ name = "coretemp";
+ indices = [1];
+ }
+ ];
+ fans = [{tpacpi = "/proc/acpi/ibm/fan";}];
+ levels = [["level auto" 0 50] ["level disengaged" 50 32767]];
+ };
+ };
+
+ xserver.videoDrivers = ["intel" "modesetting"];
+ };
+
+ system.stateVersion = "22.05";
+}
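Review bot: `kernelParams = ["mitigations=off"]` disables the CPU side-channel mitigations on a machine that also enables `chromium`, `qutebrowser` and `tor-browser`, i.e. one that routinely runs untrusted code from the network; the Phoronix link above it documents the performance gain but not this trade-off. A comment that makes the decision explicit would stop a future reader from treating it as an oversight, e.g. `# Deliberately trades Spectre/Meltdown protection for performance; revisit if this machine handles anything sensitive.`. The same applies to `kernel.sysctl."dev.i915.perf_stream_paranoid" = 0`, which exposes GPU performance counters to unprivileged processes: the existing comment says why it is set, and adding that it widens access would complete it.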
diff --git a/configurations/test-headful/default.nix b/configurations/test-headful/default.nix
new file mode 100644
index 0000000..fb3c276
--- /dev/null
+++ b/configurations/test-headful/default.nix
@@ -0,0 +1,27 @@
+{
+ lib,
+ modulesPath,
+ ...
+}:
+with lib; {
+ imports = ["${modulesPath}/profiles/qemu-guest.nix"];
+
+ nixfiles.modules = {
+ dwm.enable = true;
+ kde.enable = false;
+ xmonad.enable = false;
+ };
+
+ boot.loader.systemd-boot.enable = true;
+ fileSystems."/".device = "/dev/null";
+
+ documentation = {
+ enable = mkForce false;
+ man = {
+ enable = mkForce false;
+ man-db.enable = mkForce false;
+ };
+ };
+
+ system.stateVersion = "22.05";
+}
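Review bot: `fileSystems."/".device = "/dev/null"` and the `mkForce false` documentation overrides in this test host carry no comment, whereas the sibling `test-headless` explains its overrides with `# This will allow \`nix flake check\` tests to pass.`; the same one-line comment above `nixfiles.modules` here would make clear that this is a placeholder configuration that is only evaluated, never booted.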
diff --git a/configurations/test-headless/default.nix b/configurations/test-headless/default.nix
new file mode 100644
index 0000000..c085e63
--- /dev/null
+++ b/configurations/test-headless/default.nix
@@ -0,0 +1,22 @@
+{
+ lib,
+ modulesPath,
+ ...
+}:
+with lib; {
+ imports = ["${modulesPath}/profiles/qemu-guest.nix"];
+
+ # This will allow `nix flake check` tests to pass.
+ nixfiles.modules = {
+ endlessh-go.enable = mkForce false;
+ node-exporter.enable = mkForce false;
+ promtail.enable = mkForce false;
+ };
+
+ boot.loader.systemd-boot.enable = true;
+ fileSystems."/".device = "/dev/null";
+
+ documentation.enable = mkForce false;
+
+ system.stateVersion = "22.05";
+}
diff --git a/configurations/varda/default.nix b/configurations/varda/default.nix
new file mode 100644
index 0000000..b9d84f7
--- /dev/null
+++ b/configurations/varda/default.nix
@@ -0,0 +1,95 @@
+{
+ config,
+ inputs,
+ lib,
+ this,
+ ...
+}:
+with lib; {
+ secrets.wireguard-private-key-varda.file = "${inputs.self}/secrets/wireguard-private-key-varda";
+
+ nixfiles.modules = {
+ wireguard = {
+ privateKeyFile = config.secrets.wireguard-private-key-varda.path;
+ client.enable = true;
+ };
+
+ acme.enable = true;
+
+ rss-bridge.enable = true;
+ radicale.enable = true;
+ };
+
+ networking = let
+ interface = "eth0";
+ in {
+ interfaces.${interface} = {
+ ipv4.addresses = [
+ {
+ inherit (this.ipv4) address;
+ prefixLength = 22;
+ }
+ ];
+
+ ipv6.addresses = [
+ {
+ inherit (this.ipv6) address;
+ prefixLength = 64;
+ }
+ ];
+ };
+
+ defaultGateway = {
+ inherit interface;
+ address = this.ipv4.gateway;
+ };
+
+ defaultGateway6 = {
+ inherit interface;
+ address = this.ipv6.gateway;
+ };
+ };
+
+ boot = {
+ loader.grub = {
+ enable = true;
+ device = "/dev/sda";
+ };
+
+ initrd = {
+ luks.devices.nixos = {
+ device = "/dev/sda2";
+ allowDiscards = true;
+ bypassWorkqueues = true;
+ };
+
+ network = {
+ enable = true;
+ ssh = {
+ enable = true;
+ port = head config.services.openssh.ports;
+ hostKeys = map (k: k.path) config.services.openssh.hostKeys;
+ authorizedKeys = config.my.openssh.authorizedKeys.keys;
+ };
+ };
+
+ availableKernelModules = ["ata_piix" "sd_mod" "sr_mod" "uhci_hcd" "virtio_pci" "virtio_scsi"];
+ };
+ };
+
+ fileSystems = {
+ "/boot" = {
+ device = "LABEL=boot";
+ fsType = "xfs";
+ options = ["noatime"];
+ };
+
+ "/" = {
+ device = "LABEL=nixos";
+ fsType = "xfs";
+ options = ["noatime"];
+ };
+ };
+
+ system.stateVersion = "22.05";
+}
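Review bot: `boot.initrd.network.ssh.hostKeys = map (k: k.path) config.services.openssh.hostKeys` copies the main system's SSH host keys into the initrd, and the initrd is stored on the unencrypted `/boot` partition (`LABEL=boot`), so the private keys that identify this host to every SSH client are readable by anyone who can read the disk or boot partition — which undercuts part of what the LUKS volume on `/dev/sda2` is protecting. The usual arrangement is a dedicated key pair that is only ever trusted for the unlock prompt, e.g. `hostKeys = ["/etc/secrets/initrd/ssh_host_ed25519_key"];` (example path, generated out of band), and a port different from `head config.services.openssh.ports` so that clients' `known_hosts` entries for the real host and the initrd host do not collide. Reusing `config.my.openssh.authorizedKeys.keys` is fine, as it only grants access to the unlock shell.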
diff --git a/configurations/yavanna/default.nix b/configurations/yavanna/default.nix
new file mode 100644
index 0000000..b740da3
--- /dev/null
+++ b/configurations/yavanna/default.nix
@@ -0,0 +1,101 @@
+{
+ config,
+ inputs,
+ lib,
+ this,
+ ...
+}:
+with lib; {
+ secrets = {
+ wireguard-private-key-yavanna.file = "${inputs.self}/secrets/wireguard-private-key-yavanna";
+
+ syncthing-cert-yavanna = with config.services.syncthing; {
+ file = "${inputs.self}/secrets/syncthing-cert-yavanna";
+ owner = user;
+ inherit group;
+ };
+
+ syncthing-key-yavanna = with config.services.syncthing; {
+ file = "${inputs.self}/secrets/syncthing-key-yavanna";
+ owner = user;
+ inherit group;
+ };
+ };
+
+ nixfiles.modules = {
+ wireguard = {
+ privateKeyFile = config.secrets.wireguard-private-key-yavanna.path;
+ client.enable = true;
+ };
+
+ syncthing = with config.secrets; {
+ enable = true;
+ key = syncthing-key-yavanna.path;
+ cert = syncthing-cert-yavanna.path;
+ };
+
+ acme.enable = true;
+
+ rtorrent = {
+ enable = true;
+ flood.enable = true;
+ };
+ };
+
+ networking = let
+ interface = "eth0";
+ in {
+ interfaces.${interface} = {
+ ipv4.addresses = [
+ {
+ inherit (this.ipv4) address;
+ prefixLength = 24;
+ }
+ ];
+
+ ipv6.addresses = [
+ {
+ inherit (this.ipv6) address;
+ prefixLength = 128;
+ }
+ ];
+ };
+
+ defaultGateway = {
+ inherit interface;
+ address = this.ipv4.gateway;
+ };
+
+ defaultGateway6 = {
+ inherit interface;
+ address = this.ipv6.gateway;
+ };
+ };
+
+ boot = {
+ loader.grub = {
+ enable = true;
+ device = "/dev/sda";
+ };
+
+ initrd = {
+ availableKernelModules = ["uhci_hcd" "ahci"];
+ kernelModules = ["nvme"];
+ };
+ };
+
+ fileSystems."/" = {
+ device = "/dev/sda1";
+ fsType = "ext4";
+ options = ["noatime"];
+ };
+
+ swapDevices = [
+ {
+ device = "/swapfile";
+ size = 4 * 1024;
+ }
+ ];
+
+ system.stateVersion = "22.05";
+}