Diffstat (limited to 'nixosConfigurations')
-rw-r--r--nixosConfigurations/default.nix96
-rw-r--r--nixosConfigurations/eonwe/default.nix72
-rw-r--r--nixosConfigurations/manwe/default.nix88
-rw-r--r--nixosConfigurations/manwe/mailserver.nix94
-rw-r--r--nixosConfigurations/manwe/webserver.nix23
-rw-r--r--nixosConfigurations/melian/default.nix108
-rw-r--r--nixosConfigurations/test-headful/default.nix19
-rw-r--r--nixosConfigurations/test-headless/default.nix13
-rw-r--r--nixosConfigurations/varda/default.nix62
-rw-r--r--nixosConfigurations/yavanna/default.nix46
10 files changed, 621 insertions, 0 deletions
diff --git a/nixosConfigurations/default.nix b/nixosConfigurations/default.nix
new file mode 100644
index 0000000..8ebeda4
--- /dev/null
+++ b/nixosConfigurations/default.nix
@@ -0,0 +1,96 @@
+{
+  inputs,
+  lib,
+}:
+with lib; let
+  mkConfiguration = name: {
+    modules ? [],
+    configuration ? ./${name},
+    this ? my.configurations.${name},
+    extraSpecialArgs ? {
+      localUsername = my.username;
+      localHostname = this.hostname;
+    },
+  }:
+    nameValuePair name (nixosSystem {
+      inherit (this) system;
+      modules =
+        modules
+        ++ attrValues inputs.self.modules
+        ++ attrValues inputs.self.nixosModules
+        ++ optional (configuration != null) (import configuration);
+      specialArgs =
+        {
+          inherit inputs lib this;
+        }
+        // extraSpecialArgs;
+    });
+in
+  mapAttrs' mkConfiguration {
+    # A dummy configuration to test the "headless" profile.
+    test-headless = {
+      modules = with inputs; [
+        "${nixpkgs}/nixos/modules/profiles/qemu-guest.nix"
+        nixpkgs.nixosModules.notDetected
+      ];
+      this = {
+        hostname = "test-headless";
+        system = "x86_64-linux";
+        isHeadless = true;
+        isHeadful = false;
+      };
+    };
+
+    # A dummy configuration to test the "headful" profile.
+    test-headful = {
+      modules = with inputs; [
+        "${nixpkgs}/nixos/modules/profiles/qemu-guest.nix"
+        nixpkgs.nixosModules.notDetected
+      ];
+      this = {
+        hostname = "test-headful";
+        system = "x86_64-linux";
+        isHeadless = false;
+        isHeadful = true;
+      };
+    };
+
+    # A beefy desktop: 7950x/rx6750xt/128GB.
+    eonwe.modules = with inputs; [
+      nixos-hardware.nixosModules.common-cpu-amd
+      nixos-hardware.nixosModules.common-gpu-amd
+      nixos-hardware.nixosModules.common-pc-ssd
+      nixpkgs.nixosModules.notDetected
+    ];
+
+    # ThinkPad T480.
+    melian.modules = with inputs; [
+      nixos-hardware.nixosModules.common-pc-laptop-ssd
+      nixos-hardware.nixosModules.lenovo-thinkpad-t480
+      nixpkgs.nixosModules.notDetected
+    ];
+
+    # VPS: Germany
+    manwe.modules = with inputs; [
+      "${nixpkgs}/nixos/modules/profiles/qemu-guest.nix"
+      nixos-hardware.nixosModules.common-cpu-amd
+      nixos-hardware.nixosModules.common-pc-ssd
+      nixpkgs.nixosModules.notDetected
+    ];
+
+    # VPS: Germany
+    varda.modules = with inputs; [
+      "${nixpkgs}/nixos/modules/profiles/qemu-guest.nix"
+      nixos-hardware.nixosModules.common-cpu-amd
+      nixos-hardware.nixosModules.common-pc-ssd
+      nixpkgs.nixosModules.notDetected
+    ];
+
+    # VPS: France
+    yavanna.modules = with inputs; [
+      "${nixpkgs}/nixos/modules/profiles/qemu-guest.nix"
+      nixos-hardware.nixosModules.common-cpu-intel
+      nixos-hardware.nixosModules.common-pc-hdd
+      nixpkgs.nixosModules.notDetected
+    ];
+  }
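Review bot: `mkConfiguration` (L30–L51) has no comment, yet it carries four defaulted arguments whose interaction is not obvious: `configuration ? ./${name}` is only imported when non-null (L45), and `this ? my.configurations.${name}` is what the test entries override explicitly (L60, L74). A short header would save the next reader a trip through the defaults, for example `# mkConfiguration name attrs: build one nixosSystem; configuration is the per-host directory (null to skip), this is the host metadata (system, hostname, …) and extraSpecialArgs is merged over inputs/lib/this.` Where `nixosSystem` and `my` come from is not visible in this hunk (both are reached through `with lib;` on L29), so the comment should also name the extended `lib` they are expected to come from if that is the case.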
diff --git a/nixosConfigurations/eonwe/default.nix b/nixosConfigurations/eonwe/default.nix
new file mode 100644
index 0000000..a867837
--- /dev/null
+++ b/nixosConfigurations/eonwe/default.nix
@@ -0,0 +1,72 @@
+{
+  config,
+  lib,
+  pkgs,
+  this,
+  ...
+}:
+with lib; {
+  nixfiles.modules = {
+    wireguard.client.enable = true;
+
+    syncthing.enable = true;
+
+    openssh.server.enable = true;
+
+    games = {
+      lutris.enable = true;
+      steam.enable = true;
+    };
+    android.enable = true;
+    bluetooth.enable = true;
+    discord.enable = true;
+    libvirtd.enable = true;
+    qutebrowser.enable = true;
+  };
+
+  hm.programs = {
+    firefox.profiles.default.settings."media.ffmpeg.vaapi.enabled" = true;
+
+    mpv.config = {
+      hwdec = "vdpau";
+      vo = "gpu";
+      profile = "gpu-hq";
+    };
+  };
+
+  boot = {
+    # Silence benign MCE errors:
+    # ```
+    # mce: [Hardware Error]: CPU 1: Machine Check: 0 Bank 29: ffffffffffffffff
+    # mce: [Hardware Error]: TSC 0 MISC ff1fffffffffffff SYND ffffffffffffffff IPID ffffffffffffffff
+    # mce: [Hardware Error]: PROCESSOR 2:a60f12 TIME 1669988017 SOCKET 0 APIC 2 microcode a601201
+    # ```
+    kernelParams = ["mce=nobootlog"];
+
+    initrd.availableKernelModules = [
+      "ahci"
+      "nvme"
+      "sd_mod"
+      "usb_storage"
+      "usbhid"
+      "xhci_pci"
+    ];
+  };
+
+  fileSystems = {
+    "/boot" = {
+      device = "/dev/disk/by-uuid/FF1E-9CFD";
+      fsType = "vfat";
+    };
+
+    "/" = {
+      device = "/dev/disk/by-uuid/20276c1b-7e46-430b-b741-2f4aeb76bc51";
+      fsType = "xfs";
+      options = ["noatime"];
+    };
+  };
+
+  # No swap space is declared here because the system already has 128Gb of RAM.
+  # I didn't manage to even hit 100Gb mark even when running large
+  # computations/compiling something big.
+}
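Review bot: The module header on L127–L133 binds `config`, `pkgs` and `this`, but none of them is used anywhere in the body — every setting is a literal. The same applies to `this` in manwe (L208), varda (L588) and yavanna (L656) and to `config` in melian (L429). Trimming to `{lib, ...}:` (as test-headful and test-headless already do on L542 and L567) makes it clear at a glance which host modules actually depend on evaluated config, and keeps `this` from silently masking a future typo; `with lib;` on L134 is also unused here and could go with it.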
diff --git a/nixosConfigurations/manwe/default.nix b/nixosConfigurations/manwe/default.nix
new file mode 100644
index 0000000..b8dd324
--- /dev/null
+++ b/nixosConfigurations/manwe/default.nix
@@ -0,0 +1,88 @@
+{
+  config,
+  lib,
+  this,
+  ...
+}:
+with lib; {
+  imports = [
+    ./mailserver.nix
+    ./webserver.nix
+  ];
+
+  nixfiles.modules = {
+    nsd = {
+      enable = true;
+      fqdn = "ns1.${config.networking.domain}";
+    };
+    unbound.enable = true;
+
+    wireguard.server.enable = true;
+
+    acme.enable = true;
+
+    monitoring.enable = true;
+
+    postgresql.enable = true;
+
+    git.server = {
+      enable = true;
+      domain = "git.${my.domain.azahi}";
+    };
+
+    gotify.enable = true;
+    matrix.dendrite = {
+      enable = true;
+      domain = my.domain.azahi;
+    };
+    radicale.enable = true;
+    rss-bridge.enable = true;
+    shadowsocks.enable = true;
+    soju = {
+      enable = true;
+      domain = my.domain.azahi;
+    };
+    vaultwarden.enable = true;
+  };
+
+  boot = {
+    loader.grub = {
+      enable = true;
+      device = "/dev/sda";
+    };
+
+    initrd.availableKernelModules = [
+      "ata_piix"
+      "sd_mod"
+      "sr_mod"
+      "uhci_hcd"
+      "virtio_pci"
+      "virtio_scsi"
+    ];
+  };
+
+  fileSystems = {
+    "/boot" = {
+      device = "/dev/sda1";
+      fsType = "xfs";
+      options = ["noatime"];
+    };
+
+    "/" = {
+      device = "/dev/sda2";
+      fsType = "xfs";
+      options = ["noatime"];
+    };
+  };
+
+  swapDevices = [
+    {
+      device = "/dev/sda3";
+    }
+  ];
+
+  zramSwap = {
+    enable = true;
+    memoryPercent = 25;
+  };
+}
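Review bot: The filesystems on L270 and L276 and the swap device on L284 are addressed by kernel enumeration (`/dev/sda1`, `/dev/sda2`, `/dev/sda3`), whereas eonwe, melian and varda use `/dev/disk/by-uuid/…`; yavanna's root on L683 has the same problem. On a qemu-guest with `virtio_scsi` in the initrd (L264) the enumeration order is not guaranteed, so a changed disk order mounts the wrong partition or fails to boot. Switching to `device = "/dev/disk/by-uuid/<ROOT-UUID>";` per partition (UUIDs to be read from the host, not visible here) makes this consistent with the other hosts; the GRUB target on L255 can stay as a whole-disk path since GRUB installs to the device, not a filesystem.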
diff --git a/nixosConfigurations/manwe/mailserver.nix b/nixosConfigurations/manwe/mailserver.nix
new file mode 100644
index 0000000..a4b552a
--- /dev/null
+++ b/nixosConfigurations/manwe/mailserver.nix
@@ -0,0 +1,94 @@
+{
+  config,
+  inputs,
+  lib,
+  ...
+}:
+with lib; {
+  imports = [inputs.simple-nixos-mailserver.nixosModule];
+
+  secrets = {
+    dkim-key-azahi-cc = {
+      file = "${inputs.self}/secrets/dkim-key-azahi-cc";
+      path = "/var/dkim/${my.domain.azahi}.${config.mailserver.dkimSelector}.key";
+      owner = "opendkim";
+      group = "opendkim";
+    };
+    dkim-key-rohan-net = {
+      file = "${inputs.self}/secrets/dkim-key-rohan-net";
+      path = "/var/dkim/${my.domain.rohan}.${config.mailserver.dkimSelector}.key";
+      owner = "opendkim";
+      group = "opendkim";
+    };
+    dkim-key-gondor-net = {
+      file = "${inputs.self}/secrets/dkim-key-gondor-net";
+      path = "/var/dkim/${my.domain.gondor}.${config.mailserver.dkimSelector}.key";
+      owner = "opendkim";
+      group = "opendkim";
+    };
+    dkim-key-shire-me = {
+      file = "${inputs.self}/secrets/dkim-key-shire-me";
+      path = "/var/dkim/${my.domain.shire}.${config.mailserver.dkimSelector}.key";
+      owner = "opendkim";
+      group = "opendkim";
+    };
+  };
+
+  nixfiles.modules.acme.enable = true;
+
+  mailserver = let
+    cert = config.certs.${my.domain.shire};
+  in {
+    enable = true;
+
+    fqdn = config.networking.domain;
+    domains = with my.domain; [azahi gondor rohan shire];
+
+    localDnsResolver = false;
+
+    certificateScheme = 1;
+    certificateFile = "${cert.directory}/fullchain.pem";
+    keyFile = "${cert.directory}/key.pem";
+
+    lmtpSaveToDetailMailbox = "no";
+
+    loginAccounts = with my.domain; {
+      "azahi@${shire}" = {
+        hashedPassword = "@HASHED_PASSWORD@";
+        aliases = [
+          "@${azahi}"
+          "@${rohan}"
+          "@${gondor}"
+          "abuse@${shire}"
+          "admin@${shire}"
+          "ceo@${shire}"
+          "postmaster@${shire}"
+        ];
+      };
+      "samwise@${shire}" = {
+        hashedPassword = "@HASHED_PASSWORD@";
+        aliases = ["chad@${shire}"];
+        quota = "1G";
+      };
+      "pippin@${shire}" = {
+        hashedPassword = "@HASHED_PASSWORD@";
+        quota = "1G";
+      };
+      "meriadoc@${shire}" = {
+        hashedPassword = "@HASHED_PASSWORD@";
+        quota = "1G";
+      };
+    };
+  };
+
+  services.fail2ban.jails = {
+    dovecot = ''
+      enabled = true
+      mode = aggressive
+    '';
+    postfix = ''
+      enabled = true
+      mode = aggressive
+    '';
+  };
+}
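Review bot: The four `hashedPassword = "@HASHED_PASSWORD@"` values on L355, L367, L372 and L376 are literal placeholders, while the DKIM private keys in the same file (L308–L333) are delivered through the `secrets` mechanism; if a pre-evaluation step substitutes the placeholder, nothing in this hunk records that, and if it does not, the accounts ship with an unusable hash that also ends up in the world-readable Nix store. simple-nixos-mailserver exposes `hashedPasswordFile` per login account, so the hashes can be declared like the DKIM keys and referenced by path, e.g. `hashedPasswordFile = <path of the secret as exposed by the secrets module>;` — the exact attribute is not visible here. A one-line comment naming whichever mechanism fills the placeholder would be the minimum, e.g. `# @HASHED_PASSWORD@ is replaced by <tool> before evaluation; see <location>.`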
diff --git a/nixosConfigurations/manwe/webserver.nix b/nixosConfigurations/manwe/webserver.nix
new file mode 100644
index 0000000..4dded7e
--- /dev/null
+++ b/nixosConfigurations/manwe/webserver.nix
@@ -0,0 +1,23 @@
+{
+  inputs,
+  lib,
+  ...
+}:
+with lib; {
+  nixfiles.modules.nginx.virtualHosts = with my.domain;
+    {
+      ${shire}.locations."/".return = "301 https://www.youtube.com/watch?v=dQw4w9WgXcQ";
+      "git.${shire}".locations."/".return = "301 https://git.${azahi}";
+      "bitwarden.${shire}".locations."/".return = "301 https://vaultwarden.${shire}";
+      ${azahi} = {
+        serverAliases = ["frodo.${gondor}" "frodo.${rohan}"];
+        locations."/".root = inputs.azahi-cc;
+      };
+    }
+    // (let
+      frodo = "301 https://frodo.";
+    in {
+      ${gondor}.locations."/".return = concatStrings [frodo gondor];
+      ${rohan}.locations."/".return = concatStrings [frodo rohan];
+    });
+}
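Review bot: The `let frodo = "301 https://frodo."; in …` block with `concatStrings` on L415–L420 is a roundabout way to build two redirect strings that the first half of the same attrset writes with plain interpolation (L408, L409). Inlining them, `${gondor}.locations."/".return = "301 https://frodo.${gondor}";` and `${rohan}.locations."/".return = "301 https://frodo.${rohan}";`, removes the `//` merge and the `let` and reads the same way as the lines above it. The `inputs.azahi-cc` root on L412 serves a flake input straight from the store, which is fine for a static site but deserves a short comment saying so, since the input is not otherwise visible in this hunk.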
diff --git a/nixosConfigurations/melian/default.nix b/nixosConfigurations/melian/default.nix
new file mode 100644
index 0000000..3ba854c
--- /dev/null
+++ b/nixosConfigurations/melian/default.nix
@@ -0,0 +1,108 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+with lib; {
+  nixfiles.modules = {
+    wireguard.client.enable = true;
+
+    syncthing.enable = true;
+
+    bluetooth.enable = true;
+
+    throttled.enable = true;
+  };
+
+  hardware.trackpoint = {
+    enable = true;
+    speed = 500;
+    sensitivity = 250;
+  };
+
+  powerManagement = let
+    modprobe = "${pkgs.kmod}/bin/modprobe";
+  in {
+    enable = true;
+
+    # This fixes an issue with not being able to suspend or wake up from suspend
+    # due to a kernel bug[1].
+    #
+    # [1]: https://bbs.archlinux.org/viewtopic.php?id=270964
+    # [1]: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/522998
+    # [1]: https://bugs.launchpad.net/ubuntu/+source/pm-utils/+bug/562484/comments/3
+    # [1]: https://gist.github.com/ioggstream/8f380d398aef989ac455b93b92d42048
+    powerDownCommands = "${modprobe} -r xhci_pci";
+    powerUpCommands = "${modprobe} xhci_pci";
+  };
+
+  services = {
+    thinkfan = {
+      enable = true;
+
+      settings = {
+        sensors = [
+          {
+            hwmon = "/sys/class/hwmon";
+            name = "coretemp";
+            indices = [1];
+          }
+        ];
+        fans = [{tpacpi = "/proc/acpi/ibm/fan";}];
+        levels = [
+          ["level auto" 0 50]
+          ["level disengaged" 50 32767]
+        ];
+      };
+    };
+
+    fwupd.enable = true;
+  };
+
+  boot = {
+    initrd = {
+      availableKernelModules = [
+        "ahci"
+        "nvme"
+        "sd_mod"
+        "usb_storage"
+        "usbhid"
+        "xhci_pci"
+      ];
+
+      luks.devices."root" = {
+        device = "/dev/disk/by-uuid/c1b46f24-eec0-47d2-a142-75ddfd7bb218";
+        allowDiscards = true;
+        bypassWorkqueues = true;
+      };
+    };
+  };
+
+  fileSystems = {
+    "/boot" = {
+      device = "/dev/disk/by-uuid/1083-C8A0";
+      fsType = "vfat";
+    };
+
+    "/" = {
+      device = "/dev/disk/by-uuid/bb8b09dc-cc67-47e5-8280-532b17a9e62a";
+      fsType = "xfs";
+      options = ["noatime"];
+    };
+  };
+
+  # NOTE This makes hibernation pretty much impossible because the partition is
+  # encrypted.
+  swapDevices = [
+    {
+      device = "/swapfile";
+      size = 8 * 1024;
+    }
+  ];
+
+  zramSwap = {
+    enable = true;
+    memoryPercent = 25;
+  };
+}
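Review bot: The four references on L459–L462 are all labelled `[1]`, although the comment on L457 cites a single `[1]`; renumber them `[1]`–`[4]` and cite `kernel bug[1-4]` so each link is addressable. Separately, `allowDiscards = true` on L503 passes TRIM through dm-crypt, which exposes the free/used block layout of the encrypted root to anyone who can read the raw device; that is a common and reasonable tradeoff for SSD longevity, but the hunk does not record that it was considered. A comment such as `# allowDiscards: TRIM through dm-crypt reveals free-block layout; accepted here for SSD health.` next to L503 would make the decision explicit, and the hibernation remark on L522 could reference it, since both concern what leaks around the encryption layer.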
diff --git a/nixosConfigurations/test-headful/default.nix b/nixosConfigurations/test-headful/default.nix
new file mode 100644
index 0000000..25db8c7
--- /dev/null
+++ b/nixosConfigurations/test-headful/default.nix
@@ -0,0 +1,19 @@
+{lib, ...}:
+with lib; {
+  nixfiles.modules = {
+    dwm.enable = true;
+    kde.enable = false;
+    xmonad.enable = false;
+  };
+
+  boot.loader.systemd-boot.enable = true;
+  fileSystems."/".device = "/dev/null";
+
+  documentation = {
+    enable = mkForce false;
+    man = {
+      enable = mkForce false;
+      man-db.enable = mkForce false;
+    };
+  };
+}
diff --git a/nixosConfigurations/test-headless/default.nix b/nixosConfigurations/test-headless/default.nix
new file mode 100644
index 0000000..919a436
--- /dev/null
+++ b/nixosConfigurations/test-headless/default.nix
@@ -0,0 +1,13 @@
+{lib, ...}:
+with lib; {
+  nixfiles.modules = {
+    endlessh-go.enable = mkForce false;
+    node-exporter.enable = mkForce false;
+    promtail.enable = mkForce false;
+  };
+
+  boot.loader.systemd-boot.enable = true;
+  fileSystems."/".device = "/dev/null";
+
+  documentation.enable = mkForce false;
+}
diff --git a/nixosConfigurations/varda/default.nix b/nixosConfigurations/varda/default.nix
new file mode 100644
index 0000000..5e0914e
--- /dev/null
+++ b/nixosConfigurations/varda/default.nix
@@ -0,0 +1,62 @@
+{
+  lib,
+  this,
+  ...
+}:
+with lib; {
+  nixfiles.modules = {
+    wireguard.client.enable = true;
+
+    acme.enable = true;
+
+    games.minecraft.server = {
+      enable = false; # Disabled because no one is playing now.
+      memory = "6G";
+    };
+  };
+
+  boot = {
+    loader = {
+      efi.canTouchEfiVariables = true;
+
+      systemd-boot = {
+        enable = true;
+        configurationLimit = 10;
+      };
+    };
+
+    initrd.availableKernelModules = [
+      "ata_piix"
+      "sd_mod"
+      "sr_mod"
+      "uhci_hcd"
+      "virtio_pci"
+      "virtio_scsi"
+    ];
+  };
+
+  fileSystems = {
+    "/boot" = {
+      device = "/dev/disk/by-uuid/03FD-B6C0";
+      fsType = "vfat";
+    };
+
+    "/" = {
+      device = "/dev/disk/by-uuid/b07e8273-915a-424c-8c55-cdc2bd482f49";
+      fsType = "xfs";
+      options = ["noatime"];
+    };
+  };
+
+  swapDevices = [
+    {
+      device = "/swapfile";
+      size = 4 * 1024;
+    }
+  ];
+
+  zramSwap = {
+    enable = true;
+    memoryPercent = 25;
+  };
+}
diff --git a/nixosConfigurations/yavanna/default.nix b/nixosConfigurations/yavanna/default.nix
new file mode 100644
index 0000000..e3172a6
--- /dev/null
+++ b/nixosConfigurations/yavanna/default.nix
@@ -0,0 +1,46 @@
+{
+  lib,
+  this,
+  ...
+}:
+with lib; {
+  nixfiles.modules = {
+    wireguard.client.enable = true;
+
+    syncthing.enable = true;
+
+    acme.enable = true;
+
+    rtorrent.enable = true;
+  };
+
+  boot = {
+    loader.grub = {
+      enable = true;
+      device = "/dev/sda";
+    };
+
+    initrd = {
+      availableKernelModules = ["uhci_hcd" "ahci"];
+      kernelModules = ["nvme"];
+    };
+  };
+
+  fileSystems."/" = {
+    device = "/dev/sda1";
+    fsType = "ext4";
+    options = ["noatime"];
+  };
+
+  swapDevices = [
+    {
+      device = "/swapfile";
+      size = 4 * 1024;
+    }
+  ];
+
+  zramSwap = {
+    enable = true;
+    memoryPercent = 25;
+  };
+}
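Review bot: `initrd.kernelModules = ["nvme"]` on L678 force-loads the NVMe driver in the initrd, but the only filesystem is `/dev/sda1` (L683) and the host is composed with `common-pc-hdd` and `qemu-guest` in nixosConfigurations/default.nix (L115–L117), so nothing visible here needs it at boot. If there is an NVMe-backed device on this VPS that `availableKernelModules` does not pick up, a comment on L678 saying which one (e.g. `# nvme: <device> is not detected at boot, see <ticket/note>`) would justify keeping it; otherwise moving `"nvme"` into `availableKernelModules` on L677 keeps the initrd lean without changing what can be mounted.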
