Diffstat (limited to 'hosts')
39 files changed, 654 insertions, 0 deletions
diff --git a/hosts/aptos/default.nix b/hosts/aptos/default.nix
new file mode 100644
index 0000000..04d45ee
--- /dev/null
+++ b/hosts/aptos/default.nix
@@ -0,0 +1,32 @@
+{ config, pkgs, hostname, ... }:
+
+{
+ imports = [ # Include the results of the hardware scan.
+ ./hardware.nix
+ ./sound.nix
+ ./networking.nix
+ ./profile.nix
+ ./home.nix
+ ./services.nix
+ ];
+
+ virtualisation.docker = { enable = true; };
+
+ virtualisation.containerd = {
+ enable = true;
+ settings = {
+ plugins."io.containerd.grpc.v1.cri" = {
+ containerd.snapshotter = "overlayfs";
+ };
+ };
+ };
+
+ # This value determines the NixOS release from which the default
+ # settings for stateful data, like file locations and database versions
+ # on your system were taken. It‘s perfectly fine and recommended to leave
+ # this value at the release version of the first install of this system.
+ # Before changing this value read the documentation for this option
+ # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
+ system.stateVersion = "21.11"; # Did you read the comment?
+}
+
diff --git a/hosts/aptos/hardware.nix b/hosts/aptos/hardware.nix
new file mode 100644
index 0000000..085db9f
--- /dev/null
+++ b/hosts/aptos/hardware.nix
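Review bot: `virtualisation.containerd` with the CRI plugin is enabled right after `virtualisation.docker` in aptos/default.nix, with no comment saying what consumes the second runtime. Docker brings its own containerd, so this adds a second privileged daemon and socket on a laptop; if a CRI client needs it, name it, e.g. `# standalone containerd+CRI for <client>; docker's bundled containerd does not expose CRI by default`, otherwise drop the block. Membership in the docker group is root-equivalent; the user list is outside this hunk, so worth confirming it is limited to the owner.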
@@ -0,0 +1,45 @@
+# Do not modify this file! It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations. Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+ imports = [ (modulesPath + "/installer/scan/not-detected.nix") ];
+
+ boot.initrd.availableKernelModules =
+ [ "xhci_pci" "nvme" "usb_storage" "sd_mod" "rtsx_pci_sdmmc" ];
+ boot.initrd.kernelModules = [ ];
+ boot.extraModulePackages = [ ];
+
+ fileSystems."/" = {
+ device = "/dev/disk/by-uuid/292e07ac-4199-4a97-94a6-bd2fd2a9cf6a";
+ fsType = "btrfs";
+ options = [ "subvol=nixos" ];
+ };
+
+ boot.initrd.luks.devices."system".device =
+ "/dev/disk/by-uuid/c83a8db7-4215-4864-8a46-b8ca839d8c05";
+
+ fileSystems."/home" = {
+ device = "/dev/disk/by-uuid/292e07ac-4199-4a97-94a6-bd2fd2a9cf6a";
+ fsType = "btrfs";
+ options = [ "subvol=home" ];
+ };
+
+ fileSystems."/.snapshots" = {
+ device = "/dev/disk/by-uuid/292e07ac-4199-4a97-94a6-bd2fd2a9cf6a";
+ fsType = "btrfs";
+ options = [ "subvol=snapshots" ];
+ };
+
+ fileSystems."/boot" = {
+ device = "/dev/disk/by-uuid/42D9-6EA8";
+ fsType = "vfat";
+ };
+
+ swapDevices =
+ [{ device = "/dev/disk/by-uuid/24041034-ff39-44bf-a04c-8fd8318b554d"; }];
+
+ my.hardware.intel.enable = true;
+ powerManagement.cpuFreqGovernor = lib.mkDefault "powersave";
+}
diff --git a/hosts/aptos/home.nix b/hosts/aptos/home.nix
new file mode 100644
index 0000000..d7a6545
--- /dev/null
+++ b/hosts/aptos/home.nix
@@ -0,0 +1,14 @@
+{ pkgs, ... }: {
+ my.home = {
+ packages.enable = true;
+ bluetooth.enable = true;
+ element.enable = true;
+ zsh.enable = true;
+ git.enable = true;
+ go.enable = true;
+ python.enable = true;
+ scanner.enable = true;
+ tmux.enable = true;
+ yt-dlp.enable = true;
+ };
+}
diff --git a/hosts/aptos/networking.nix b/hosts/aptos/networking.nix
new file mode 100644
index 0000000..111fbe7
--- /dev/null
+++ b/hosts/aptos/networking.nix
@@ -0,0 +1,38 @@
+{ lib, ... }:
+
+{
+ # Use systemd-networkd for networking
+ systemd.network = {
+ enable = true;
+ networks = {
+ wlan0 = {
+ matchConfig.Name = "wlan0";
+ networkConfig = { DHCP = "yes"; };
+ extraConfig = ''
+ [DHCPv4]
+ UseDNS=yes
+ UseDomains=yes
+ '';
+ };
+ };
+ };
+
+ networking = {
+ hostName = "aptos";
+ useNetworkd = true;
+ useDHCP = false;
+ private-wireguard.enable = true;
+ };
+
+ services.nscd.enable = false;
+ system.nssModules = lib.mkForce [ ];
+
+ # Use systemd-resolved
+ services.resolved = {
+ enable = true;
+ dnssec = "false";
+ };
+
+ my.hardware.networking.wireless.enable = true;
+ my.services.tailscale.enable = true;
+}
diff --git a/hosts/aptos/profile.nix b/hosts/aptos/profile.nix
new file mode 100644
index 0000000..4e5b48d
--- /dev/null
+++ b/hosts/aptos/profile.nix
@@ -0,0 +1,14 @@
+{ ... }: {
+
+ # Install tools related to the scanner (scanimage etc)
+ hardware.sane.enable = true;
+
+ my.profiles = {
+ # Laptop specific configuration
+ laptop.enable = true;
+ bluetooth.enable = true;
+ desktop.enable = true;
+ multimedia.enable = true;
+ trusted.enable = true;
+ };
+}
diff --git a/hosts/aptos/secrets/gcloud/world-nix.age b/hosts/aptos/secrets/gcloud/world-nix.age
new file mode 100644
index 0000000..a8b51b2
--- /dev/null
+++ b/hosts/aptos/secrets/gcloud/world-nix.age
Binary files differ
diff --git a/hosts/aptos/secrets/restic/repo-users.age b/hosts/aptos/secrets/restic/repo-users.age
new file mode 100644
index 0000000..59c435a
--- /dev/null
+++ b/hosts/aptos/secrets/restic/repo-users.age
@@ -0,0 +1,9 @@
+age-encryption.org/v1 +-> ssh-ed25519 dtgBNg 5MAt41NmpX7UB+6zxI8NHrXpjvsn0iiEaUDwgt4RWDQ +40RuB49FnH8WkPptwfiC4Es5b8JkI5PT6eau0f2wtOI +-> ssh-ed25519 +LF+iw kchufYdtZ4Zp3fT58mFxbe033PLCPHXvMBwdR+xTTFM +Kya9nVBHiVuDD5DJPQfsl3c5V64uCJb2nbPhWfbFqnA +-> '-grease a3~x=^ +bn2D2ZS3fW4a42Au7J95HAQPE9IBGOULmNKH6XFWKNi+BzWiG3yo37MOog +--- jvVR43MbkXMwylmHM3IrKwGjfnL8TdnWRoIrUergBC4 +Us9'`}m)N=~/}TDQMuv$ \ No newline at end of file
diff --git a/hosts/aptos/secrets/secrets.nix b/hosts/aptos/secrets/secrets.nix
new file mode 100644
index 0000000..9e503b2
--- /dev/null
+++ b/hosts/aptos/secrets/secrets.nix
@@ -0,0 +1,28 @@
+let
+ fcuny =
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIdlm/qoR/dnMjZhVSTtqFzkgN3Yf9eQ3pgKMiipg+dl";
+ aptos =
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOTcPGaiL+/Mwl8JzLHrBwas7QvWPjix4lnaAA1tw+5t";
+in {
+ "wireguard_privatekey.age".publicKeys = [ fcuny aptos ];
+
+ "syncthing/key.age" = {
+ publicKeys = [ fcuny aptos ];
+ owner = "fcuny";
+ };
+
+ "syncthing/cert.age" = {
+ publicKeys = [ fcuny aptos ];
+ owner = "fcuny";
+ };
+
+ "restic/repo-users.age" = {
+ publicKeys = [ fcuny aptos ];
+ owner = "fcuny";
+ };
+
+ "gcloud/world-nix.age" = {
+ publicKeys = [ fcuny aptos ];
+ owner = "fcuny";
+ };
+}
diff --git a/hosts/aptos/secrets/syncthing/cert.age b/hosts/aptos/secrets/syncthing/cert.age
new file mode 100644
index 0000000..33c6645
--- /dev/null
+++ b/hosts/aptos/secrets/syncthing/cert.age
Binary files differ
diff --git a/hosts/aptos/secrets/syncthing/key.age b/hosts/aptos/secrets/syncthing/key.age
new file mode 100644
index 0000000..4e5c123
--- /dev/null
+++ b/hosts/aptos/secrets/syncthing/key.age
Binary files differ
diff --git a/hosts/aptos/secrets/wireguard_privatekey.age b/hosts/aptos/secrets/wireguard_privatekey.age
new file mode 100644
index 0000000..17559c3
--- /dev/null
+++ b/hosts/aptos/secrets/wireguard_privatekey.age
@@ -0,0 +1,10 @@
+age-encryption.org/v1 +-> ssh-ed25519 dtgBNg FHZdyNsEtCMF7rNUGO7TauqsMfwDDGwcp9Qm0Ol9e1g +RmWlyqW2jq3WkfRRmbGpaT/gre3ZSqQp4+lYEgXszAM +-> ssh-ed25519 +LF+iw ZmLkAMA1NOAwFMoCa0keA4K8VIo+hnTctFCWVaQbFWI +mm91OaR6HC/W6Wml+AYwnKN1nzOmqt43VpEzv6SYKFE +-> $.%v/-grease R +sVPs8WkXy+KnPioNwaun9oDe6k5ZvDQr7Km/6xIKmrOQkaEzflrLJXgj4GdmByki +KktJM38SRPKiBhW757c +--- Y3jxOsnE/O8pGbt3P85sz1ZQ5uHzmIjozAzSvmhimHA +Vsk¾\븡ФBȴROYxy+!m3;!{HC;A} \ No newline at end of file
diff --git a/hosts/aptos/services.nix b/hosts/aptos/services.nix
new file mode 100644
index 0000000..a2210e2
--- /dev/null
+++ b/hosts/aptos/services.nix
@@ -0,0 +1,19 @@
+{ config, ... }:
+let secrets = config.age.secrets;
+in {
+ my.services = {
+ backup = {
+ enable = true;
+ user = "fcuny";
+ repository = "sftp:192.168.0.107:/data/slow/backups/users/fcuny";
+ exclude = [
+ "/home/fcuny/.cache"
+ "/home/fcuny/downloads"
+ "/home/fcuny/workspace/linux.git"
+ ];
+ timerConfig = { OnCalendar = "06:30"; };
+ passwordFile = secrets."restic/repo-users".path;
+ paths = [ "/home/fcuny" ];
+ };
+ };
+}
diff --git a/hosts/aptos/sound.nix b/hosts/aptos/sound.nix
new file mode 100644
index 0000000..947f9cd
--- /dev/null
+++ b/hosts/aptos/sound.nix
@@ -0,0 +1 @@
+{ ... }: { my.hardware.sound = { pipewire = { enable = true; }; }; }
diff --git a/hosts/carmel/boot.nix b/hosts/carmel/boot.nix
new file mode 100644
index 0000000..606215e
--- /dev/null
+++ b/hosts/carmel/boot.nix
@@ -0,0 +1,14 @@
+{ ... }:
+
+{
+ boot = {
+ # get an IP address on boot, so we can unlock the root disk remotely
+ kernelParams = [ "ip=dhcp" ];
+ initrd = {
+ # driver for the NIC, required in order to get an IP address
+ kernelModules = [ "igb" ];
+ };
+ };
+
+ my.system.boot = { initrd = { network.enable = true; }; };
+}
diff --git a/hosts/carmel/default.nix b/hosts/carmel/default.nix
new file mode 100644
index 0000000..87ad97d
--- /dev/null
+++ b/hosts/carmel/default.nix
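Review bot: the restic backup in aptos/services.nix targets `sftp:192.168.0.107:/data/slow/backups/users/fcuny` with no user and nothing in the module saying how that sftp session is authenticated; if the `my.services.backup` module hands this to restic's sftp backend it will run ssh as `user = "fcuny"`, so the 06:30 timer depends on a key and a known_hosts entry for 192.168.0.107 that live outside this config and would make the non-interactive run fail silently if missing. Suggest pinning that down next to `repository`, e.g. `# sftp auth: fcuny's ssh key + known_hosts entry for 192.168.0.107; timer runs without a tty, so the host key must already be trusted`. The `my.services.backup` module itself is outside this diff, so the ssh assumption is inferred, not confirmed.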
@@ -0,0 +1,23 @@
+{ config, pkgs, hostname, ... }:
+
+{
+ imports = [
+ ./hardware.nix
+ ./boot.nix
+ ./sound.nix
+ ./networking.nix
+ ./home.nix
+ ./profile.nix
+ ];
+
+ hardware.opengl.driSupport = true;
+
+ # This value determines the NixOS release from which the default
+ # settings for stateful data, like file locations and database versions
+ # on your system were taken. It‘s perfectly fine and recommended to leave
+ # this value at the release version of the first install of this system.
+ # Before changing this value read the documentation for this option
+ # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
+ system.stateVersion = "21.11"; # Did you read the comment?
+}
+
diff --git a/hosts/carmel/hardware.nix b/hosts/carmel/hardware.nix
new file mode 100644
index 0000000..aa86049
--- /dev/null
+++ b/hosts/carmel/hardware.nix
@@ -0,0 +1,46 @@
+# Do not modify this file! It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations. Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+ imports = [ (modulesPath + "/installer/scan/not-detected.nix") ];
+
+ boot.initrd.availableKernelModules =
+ [ "nvme" "xhci_pci" "ahci" "usbhid" "usb_storage" "sd_mod" ];
+ boot.initrd.kernelModules = [ ];
+ boot.extraModulePackages = [ ];
+
+ fileSystems."/" = {
+ device = "/dev/disk/by-uuid/7d4e07d8-1104-4ab8-8ead-8ca28da2d344";
+ fsType = "btrfs";
+ options = [ "subvol=nixos" ];
+ };
+
+ boot.initrd.luks.devices."system".device =
+ "/dev/disk/by-uuid/dd1b3673-ece0-49f8-bf71-8cc4e1a06634";
+
+ fileSystems."/home" = {
+ device = "/dev/disk/by-uuid/7d4e07d8-1104-4ab8-8ead-8ca28da2d344";
+ fsType = "btrfs";
+ options = [ "subvol=home" ];
+ };
+
+ fileSystems."/.snapshots" = {
+ device = "/dev/disk/by-uuid/7d4e07d8-1104-4ab8-8ead-8ca28da2d344";
+ fsType = "btrfs";
+ options = [ "subvol=snapshots" ];
+ };
+
+ fileSystems."/boot" = {
+ device = "/dev/disk/by-uuid/7430-1C58";
+ fsType = "vfat";
+ };
+
+ swapDevices =
+ [{ device = "/dev/disk/by-uuid/ebcb04f3-4227-4ec3-af52-bd775ef38027"; }];
+
+ my.hardware.amd.enable = true;
+ # high-resolution display
+ hardware.video.hidpi.enable = lib.mkDefault true;
+}
diff --git a/hosts/carmel/home.nix b/hosts/carmel/home.nix
new file mode 100644
index 0000000..231aebd
--- /dev/null
+++ b/hosts/carmel/home.nix
@@ -0,0 +1,14 @@
+{ pkgs, ... }:
+
+{
+ my.home = {
+ packages.enable = true;
+ zsh.enable = true;
+ git.enable = true;
+ go.enable = true;
+ python.enable = true;
+ scanner.enable = true;
+ tmux.enable = true;
+ yt-dlp.enable = true;
+ };
+}
diff --git a/hosts/carmel/networking.nix b/hosts/carmel/networking.nix
new file mode 100644
index 0000000..8ad9d3e
--- /dev/null
+++ b/hosts/carmel/networking.nix
@@ -0,0 +1,35 @@
+{ lib, ... }:
+
+{
+ # Use systemd-networkd for networking
+ systemd.network = {
+ enable = true;
+ networks = {
+ enp9s0 = {
+ matchConfig.Name = "enp9s0";
+ networkConfig = { DHCP = "yes"; };
+ extraConfig = ''
+ [DHCPv4]
+ UseDNS=yes
+ UseDomains=yes
+ '';
+ };
+ };
+ };
+
+ services.nscd.enable = false;
+ system.nssModules = lib.mkForce [ ];
+
+ # Use systemd-resolved
+ services.resolved = {
+ enable = true;
+ dnssec = "false";
+ };
+
+ networking = {
+ hostName = "carmel";
+ useNetworkd = true;
+ useDHCP = false;
+ private-wireguard.enable = true;
+ };
+}
diff --git a/hosts/carmel/profile.nix b/hosts/carmel/profile.nix
new file mode 100644
index 0000000..6174a60
--- /dev/null
+++ b/hosts/carmel/profile.nix
@@ -0,0 +1,5 @@
+{ ... }:
+
+{
+ my.profiles.desktop.enable = true;
+}
diff --git a/hosts/carmel/sound.nix b/hosts/carmel/sound.nix
new file mode 100644
index 0000000..947f9cd
--- /dev/null
+++ b/hosts/carmel/sound.nix
@@ -0,0 +1 @@
+{ ... }: { my.hardware.sound = { pipewire = { enable = true; }; }; }
diff --git a/hosts/tahoe/boot.nix b/hosts/tahoe/boot.nix
new file mode 100644
index 0000000..f013f34
--- /dev/null
+++ b/hosts/tahoe/boot.nix
@@ -0,0 +1,17 @@
+{ ... }:
+
+{
+ boot = {
+ # get an IP address on boot, so we can unlock the root disk remotely
+ kernelParams = [ "ip=dhcp" ];
+ initrd = {
+ # driver for the NIC, required in order to get an IP address
+ kernelModules = [ "r8169" ];
+ };
+ };
+
+ my.system.boot = {
+ tmp = { clean = true; };
+ initrd = { network.enable = true; };
+ };
+}
diff --git a/hosts/tahoe/default.nix b/hosts/tahoe/default.nix
new file mode 100644
index 0000000..1998a51
--- /dev/null
+++ b/hosts/tahoe/default.nix
@@ -0,0 +1,22 @@
+{ config, pkgs, hostname, ... }:
+
+{
+ imports =
+ [ ./boot.nix ./hardware.nix ./networking.nix ./home.nix ./services.nix ];
+
+ users.groups.nas.gid = 5000;
+ users.users.nas = {
+ uid = 5000;
+ group = "nas";
+ isSystemUser = true;
+ };
+
+ # This value determines the NixOS release from which the default
+ # settings for stateful data, like file locations and database versions
+ # on your system were taken. It‘s perfectly fine and recommended to leave
+ # this value at the release version of the first install of this system.
+ # Before changing this value read the documentation for this option
+ # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
+ system.stateVersion = "21.11"; # Did you read the comment?
+}
+
diff --git a/hosts/tahoe/hardware.nix b/hosts/tahoe/hardware.nix
new file mode 100644
index 0000000..ab08490
--- /dev/null
+++ b/hosts/tahoe/hardware.nix
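Review bot: the `nas` user and group with fixed uid/gid 5000 in tahoe/default.nix carry no comment saying what they own or which service runs as them; the public samba shares under /data/fast in tahoe/services.nix look like the consumer, but that is a guess from names. A one-liner such as `# fixed uid/gid so ownership of /data/fast/* survives reinstalls; used by <consumer>` would save the next reader the hunt and makes it obvious when the account can be removed.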
@@ -0,0 +1,63 @@
+# Do not modify this file! It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations. Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+ imports = [ (modulesPath + "/installer/scan/not-detected.nix") ];
+
+ boot.initrd.availableKernelModules =
+ [ "xhci_pci" "ahci" "nvme" "usbhid" "usb_storage" "sd_mod" ];
+ boot.initrd.kernelModules = [ ];
+ boot.extraModulePackages = [ ];
+
+ fileSystems."/" = {
+ device = "/dev/disk/by-uuid/128c2a5e-48f6-4d94-b196-fb5db500b36d";
+ fsType = "btrfs";
+ options = [ "subvol=nixos" ];
+ };
+
+ boot.initrd.luks.devices."system".device =
+ "/dev/disk/by-uuid/0d11e090-d88f-4313-8a41-8ef52eea0870";
+
+ fileSystems."/home" = {
+ device = "/dev/disk/by-uuid/128c2a5e-48f6-4d94-b196-fb5db500b36d";
+ fsType = "btrfs";
+ options = [ "subvol=home" ];
+ };
+
+ fileSystems."/.snapshots" = {
+ device = "/dev/disk/by-uuid/128c2a5e-48f6-4d94-b196-fb5db500b36d";
+ fsType = "btrfs";
+ options = [ "subvol=snapshots" ];
+ };
+
+ fileSystems."/boot" = {
+ device = "/dev/disk/by-uuid/CBB9-B788";
+ fsType = "vfat";
+ };
+
+ fileSystems."/data/fast" = {
+ device = "/dev/disk/by-uuid/b9290b55-8ff6-4bd0-843d-a9e6f7a4df59";
+ fsType = "btrfs";
+ };
+
+ boot.initrd.luks.devices."raid-fast".device =
+ "/dev/disk/by-uuid/66c58a92-45fe-4b03-9be0-214ff67c177c";
+
+ fileSystems."/data/slow" = {
+ device = "/dev/disk/by-uuid/0f16db51-0ee7-48d8-9e48-653b85ecbf0a";
+ fsType = "btrfs";
+ };
+
+ boot.initrd.luks.devices."raid-slow".device =
+ "/dev/disk/by-uuid/d8b21267-d457-4522-91d9-5481b44dd0a5";
+
+ swapDevices =
+ [{ device = "/dev/disk/by-uuid/0f54b5ab-4fca-4c5a-a9eb-622553145163"; }];
+
+ my.hardware.amd.enable = true;
+
+ # high-resolution display
+ hardware.video.hidpi.enable = lib.mkDefault true;
+}
diff --git a/hosts/tahoe/home.nix b/hosts/tahoe/home.nix
new file mode 100644
index 0000000..2e56275
--- /dev/null
+++ b/hosts/tahoe/home.nix
@@ -0,0 +1,17 @@
+{ pkgs, ... }:
+
+{
+ my.home = {
+ packages = { enable = true; };
+ tmux.enable = true;
+ git.enable = true;
+ ssh.enable = true;
+ zsh.enable = true;
+ beets = {
+ enable = true;
+ musicDirectory = "/data/fast/music";
+ };
+ flac.enable = true;
+ yt-dlp.enable = true;
+ };
+}
diff --git a/hosts/tahoe/networking.nix b/hosts/tahoe/networking.nix
new file mode 100644
index 0000000..22a7251
--- /dev/null
+++ b/hosts/tahoe/networking.nix
@@ -0,0 +1,38 @@
+{ lib, ... }:
+
+{
+ # Use systemd-networkd for networking
+ systemd.network = {
+ enable = true;
+ networks = {
+ enp42s0 = {
+ matchConfig.Name = "enp42s0";
+ networkConfig = { DHCP = "yes"; };
+ extraConfig = ''
+ [DHCPv4]
+ UseDNS=yes
+ UseDomains=yes
+ '';
+ };
+ };
+ };
+
+ networking = {
+ hostName = "tahoe";
+ useNetworkd = true;
+ useDHCP = false;
+ private-wireguard.enable = true;
+ firewall.enable = false;
+ };
+
+ services.nscd.enable = false;
+ system.nssModules = lib.mkForce [ ];
+
+ # Use systemd-resolved
+ services.resolved = {
+ enable = true;
+ dnssec = "false";
+ };
+
+ my.services.tailscale.enable = true;
+}
diff --git a/hosts/tahoe/secrets/acme/credentials.age b/hosts/tahoe/secrets/acme/credentials.age
new file mode 100644
index 0000000..1a3f92f
--- /dev/null
+++ b/hosts/tahoe/secrets/acme/credentials.age
Binary files differ
diff --git a/hosts/tahoe/secrets/acme/gcp_service_account.json.age b/hosts/tahoe/secrets/acme/gcp_service_account.json.age
new file mode 100644
index 0000000..d90b0e5
--- /dev/null
+++ b/hosts/tahoe/secrets/acme/gcp_service_account.json.age
Binary files differ
diff --git a/hosts/tahoe/secrets/drone/secrets.age b/hosts/tahoe/secrets/drone/secrets.age
new file mode 100644
index 0000000..618bbc6
--- /dev/null
+++ b/hosts/tahoe/secrets/drone/secrets.age
Binary files differ
diff --git a/hosts/tahoe/secrets/drone/shared-secrets b/hosts/tahoe/secrets/drone/shared-secrets
new file mode 100644
index 0000000..47612be
--- /dev/null
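Review bot: `firewall.enable = false;` in tahoe/networking.nix switches off the host-wide default-deny on the one machine this commit loads with samba, transmission, gerrit, drone, grafana and more (tahoe/services.nix), so whatever those modules bind on all interfaces is reachable from the LAN regardless of the nginx vhosts in front of them; aptos and carmel keep the firewall on. Prefer leaving it enabled and opening ports per service, or scoping exposure to the overlay with `networking.firewall.trustedInterfaces` and per-interface `networking.firewall.interfaces.<iface>.allowedTCPPorts`. If it genuinely has to be off, a comment on this line stating why would at least make the decision auditable.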
+++ b/hosts/tahoe/secrets/drone/shared-secrets
@@ -0,0 +1,5 @@
+DRONE_GITEA_CLIENT_ID=21ef7412-a58a-493c-beec-2e1dc27ebe79
+DRONE_GITEA_CLIENT_SECRET=GCXGi97PXxAoMTpHveMtNJXDyzdvI8jeC0TaEtCgpPab
+DRONE_GITEA_SERVER=https://git.fcuny.net
+DRONE_GIT_ALWAYS_AUTH=1
+DRONE_RPC_SECRET=d3daa6782d0f4ed66f7f557fa384ff8f
diff --git a/hosts/tahoe/secrets/rclone/config.ini.age b/hosts/tahoe/secrets/rclone/config.ini.age
new file mode 100644
index 0000000..1c4f7c0
--- /dev/null
+++ b/hosts/tahoe/secrets/rclone/config.ini.age
@@ -0,0 +1,11 @@
+age-encryption.org/v1 +-> ssh-ed25519 dtgBNg flk9dqXjiNJJcadn58Tkra0KoYp7ALlogSgryrOukns +Ha4UVvpR4xcYuf5zKPhStkghZby7SrDk+bwvHvO/j00 +-> ssh-ed25519 wtownA Ml9OWVPS8ikt2baMVaM7B4r/vi0tTaKTt+TmbZhr7xg +8kuan5CA93vCAyOclC+RX/RCh7G1XbTqLuGvg04mqLA +-> 7-grease +mfeTWZr97OI6k9CBqi+VbmiuNRc6wZHlonUnGS+b20UKp+ZfGjmczrvPeV7VhqH/ +4SPz9GwCWlJkJAtyPhfjb8X+2VJMxRTpLNfGn4WtADb151GQ +--- B/G2/6lOCuA82g23qiyi3ESh80fo1ejwKjTsw/wcDXA +51m[BL(FSFkrIWCq ]%dC1cYE';b,$32S^2(Wqy,W%gU2&{U#u읧F8 +|r \ No newline at end of file
diff --git a/hosts/tahoe/secrets/rclone/gcs_service_account.json.age b/hosts/tahoe/secrets/rclone/gcs_service_account.json.age
new file mode 100644
index 0000000..ff5260f
--- /dev/null
+++ b/hosts/tahoe/secrets/rclone/gcs_service_account.json.age
Binary files differ
diff --git a/hosts/tahoe/secrets/restic/repo-systems.age b/hosts/tahoe/secrets/restic/repo-systems.age
new file mode 100644
index 0000000..cd39590
--- /dev/null
+++ b/hosts/tahoe/secrets/restic/repo-systems.age
@@ -0,0 +1,9 @@
+age-encryption.org/v1 +-> ssh-ed25519 dtgBNg I6aC5eB9FuJuQh0qEtjJ6Ho6UrybXBCIqeqErJtsOEc +uo23S1l1Fb2G+vG7GI7Nc+SPCl3d0Obc3tHPeDESAuw +-> ssh-ed25519 wtownA NoFRHiQRgQrHmTLJ5wi/rORy4J1Wf4iU6Hr+FlaFfyE +gZsVc9ptglFYrvE4gRl+L/RpkB9uVDOeAr3z9Dk4J4I +-> Pz-grease +iWN7 +--- t14q3Wr5y4TZFZmwGEf6ARvo63x2AEQhU4tnhdRrLa0 +S+sHt=@}CѦO{<jM=;*+9tٱ&:4 \ No newline at end of file
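Review bot: `hosts/tahoe/secrets/drone/shared-secrets` is committed in plaintext while every other secret in this tree is age-encrypted, and `drone/secrets.age` (the file tahoe/services.nix actually reads via `secrets."drone/secrets".path`) looks like its encrypted form, so this is most likely the unencrypted source left behind; `DRONE_GITEA_CLIENT_SECRET` and `DRONE_RPC_SECRET` are now in git history for anyone with read access. Remove the file from the tree, and because a later deletion does not scrub history, treat both values as compromised: issue a fresh Gitea OAuth client secret and Drone RPC secret, re-encrypt them into `drone/secrets.age`, and redeploy. An ignore rule for anything under `secrets/` that is not `*.age` or `*.nix` would stop the next accidental add.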
diff --git a/hosts/tahoe/secrets/secrets.nix b/hosts/tahoe/secrets/secrets.nix
new file mode 100644
index 0000000..01ff035
--- /dev/null
+++ b/hosts/tahoe/secrets/secrets.nix
@@ -0,0 +1,36 @@
+let
+ fcuny_aptos =
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIdlm/qoR/dnMjZhVSTtqFzkgN3Yf9eQ3pgKMiipg+dl";
+ tahoe =
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEq1IQRvj2jofCHOO6M28w2SRdgtHU06NJvwAwv/b69F";
+ all = [ fcuny_aptos tahoe ];
+in {
+ "wireguard_privatekey.age".publicKeys = all;
+
+ "acme/credentials.age".publicKeys = all;
+ "acme/gcp_service_account.json.age" = {
+ publicKeys = all;
+ owner = "acme";
+ };
+
+ "drone/secrets.age" = {
+ publicKeys = all;
+ owner = "drone";
+ };
+
+ "syncthing/key.age" = {
+ publicKeys = all;
+ owner = "fcuny";
+ };
+
+ "syncthing/cert.age" = {
+ publicKeys = all;
+ owner = "fcuny";
+ };
+
+ "unifi/unifi-poller.age".publicKeys = all;
+
+ "restic/repo-systems.age".publicKeys = all;
+ "rclone/config.ini.age".publicKeys = all;
+ "rclone/gcs_service_account.json.age".publicKeys = all;
+}
diff --git a/hosts/tahoe/secrets/syncthing/cert.age b/hosts/tahoe/secrets/syncthing/cert.age
new file mode 100644
index 0000000..aceb120
--- /dev/null
+++ b/hosts/tahoe/secrets/syncthing/cert.age
Binary files differ
diff --git a/hosts/tahoe/secrets/syncthing/key.age b/hosts/tahoe/secrets/syncthing/key.age
new file mode 100644
index 0000000..8c22933
--- /dev/null
+++ b/hosts/tahoe/secrets/syncthing/key.age
@@ -0,0 +1,10 @@
+age-encryption.org/v1 +-> ssh-ed25519 dtgBNg ChSBoRw7XwKHqNfO43UkA1mL3gYzVrt9u2CYpxw6oSI +witLAp/ilF/wcWnGx0QReqe7mBdR3lZspzOjpEpMi1I +-> ssh-ed25519 wtownA NdY9VIDwwMlAfw39yIMsAGUMIRghUOBWlZ4ham9DRSc +HucEPuec5Y3MGvp3kIZa/NFWxSGPhL01qE1P4L24P8g +-> 2/x-grease Op@o& x +u7C9+kZlujVO76tqT07yS+pYtUa7lyTu4ksZeXhTlgAGP59Zl5tq7DkT +--- ddK2/N4jHQ2jB1nvuQWfElP+LR+pgQW0Ozzc3n7FhSs +<Yv(3yܲđk*r '-+wnv0|*@-Rԙ*rg[$f]X6+M6nsuD`=V{Àw2E?"yWWXP2spang?<su=rEhb^`1VX;gv˜ףp#U4@;kTô+btv5I"N1mh!8T``v[$ +:痙uj0cS(GVqtem+T>vRI \ No newline at end of file
diff --git a/hosts/tahoe/secrets/traefik/gcp_service_account.json.age b/hosts/tahoe/secrets/traefik/gcp_service_account.json.age
new file mode 100644
index 0000000..0f99905
--- /dev/null
+++ b/hosts/tahoe/secrets/traefik/gcp_service_account.json.age
Binary files differ
diff --git a/hosts/tahoe/secrets/unifi/unifi-poller.age b/hosts/tahoe/secrets/unifi/unifi-poller.age
new file mode 100644
index 0000000..4fb0e7f
--- /dev/null
+++ b/hosts/tahoe/secrets/unifi/unifi-poller.age
@@ -0,0 +1,10 @@
+age-encryption.org/v1 +-> ssh-ed25519 dtgBNg uqkCRrdoOMyrsbpfK8+7LwHZ9HAtZVmPMDHMT24mHXk +BooBKT31kAEjWOHvx5B4g82R/Wl6f/1kp0BiEn6X6jE +-> ssh-ed25519 wtownA 7TZMv8CNmwIbYh6tHu5hzI+YmXem+u6Ni4dJ8brAyj4 +CUPF2SgqA/Rz9bnA2w1jvoZpWKTmFrKYACySbzXHrqU +-> *"=7-grease >"jI\ )%!Hr*2 }Br{nQX +Zo1RbBeC8QYmLO7rPbQCxe0YUGCYsf5xN4lXpqBNS42ZPg/oeIE1ZvYTU47p5SbE +CjuxcicfzgPApwp8o9s +--- M8GY2JUWDT87vxiZ4RrYjJp6yUW6Gz993Ens/65PPQo +~smwai!=Iy>F}Sb*.1&Kc \ No newline at end of file
diff --git a/hosts/tahoe/secrets/wireguard_privatekey.age b/hosts/tahoe/secrets/wireguard_privatekey.age
new file mode 100644
index 0000000..edd8bee
--- /dev/null
+++ b/hosts/tahoe/secrets/wireguard_privatekey.age
@@ -0,0 +1,11 @@
+age-encryption.org/v1 +-> ssh-ed25519 dtgBNg qNmKLv3MGfcZrBGuX3/+WlJh/2W7ailKCl1XwC1Dczk +6Z5ZsPmBsDVIn/CTAgujuuQMc9UgYsjOU2FjcXOgzXM +-> ssh-ed25519 wtownA reQNIQYlaC/rWXO791VWzwdlSXe+Vo1dBU/yVLYEmhI +0kZxEr3DfYTSl2F0UzuZkHLWq/BGd1XqBddEl4Ml9SQ +-> kQ-grease Q^i|R~ &PWMBI U3Y<>Kji +pSfA5OfoiOKuMhBIgliAdmVPAQg97f9ZiNUABNP8KFzZiaGY9D1Co9rkkvOA97LR +rl3U8SfGb+RUyFB5lQZBkvH1tgz9GbakV2rRhZNGjabLO6V7NEVFa4ka3ODL4rlS +ggM +--- Yds61EVDl84C0IbJCRO5CRatN76JPxSauRkm8Ui8L4U +ZFΎĀ <ܠ0X}l!+P&,:y!ZGd!vkhL;8MnvGlFJ0! \ No newline at end of file
diff --git a/hosts/tahoe/services.nix b/hosts/tahoe/services.nix
new file mode 100644
index 0000000..e665b15
--- /dev/null
+++ b/hosts/tahoe/services.nix
@@ -0,0 +1,57 @@
+{ config, ... }:
+let secrets = config.age.secrets;
+in {
+ my.services = {
+ samba = {
+ enable = true;
+ publicShares = [ "/data/fast/music" "/data/fast/videos" ];
+ };
+ navidrome = {
+ enable = true;
+ vhostName = "music.fcuny.xyz";
+ musicFolder = "/data/fast/music";
+ };
+ unifi = {
+ enable = true;
+ vhostName = "unifi.fcuny.xyz";
+ };
+ prometheus = { enable = true; };
+ grafana = {
+ enable = true;
+ vhostName = "dash.fcuny.xyz";
+ };
+ cgit = {
+ enable = true;
+ };
+ gerrit = {
+ enable = true;
+ vhostName = "cl.fcuny.net";
+ };
+ sourcegraph = {
+ enable = true;
+ vhostName = "cs.fcuny.xyz";
+ };
+ drone = {
+ enable = true;
+ vhostName = "drone.fcuny.xyz";
+ runners = [ "docker" "exec" ];
+ sharedSecretFile = secrets."drone/secrets".path;
+ };
+ rclone = { enable = true; };
+ nginx = { enable = true; };
+ transmission = {
+ enable = true;
+ vhostName = "bt.fcuny.xyz";
+ };
+ metrics-exporter = { enable = true; };
+ syncthing.enable = true;
+ backup = {
+ enable = true;
+ repository = "/data/slow/backups/systems";
+ timerConfig = { OnCalendar = "00:15"; };
+ passwordFile = secrets."restic/repo-systems".path;
+ paths =
+ [ "/home" "/data/fast/music" "/data/fast/photos" "/data/fast/videos" ];
+ };
+ };
+} |
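Review bot: `runners = [ "docker" "exec" ];` in the drone block of tahoe/services.nix enables the exec runner, which executes pipeline steps directly on tahoe under the runner's account rather than in a container, on the same host that holds the samba shares, the restic repository under /data/slow and the age secrets this file wires in; any repository permitted to trigger builds on this Drone therefore gets host-level code execution. If a particular pipeline needs exec, say which and why, e.g. `# "exec" runner is unsandboxed on this host — needed only for <pipeline>; keep the allowed-repo list tight`, otherwise keep docker only. Separately, `samba.publicShares` exposes /data/fast/music and /data/fast/videos to guests; whether those are read-only is decided by the `my.services.samba` module, which is outside this diff, so worth confirming.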