Diffstat (limited to 'modules/hosts')
-rw-r--r--modules/hosts/ltrr-block/age.nix10
-rw-r--r--modules/hosts/ltrr-block/configuration.nix467
-rw-r--r--modules/hosts/ltrr-block/disk-config.nix39
-rw-r--r--modules/hosts/ltrr-block/hardware-configuration.nix32
-rw-r--r--modules/hosts/ltrr-block/secrets/cwa.env.agebin0 -> 821 bytes
-rw-r--r--modules/hosts/ltrr-block/secrets/explo.env.agebin0 -> 3721 bytes
-rw-r--r--modules/hosts/ltrr-block/secrets/navidrome.env.agebin0 -> 351 bytes
-rw-r--r--modules/hosts/ltrr-block/secrets/rekeyed/1c8822a2f185737c765ae9a5ce0d3879-soularr-config.agebin0 -> 2790 bytes
-rw-r--r--modules/hosts/ltrr-block/secrets/rekeyed/550a141b44c76106807b541c1987996b-wg-priv-key.age8
-rw-r--r--modules/hosts/ltrr-block/secrets/rekeyed/9288d02fd4269798567444d076247538-explo-env.agebin0 -> 3760 bytes
-rw-r--r--modules/hosts/ltrr-block/secrets/rekeyed/939083f61f3167ef5aff27bdba700e8e-xray-config.agebin0 -> 1750 bytes
-rw-r--r--modules/hosts/ltrr-block/secrets/rekeyed/d5f4d0c5c7b3217d008be68e8ad757e8-navidrome-env.age7
-rw-r--r--modules/hosts/ltrr-block/secrets/rekeyed/e9669da1b38fb37ba09edf8fdeafc4de-slskd-env.agebin0 -> 507 bytes
-rw-r--r--modules/hosts/ltrr-block/secrets/slskd.env.agebin0 -> 491 bytes
-rw-r--r--modules/hosts/ltrr-block/secrets/soularr.conf.agebin0 -> 2711 bytes
-rw-r--r--modules/hosts/ltrr-block/secrets/transmission-settings.json.age8
-rw-r--r--modules/hosts/ltrr-block/secrets/wg-priv.key.agebin0 -> 294 bytes
-rw-r--r--modules/hosts/ltrr-block/secrets/xray.json.agebin0 -> 1752 bytes
-rw-r--r--modules/hosts/ltrr-cloud/age.nix10
-rw-r--r--modules/hosts/ltrr-cloud/configuration.nix345
-rw-r--r--modules/hosts/ltrr-cloud/disk-config.nix56
-rw-r--r--modules/hosts/ltrr-cloud/secrets/authelia-jwt.key.agebin0 -> 473 bytes
-rw-r--r--modules/hosts/ltrr-cloud/secrets/authelia-storage.key.agebin0 -> 464 bytes
-rw-r--r--modules/hosts/ltrr-cloud/secrets/rekeyed/97c2df6cc789b9e8ced5811bfa43d3f8-authelia-jwt.age8
-rw-r--r--modules/hosts/ltrr-cloud/secrets/rekeyed/98c1b723eb9ef4334c5a90c456a33743-wg-priv-key.age7
-rw-r--r--modules/hosts/ltrr-cloud/secrets/rekeyed/ab2826e18d1b8ee845f01ac87f5dd6ea-authelia-storage.age8
-rw-r--r--modules/hosts/ltrr-cloud/secrets/wg-priv.key.agebin0 -> 392 bytes
-rw-r--r--modules/hosts/ltrr-mask/configuration.nix125
-rw-r--r--modules/hosts/ltrr-mask/disk-config.nix56
29 files changed, 1186 insertions, 0 deletions
diff --git a/modules/hosts/ltrr-block/age.nix b/modules/hosts/ltrr-block/age.nix
new file mode 100644
index 0000000..e22263b
--- /dev/null
+++ b/modules/hosts/ltrr-block/age.nix
@@ -0,0 +1,10 @@
+{inputs, ...}: {
+ flake.nixosModules.ltrr-block = {
+ age.rekey = {
+ hostPubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINe2bfzslwh9DwNXopmaiRKVNQMIQNuMlP/jJCDrwSbc";
+ masterIdentities = ["/home/jerpo/.config/age/keys.txt"];
+ storageMode = "local";
+ localStorageDir = ./. + "/secrets/rekeyed";
+ };
+ };
+}
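Review bot: `masterIdentities` is written as a string, which is what keeps the master key file out of the Nix store, but nothing in the file says so. A short comment would stop a later edit from turning it into a path literal, e.g. `# keep as a string: a path literal would copy the master key into the world-readable store`. The `inputs` argument is not used in this file. Both remarks apply equally to modules/hosts/ltrr-cloud/age.nix in this commit.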
diff --git a/modules/hosts/ltrr-block/configuration.nix b/modules/hosts/ltrr-block/configuration.nix
new file mode 100644
index 0000000..5ee4711
--- /dev/null
+++ b/modules/hosts/ltrr-block/configuration.nix
@@ -0,0 +1,467 @@
+{
+ inputs,
+ self,
+ ...
+}: {
+ flake.nixosConfigurations.ltrr-block = inputs.nixpkgs-stable.lib.nixosSystem {
+ modules = [
+ self.nixosModules.ltrr-block
+ ];
+ };
+
+ flake.nixosModules.ltrr-block = {
+ modulesPath,
+ pkgs,
+ config,
+ ...
+ }: let
+ domain = "kcu.su";
+ in {
+ imports = [
+ (modulesPath + "/installer/scan/not-detected.nix")
+ (modulesPath + "/profiles/qemu-guest.nix")
+
+ self.nixosModules.nginxProxy
+ self.nixosModules.directories
+ self.nixosModules.booklore
+ self.nixosModules.watcharr
+
+ inputs.disko.nixosModules.disko
+ self.diskoConfigurations.ltrr-block
+
+ inputs.agenix.nixosModules.default
+ inputs.agenix-rekey.nixosModules.default
+ ];
+
+ nixpkgs = {
+ config.allowUnfree = true;
+ overlays = [
+ self.overlays.unstable-packages
+ ];
+ };
+
+ boot.loader.grub = {
+ efiSupport = true;
+ efiInstallAsRemovable = true;
+ };
+
+ services.openssh = {
+ enable = true;
+ settings.PasswordAuthentication = false;
+ };
+
+ environment.systemPackages = with pkgs; [
+ curl
+ gitMinimal
+ ];
+
+ users.users = {
+ root = {
+ openssh.authorizedKeys.keys = [
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDJ8UW1BXDGDmlaiARO3a9boTG8wknUyITMz0Z0OJpHx spleefer6@yandex.ru"
+ ];
+ };
+ };
+
+ users.users.mc = {
+ isNormalUser = true;
+ packages = with pkgs; [
+ steamcmd
+ tmux
+ steam-run
+ ];
+ };
+
+ users.users.files = {
+ isNormalUser = true;
+ group = "files";
+ uid = 1000;
+ linger = true;
+ extraGroups = [
+ "music"
+ "images"
+ ];
+ };
+
+ users.groups.music = {
+ gid = 991;
+ };
+
+ createPaths."/srv/files" = {
+ owner = "files";
+ permissions = "0770";
+ group = "files";
+ subPaths = {
+ "music".group = "music";
+ "images".group = "images";
+ };
+ };
+
+ networking.hostName = "ltrr-block";
+ networking.firewall = {
+ allowedTCPPorts = [80 5030 2049 25565];
+ allowedUDPPorts = [51820 16261 16262];
+ };
+
+ security.acme = {
+ acceptTerms = true;
+ defaults.email = "notspl3g+acme@duck.com";
+ };
+
+ nginxProxy = {
+ enable = true;
+ domain = domain;
+
+ recommendedProxySettings = false;
+ subdomains = {
+ "slskd" = {
+ proxyPass = "http://127.0.0.1:${toString config.services.slskd.settings.web.port}";
+ proxyWebsockets = true;
+ };
+ "immich" = {
+ proxyPass = "http://localhost:${toString config.services.immich.port}";
+ proxyWebsockets = true;
+ recommendedProxySettings = true;
+ extraConfig = ''
+ client_max_body_size 50000M;
+ proxy_read_timeout 600s;
+ proxy_send_timeout 600s;
+ send_timeout 600s;
+ '';
+ };
+
+ "music".proxyPass = "http://127.0.0.1:5692";
+ "navidrome".proxyPass = "http://127.0.0.1:4533";
+ "files".proxyPass = "http://127.0.0.1:${toString config.services.filebrowser.settings.port}";
+ "track".proxyPass = "http://127.0.0.1:7093";
+ "tube".proxyPass = "http://127.0.0.1:5410";
+ "torrents".proxyPass = "http://127.0.0.1:7317";
+ "jellyfin".proxyPass = "http://127.0.0.1:8096";
+ "lidarr" = {
+ proxyPass = "http://127.0.0.1:8686";
+ proxyWebsockets = true;
+ };
+
+ "prowlarr".proxyPass = "http://127.0.0.1:9696";
+ "shelfmark".proxyPass = "http://127.0.0.1:8084";
+ };
+ };
+
+ age.secrets.wg-priv-key = {
+ rekeyFile = ./secrets/wg-priv.key.age;
+ };
+
+ networking.wg-quick = {
+ interfaces.wg0 = {
+ address = ["10.1.1.2/32"];
+ listenPort = 51820;
+
+ privateKeyFile = config.age.secrets.wg-priv-key.path;
+
+ peers = [
+ {
+ endpoint = "${domain}:51820";
+ publicKey = "1RwEOL8br97Mujhz3fkfYKcxUFNHYAmt5JbWTbR3ihE=";
+ allowedIPs = ["10.1.1.1/32"];
+ persistentKeepalive = 25;
+ }
+ ];
+ };
+ };
+
+ services.tailscale.enable = true;
+
+ users.users.filebrowser.extraGroups = ["music" "images"];
+ systemd.services.filebrowser.serviceConfig.SupplementaryGroups = ["music" "images"];
+ services.filebrowser = {
+ enable = true;
+ group = "files";
+ settings = {
+ root = "/srv/files";
+ port = 9337;
+ };
+ };
+
+ systemd.tmpfiles.rules = [
+ "d /srv/files/slskd 0770 slskd music"
+ "d /opt/traggo/data"
+ "d /var/lib/traggo"
+ ];
+ users.users.slskd.extraGroups = ["files"];
+ age.secrets.slskd-env = {
+ rekeyFile = ./secrets/slskd.env.age;
+ };
+ systemd.services.slskd.serviceConfig.UMask = 0002;
+ services.slskd = {
+ enable = true;
+ environmentFile = config.age.secrets.slskd-env.path;
+ group = "music";
+ settings = {
+ shares = {
+ directories = ["/srv/files/music"];
+ filters = ["explo"];
+ };
+ directories.downloads = "/srv/files/slskd";
+ permissions.file.mode = 770;
+ web.authentication.api_keys = {
+ arr = {
+ key = "mahChufaeweipemeeheexaoDahchohZi";
+ cidr = "127.0.0.1/32";
+ };
+ };
+ };
+ openFirewall = true;
+ domain = null;
+ };
+
+ users.users.jellyfin.extraGroups = ["files"];
+ services.jellyfin = {
+ enable = true;
+ };
+
+ createPaths."/srv/files/torrents" = {
+ owner = "files";
+ group = "files";
+ permissions = "0770";
+ subPaths = {
+ "incomplete" = {};
+ "completed" = {};
+ };
+ };
+
+ users.users.lidarr.extraGroups = ["files"];
+ services.lidarr = {
+ enable = true;
+ group = "music";
+ };
+
+ services.prowlarr = {
+ enable = true;
+ };
+
+ services.qbittorrent = {
+ enable = true;
+ user = "files";
+ group = "files";
+ webuiPort = 7317;
+ serverConfig = {
+ Preferences = {
+ WebUI = {
+ Enabled = "true";
+ Username = "spl3g";
+ Password_PBKDF2 = "@ByteArray(drq4VxxcJLLK0Bma9mxUeg==:47J+BVdVlmpJt0Hb9LqiAj6rTK3ZlFPvy00PdGPtmeXO7SslNg/4Uej7Vmwn3+oFPuE1q/9tm1z1UogfopREUQ==)";
+ };
+ Downloads = {
+ SavePath = "/srv/files/torrents/complete/";
+ TempPathEnabled = "true";
+ TempPath = "/srv/files/torrents/incomplete/";
+ };
+ };
+ };
+ };
+
+ createPaths."/var/lib/soularr" = {
+ owner = "slskd";
+ group = "slskd";
+ permissions = "0770";
+ };
+ age.secrets.soularr-config = {
+ rekeyFile = ./secrets/soularr.conf.age;
+ owner = "slskd";
+ group = "music";
+ };
+ virtualisation.oci-containers.containers.soularr = {
+ image = "mrusse08/soularr:latest";
+ environment = {
+ TZ = "Asia/Yekaterinburg";
+ SCRIPT_INTERVAL = "300";
+ };
+ # slskd:music
+ user = "991:991";
+ volumes = [
+ "/srv/files/slskd:/downloads"
+ "/var/lib/soularr:/data"
+ "${config.age.secrets.soularr-config.path}:/data/config.ini"
+ ];
+ networks = [
+ "host"
+ ];
+ };
+
+ createPaths."/srv/files/explo" = {
+ owner = "files";
+ group = "music";
+ permissions = "0770";
+ };
+ age.secrets.explo-env = {
+ rekeyFile = ./secrets/explo.env.age;
+ owner = "files";
+ group = "music";
+ };
+ # TODO: write a module for explo
+ virtualisation.oci-containers.containers.explo = {
+ image = "ghcr.io/lumepart/explo:latest";
+ volumes = [
+ "${config.age.secrets.explo-env.path}:/opt/explo/.env"
+ "/srv/files/explo:/data/"
+ "/srv/files/slskd:/slskd/"
+ ];
+ environment = {
+ EXECUTE_ON_START = "true";
+ };
+ networks = [
+ "host"
+ ];
+ # files:music
+ extraOptions = [
+ "--uidmap=0:1000:1"
+ "--gidmap=0:991:1"
+ "--uidmap=1:100000:65535"
+ "--gidmap=1:100000:65535"
+ ];
+ };
+
+ age.secrets.navidrome-env = {
+ rekeyFile = ./secrets/navidrome.env.age;
+ };
+ users.users.navidrome.extraGroups = ["files" "music"];
+ systemd.services.navidrome.serviceConfig.BindReadOnlyPaths = ["/srv/files/explo"];
+ services.navidrome = {
+ enable = true;
+ package = pkgs.unstable.navidrome;
+ settings = {
+ BaseUrl = "https://navidrome.${domain}";
+ MusicFolder = "/srv/files/music";
+ PlaylistsPath = "playlists";
+ Scanner.PurgeMissing = "always";
+ EnableSharing = true;
+ };
+ environmentFile = config.age.secrets.navidrome-env.path;
+ };
+
+ age.secrets.xray-config = {
+ rekeyFile = ./secrets/xray.json.age;
+ };
+ services.xray = {
+ enable = true;
+ settingsFile = config.age.secrets.xray-config.path;
+ };
+
+ services.invidious = {
+ enable = true;
+ address = "127.0.0.1";
+ port = 5410;
+ domain = "tube.${domain}";
+ settings = {
+ http_proxy = {
+ host = "127.0.0.1";
+ port = 10801;
+ user = "";
+ password = "";
+ };
+ };
+ };
+
+ virtualisation.oci-containers.backend = "podman";
+ virtualisation.oci-containers.containers.aonsoku = {
+ image = "ghcr.io/victoralvesf/aonsoku:latest";
+ ports = [
+ "127.0.0.1:5692:8080"
+ ];
+ environment = {
+ SERVER_URL = "https://navidrome.${domain}";
+ HIDE_SERVER = "true";
+ };
+ };
+
+ users.groups.books = {
+ gid = 1001;
+ };
+ createPaths."/srv/files/books" = {
+ owner = "files";
+ group = "books";
+ permissions = "0770";
+ subPaths = {
+ "/library" = {};
+ "/bookdrop" = {};
+ };
+ };
+
+ createPaths."/var/lib/cwa" = {
+ owner = "files";
+ group = "books";
+ permissions = "0750";
+ };
+
+ # age.secrets.cwa-env = {
+ # rekeyFile = ./secrets/cwa.env.age;
+ # };
+ # virtualisation.oci-containers.containers.cwa = {
+ # image = "ghcr.io/crocodilestick/calibre-web-automated:latest";
+ # environmentFiles = [
+ # config.age.secrets.cwa-env.path
+ # ];
+ # environment = {
+ # TZ = "Europe/Moscow";
+ # PUID = "1000";
+ # PGID = "1001";
+ # };
+ # ports = [
+ # "127.0.0.1:8083:8083"
+ # ];
+ # volumes = [
+ # "/srv/files/books:/calibre-library"
+ # "/srv/files/books/injest:/cwa-book-ingest"
+ # "/var/lib/cwa:/config"
+ # ];
+ # };
+
+ createPaths."/var/lib/shelfmark" = {
+ owner = "files";
+ group = "books";
+ permissions = "0750";
+ };
+
+ virtualisation.oci-containers.containers.shelfmark = {
+ image = "ghcr.io/calibrain/shelfmark:latest";
+ environment = {
+ PUID = "1000";
+ PGID = "1001";
+ };
+
+ ports = [
+ "127.0.0.1:8084:8084"
+ ];
+
+ volumes = [
+ "/srv/files/books/injest:/books"
+ "/var/lib/shelfmark:/config"
+ ];
+ networks = [
+ "host"
+ ];
+ };
+ services.booklore = {
+ enable = true;
+ subdomain = "books";
+ uid = "1000";
+ gid = "1001";
+ settings = {
+ timezone = "Europe/Yekaterinburg";
+ booksDir = "/srv/files/books/library";
+ bookdropDir = "/srv/files/books/injest";
+ };
+ };
+
+ services.watcharr = {
+ enable = true;
+ subdomain = "watched";
+ };
+
+ services.immich = {
+ enable = true;
+ };
+
+ system.stateVersion = "24.05";
+ };
+}
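Review bot: Two credentials are committed in clear text in this new file, outside the agenix flow used for every other secret: the slskd API key under `web.authentication.api_keys.arr.key` and the qBittorrent `Password_PBKDF2` value under `serverConfig.Preferences.WebUI`. Both end up in the world-readable Nix store and in the repository history, so the key should be rotated and supplied from an age secret (the `slskd-env` environment file is already wired in, if slskd accepts the key there), and the password hash provisioned the same way rather than inlined. Separately, `allowedTCPPorts = [80 5030 2049 25565]` opens port 80 on every interface although the proxied traffic appears to arrive over `wg0`; `networking.firewall.interfaces.wg0.allowedTCPPorts = [80];` would scope it, and 5030 (which looks like the slskd web port that nginx already fronts) and 2049 (no matching service is declared in this file) are worth dropping or documenting. The qBittorrent `SavePath` ends in `complete/` while `createPaths."/srv/files/torrents"` declares a `completed` subpath, so one of the two is probably a typo.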
diff --git a/modules/hosts/ltrr-block/disk-config.nix b/modules/hosts/ltrr-block/disk-config.nix
new file mode 100644
index 0000000..52c5070
--- /dev/null
+++ b/modules/hosts/ltrr-block/disk-config.nix
@@ -0,0 +1,39 @@
+{
+ flake.diskoConfigurations.ltrr-block = {
+ disko.devices = {
+ disk = {
+ main = {
+ device = "/dev/sdb";
+ type = "disk";
+ content = {
+ type = "gpt";
+ partitions = {
+ boot = {
+ size = "1M";
+ type = "EF02";
+ };
+ ESP = {
+ size = "1G";
+ type = "EF00";
+ content = {
+ type = "filesystem";
+ format = "vfat";
+ mountpoint = "/boot";
+ mountOptions = ["umask=0077"];
+ };
+ };
+ root = {
+ size = "100%";
+ content = {
+ type = "filesystem";
+ format = "ext4";
+ mountpoint = "/";
+ };
+ };
+ };
+ };
+ };
+ };
+ };
+ };
+}
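Review bot: `device = "/dev/sdb"` is a kernel-assigned name that can change between boots or when another disk is attached, and disko partitions and formats whatever that name points to. A persistent path such as `device = "/dev/disk/by-id/<DISK-ID>";` (placeholder; take the real id from the target machine) is the safer choice for a destructive layout like this one.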
diff --git a/modules/hosts/ltrr-block/hardware-configuration.nix b/modules/hosts/ltrr-block/hardware-configuration.nix
new file mode 100644
index 0000000..ed72c61
--- /dev/null
+++ b/modules/hosts/ltrr-block/hardware-configuration.nix
@@ -0,0 +1,32 @@
+# Do not modify this file! It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations. Please make changes
+# to /etc/nixos/configuration.nix instead.
+{
+ flake.nixosModules.ltrr-block = {
+ config,
+ lib,
+ pkgs,
+ modulesPath,
+ ...
+ }: {
+ imports = [
+ (modulesPath + "/installer/scan/not-detected.nix")
+ ];
+
+ boot.initrd.availableKernelModules = ["ehci_pci" "ata_piix" "xhci_pci" "usbhid" "usb_storage" "sd_mod"];
+ boot.initrd.kernelModules = [];
+ boot.kernelModules = [];
+ boot.extraModulePackages = [];
+
+ # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+ # (the default) this is the recommended approach. When using systemd-networkd it's
+ # still possible to use this option, but it's recommended to use it in conjunction
+ # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
+ networking.useDHCP = lib.mkDefault true;
+ # networking.interfaces.eno1.useDHCP = lib.mkDefault true;
+ # networking.interfaces.enp0s29u1u3.useDHCP = lib.mkDefault true;
+
+ nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+ hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+ };
+}
diff --git a/modules/hosts/ltrr-block/secrets/cwa.env.age b/modules/hosts/ltrr-block/secrets/cwa.env.age
new file mode 100644
index 0000000..25e9486
--- /dev/null
+++ b/modules/hosts/ltrr-block/secrets/cwa.env.age
Binary files differ
diff --git a/modules/hosts/ltrr-block/secrets/explo.env.age b/modules/hosts/ltrr-block/secrets/explo.env.age
new file mode 100644
index 0000000..1c0f605
--- /dev/null
+++ b/modules/hosts/ltrr-block/secrets/explo.env.age
Binary files differ
diff --git a/modules/hosts/ltrr-block/secrets/navidrome.env.age b/modules/hosts/ltrr-block/secrets/navidrome.env.age
new file mode 100644
index 0000000..5a6b99d
--- /dev/null
+++ b/modules/hosts/ltrr-block/secrets/navidrome.env.age
Binary files differ
diff --git a/modules/hosts/ltrr-block/secrets/rekeyed/1c8822a2f185737c765ae9a5ce0d3879-soularr-config.age b/modules/hosts/ltrr-block/secrets/rekeyed/1c8822a2f185737c765ae9a5ce0d3879-soularr-config.age
new file mode 100644
index 0000000..608846d
--- /dev/null
+++ b/modules/hosts/ltrr-block/secrets/rekeyed/1c8822a2f185737c765ae9a5ce0d3879-soularr-config.age
Binary files differ
diff --git a/modules/hosts/ltrr-block/secrets/rekeyed/550a141b44c76106807b541c1987996b-wg-priv-key.age b/modules/hosts/ltrr-block/secrets/rekeyed/550a141b44c76106807b541c1987996b-wg-priv-key.age
new file mode 100644
index 0000000..52a14bd
--- /dev/null
+++ b/modules/hosts/ltrr-block/secrets/rekeyed/550a141b44c76106807b541c1987996b-wg-priv-key.age
@@ -0,0 +1,8 @@
+age-encryption.org/v1
+-> ssh-ed25519 ptoveQ ulI09UBOLtapH3caDEteDd52zftMg/7xb9XT2N643A4
+JxzMCCqoLhPIuF7uas7xs1FhX3oqwm11a4r7mV56aiw
+-> pXy7_[-grease H=# dQnNDe%G ] o
+bT0nTM57IpqunS1CNyc/DXpM3f5L3n1887I++YtmrFZQEiU5liKv8Kr+aUD6lK7N
+S44U1Z0Y3VmTeWbN1iV0f5KMk2ZIFXtdjf1kw5JGfFWWVoGXJAxQuQ
+--- 522Kc0bJO1nPQ7bKfYj2+dNqArZpWbwGHRQCLnjbspI
+vν1PʾPMqkI6!vj/)/OZhGxnUš9cL \ No newline at end of file
diff --git a/modules/hosts/ltrr-block/secrets/rekeyed/9288d02fd4269798567444d076247538-explo-env.age b/modules/hosts/ltrr-block/secrets/rekeyed/9288d02fd4269798567444d076247538-explo-env.age
new file mode 100644
index 0000000..c11aa4a
--- /dev/null
+++ b/modules/hosts/ltrr-block/secrets/rekeyed/9288d02fd4269798567444d076247538-explo-env.age
Binary files differ
diff --git a/modules/hosts/ltrr-block/secrets/rekeyed/939083f61f3167ef5aff27bdba700e8e-xray-config.age b/modules/hosts/ltrr-block/secrets/rekeyed/939083f61f3167ef5aff27bdba700e8e-xray-config.age
new file mode 100644
index 0000000..7cba65e
--- /dev/null
+++ b/modules/hosts/ltrr-block/secrets/rekeyed/939083f61f3167ef5aff27bdba700e8e-xray-config.age
Binary files differ
diff --git a/modules/hosts/ltrr-block/secrets/rekeyed/d5f4d0c5c7b3217d008be68e8ad757e8-navidrome-env.age b/modules/hosts/ltrr-block/secrets/rekeyed/d5f4d0c5c7b3217d008be68e8ad757e8-navidrome-env.age
new file mode 100644
index 0000000..954c2bb
--- /dev/null
+++ b/modules/hosts/ltrr-block/secrets/rekeyed/d5f4d0c5c7b3217d008be68e8ad757e8-navidrome-env.age
@@ -0,0 +1,7 @@
+age-encryption.org/v1
+-> ssh-ed25519 ptoveQ OduiFfXpTXdPiFhmwROVjOSFSPSE8ViVFKpDKbkU4GA
+SOtXYB7vqxYAdiZ81YkQJPU+EBljy8q/5xfUwkQE9FA
+-> GPDe-grease
+tK3q1L/lU2oMO9AzA2cfa5OE36z3x2YCGAu5SVyajQ
+--- Y//hhULEy1uzl/p289AiDRGKFuR4GufSVa48rrgD8Ck
+&o$)ʓ\StkಚJ+J=}a8~ҪCY*O@%:<x !V8eOȁnOwmMԊߔ`m-V,8y TDFjM 2߃U \ No newline at end of file
diff --git a/modules/hosts/ltrr-block/secrets/rekeyed/e9669da1b38fb37ba09edf8fdeafc4de-slskd-env.age b/modules/hosts/ltrr-block/secrets/rekeyed/e9669da1b38fb37ba09edf8fdeafc4de-slskd-env.age
new file mode 100644
index 0000000..37adc46
--- /dev/null
+++ b/modules/hosts/ltrr-block/secrets/rekeyed/e9669da1b38fb37ba09edf8fdeafc4de-slskd-env.age
Binary files differ
diff --git a/modules/hosts/ltrr-block/secrets/slskd.env.age b/modules/hosts/ltrr-block/secrets/slskd.env.age
new file mode 100644
index 0000000..1744660
--- /dev/null
+++ b/modules/hosts/ltrr-block/secrets/slskd.env.age
Binary files differ
diff --git a/modules/hosts/ltrr-block/secrets/soularr.conf.age b/modules/hosts/ltrr-block/secrets/soularr.conf.age
new file mode 100644
index 0000000..d02e1c7
--- /dev/null
+++ b/modules/hosts/ltrr-block/secrets/soularr.conf.age
Binary files differ
diff --git a/modules/hosts/ltrr-block/secrets/transmission-settings.json.age b/modules/hosts/ltrr-block/secrets/transmission-settings.json.age
new file mode 100644
index 0000000..f9811c4
--- /dev/null
+++ b/modules/hosts/ltrr-block/secrets/transmission-settings.json.age
@@ -0,0 +1,8 @@
+age-encryption.org/v1
+-> X25519 OUnJLswhrEjV/CylaDqKGX/VqhxhepjCt458Gk0wBgE
+AN2//RRPB5aF+UMSF7ezSXza3t1dr6AGuTGhVzkDitM
+-> 2f#v;H-grease dJa
+ErP6N46d+W72CKSHEbgxzWSiCjN7VM0unjwAE/LWLXt+GNUGEN3I+DaPTWf46v05
+EA
+--- URehB3fPuN8jXQoFfe2YZTyT6gZVs44slp/F7pXBYXM
+=T̈` AMwƗ{ #荂w֬5Ԫ@A܇91{,k{B͆HfSn^;Lew`W41K>hfY \ No newline at end of file
diff --git a/modules/hosts/ltrr-block/secrets/wg-priv.key.age b/modules/hosts/ltrr-block/secrets/wg-priv.key.age
new file mode 100644
index 0000000..7ea39e9
--- /dev/null
+++ b/modules/hosts/ltrr-block/secrets/wg-priv.key.age
Binary files differ
diff --git a/modules/hosts/ltrr-block/secrets/xray.json.age b/modules/hosts/ltrr-block/secrets/xray.json.age
new file mode 100644
index 0000000..f50d67b
--- /dev/null
+++ b/modules/hosts/ltrr-block/secrets/xray.json.age
Binary files differ
diff --git a/modules/hosts/ltrr-cloud/age.nix b/modules/hosts/ltrr-cloud/age.nix
new file mode 100644
index 0000000..80232d7
--- /dev/null
+++ b/modules/hosts/ltrr-cloud/age.nix
@@ -0,0 +1,10 @@
+{inputs, ...}: {
+ flake.nixosModules.ltrr-cloud = {
+ age.rekey = {
+ hostPubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGkmaIw2J4H6lWDVnopnUKQuQMJuQf5VMoC1/YwCuhAb";
+ masterIdentities = ["/home/jerpo/.config/age/keys.txt"];
+ storageMode = "local";
+ localStorageDir = ./. + "/secrets/rekeyed";
+ };
+ };
+}
diff --git a/modules/hosts/ltrr-cloud/configuration.nix b/modules/hosts/ltrr-cloud/configuration.nix
new file mode 100644
index 0000000..34a74e0
--- /dev/null
+++ b/modules/hosts/ltrr-cloud/configuration.nix
@@ -0,0 +1,345 @@
+{
+ inputs,
+ self,
+ ...
+}: {
+ flake.nixosConfigurations.ltrr-cloud = inputs.nixpkgs-stable.lib.nixosSystem {
+ modules = [
+ self.nixosModules.ltrr-cloud
+ ];
+ };
+
+ flake.nixosModules.ltrr-cloud = {
+ modulesPath,
+ config,
+ lib,
+ pkgs,
+ ...
+ }: let
+ domain = "kcu.su";
+ in {
+ imports = [
+ (modulesPath + "/installer/scan/not-detected.nix")
+ (modulesPath + "/profiles/qemu-guest.nix")
+ "${inputs.nixpkgs}/nixos/modules/services/networking/headscale.nix"
+
+ self.nixosModules.nginxProxy
+ self.nixosModules.directories
+
+ inputs.disko.nixosModules.disko
+ self.diskoConfigurations.ltrr-cloud
+
+ inputs.agenix.nixosModules.default
+ inputs.agenix-rekey.nixosModules.default
+ ];
+ nixpkgs.hostPlatform = "x86_64-linux";
+
+ disabledModules = ["services/networking/headscale.nix"];
+
+ nixpkgs.overlays = [
+ self.overlays.unstable-packages
+ ];
+
+ boot.loader.grub = {
+ efiSupport = true;
+ efiInstallAsRemovable = true;
+ };
+
+ networking = {
+ interfaces.ens3 = {
+ ipv4.addresses = [
+ {
+ address = "194.156.117.206";
+ prefixLength = 32;
+ }
+ ];
+ };
+ defaultGateway = {
+ address = "100.100.1.1";
+ interface = "ens3";
+ };
+ };
+
+ networking.nameservers = ["8.8.8.8" "1.1.1.1"];
+
+ networking.useDHCP = lib.mkDefault false;
+
+ networking.hostName = "ltrr-cloud";
+
+ services.openssh = {
+ enable = true;
+ };
+
+ environment.systemPackages = map lib.lowPrio [
+ pkgs.curl
+ pkgs.gitMinimal
+ ];
+
+ users.users = {
+ root = {
+ openssh.authorizedKeys.keys = [
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDJ8UW1BXDGDmlaiARO3a9boTG8wknUyITMz0Z0OJpHx spleefer6@yandex.ru"
+ ];
+ };
+ };
+
+ swapDevices = [
+ {
+ device = "/var/lib/swapfile";
+ size = 2 * 1024;
+ }
+ ];
+
+ networking.nat = {
+ enable = true;
+ externalInterface = "ens3";
+ internalInterfaces = ["wg0"];
+ };
+
+ age.secrets.wg-priv-key = {
+ rekeyFile = ./secrets/wg-priv.key.age;
+ };
+ networking.wg-quick = {
+ interfaces.wg0 = {
+ address = ["10.1.1.1/32"];
+ listenPort = 51820;
+
+ privateKeyFile = config.age.secrets.wg-priv-key.path;
+
+ preUp = ''
+ sysctl -w net.ipv4.ip_forward=1
+ # 16261
+ iptables -t nat -I PREROUTING 1 -i ens3 -p udp --dport 16261 -j DNAT --to-destination 10.1.1.2:16261
+ iptables -A FORWARD -p udp -d 10.1.1.2 --dport 16261 -j ACCEPT
+ iptables -t nat -A POSTROUTING -o wg0 -p udp --dport 16261 -d 10.1.1.2 -j MASQUERADE
+
+ # 16262
+ iptables -t nat -I PREROUTING 1 -i ens3 -p udp --dport 16262 -j DNAT --to-destination 10.1.1.2:16262
+ iptables -A FORWARD -p udp -d 10.1.1.2 --dport 16262 -j ACCEPT
+ iptables -t nat -A POSTROUTING -o wg0 -p udp --dport 16262 -d 10.1.1.2 -j MASQUERADE
+ '';
+ postDown = ''
+ # 16261
+ iptables -t nat -D PREROUTING -i ens3 -p udp --dport 16261 -j DNAT --to-destination 10.1.1.2:16261
+ iptables -D FORWARD -p udp -d 10.1.1.2 --dport 16261 -j ACCEPT
+ iptables -t nat -D POSTROUTING -o wg0 -p udp --dport 16261 -d 10.1.1.2 -j MASQUERADE
+
+ # 16262
+ iptables -t nat -D PREROUTING -i ens3 -p udp --dport 16262 -j DNAT --to-destination 10.1.1.2:16262
+ iptables -D FORWARD -p udp -d 10.1.1.2 --dport 16262 -j ACCEPT
+ iptables -t nat -D POSTROUTING -o wg0 -p udp --dport 16262 -d 10.1.1.2 -j MASQUERADE
+ '';
+
+ peers = [
+ {
+ allowedIPs = ["10.1.1.2/32"];
+ publicKey = "kzXzxJu1AdcRI5UwtGOrN6WuTZYqJo++PYRrXdOu/lY=";
+ persistentKeepalive = 25;
+ }
+ ];
+ };
+ };
+
+ networking.firewall.allowedTCPPorts = [80 443 25565];
+ networking.firewall.allowedUDPPorts = [51820 16261 16262];
+
+ services.fail2ban = {
+ enable = true;
+ ignoreIP = [
+ "10.0.0.0/8"
+ ];
+ bantime = "24h";
+ bantime-increment = {
+ enable = true;
+ multipliers = "1 2 4 8 16 32 64";
+ maxtime = "168h";
+ overalljails = true;
+ };
+
+ jails = {
+ nginx-http-auth.settings = {
+ enabled = true;
+ port = "http,https";
+ logpath = "/var/log/nginx/*.log";
+ backend = "auto";
+ };
+ nginx-botsearch.settings = {
+ enabled = true;
+ port = "http,https";
+ logpath = "/var/log/nginx/*.log";
+ backend = "auto";
+ };
+ nginx-bad-request.settings = {
+ enabled = true;
+ port = "http,https";
+ logpath = "/var/log/nginx/*.log";
+ backend = "auto";
+ };
+ };
+ };
+
+ security.acme = {
+ acceptTerms = true;
+ defaults.email = "notspl3g+acme@duck.com";
+ };
+
+ nginxProxy = {
+ enable = true;
+ acme.enable = true;
+
+ inherit domain;
+ subdomains = {
+ "headscale" = {
+ proxyPass = "http://127.0.0.1:8768";
+ proxyWebsockets = true;
+ recommendedProxySettings = true;
+ };
+ "uptime" = {
+ proxyPass = "http://127.0.0.1:8762";
+ proxyWebsockets = true;
+ recommendedProxySettings = true;
+ };
+ "monitor" = {
+ proxyPass = "http://127.0.0.1:8090";
+ };
+ "auth".proxyPass = "http://127.0.0.1:9091";
+ };
+
+ extraVirtualHosts = {
+ "kcu.su" = {
+ forceSSL = true;
+ enableACME = true;
+ locations."/apple" = {
+ root = "/var/www";
+ };
+ locations."/" = {
+ return = 444;
+ };
+ };
+
+ "_".locations = {
+ "/" = {
+ return = 444;
+ };
+ };
+ };
+
+ home = let
+ homeConfig = self.nixosConfigurations.ltrr-block.config;
+ in {
+ subdomains = homeConfig.nginxProxy.subdomains;
+ url = "http://10.1.1.2";
+ };
+ };
+
+ age.secrets.authelia-jwt = {
+ rekeyFile = ./secrets/authelia-jwt.key.age;
+ owner = "authelia-kcu";
+ group = "authelia-kcu";
+ };
+ age.secrets.authelia-storage = {
+ rekeyFile = ./secrets/authelia-storage.key.age;
+ owner = "authelia-kcu";
+ group = "authelia-kcu";
+ };
+ services.authelia.instances.kcu = {
+ enable = true;
+ secrets = {
+ jwtSecretFile = config.age.secrets.authelia-jwt.path;
+ storageEncryptionKeyFile = config.age.secrets.authelia-storage.path;
+ };
+ settings = {
+ authentication_backend = {
+ file = {
+ path = "/var/lib/authelia-kcu/users_database.yml";
+ };
+ };
+
+ storage = {
+ local = {};
+ };
+
+ access_control = {
+ default_policy = "deny";
+ rules = [
+ {
+ domain = ["auth.${domain}"];
+ policy = "bypass";
+ }
+ {
+ domain = ["*.${domain}"];
+ policy = "one_factor";
+ }
+ ];
+ };
+
+ session = {
+ name = "authelia_session";
+ expiration = "12h";
+ inactivity = "45m";
+ cookies = [
+ {
+ inherit domain;
+ authelia_url = "https://auth.kcu.su";
+ }
+ ];
+ };
+
+ storage = {
+ local = {
+ path = "/var/lib/authelia-kcu/db.sqlite3";
+ };
+ };
+
+ notifier = {
+ disable_startup_check = false;
+ filesystem = {
+ filename = "/var/lib/authelia-kcu/notification.txt";
+ };
+ };
+ };
+ };
+
+ services.headscale = {
+ enable = true;
+ package = pkgs.headscale;
+ port = 8768;
+ settings = {
+ server_url = "https://headscale.${domain}:443";
+ dns = {
+ base_domain = "ts.net";
+ nameservers.global = ["8.8.8.8"];
+ magicdns = true;
+ };
+ };
+ };
+
+ createPaths = {
+ "/var/lib/uptime-kuma" = {
+ owner = "root";
+ group = "root";
+ };
+ };
+ virtualisation.oci-containers.backend = "podman";
+ virtualisation.oci-containers.containers = {
+ "uptime-kuma" = {
+ image = "louislam/uptime-kuma:2";
+ volumes = [
+ "/var/lib/uptime-kuma:/app/data"
+ ];
+ ports = [
+ "127.0.0.1:8762:3001"
+ ];
+ capabilities = {
+ NET_RAW = true;
+ };
+ };
+ };
+
+ services.beszel.hub = {
+ enable = true;
+ };
+
+ system.stateVersion = "24.05";
+ };
+}
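Review bot: `services.openssh` here only sets `enable = true`, whereas ltrr-block and ltrr-mask in this same commit also set `settings.PasswordAuthentication = false`. This is the host with a statically assigned public address, so the same line belongs here: `settings.PasswordAuthentication = false;`. In the Authelia settings, `storage` is assigned twice (first `local = {}`, later `local.path = ...`); keeping only the second block would remove the ambiguity about which one is meant to apply.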
diff --git a/modules/hosts/ltrr-cloud/disk-config.nix b/modules/hosts/ltrr-cloud/disk-config.nix
new file mode 100644
index 0000000..f7abadd
--- /dev/null
+++ b/modules/hosts/ltrr-cloud/disk-config.nix
@@ -0,0 +1,56 @@
+{
+ flake.diskoConfigurations.ltrr-cloud = {
+ disko.devices = {
+ disk.disk1 = {
+ device = "/dev/vda";
+ type = "disk";
+ content = {
+ type = "gpt";
+ partitions = {
+ boot = {
+ name = "boot";
+ size = "1M";
+ type = "EF02";
+ };
+ esp = {
+ name = "ESP";
+ size = "500M";
+ type = "EF00";
+ content = {
+ type = "filesystem";
+ format = "vfat";
+ mountpoint = "/boot";
+ };
+ };
+ root = {
+ name = "root";
+ size = "100%";
+ content = {
+ type = "lvm_pv";
+ vg = "pool";
+ };
+ };
+ };
+ };
+ };
+ lvm_vg = {
+ pool = {
+ type = "lvm_vg";
+ lvs = {
+ root = {
+ size = "100%FREE";
+ content = {
+ type = "filesystem";
+ format = "ext4";
+ mountpoint = "/";
+ mountOptions = [
+ "defaults"
+ ];
+ };
+ };
+ };
+ };
+ };
+ };
+ };
+}
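Review bot: The ESP here is mounted at `/boot` with no mount options, while the ltrr-block layout in this commit sets `mountOptions = ["umask=0077"];`. vfat carries no per-file permissions, so without that option everything under /boot is readable by every local user. Adding the same line keeps the hosts consistent; modules/hosts/ltrr-mask/disk-config.nix has the same gap.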
diff --git a/modules/hosts/ltrr-cloud/secrets/authelia-jwt.key.age b/modules/hosts/ltrr-cloud/secrets/authelia-jwt.key.age
new file mode 100644
index 0000000..ecad260
--- /dev/null
+++ b/modules/hosts/ltrr-cloud/secrets/authelia-jwt.key.age
Binary files differ
diff --git a/modules/hosts/ltrr-cloud/secrets/authelia-storage.key.age b/modules/hosts/ltrr-cloud/secrets/authelia-storage.key.age
new file mode 100644
index 0000000..22e9eb5
--- /dev/null
+++ b/modules/hosts/ltrr-cloud/secrets/authelia-storage.key.age
Binary files differ
diff --git a/modules/hosts/ltrr-cloud/secrets/rekeyed/97c2df6cc789b9e8ced5811bfa43d3f8-authelia-jwt.age b/modules/hosts/ltrr-cloud/secrets/rekeyed/97c2df6cc789b9e8ced5811bfa43d3f8-authelia-jwt.age
new file mode 100644
index 0000000..3fdbf7c
--- /dev/null
+++ b/modules/hosts/ltrr-cloud/secrets/rekeyed/97c2df6cc789b9e8ced5811bfa43d3f8-authelia-jwt.age
@@ -0,0 +1,8 @@
+age-encryption.org/v1
+-> ssh-ed25519 +W/xBg sJTHHtkYrmAQbKR8ZOdR9K/reO0qeKTL4gsx34pysiY
+iTmPnK/LRYZIgEuq/xtLiQyDMML6hFPO262OdIq8UD8
+-> orB|s|Kd-grease K7 l7hC&yL A^ 6,
+MoHcwp57sM2RWYOYAk8LihPGhPSrmZkUpd3X4eJODfsqfEuJys9ZhKVyr4l4FwzN
+NsQJcBuH1//fXe/P
+--- gku/aoba9gRLFf1wD6rrwogur0EYGovRAybhyr3CLco
+ĩ,y yLۘXP1d(5Xvst6D}S 8ҹ03.XDLQsUEgK4<w [u3BxN'9}z $wF Ŧ^z!lg ńØ $qjP \ No newline at end of file
diff --git a/modules/hosts/ltrr-cloud/secrets/rekeyed/98c1b723eb9ef4334c5a90c456a33743-wg-priv-key.age b/modules/hosts/ltrr-cloud/secrets/rekeyed/98c1b723eb9ef4334c5a90c456a33743-wg-priv-key.age
new file mode 100644
index 0000000..5605e81
--- /dev/null
+++ b/modules/hosts/ltrr-cloud/secrets/rekeyed/98c1b723eb9ef4334c5a90c456a33743-wg-priv-key.age
@@ -0,0 +1,7 @@
+age-encryption.org/v1
+-> ssh-ed25519 +W/xBg HvzCOTiwRSUSNLxgsyBbhWOU7JdVeA0OLMTnHTAXlgE
+v4G1Z3E2H0zzbamMppALx25HeS5rSfM+bJmrbUM+jgs
+-> 6hkBDp}-grease ^w s#u_m8> 1?':qM
+IAyx+VQq7VnSNf2SfqusH0eXFffH
+--- L9C8w8DV9hstoTBd39/zve9OJt4v/vFpIDbRcxUWIeI
+W:l{2u%:Vy/> .H u+AtLȲN ޼뺃 \ No newline at end of file
diff --git a/modules/hosts/ltrr-cloud/secrets/rekeyed/ab2826e18d1b8ee845f01ac87f5dd6ea-authelia-storage.age b/modules/hosts/ltrr-cloud/secrets/rekeyed/ab2826e18d1b8ee845f01ac87f5dd6ea-authelia-storage.age
new file mode 100644
index 0000000..ff31a34
--- /dev/null
+++ b/modules/hosts/ltrr-cloud/secrets/rekeyed/ab2826e18d1b8ee845f01ac87f5dd6ea-authelia-storage.age
@@ -0,0 +1,8 @@
+age-encryption.org/v1
+-> ssh-ed25519 +W/xBg vxOWjAe9E2wVCDSYjJ4FzTb6OJof4BME/a0B2/m7zl8
+2jTCWcg7koRgIOUi2QDKFimbE/Gq+F0CAYmkaBmT51g
+-> eI}jc#W-grease $l&5 718 6%B>X
+miZ+OEV0SD7oYl1tqYpVFzxGhQIvMjDTQ4xRwA8Cu8BNghAwbv2vROant8sjWSsv
+WKkljj4/RH2EU1f0y0b2fIbhF8I
+--- X06G5WHTNau24I+ZT20SebQvbxP7S9zrjbk0FFIPyOE
+L\_@DD=*o>YEak",ś2،Iwb(p4Y' Paj&4-J!lkLV[X"2mqVᷩPNëz"9'I۲*5Z2~zYܸ2 \ No newline at end of file
diff --git a/modules/hosts/ltrr-cloud/secrets/wg-priv.key.age b/modules/hosts/ltrr-cloud/secrets/wg-priv.key.age
new file mode 100644
index 0000000..cd52bb3
--- /dev/null
+++ b/modules/hosts/ltrr-cloud/secrets/wg-priv.key.age
Binary files differ
diff --git a/modules/hosts/ltrr-mask/configuration.nix b/modules/hosts/ltrr-mask/configuration.nix
new file mode 100644
index 0000000..3656016
--- /dev/null
+++ b/modules/hosts/ltrr-mask/configuration.nix
@@ -0,0 +1,125 @@
+{
+ inputs,
+ self,
+ ...
+}: {
+ flake.nixosConfigurations.ltrr-mask = inputs.nixpkgs-stable.lib.nixosSystem {
+ modules = [
+ self.nixosModules.ltrr-mask
+ ];
+ };
+
+ flake.nixosModules.ltrr-mask = {
+ modulesPath,
+ config,
+ lib,
+ pkgs,
+ ...
+ }: let
+ domain = "kcu.su";
+ in {
+ imports = [
+ (modulesPath + "/installer/scan/not-detected.nix")
+ (modulesPath + "/profiles/qemu-guest.nix")
+
+ inputs.disko.nixosModules.disko
+ self.diskoConfigurations.ltrr-mask
+
+ self.nixosModules.nginxProxy
+ ];
+ nixpkgs.hostPlatform = "x86_64-linux";
+
+ boot.loader.grub = {
+ efiSupport = true;
+ efiInstallAsRemovable = true;
+ };
+
+ networking.firewall.allowedTCPPorts = [
+ # http
+ # 80
+ # 443
+
+ # xray
+ 4876
+ 57625
+ 39701
+ 39482
+ ];
+
+ networking.domain = domain;
+ networking.hostName = "ltrr-vpn";
+ networking = {
+ interfaces.ens3 = {
+ ipv4.addresses = [
+ {
+ address = "64.188.126.186";
+ prefixLength = 32;
+ }
+ ];
+ };
+ defaultGateway = {
+ address = "100.64.0.1";
+ interface = "ens3";
+ };
+ };
+
+ networking.useDHCP = lib.mkDefault false;
+
+ networking.nameservers = ["8.8.8.8" "1.1.1.1"];
+
+ services.openssh = {
+ enable = true;
+ settings.PasswordAuthentication = false;
+ };
+
+ environment.systemPackages = map lib.lowPrio [
+ pkgs.curl
+ pkgs.gitMinimal
+ ];
+
+ users.users = {
+ root = {
+ openssh.authorizedKeys.keys = [
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDJ8UW1BXDGDmlaiARO3a9boTG8wknUyITMz0Z0OJpHx spleefer6@yandex.ru"
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPuQVHIGm2bfvhW16ZI/4hDK2X8W+ADbPLXwzKZIYXZL user@LAPTOP-72FMD6D0"
+ ];
+ };
+ };
+
+ nginxProxy = {
+ enable = false;
+ acme.enable = true;
+
+ inherit domain;
+ subdomains = {
+ "xray" = {
+ proxyPass = "http://127.0.0.1:2053";
+
+ extraConfig = "
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header Range $http_range;
+ proxy_set_header If-Range $http_if_range;
+ proxy_redirect off;
+ ";
+ recommendedProxySettings = false;
+ };
+ };
+ };
+
+ virtualisation.oci-containers = {
+ backend = "docker";
+ containers.xui = {
+ image = "ghcr.io/mhsanaei/3x-ui:latest";
+ ports = ["4876:2053" "57625:57625" "39701:39701"];
+ volumes = [
+ "/root/x-ui:/etc/x-ui"
+ ];
+ };
+ };
+
+ system.stateVersion = "24.05";
+ };
+}
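Review bot: The `xui` container publishes `4876:2053` on all interfaces and the firewall opens 4876, while the nginx block that would front `127.0.0.1:2053` with TLS is set to `enable = false`; if 2053 is the management panel, as that proxy config suggests, it is reachable from the internet over plain HTTP. Publishing it as `"127.0.0.1:4876:2053"` and reaching it through the proxy or an SSH tunnel would close that. With `backend = "docker"`, published ports are generally not filtered by the NixOS firewall, so `allowedTCPPorts` should not be treated as the control here, and 39482 is opened without any container in this file publishing it. The image is tracked as `:latest`, so pinning a version or digest would keep a rebuild from silently pulling different code. The second root key (`user@LAPTOP-72FMD6D0`) deserves a comment naming its owner, since it grants root on this host.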
diff --git a/modules/hosts/ltrr-mask/disk-config.nix b/modules/hosts/ltrr-mask/disk-config.nix
new file mode 100644
index 0000000..e772466
--- /dev/null
+++ b/modules/hosts/ltrr-mask/disk-config.nix
@@ -0,0 +1,56 @@
+{lib, ...}: {
+ flake.diskoConfigurations.ltrr-mask = {
+ disko.devices = {
+ disk.disk1 = {
+ device = lib.mkDefault "/dev/vda";
+ type = "disk";
+ content = {
+ type = "gpt";
+ partitions = {
+ boot = {
+ name = "boot";
+ size = "1M";
+ type = "EF02";
+ };
+ esp = {
+ name = "ESP";
+ size = "500M";
+ type = "EF00";
+ content = {
+ type = "filesystem";
+ format = "vfat";
+ mountpoint = "/boot";
+ };
+ };
+ root = {
+ name = "root";
+ size = "100%";
+ content = {
+ type = "lvm_pv";
+ vg = "pool";
+ };
+ };
+ };
+ };
+ };
+ lvm_vg = {
+ pool = {
+ type = "lvm_vg";
+ lvs = {
+ root = {
+ size = "100%FREE";
+ content = {
+ type = "filesystem";
+ format = "ext4";
+ mountpoint = "/";
+ mountOptions = [
+ "defaults"
+ ];
+ };
+ };
+ };
+ };
+ };
+ };
+ };
+}