initial commit

hosts/rx4/boot.nix

@@ -0,0 +1,7 @@
+{
+  boot.loader.systemd-boot = {
+    enable = true;
+    configurationLimit = 20;
+  };
+  boot.loader.efi.canTouchEfiVariables = true;
+}

hosts/rx4/default.nix

@@ -0,0 +1,26 @@
+{
+  inputs,
+  outputs,
+  ...
+}:
+
+{
+  imports = [
+    ./boot.nix
+    ./hardware.nix
+    ./networking.nix
+    ./packages.nix
+    ./secrets
+    ./services
+
+    ../../users/sid
+
+    inputs.synix.nixosModules.common
+    inputs.synix.nixosModules.device.server
+
+    outputs.nixosModules.common
+    outputs.nixosModules.deploy
+  ];
+
+  system.stateVersion = "25.11";
+}

hosts/rx4/disks.sh

@@ -0,0 +1,63 @@
+#!/usr/bin/env bash
+
+SSD='/dev/disk/by-id/nvme-KINGSTON_SNV3SM3500G_50026B7283B1AFB4_1'
+MNT='/mnt'
+SWAP_GB=8
+
+# Helper function to wait for devices
+wait_for_device() {
+  local device=$1
+  echo "Waiting for device: $device ..."
+  while [[ ! -e $device ]]; do
+    sleep 1
+  done
+  echo "Device $device is ready."
+}
+
+# Function to install a package if it's not already installed
+install_if_missing() {
+  local cmd="$1"
+  local package="$2"
+  if ! command -v "$cmd" &> /dev/null; then
+    echo "$cmd not found, installing $package..."
+    nix-env -iA "nixos.$package"
+  fi
+}
+
+install_if_missing "sgdisk" "gptfdisk"
+install_if_missing "partprobe" "parted"
+
+wait_for_device $SSD
+
+echo "Wiping filesystem on $SSD..."
+wipefs -a $SSD
+
+echo "Clearing partition table on $SSD..."
+sgdisk --zap-all $SSD
+
+echo "Partitioning $SSD..."
+sgdisk -n1:1M:+1G         -t1:EF00 -c1:BOOT $SSD
+sgdisk -n2:0:+"$SWAP_GB"G -t2:8200 -c2:SWAP $SSD
+sgdisk -n3:0:0            -t3:8304 -c3:ROOT $SSD
+partprobe -s $SSD
+udevadm settle
+
+wait_for_device ${SSD}-part1
+wait_for_device ${SSD}-part2
+wait_for_device ${SSD}-part3
+
+echo "Formatting partitions..."
+mkfs.vfat -F 32 -n BOOT "${SSD}-part1"
+mkswap -L SWAP "${SSD}-part2"
+mkfs.ext4 -L ROOT "${SSD}-part3"
+
+echo "Mounting partitions..."
+mount -o X-mount.mkdir "${SSD}-part3" "$MNT"
+mkdir -p "$MNT/boot"
+mount -t vfat -o fmask=0077,dmask=0077,iocharset=iso8859-1 "${SSD}-part1" "$MNT/boot"
+
+echo "Enabling swap..."
+swapon "${SSD}-part2"
+
+echo "Partitioning and setup complete:"
+lsblk -o NAME,FSTYPE,SIZE,MOUNTPOINT,LABEL

hosts/rx4/hardware.nix

@@ -0,0 +1,48 @@
+{
+  config,
+  lib,
+  pkgs,
+  modulesPath,
+  ...
+}:
+
+{
+  imports = [
+    (modulesPath + "/installer/scan/not-detected.nix")
+  ];
+
+  boot.initrd.availableKernelModules = [
+    "nvme"
+    "sd_mod"
+    "sdhci_pci"
+    "usb_storage"
+    "usbhid"
+    "xhci_pci"
+  ];
+  boot.initrd.kernelModules = [ ];
+  boot.kernelModules = [ "kvm-intel" ];
+  boot.extraModulePackages = [ ];
+
+  fileSystems."/" = {
+    device = "/dev/disk/by-label/ROOT";
+    fsType = "ext4";
+  };
+
+  fileSystems."/boot" = {
+    device = "/dev/disk/by-label/BOOT";
+    fsType = "vfat";
+    options = [
+      "fmask=0022"
+      "dmask=0022"
+    ];
+  };
+
+  swapDevices = [
+    { device = "/dev/disk/by-label/SWAP"; }
+  ];
+
+  networking.useDHCP = lib.mkDefault true;
+
+  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+  hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+}

hosts/rx4/networking.nix

@@ -0,0 +1,51 @@
+{
+  networking.hostName = "rx4";
+  networking.domain = "sid.ovh";
+
+  # boot.kernel.sysctl = {
+  #   "net.ipv4.conf.all.forwarding" = 1;
+  #   "net.ipv6.conf.all.forwarding" = 1;
+  # };
+  #
+  # networking.interfaces.enp2s0 = {
+  #   useDHCP = false;
+  #   ipv4.addresses = [
+  #     {
+  #       address = "192.168.100.1";
+  #       prefixLength = 24;
+  #     }
+  #   ];
+  # };
+  #
+  # networking.nat = {
+  #   enable = true;
+  #   internalInterfaces = [ "enp2s0" ];
+  #   externalInterface = "enp0s20f0u1";
+  # };
+  #
+  # services.dnsmasq = {
+  #   enable = true;
+  #   settings = {
+  #     interface = "enp2s0";
+  #     bind-interfaces = true;
+  #     dhcp-range = "192.168.100.10,192.168.100.50,24h";
+  #     dhcp-option = [
+  #       "3,192.168.100.1" # default Gateway
+  #       "6,192.168.100.1" # DNS
+  #     ];
+  #   };
+  # };
+  #
+  # networking.firewall.interfaces."enp2s0" = {
+  #   allowedUDPPorts = [
+  #     53
+  #     67
+  #   ];
+  #   allowedTCPPorts = [ 53 ];
+  # };
+  #
+  # networking.firewall.extraCommands = ''
+  #   iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE
+  #   iptables -t mangle -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
+  # '';
+}

hosts/rx4/packages.nix

@@ -0,0 +1,7 @@
+{ pkgs, ... }:
+
+{
+  environment.systemPackages = with pkgs; [
+    gitMinimal
+  ];
+}

hosts/rx4/secrets/default.nix

@@ -0,0 +1,5 @@
+{ inputs, ... }:
+
+{
+  imports = [ inputs.synix.nixosModules.sops ];
+}

hosts/rx4/secrets/secrets.yaml

@@ -0,0 +1,42 @@
+tailscale:
+    auth-key: ENC[AES256_GCM,data:T4w4IbcQRPYEqAWLE0QhZGG7gx50TN8YPvGvtselFKJruOyW3fTQABQ7vbxJeEw8,iv:/STVNXjA4RHdIXtOn8kq0oke+GS3dD14/RxOdbBRZLQ=,tag:8UNhM6PIPq0LoVO9sYiJQw==,type:str]
+alditalk:
+    username: ENC[AES256_GCM,data:QFcW1IIEbALNeagT8Q==,iv:nXDJUPMZc95YSCabTouYqT0Rw5FIlGH/VzizzDr5vmI=,tag:aOqN1bI8lm3dEd1bIEtSew==,type:str]
+    password: ENC[AES256_GCM,data:JP2I4nYQnKpCKL6qyXHc0kVu5Sc=,iv:QsjmGhLHS7FHsWirpYaRrSNvbo1SjjYtzG8F8GeBS6s=,tag:prjUsIG+tk69GKmq2knasw==,type:str]
+netdata:
+    stream:
+        rx4:
+            uuid: ENC[AES256_GCM,data:2X2wlQwU+EdiPB9xXwNgttcrELX+NPKFsrqfi24+EOY0GgZC,iv:CTapkA5NiItbOPM5dl1Q2GOilVcHz0RlTkilEscSmeg=,tag:0BoLmmNriYJNo0YGKR93OA==,type:str]
+miniflux:
+    admin-password: ENC[AES256_GCM,data:a2M7rkxkOLuNM3DIPJe7dUIMMRY=,iv:NlgjXkqtbZOHkzpohr0EKBYrVdhsm+wuQu24o7X91QA=,tag:HAkH50jm9CSW+r44N3cwSg==,type:str]
+syncthing:
+    gui-pw: ENC[AES256_GCM,data:mN4rxYr5DZgvbpIkwSFIuPvviJE=,iv:Kyl3mZFOejVwEwBCKteJQpgbCosREp9C4T4JYhWz6KQ=,tag:6myk9lr/44CH/hyUPgRH0Q==,type:str]
+forgejo-runner:
+    token: ENC[AES256_GCM,data:DZgi6ocpV0MplgQ6Et85vHxmkMfC4qYbLLdyRuj/4z8tJauz1w6DUQ==,iv:+SZYsv6sDn2Nc1WxhTn0dJGN9nXYZw16/HVtXJGXpHc=,tag:8Oa5mC7cUy85+lXHbRcCcg==,type:str]
+webdav:
+    user: ENC[AES256_GCM,data:vCLx,iv:Nra/FprNfd02HpvqOb5uYK+IGRFHhNwnFXWrX71c0C0=,tag:TjbKKOKBTq31o/5MxmqIsA==,type:str]
+    pass: ENC[AES256_GCM,data:jfIoob6R6OhqKa2EujRzTQbvIlA=,iv:HvB088H2Z2uLCveT4YfNEdkK5VU0lBFD5FrZhx79fg0=,tag:1RnrfeUEURx0C575GTxi9A==,type:str]
+sops:
+    age:
+        - recipient: age19yeqvv28fgrtk6jsh3xyaf0lch86kna6rcz4dwe962yyyyevu30sx474xy
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBQenJrZTFtMlRIK0lIQUFQ
+            KzdXWEt0ekRxdnREaEx4R1lYU2hINkl6UkJzCkNsbDlvcFlIcVk3aTk2eHNNNVJ5
+            QVNtTWZsbTRHVTl5MjBmd05Ed2E5emcKLS0tIExJME56bWZGbVNoTitucEdNT1FC
+            cE5FZitXSFlFT0xjTENaejFtRyt0QjQKYDiGb/dIBrWwxOrbNPUkNUwSOKK3++gN
+            SYkc6TsJdLK9WNaIt2IyQiL3FQ28NEs9cm+kg/3PRUkYzWwxRzGXqQ==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age16y79w6d9c607zest8ed8rgxajmqmw86grz8d5e8c34nej36j4gysst8pl9
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB3ZWdBSWQvTERSc3JWRHZz
+            b3FWKzE5R0NZS253UC9NRlNoT3VYOWwvNVFFCk4rbUpnVFBGMHQ2TUlpWEZYS21m
+            L0ovMVkxT0IvZms5WGFCMjIxNWFpa00KLS0tIDZuWDZ2NXpwMkNHMWxSU1UwTXlv
+            NE5yK3ZaOG5PdXNSUnlIUmFSSmRFancKk57hCmo79HvI3hzzgQvgOK7oK5/dcQR8
+            f3R4OGF5+212VXEHR/hAEbKzV7CY4y6HhFyrGZ9bUKm1RrxtnVqUyA==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2026-02-14T18:41:58Z"
+    mac: ENC[AES256_GCM,data:2e546c6VEf7vFGgSM344upn5C7YDGAwi8cLA/RV68ukJMKLvH1gdra4ii77uOaC1sCNan5mV0Kjs5ZVYj81O8PU3WJa9ra8TeAt8F690zTxNWSo1F/4sZxAk8d1WIBoNn4IPkYxi8Ry9+xqK13Q9PvplHc14VArMYC86wU+k5hc=,iv:T3td5G+pdfWzSLDuVkb75uWub6eBPxjqJgOrv3wvaiQ=,tag:vlQJVzFJEDncDzjA3JWM6Q==,type:str]
+    unencrypted_suffix: _unencrypted
+    version: 3.11.0

hosts/rx4/services/alditalk-extender.nix

@@ -0,0 +1,43 @@
+{
+  outputs,
+  config,
+  pkgs,
+  ...
+}:
+
+{
+  imports = [
+    outputs.nixosModules.alditalk-extender
+  ];
+
+  services.alditalk-extender = {
+    enable = true;
+    package = pkgs.local.alditalk-true-unlimited;
+    envFile = config.sops.templates.alditalk-extender.path;
+  };
+
+  sops.secrets = {
+    "alditalk/username" = {
+      owner = "alditalk";
+      group = "alditalk";
+      mode = "0400";
+    };
+    "alditalk/password" = {
+      owner = "alditalk";
+      group = "alditalk";
+      mode = "0400";
+    };
+  };
+
+  sops.templates = {
+    alditalk-extender = {
+      owner = "alditalk";
+      group = "alditalk";
+      mode = "0400";
+      content = ''
+        USERNAME=${config.sops.placeholder."alditalk/username"}
+        PASSWORD=${config.sops.placeholder."alditalk/password"}
+      '';
+    };
+  };
+}

hosts/rx4/services/default.nix

@@ -0,0 +1,31 @@
+{
+  inputs,
+  outputs,
+  ...
+}:
+
+{
+  imports = [
+    inputs.synix.nixosModules.openssh
+    inputs.clients.nixosModules.syncthing
+
+    outputs.nixosModules.tailscale
+
+    ./forgejo.nix
+    ./miniflux.nix
+    ./netdata.nix
+    ./nginx.nix
+    ./open-webui-oci.nix
+    ./print-server.nix
+    ./rss-bridge.nix
+    # ./webdav.nix # FIXME
+
+    # ./alditalk-extender.nix # FIXME
+  ];
+
+  # bootstrap
+  # services.syncthing.enable = true;
+  # services.syncthing.guiAddress = "0.0.0.0:8384";
+
+  services.transmission.enable = true;
+}

hosts/rx4/services/forgejo.nix

@@ -0,0 +1,29 @@
+{
+  outputs,
+  config,
+  ...
+}:
+
+{
+  imports = [
+    outputs.nixosModules.forgejo
+    outputs.nixosModules.forgejo-runner
+  ];
+
+  services.forgejo = {
+    enable = true;
+  };
+
+  services.forgejo-runner = {
+    enable = true;
+    url = config.services.forgejo.settings.server.ROOT_URL;
+    tokenFile = config.sops.templates."forgejo-runner/token".path;
+  };
+
+  sops = {
+    secrets."forgejo-runner/token" = { };
+    templates."forgejo-runner/token".content = ''
+      TOKEN=${config.sops.placeholder."forgejo-runner/token"}
+    '';
+  };
+}

hosts/rx4/services/miniflux.nix

@@ -0,0 +1,13 @@
+{ inputs, constants, ... }:
+
+{
+  imports = [ inputs.synix.nixosModules.miniflux ];
+
+  services.miniflux = {
+    enable = true;
+    config = {
+      ADMIN_USERNAME = "sid";
+      PORT = constants.services.miniflux.port;
+    };
+  };
+}

hosts/rx4/services/netdata.nix

@@ -0,0 +1,54 @@
+{
+  config,
+  constants,
+  ...
+}:
+
+{
+  services.netdata = {
+    enable = true;
+    config.global = {
+      "debug log" = "syslog";
+      "access log" = "syslog";
+      "error log" = "syslog";
+    };
+    configDir = {
+      "stream.conf" = config.sops.templates."netdata/stream.conf".path;
+    };
+  };
+
+  sops =
+    let
+      owner = config.services.netdata.user;
+      group = config.services.netdata.group;
+      mode = "0400";
+      restartUnits = [ "netdata.service" ];
+    in
+    {
+      # generate with `uuidgen`
+      secrets."netdata/stream/rx4/uuid" = {
+        inherit
+          owner
+          group
+          mode
+          restartUnits
+          ;
+      };
+
+      templates."netdata/stream.conf" = {
+        inherit
+          owner
+          group
+          mode
+          restartUnits
+          ;
+        # child node
+        content = ''
+          [stream]
+          enabled = yes
+          destination = ${constants.hosts.sid.ip}:${builtins.toString constants.services.netdata.port}
+          api key = ${config.sops.placeholder."netdata/stream/rx4/uuid"}
+        '';
+      };
+    };
+}

hosts/rx4/services/nginx.nix

@@ -0,0 +1,37 @@
+{
+  inputs,
+  constants,
+  config,
+  ...
+}:
+
+let
+  cfg = config.services.nginx;
+in
+{
+  imports = [
+    inputs.synix.nixosModules.nginx
+  ];
+
+  systemd.tmpfiles.rules = [
+    "d /var/www 0755 gitea-runner ${cfg.group} -"
+  ];
+
+  systemd.services.gitea-runner-default.serviceConfig = {
+    ReadWritePaths = [ "/var/www" ];
+  };
+
+  services.nginx = {
+    enable = true;
+    openFirewall = false;
+    forceSSL = false;
+
+    virtualHosts = {
+      "${constants.services.docs.fqdn}" = {
+        locations."/" = {
+          root = "/var/www/doc";
+        };
+      };
+    };
+  };
+}

hosts/rx4/services/open-webui-oci.nix

@@ -0,0 +1,30 @@
+{
+  inputs,
+  constants,
+  config,
+  ...
+}:
+
+{
+  imports = [ inputs.synix.nixosModules.open-webui-oci ];
+
+  services.open-webui-oci = {
+    enable = true;
+    externalUrl = "https://" + constants.services.open-webui-oci.fqdn;
+    port = 8083;
+    # environmentFile = config.sops.templates."open-webui-oci/environment".path;
+    # environment = {
+    #   AUDIO_STT_ENGINE = "openai";
+    #   AUDIO_TTS_ENGINE = "openai";
+    # };
+  };
+
+  # sops = {
+  #   secrets."open-webui-oci/stt-api-key" = { };
+  #   secrets."open-webui-oci/tts-api-key" = { };
+  #   templates."open-webui-oci/environment".content = ''
+  #     AUDIO_STT_OPENAI_API_KEY=${config.sops.placeholder."open-webui-oci/stt-api-key"}
+  #     AUDIO_TTS_OPENAI_API_KEY=${config.sops.placeholder."open-webui-oci/tts-api-key"}
+  #   '';
+  # };
+}

hosts/rx4/services/print-server.nix

@@ -0,0 +1,12 @@
+{
+  inputs,
+  ...
+}:
+
+{
+  imports = [
+    inputs.synix.nixosModules.print-server
+  ];
+
+  services.print-server.enable = true;
+}

hosts/rx4/services/rss-bridge.nix

@@ -0,0 +1,14 @@
+{ inputs, constants, ... }:
+
+{
+  imports = [ inputs.synix.nixosModules.rss-bridge ];
+
+  services.rss-bridge = {
+    enable = true;
+    reverseProxy = {
+      enable = true;
+      subdomain = constants.services.rss-bridge.subdomain;
+      forceSSL = false;
+    };
+  };
+}

hosts/rx4/services/webdav.nix

@@ -0,0 +1,86 @@
+{ constants, config, ... }:
+
+# FIXME: floccus throws error: NetworkError when attempting to fetch resource.
+
+let
+  cfg = config.services.webdav;
+
+  inherit (constants.services.webdav) fqdn port;
+in
+{
+  services.webdav = {
+    enable = true;
+    environmentFile = config.sops.templates."webdav/env-file".path;
+
+    settings = {
+      inherit port;
+      address = "127.0.0.1";
+      prefix = "/";
+      directory = "/srv/webdav";
+      users = [
+        {
+          username = "{env}WEBDAV_USER";
+          password = "{env}WEBDAV_PASS";
+          permissions = "CRUD";
+        }
+      ];
+    };
+  };
+
+  systemd.tmpfiles.rules = [
+    "d ${cfg.settings.directory} 0750 ${cfg.user} ${cfg.group} -"
+  ];
+
+  networking.firewall.allowedTCPPorts = [ port ];
+
+  services.nginx = {
+    enable = true;
+    virtualHosts."${fqdn}" = {
+      listen = [
+        {
+          addr = "0.0.0.0";
+          inherit port;
+        }
+      ];
+      locations."/" = {
+        proxyPass = "http://127.0.0.1:${toString port}";
+        extraConfig = ''
+          add_header 'Access-Control-Allow-Origin' '*' always;
+          add_header 'Access-Control-Allow-Methods' 'GET, POST, PUT, DELETE, PROPFIND, OPTIONS' always;
+          add_header 'Access-Control-Allow-Headers' 'Authorization,DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range,Depth' always;
+
+          if ($request_method = 'OPTIONS') {
+              add_header 'Access-Control-Allow-Origin' '*';
+              add_header 'Access-Control-Allow-Methods' 'GET, POST, PUT, DELETE, PROPFIND, OPTIONS';
+              add_header 'Access-Control-Allow-Headers' 'Authorization,DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range,Depth';
+              return 204;
+          }
+        '';
+      };
+    };
+  };
+
+  sops =
+    let
+      owner = cfg.user;
+      group = cfg.group;
+      mode = "0400";
+    in
+    {
+      secrets = {
+        "webdav/user" = {
+          inherit owner group mode;
+        };
+        "webdav/pass" = {
+          inherit owner group mode;
+        };
+      };
+      templates."webdav/env-file" = {
+        inherit owner group mode;
+        content = ''
+          WEBDAV_USER=${config.sops.placeholder."webdav/user"}
+          WEBDAV_PASS=${config.sops.placeholder."webdav/pass"}
+        '';
+      };
+    };
+}