server

hosts/emenel-services/configuration.nix

@@ -2,19 +2,61 @@
 
   imports = with nix-config.nixosModules; [
     ./hardware-configuration.nix
-    ./networking.nix # generated at runtime by nixos-infect
     ./disko-config.nix
 
     forgejo
   ];
 
+  nixpkgs = {
+    config = {
+      allowUnfree = true;
+    };
+    overlays = builtins.attrValues nix-config.overlays ++ [
+      inputs.nh.overlays.default
+    ];
+  };
+
+  nix = {
+    settings = {
+      experimental-features = [
+        "nix-command"
+        "flakes"
+      ];
+      substituters = [
+        "https://nix-community.cachix.org"
+        "https://cache.garnix.io"
+      ];
+      trusted-public-keys = [
+        "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
+        "cache.garnix.io:CTFPyKSLcx5RMJKfLo5EEPUObbA78b0YQ2DTCJXqr9g="
+      ];
+    };
+
+    channel.enable = false; # remove nix-channel related tools & configs, we use flakes instead.
+  };
+
+  sops = {
+    age.keyFile = "/home/emenel/.config/sops/age/keys.txt"; # must have no password!
+    age.generateKey = true;
+    defaultSopsFile = ./secrets.yaml;
+    secrets = {
+      forgejo_emenel = {};
+    };
+  };
+
+  # Set your time zone.
+  time.timeZone = "America/Toronto";
+
+  # Select internationalisation properties.
+  i18n.defaultLocale = "en_CA.UTF-8";
+
   boot.tmp.cleanOnBoot = true;
   boot.loader.grub.enable = true;
   zramSwap.enable = true;
   networking.hostName = "services-nixos";
   networking.domain = "";
+  networking.useDHCP = true;
   services.openssh.enable = true;
-  users.users.root.openssh.authorizedKeys.keys = [''ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGbzcaEyzlGJkDL8EMcVmrAWRlyYtilTjpIR2VGxkMHo'' ''ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFvtBCUQEi7r6mXdaULEaMMvGH1IWZBX9tXpjbIECar2'' ];
 
   environment.systemPackages = with pkgs; [
     wget
@@ -24,9 +66,9 @@
     rsync
     gnupg
     util-linux
+    git
   ];
 
-
   users.users.emenel = {
     openssh.authorizedKeys.keys = [''ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGbzcaEyzlGJkDL8EMcVmrAWRlyYtilTjpIR2VGxkMHo'' ''ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFvtBCUQEi7r6mXdaULEaMMvGH1IWZBX9tXpjbIECar2'' ];
 
@@ -43,6 +85,25 @@
     ];
   };
 
+  security.sudo = {
+    enable = true;
+    wheelNeedsPassword = false;
+  };
+
+  programs.nh = {
+    enable = true;
+    clean = {
+      enable = true;
+      dates = "daily";
+      extraArgs = "--keep 4";
+    };
+    flake = "/home/emenel/source/nixos-config";
+    package = pkgs.nh;
+  };
+
+
+
+
 
   system.stateVersion = "25.05"; # Did you read the comment?
 

hosts/emenel-services/secrets.yaml

@@ -0,0 +1,16 @@
+forgejo_emenel: ENC[AES256_GCM,data:MRVA7m6FK3wZR7cUVAUq+m7LutgRjyCyfrZ27AnUWstTTiTXX8XyjmF+o3aZZDTNSd8KGhYjLInkJ8Yfu50k+YEkQbbb5Icy,iv:HpV+6+fYndqEkOcXV1CsbVfwOBNy9jcXMjtZWs9+x0o=,tag:io0/0X6sTD0s2Hp8S1zEUQ==,type:str]
+sops:
+    age:
+        - recipient: age10k8v6pfm3p7cmsgn6wu5ufpcquqgpvqh76l23xf326et55dacc0qlr8fe8
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBYU3V0dndPTnhpenhaQVYv
+            aDV2eVl4Ujd1MjRkZUtXY1Q5RW1laHhncWp3CnlEQTlZb3NhUEVuaVBHVWNzbTQv
+            QmZNWE90aWx3d21lWk4waFFobGEzUFEKLS0tIERLQXM3V0pRVkNEbFpCeU9nZ3lE
+            cjFEbnNkZ1pTeTVWaVZMem1hQkpaZTQKTVytdDtekDO9fTDSS5kYLFQv2UaBpOaw
+            4oaCbr4w7ipWImITphpQ0F5t6dxWSQ6cIpdXIf9eT3eVSVlBBC/wyw==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2025-04-13T17:11:18Z"
+    mac: ENC[AES256_GCM,data:qIQl4PKsIRG7+3M/OSp1VhUfs/T/3ORSr9bt29T5BahCBElrfEa+t2QBizO4gPxFJzFJN/sMZBXuobLP4qyNaV3/ECQ1qiipUYPA4ocZZYd9vkb5HjkzlDDiFyOwflUmq6Nt4n6/g46L4KA5LF2W/STczskaGfkbRpS1OJA0MBo=,iv:VWj7+cRjrQIKJGhgvrXAe/rUFlx4ZCpF+O3H1O6t9zQ=,tag:8mTG8hK/zYKlxTxfKQkapQ==,type:str]
+    unencrypted_suffix: _unencrypted
+    version: 3.10.1