Add 'old-conf/' from commit '62a64a79a8'

git-subtree-dir: old-conf
git-subtree-mainline: 4667974392
git-subtree-split: 62a64a79a8

old-conf/nixos-modules/cli/default.nix

@@ -0,0 +1,16 @@
+{ config, lib, pkgs, inputs, ... }:
+with lib;
+with lib.my;
+let
+  cfg = config.ragon.cli;
+in
+{
+  options.ragon.cli.enable = lib.mkEnableOption "Enables ragons CLI stuff";
+  options.ragon.cli.maximal = mkBoolOpt true;
+  config = lib.mkIf cfg.enable {
+    security.sudo.extraConfig = "Defaults lecture = never";
+    # root shell
+    users.extraUsers.root.shell = pkgs.zsh;
+
+  };
+}

old-conf/nixos-modules/networking/tailscale.nix

@@ -0,0 +1,57 @@
+{ config, lib, pkgs, ... }:
+let
+  cfg = config.ragon.services.tailscale;
+in
+{
+  options.ragon.services.tailscale.enable = lib.mkEnableOption "Enables tailscale";
+  options.ragon.services.tailscale.exitNode = lib.mkEnableOption "Exit Node";
+  options.ragon.services.tailscale.extraUpCommands = lib.my.mkOpt lib.types.str "";
+  config = lib.mkIf cfg.enable {
+    # enable the tailscale service
+    ragon.persist.extraDirectories = [
+      "/var/lib/tailscale"
+    ];
+    services.tailscale.enable = true;
+    services.tailscale.useRoutingFeatures = "server";
+    # ragon.agenix.secrets.tailscaleKey = { };
+    # boot.kernel.sysctl = lib.mkIf cfg.exitNode {
+    #   "net.ipv4.ip_forward" = 1;
+    #   "net.ipv6.conf.all.forwarding" = 1;
+    # };
+    networking.firewall = {
+      # always allow traffic from your Tailscale network
+      trustedInterfaces = [ "tailscale0" ];
+
+
+      checkReversePath = lib.mkDefault "loose";
+      # allow the Tailscale UDP port through the firewall
+      allowedUDPPorts = [ config.services.tailscale.port ];
+    };
+    # systemd.services.tailscale-autoconnect = {
+    #   description = "Automatic connection to Tailscale";
+
+    #   # make sure tailscale is running before trying to connect to tailscale
+    #   after = [ "network-pre.target" "tailscale.service" ];
+    #   wants = [ "network-pre.target" "tailscale.service" ];
+    #   wantedBy = [ "multi-user.target" ];
+
+    #   # set this service as a oneshot job
+    #   serviceConfig.Type = "oneshot";
+
+    #   # have the job run this shell script
+    #   script = with pkgs; ''
+    #     # wait for tailscaled to settle
+    #     sleep 2
+
+    #     # check if we are already authenticated to tailscale
+    #     status="$(${tailscale}/bin/tailscale status -json | ${jq}/bin/jq -r .BackendState)"
+    #     if [ $status = "Running" ]; then # if so, then do nothing
+    #       exit 0
+    #     fi
+    #     key=$(<${config.age.secrets.tailscaleKey.path})
+    #     # otherwise authenticate with tailscale
+    #     ${tailscale}/bin/tailscale up -authkey $key ${lib.optionalString cfg.exitNode "--advertise-exit-node"} ${cfg.extraUpCommands}
+    #   '';
+    # };
+  };
+}

old-conf/nixos-modules/services/authelia.nix

@@ -0,0 +1,76 @@
+{ config, lib, pkgs, ... }:
+let
+  cfg = config.ragon.services.authelia;
+  instanceName = "main";
+  stateDir = "/var/lib/authelia-${instanceName}";
+in
+{
+  options.ragon.services.authelia.enable = lib.mkEnableOption "Enables the authelia SSO Server";
+  options.ragon.services.authelia.domain =
+    lib.mkOption {
+      type = lib.types.str;
+      default = "sso.xyno.systems";
+    };
+  config = lib.mkIf cfg.enable {
+
+    ragon.agenix.secrets.autheliaStorageEncryption = { owner = "authelia-main"; };
+    ragon.agenix.secrets.autheliaSessionSecret = { owner = "authelia-main"; };
+    ragon.agenix.secrets.autheliaOidcIssuerPrivateKey = { owner = "authelia-main"; };
+    ragon.agenix.secrets.autheliaOidcHmacSecret = { owner = "authelia-main"; };
+    ragon.agenix.secrets.autheliaJwtSecret = { owner = "authelia-main"; };
+    ragon.agenix.secrets.autheliaEmail = { owner = "authelia-main"; };
+    services.authelia.instances.${instanceName} = {
+      enable = true;
+      secrets = {
+        storageEncryptionKeyFile = config.age.secrets.autheliaStorageEncryption.path;
+        sessionSecretFile = config.age.secrets.autheliaSessionSecret.path;
+        oidcIssuerPrivateKeyFile = config.age.secrets.autheliaOidcIssuerPrivateKey.path;
+        oidcHmacSecretFile = config.age.secrets.autheliaOidcHmacSecret.path;
+        jwtSecretFile = config.age.secrets.autheliaJwtSecret.path;
+      };
+      settingsFiles = [
+        config.age.secrets.autheliaEmail.path
+      ];
+      settings = {
+        theme = "auto";
+        default_2fa_method = "webauthn";
+        access_control = {
+          default_policy = "one_factor";
+        };
+        authentication_backend = {
+          file = {
+            path = "${stateDir}/users.yml";
+          };
+        };
+        session = {
+          domain = cfg.domain;
+        };
+        storage = {
+          postgres = {
+            host = "/run/postgresql";
+            port = "5432";
+            database = "authelia";
+            username = "authelia-main";
+            password = "dosentmatter";
+          };
+        };
+
+      };
+    };
+    services.postgresql = {
+      enable = true;
+
+      # Ensure the database, user, and permissions always exist
+      ensureDatabases = [ "authelia" ];
+      ensureUsers = [
+        {
+          name = "authelia-main";
+          #ensureDBOwnership = true;
+        }
+      ];
+    };
+    ragon.persist.extraDirectories = [
+      "${stateDir}"
+    ];
+  };
+}

old-conf/nixos-modules/services/bitwarden.nix

@@ -0,0 +1,44 @@
+{ config, lib, pkgs, ... }:
+let
+  cfg = config.ragon.services.bitwarden;
+in
+{
+  options.ragon.services.bitwarden.enable = lib.mkEnableOption "Enables the vaultwarden BitWarden Server";
+  options.ragon.services.bitwarden.domain =
+    lib.mkOption {
+      type = lib.types.str;
+      default = "bw.xyno.systems";
+    };
+  config = lib.mkIf cfg.enable {
+    services.vaultwarden = {
+      enable = true;
+      package = pkgs.unstable.vaultwarden;
+      #backupDir = "/persistent/backups/vaultwarden";
+      config = {
+        domain = "https://${cfg.domain}";
+        signupsAllowed = true;
+        rocketPort = 8222;
+        rocketAddress = "127.0.0.1";
+        databaseUrl = "postgresql://%2Frun%2Fpostgresql/vaultwarden";
+        webVaultEnabled = true;
+      };
+      dbBackend = "postgresql";
+
+    };
+    services.postgresql = {
+      enable = true;
+
+      # Ensure the database, user, and permissions always exist
+      ensureDatabases = [ "vaultwarden" ];
+      ensureUsers = [
+        {
+          name = "vaultwarden";
+          ensureDBOwnership = true;
+        }
+      ];
+    };
+    ragon.persist.extraDirectories = [
+      "/var/lib/bitwarden_rs"
+    ];
+  };
+}

old-conf/nixos-modules/services/caddy/custom-caddy.nix

@@ -0,0 +1,48 @@
+{ pkgs, lib, ... }:
+
+with pkgs;
+
+caddy.override {
+  buildGo125Module = args: buildGo125Module (args // {
+    src = stdenv.mkDerivation rec {
+      pname = "caddy-using-xcaddy-${xcaddy.version}";
+      inherit (caddy) version;
+
+      dontUnpack = true;
+      dontFixup = true;
+
+      nativeBuildInputs = [
+        cacert
+        git
+        go
+      ];
+
+      plugins = [
+        "github.com/caddy-dns/desec@v1.0.1"
+      ];
+
+      configurePhase = ''
+        export GOCACHE=$TMPDIR/go-cache
+        export GOPATH="$TMPDIR/go"
+        export XCADDY_SKIP_BUILD=1
+      '';
+
+      buildPhase = ''
+        ${xcaddy}/bin/xcaddy build "${lib.last (lib.splitString "/" caddy.src.rev)}" ${lib.concatMapStringsSep " " (plugin: "--with ${plugin}") plugins}
+        cd buildenv*
+        go mod vendor
+      '';
+
+      installPhase = ''
+        cp -r --reflink=auto . $out
+      '';
+
+      outputHash = "sha256-a2GeG7TYBnCz30jBKQmmQz8Y3vutRpa+tboaahJ5xeQ=";
+      outputHashMode = "recursive";
+    };
+
+    subPackages = [ "." ];
+    ldflags = [ "-s" "-w" ]; ## don't include version info twice
+    vendorHash = null;
+  });
+}

old-conf/nixos-modules/services/caddy/default.nix

@@ -0,0 +1,14 @@
+{ config, pkgs, lib, ... }:
+let
+  cfg = config.ragon.services.caddy;
+in
+{
+  options.ragon.services.caddy.enable = lib.mkEnableOption "enables the caddy webserver";
+  config = lib.mkIf cfg.enable {
+    services.caddy = {
+      enable = true;
+      package = import ./custom-caddy.nix { inherit lib; pkgs = pkgs.unstable; };
+    };
+    ragon.persist.extraDirectories = [ config.services.caddy.dataDir ];
+  };
+}

old-conf/nixos-modules/services/docker.nix

@@ -0,0 +1,18 @@
+{ config, lib, pkgs, ... }:
+let
+  cfg = config.ragon.services.docker;
+in
+{
+  options.ragon.services.docker.enable = lib.mkEnableOption "Enables docker";
+  config = lib.mkIf cfg.enable {
+    virtualisation.oci-containers.backend = "podman";
+    virtualisation.podman.enable = true;
+    virtualisation.podman.dockerCompat = true;
+    virtualisation.podman.defaultNetwork.settings.dns_enabled = true;
+    ragon.user.extraGroups = [ "docker" "podman" ];
+    ragon.persist.extraDirectories = [
+      "/var/lib/docker"
+      "/var/cache/docker"
+    ];
+  };
+}

old-conf/nixos-modules/services/hedgedoc.nix

@@ -0,0 +1,66 @@
+{ config, lib, pkgs, ... }:
+let
+  cfg = config.ragon.services.hedgedoc;
+in
+{
+  options.ragon.services.hedgedoc.enable = lib.mkEnableOption "Enables the hedgedoc BitWarden Server";
+  options.ragon.services.hedgedoc.domain =
+    lib.mkOption {
+      type = lib.types.str;
+      default = "md.xyno.systems";
+    };
+  config = lib.mkIf cfg.enable {
+    # ragon.agenix.secrets.autheliaHedgedoc = { owner = "authelia-main"; };
+    # services.authelia.instances.main.settingsFiles = [
+    #   config.age.secrets.autheliaHedgedoc.path
+    # ];
+    services.hedgedoc = {
+      enable = true;
+      environmentFile = "${config.age.secrets.hedgedocSecret.path}";
+      settings = {
+        protocolUseSSL = true;
+        sessionSecret = "$SESSION_SECRET";
+        allowAnonymous = false;
+        allowAnonymousEdits = false;
+        allowFreeURL = true;
+        email = false;
+        oauth2 = {
+          providerName = "authentik";
+          clientID = "$CLIENT_ID";
+          clientSecret = "$CLIENT_SECRET";
+          scope = "openid email profile";
+          userProfileURL = "https://auth.hailsatan.eu/application/o/userinfo/";
+          tokenURL = "https://auth.hailsatan.eu/application/o/token/";
+          authorizationURL = "https://auth.hailsatan.eu/application/o/authorize/";
+          userProfileUsernameAttr = "preferred_username";
+          userProfileDisplayNameAttr = "name";
+          userProfileEmailAttr = "email";
+        };
+        domain = "${cfg.domain}";
+        db = {
+          dialect = "postgres";
+          host = "/run/postgresql";
+          database = "hedgedoc";
+        };
+      };
+
+    };
+    ragon.agenix.secrets.hedgedocSecret.owner = "hedgedoc";
+    services.postgresql = {
+
+      enable = true;
+
+      # Ensure the database, user, and permissions always exist
+      ensureDatabases = [ "hedgedoc" ];
+      ensureUsers = [
+        {
+          name = "hedgedoc";
+          ensureDBOwnership = true;
+        }
+      ];
+    };
+    ragon.persist.extraDirectories = [
+      "/var/lib/hedgedoc"
+    ];
+  };
+}

old-conf/nixos-modules/services/libvirt.nix

@@ -0,0 +1,18 @@
+{ config, lib, pkgs, ... }:
+let
+  cfg = config.ragon.services.libvirt;
+  domain = config.ragon.services.nginx.domain;
+in
+{
+  options.ragon.services.libvirt.enable = lib.mkEnableOption "Enables libvirt and stuff";
+  config = lib.mkIf cfg.enable {
+    virtualisation.libvirtd = {
+      enable = true;
+    };
+    ragon.user.extraGroups = [ "kvm" "libvirtd" ];
+    security.polkit.enable = true;
+    ragon.persist.extraDirectories = [
+      "/var/lib/libvirt"
+    ];
+  };
+}

old-conf/nixos-modules/services/msmtp.nix

@@ -0,0 +1,21 @@
+{ config, lib, pkgs, ... }:
+let
+  cfg = config.ragon.services.msmtp;
+in
+{
+  options.ragon.services.msmtp.enable = lib.mkEnableOption "Enables msmtp";
+  config = lib.mkIf cfg.enable {
+    programs.msmtp = {
+      enable = true;
+    };
+    environment.etc."msmtprc".enable = false;
+    ragon.agenix.secrets.msmtprc = {
+      path = "/etc/msmtprc";
+      mode = "0644";
+    };
+    ragon.agenix.secrets.aliases = {
+      path = "/etc/aliases";
+      mode = "0644";
+    };
+  };
+}

old-conf/nixos-modules/services/paperless.nix

@@ -0,0 +1,32 @@
+{ config, inputs, lib, pkgs, ... }:
+with lib;
+with lib.my;
+let
+  cfg = config.ragon.services.paperless;
+  domain = config.ragon.services.nginx.domain;
+in
+{
+  options.ragon.services.paperless.enable = mkEnableOption "Enables paperless ng";
+  options.ragon.services.paperless.location =
+    lib.mkOption {
+      type = lib.types.str;
+      default = "http://${config.services.paperless.address}:${toString config.services.paperless.port}";
+    };
+  config = mkIf cfg.enable {
+    services.paperless = {
+      enable = true;
+      mediaDir = mkDefault "/data/documents/paperless";
+      consumptionDir = "/data/applications/paperless-consumption";
+      consumptionDirIsPublic = true;
+      passwordFile = "${config.age.secrets.paperlessAdminPW.path}";
+      extraConfig = {
+        PAPERLESS_OCR_LANGUAGE = "deu+eng";
+        PAPERLESS_TIME_ZONE = config.time.timeZone;
+      };
+    };
+    ragon.agenix.secrets.paperlessAdminPW = { group = "${config.services.paperless.user}"; mode = "0440"; };
+    ragon.persist.extraDirectories = [
+      "${config.services.paperless.dataDir}"
+    ];
+  };
+}

old-conf/nixos-modules/services/photoprism.nix

@@ -0,0 +1,38 @@
+{ config, lib, pkgs, ... }:
+with lib;
+with lib.my;
+let
+  cfg = config.ragon.services.photoprism;
+  domain = config.ragon.services.nginx.domain;
+in
+{
+  options.ragon.services.photoprism.enable = mkEnableOption "Enables the hedgedoc BitWarden Server";
+  options.ragon.services.photoprism.location =
+    lib.mkOption {
+      type = lib.types.str;
+      default = "http://127.0.0.1:${toString config.ragon.services.photoprism.port}";
+    };
+  options.ragon.services.photoprism.port =
+    mkOption {
+      type = lib.types.str;
+      default = "28452";
+    };
+  config = lib.mkIf cfg.enable {
+    virtualisation.oci-containers.containers.photoprism = {
+      ports = [ "127.0.0.1:${cfg.port}:2342" ];
+      image = "photoprism/photoprism:latest";
+      environmentFiles = [ config.age.secrets.photoprismEnv.path ];
+      workdir = "/photoprism"; # upstream says so
+      user = "1000:100";
+      volumes = [
+        "/data/pictures:/photoprism/originals"
+        "/data/applications/photoprismimport:/photoprism/import"
+        "/var/lib/photoprism:/photoprism/storage"
+      ];
+    };
+    ragon.agenix.secrets.photoprismEnv.owner = "root";
+    ragon.persist.extraDirectories = [
+      "/var/lib/photoprism"
+    ];
+  };
+}

old-conf/nixos-modules/services/samba.nix

@@ -0,0 +1,28 @@
+{ config, lib, pkgs, ... }:
+with lib;
+with lib.my;
+with builtins;
+let
+  cfg = config.ragon.services.samba;
+  allowedIPs = cfg.allowedIPs;
+  cfgExports = cfg.exports;
+in
+{
+  options.ragon.services.samba.enable = mkEnableOption "Enables Samba";
+  options.ragon.services.samba.shares = mkOption {
+    type = lib.types.attrs;
+    default = { };
+  };
+  config = mkIf cfg.enable {
+    services.samba = {
+      enable = true;
+      shares = cfg.shares;
+    };
+    ragon.persist.extraDirectories = [
+      "/var/lib/samba"
+    ];
+
+    networking.firewall.allowedTCPPorts = [ 139 445 ];
+    networking.firewall.allowedUDPPorts = [ 137 138 ];
+  };
+}

old-conf/nixos-modules/services/ssh.nix

@@ -0,0 +1,14 @@
+{ config, lib, pkgs, ... }:
+let
+  cfg = config.ragon.services.ssh;
+  pubkeys = import ../../data/pubkeys.nix;
+in
+{
+  options.ragon.services.ssh.enable = lib.mkEnableOption "Enables sshd";
+  config = lib.mkIf cfg.enable {
+    services.openssh.settings.PermitRootLogin = "without-password";
+    services.openssh.enable = true;
+    services.openssh.settings.PasswordAuthentication = false;
+    users.users.root.openssh.authorizedKeys.keys = pubkeys.ragon.user;
+  };
+}

old-conf/nixos-modules/services/tailscale-openvpn.nix

@@ -0,0 +1,85 @@
+{ options, config, lib, pkgs, ... }:
+with lib;
+{
+  options.ragon.services.tailscale-openvpn = {
+    enable = mkEnableOption "Tailscale OpenVPN Bridge";
+    config = mkOption {
+      type = types.attrsOf types.str;
+    };
+    tsAuthKey = mkOption { type = types.str; };
+    script = mkOption { type = types.str; };
+  };
+  config =
+    let
+      cfg = config.ragon.services.tailscale-openvpn;
+      bridgeExt = "br-ovpn-ext";
+      container = server: "ovpn-${server}";
+      bridge = server: "br-ovpn-${server}";
+    in
+    mkIf cfg.enable
+      {
+        networking.bridges = {
+          ${bridgeExt}.interfaces = [ ];
+        };
+        networking.interfaces = {
+          ${bridgeExt}.ipv4.addresses = [{ address = "192.168.129.1"; prefixLength = 24; }];
+        };
+
+        networking.nat = {
+          enable = true;
+          internalInterfaces = [ bridgeExt ];
+        };
+
+
+        systemd.services = {
+          "container@".after = [ "network.target" ];
+        } // (mapAttrs'
+          (server: _: nameValuePair ("container@${container server}") ({ requires = [ "network-addresses-${bridgeExt}.service" ]; }))
+          cfg.config
+        );
+        containers = builtins.listToAttrs (imap0
+          (i: name: nameValuePair name
+            {
+              autoStart = true;
+              ephemeral = true;
+              enableTun = true;
+              privateNetwork = true;
+              hostBridge = bridgeExt;
+              localAddress = "192.168.129.${toString (i + 2)}/24";
+              bindMounts = {
+                "/host/run" = { hostPath = "/run"; isReadOnly = true; };
+                "/run/agenix.d" = { hostPath = "/run/agenix.d"; isReadOnly = true; };
+              };
+              config = {
+                networking.nameservers = [ "9.9.9.9" ];
+                systemd.services.ovpnScript = {
+                  wantedBy = ["multi-user.target"];
+                  script = ''${pkgs.bash}/bin/bash /host${cfg.script}'';
+                  unitConfig.Type = "oneshot";
+                  requiredBy = [ "tailscaled.service" "openvpn-ovpn.service"];
+                  path = [ pkgs.dig pkgs.iproute2 ];
+                };
+                services.openvpn.servers.ovpn = {
+                  config = ''
+                    config /host${cfg.config.${name}}
+                  '';
+                  up = "echo nameserver $nameserver | ${pkgs.openresolv}/sbin/resolvconf -m 0 -a $dev";
+                  down = "${pkgs.openresolv}/sbin/resolvconf -d $dev";
+                };
+                services.tailscale = {
+                  enable = true;
+                  useRoutingFeatures = "server";
+                  extraUpFlags = [ "--advertise-exit-node" ];
+                  authKeyFile = "/host${cfg.tsAuthKey}";
+                  openFirewall = true;
+                };
+                system.stateVersion = "23.11";
+              };
+
+            })
+          (builtins.attrNames cfg.config));
+
+
+
+      };
+}

old-conf/nixos-modules/services/ts3.nix

@@ -0,0 +1,22 @@
+{ config, lib, pkgs, ... }:
+let
+  cfg = config.ragon.services.ts3;
+in
+{
+  options.ragon.services.ts3.enable = lib.mkEnableOption "Enables the Teamspeak 3 Server";
+  config = lib.mkIf cfg.enable {
+    services.teamspeak3 = {
+      enable = true;
+    };
+    networking.firewall.allowedTCPPorts = [
+      config.services.teamspeak3.queryPort
+      config.services.teamspeak3.fileTransferPort
+    ];
+    networking.firewall.allowedUDPPorts = [
+      config.services.teamspeak3.defaultVoicePort
+    ];
+    ragon.persist.extraDirectories = [
+      "${config.services.teamspeak3.dataDir}"
+    ];
+  };
+}

old-conf/nixos-modules/system/agenix.nix

@@ -0,0 +1,37 @@
+{ options, config, inputs, lib, pkgs, ... }:
+
+with builtins;
+with lib;
+with lib.my;
+let
+  secretsDir = "${toString ../../secrets}";
+  secretsFile = "${secretsDir}/secrets.nix";
+  cfg = config.ragon.agenix;
+in
+{
+  options.ragon.agenix = {
+    enable = mkBoolOpt true;
+    secrets = mkOption {
+      type = types.attrs;
+      default = { };
+    };
+  };
+  config = mkIf cfg.enable {
+    environment.systemPackages = [ inputs.agenix.packages.${pkgs.system}.default ];
+    # Set passwords
+    users.users.root.hashedPasswordFile = config.age.secrets.rootPasswd.path;
+    age.identityPaths =
+      [
+        "/persistent/etc/ssh/ssh_host_ed25519_key"
+      ];
+    age.secrets = mapAttrs (name: obj: ({ file = "${secretsDir}/${name}.age"; } // obj))
+      (cfg.secrets //
+        {
+          rootPasswd = { };
+        }
+      );
+    assertions = [
+      { assertion = (pathExists secretsFile); message = "${secretsFile} does not exist"; }
+    ];
+  };
+}

old-conf/nixos-modules/system/fs.nix

@@ -0,0 +1,80 @@
+{ config, lib, pkgs, ... }:
+with lib;
+with lib.my;
+let
+  cfg = config.ragon.system.fs;
+  nix = cfg.nix;
+  varlog = cfg.varlog;
+  persistent = cfg.persistent;
+  persistentSnapshot = cfg.persistentSnapshot;
+  arcSize = cfg.arcSize;
+  hostName = config.networking.hostName;
+in
+{
+  options.ragon.system.fs = {
+    enable = lib.mkEnableOption "Enables ragons fs stuff, (tmpfs,zfs,backups,...)";
+    mediadata = mkBoolOpt true;
+    swap = mkBoolOpt true;
+    persistentSnapshot = mkBoolOpt true;
+    nix = lib.mkOption {
+      type = lib.types.str;
+      default = "pool/nix";
+    };
+    varlog = lib.mkOption {
+      type = lib.types.str;
+      default = "pool/varlog";
+    };
+    persistent = lib.mkOption {
+      type = lib.types.str;
+      default = "pool/persist";
+    };
+    arcSize = lib.mkOption {
+      type = lib.types.int;
+      default = 2;
+      description = "Sets the ZFS Arc Size (in GB)";
+    };
+  };
+  config = lib.mkIf cfg.enable {
+    services.zfs.autoScrub.enable = true;
+    services.sanoid = {
+      enable = mkDefault persistentSnapshot;
+    } // (if persistentSnapshot then { datasets."${persistent}" = { }; } else { });
+    boot.kernelParams = [ "zfs.zfs_arc_max=${toString (arcSize * 1024 * 1024 * 1024)}" ];
+    fileSystems."/" =
+      {
+        device = "none";
+        fsType = "tmpfs";
+        options = [ "size=8G" "defaults" "mode=755" ];
+      };
+    fileSystems."/nix" =
+      {
+        device = "${nix}";
+        fsType = "zfs";
+        neededForBoot = true;
+      };
+
+    fileSystems."/persistent" =
+      {
+        device = "${persistent}";
+        fsType = "zfs";
+        neededForBoot = true;
+      };
+
+    fileSystems."/var/log" =
+      {
+        device = "${varlog}";
+        fsType = "zfs";
+      };
+
+    fileSystems."/boot" =
+      {
+        device = mkDefault "/dev/disk/by-label/boot";
+        fsType = "vfat";
+        options = [ "noauto" "x-systemd.automount" ];
+      };
+    swapDevices = mkIf cfg.swap [
+      { device = "/persistent/pagefile.sys"; }
+    ];
+
+  };
+}

old-conf/nixos-modules/system/persist.nix

@@ -0,0 +1,39 @@
+{ config, lib, pkgs, inputs, ... }:
+let
+  cfg = config.ragon.persist;
+in
+{
+  options.ragon.persist.enable = lib.mkEnableOption "Enables persistence";
+  options.ragon.persist.extraFiles = lib.mkOption {
+    type = lib.types.listOf lib.types.str;
+    default = [ ];
+  };
+  options.ragon.persist.extraDirectories = lib.mkOption {
+    type = lib.types.listOf lib.types.anything;
+    default = [ ];
+  };
+  options.ragon.persist.baseDir = lib.mkOption {
+    type = lib.types.str;
+    default = "/persistent";
+  };
+  config = lib.mkIf cfg.enable {
+
+    environment.persistence.${cfg.baseDir} = {
+      directories = [
+        "/etc/nixos"
+        "/etc/NetworkManager/system-connections"
+        "/var/lib/nixos"
+        "/root/.ssh"
+      ] ++ (lib.unique cfg.extraDirectories);
+      files = [
+        "/etc/machine-id"
+        "/etc/ssh/ssh_host_rsa_key"
+        "/etc/ssh/ssh_host_rsa_key.pub"
+        "/etc/ssh/ssh_host_ed25519_key"
+        "/etc/ssh/ssh_host_ed25519_key.pub"
+      ] ++ cfg.extraFiles;
+    };
+
+  };
+
+}

old-conf/nixos-modules/system/security.nix

@@ -0,0 +1,27 @@
+{ config, lib, pkgs, ... }:
+with lib;
+with lib.my;
+let
+  cfg = config.ragon.system.security;
+in
+{
+  options.ragon.system.security = {
+    enable = mkBoolOpt true;
+  };
+  config = mkIf cfg.enable {
+    security.sudo.execWheelOnly = true;
+    services.openssh = {
+      settings.PasswordAuthentication = false;
+      allowSFTP = true; # just use rsync, lol
+      settings.KbdInteractiveAuthentication = false;
+      extraConfig = ''
+        AllowTcpForwarding yes
+        X11Forwarding no
+        AllowAgentForwarding no
+        AllowStreamLocalForwarding no
+        AuthenticationMethods publickey
+      '';
+    };
+
+  };
+}

old-conf/nixos-modules/user/default.nix

@@ -0,0 +1,68 @@
+{ config, lib, pkgs, ... }:
+let
+  cfg = config.ragon.user;
+  uid = cfg.uid;
+  username = cfg.username;
+  extraGroups = cfg.extraGroups;
+  extraAuthorizedKeys = cfg.extraAuthorizedKeys;
+  pubkeys = import ../../data/pubkeys.nix;
+
+in
+{
+  options.ragon.user = {
+    enable = lib.mkEnableOption "Enables my user.";
+    uid = lib.mkOption {
+      type = lib.types.nullOr lib.types.int;
+      default = 1000;
+    };
+    username = lib.mkOption {
+      type = lib.types.str;
+      default = "ragon";
+      description = "My username for this system.";
+    };
+    extraGroups = lib.mkOption {
+      type = lib.types.listOf lib.types.str;
+      default = [ ];
+    };
+    extraAuthorizedKeys = lib.mkOption {
+      type = lib.types.listOf lib.types.str;
+      default = [ ];
+      description = "Additional authorized keys";
+    };
+    persistent = {
+      homeDir = lib.mkOption {
+        type = lib.types.str;
+        default = "/persistent/home/${username}";
+        description = "Location of persistent home files";
+      };
+      extraFiles = lib.mkOption {
+        type = lib.types.listOf lib.types.str;
+        default = [ ];
+      };
+      extraDirectories = lib.mkOption {
+        type = lib.types.listOf lib.types.str;
+        default = [ ];
+      };
+    };
+  };
+
+  config = lib.mkIf cfg.enable {
+
+    # Let ~/bin/ be in $PATH
+    environment.homeBinInPath = true;
+    ragon.persist.extraDirectories = [ "/home/${username}" ];
+    programs.zsh.enable = true;
+
+    # Define my user account
+    users.extraUsers.${username} = {
+      isNormalUser = true;
+      uid = uid;
+      extraGroups = [ "wheel" "cdrom" ] ++ extraGroups;
+      shell = pkgs.zsh;
+      openssh.authorizedKeys.keys = pubkeys.ragon.user ++ extraAuthorizedKeys;
+      hashedPasswordFile = config.age.secrets.ragonPasswd.path;
+    };
+    ragon.agenix.secrets.ragonPasswd = { };
+
+  };
+}