Configure beryllium for usage

Justfile

@@ -17,10 +17,10 @@ deploy:
   }}
 
 europium:
-  nixos-rebuild switch --flake .#europium --target-host europium --build-host europium --use-remote-sudo
+  nixos-rebuild switch --flake .#europium --target-host europium-deploy --build-host europium --use-remote-sudo
 
 beryllium:
-  nixos-rebuild switch --flake .#beryllium --target-host beryllium --build-host beryllium --use-remote-sudo
+  nixos-rebuild switch --flake .#beryllium --target-host beryllium-deploy --build-host beryllium --use-remote-sudo
   
 # Opens the elements configuration in the default editor
 edit:

flake.lock

@@ -934,6 +934,21 @@
         "type": "github"
       }
     },
+    "quadlet": {
+      "locked": {
+        "lastModified": 1754008153,
+        "narHash": "sha256-MYT1mDtSkiVg343agxgBFsnuNU3xS8vRy399JXX1Vw0=",
+        "owner": "SEIAROTg",
+        "repo": "quadlet-nix",
+        "rev": "1b2d27d460d8c7e4da5ba44ede463b427160b5c4",
+        "type": "github"
+      },
+      "original": {
+        "owner": "SEIAROTg",
+        "repo": "quadlet-nix",
+        "type": "github"
+      }
+    },
     "root": {
       "inputs": {
         "agenix": "agenix",
@@ -947,6 +962,7 @@
         "hyprland": "hyprland",
         "musnix": "musnix",
         "nixpkgs": "nixpkgs_4",
+        "quadlet": "quadlet",
         "rose-pine-hyprcursor": "rose-pine-hyprcursor",
         "snowfall": "snowfall",
         "split-monitor-workspaces": "split-monitor-workspaces"

flake.nix

@@ -35,9 +35,17 @@
         ];
         beryllium.modules = [
           copyparty.nixosModules.default
+          quadlet.nixosModules.quadlet
+        ];
+        europium.modules = [
+          quadlet.nixosModules.quadlet
         ];
       };
 
+      homes.users."christopher@beryllium".modules = with inputs; [
+        quadlet.homeManagerModules.quadlet
+      ];
+
       # Configure nixpkgs when instantiating the package set
       # TODO: This is already specified elsewhere. Still needed here?
       channels-config = {
@@ -110,6 +118,7 @@
       inputs.hyprland.follows = "hyprland";
     };
 
+    quadlet.url = "github:SEIAROTg/quadlet-nix";
     musnix.url = "github:musnix/musnix";
 
     docker-compose-1.url = github:nixos/nixpkgs/b0f0b5c6c021ebafbd322899aa9a54b87d75a313;

homes/x86_64-linux/christopher@beryllium/default.nix

@@ -0,0 +1,32 @@
+{
+  pkgs,
+  config,
+  ...
+}: {
+  elements.secrets = {
+    rekeyPath = "christopher_beryllium";
+    key = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBUKDCjB0VpQubi8BfnYKbh4MIE1tcvKQesdoPE4NXAf";
+
+    needs = {
+      traefik-env = "traefik.env.age";
+    };
+  };
+
+  # virtualisation.quadlet.containers = {
+  #   echo = {
+  #     autoStart = true;
+  #     serviceConfig = {
+  #       RestartSec = "10";
+  #       Restart = "always";
+  #     };
+  #     containerConfig = {
+  #       image = "docker.io/mendhak/http-https-echo:31";
+  #       publishPorts = ["127.0.0.1:8080:8080"];
+  #     };
+  #   };
+  # };
+
+  home.packages = with pkgs; [
+    helix
+  ];
+}

secrets/rekeyed/beryllium/f5fac061d23fe6d1347e4e94aabe277f-smbSecrets.age

@@ -0,0 +1,8 @@
+age-encryption.org/v1
+-> ssh-ed25519 pySEWw kigbWfXfeb8YlBMpSWM+jDPtjYeAltdTORqPQ7kqnFg
+P8j10qrMzjWZ91FVnn4sLugS/AcS2XrMr9TRal5gRVc
+-> m0^G"4-grease p]TT RuLz
+9HFjCiuy7w
+--- j57VRBCbLMVDI2s7DnpBwTvVzzvqwMdXL6Ec/9Tg6MA
+c‘DÍ_FT,hº³
}/<2F>;A8õüPýþØ%/:E)pè”Õ€
+mœ‚¾qý{J­–UÚë†kï¸n
\8L}j›'Ãî‰yaãJ

secrets/rekeyed/christopher_beryllium/8118cd92c3025c1f5bd7a4f4aabbf554-traefik-env.age

@@ -0,0 +1,8 @@
+age-encryption.org/v1
+-> ssh-ed25519 pySEWw yyra9wL+n2gFPpbmnkvbsxBverCR/r7yPSw3aCD0slk
+65Vc/tQKzfsFC5smIqHmXA7NlSJLW8oXAYPYiX3bGcw
+-> MV*6+^H-grease uV!LS]1* B5lCK], yjN7.
+O1RM77BbFx0SsKlEXUVAJCswHGS1oKfX1ZvBNcF47W0o//6iiBHOWTvpaW15xVMZ
+00g
+--- XNgzqoXEkkzK8TE/A81FFduXsiDouJFXV/9o/m/bnss
+Q1‡©0#ÍšÎi~d¹Ç~ïòEðlÔgG–^OÕ,ÊP:¹¡Ö£¨ëø[if>•,@i<>|D‹J¹åm)P8hé·2ÈVÃãüÑkš)ø7›£>u@qò¡–
Í#͈×<CB86>ïfå<>¨ä<C2A8>™Û¥+¡O,œa<C593>,ð%éátRË[7<>îN

secrets/traefik.env.age

@@ -0,0 +1,11 @@
+age-encryption.org/v1
+-> X25519 bXMX40Vz9sJqcVcb3ote48FAUxB+GzTQ4rOP8rI8O34
+KlAn7X9p9EqKxmiBOBg/apVLCSMAoOTsEF4BW8pBxng
+-> piv-p256 Kmn3OQ A5tjfx5HhP+RRxXD3dQmuZnxezXp1SdmlGbhBazV8EMz
+B/6jGDqQagB2ZSxC2WhZcDcu6YfJokHTR0DtrIJ45Tk
+-> f!=YO-grease (YufTYP (VD px s8\X~Fzn
+WYavDbOneKQ/pdc369k8fqDS2ITD+rQ
+--- HE0AabwaJ9U/2CWSqIghcWxhIW9fwNCqCkZFhcb+xnU
+�169C77jܲm0
,ˆ¬¼' Ã
+:“fxB¶âè<C3A2>¤ûð¢ëRÞ]¥b
Š\÷
ç7^¹k°h<C2B0>>ºƒæ–‰¤¾­üª¡|žÀ[ßxj’ƒdIÄ
+æU¼ÖÈ"erR–»Y½Š±@6=4Øü}w

systems/x86_64-linux/beryllium/default.nix

@@ -3,6 +3,7 @@
 # NUC / HomeLab environment
 {
   lib,
+  config,
   pkgs,
   ...
 }: {
@@ -48,23 +49,72 @@
     users = ["christopher"];
     secrets = {
       key = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBUKDCjB0VpQubi8BfnYKbh4MIE1tcvKQesdoPE4NXAf";
+      needs = {
+        smbSecrets = "smb-secrets.age";
+      };
     };
   };
 
+  networking.firewall.enable = false;
+  networking.dhcpcd.IPv6rs = false;
+
+  users.users.christopher.linger = true; # autostart of quadlets before login
+  users.users.christopher.autoSubUidGidRange = true;
   users.users.christopher.openssh.authorizedKeys.keys = ["ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMVKJfY6B9TsUPdPXy3tkqL42sJgJRz3NOOKTqhytMMf christopher@cobalt"];
+  users.users.root.openssh.authorizedKeys.keys = ["ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMVKJfY6B9TsUPdPXy3tkqL42sJgJRz3NOOKTqhytMMf christopher@cobalt"];
 
   services = {
-    openssh.enable = true;
-    openssh.ports = [7319];
-    openssh.settings.PasswordAuthentication = false;
+    openssh = {
+      enable = true;
+      ports = [7319];
+      settings.PasswordAuthentication = false;
+    };
 
-    beszel-agent.enable = true;
-    beszel-agent.key = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMkUPOw28Cu2LMuzfmvjT/L2ToNHcADwGyGvSpJ4wH2T";
+    beszel-agent = {
+      enable = true;
+      key = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMkUPOw28Cu2LMuzfmvjT/L2ToNHcADwGyGvSpJ4wH2T";
+    };
   };
 
-  virtualisation.podman.enable = true;
+  boot.kernel.sysctl = {
+    # We require this so that a rootless traefik can bind to port 80.
+    "net.ipv4.ip_unprivileged_port_start" = "80";
+  };
+
+  # virtualisation.quadlet.enable = true;
+  virtualisation.podman = {
+    enable = true;
+    defaultNetwork.settings = {
+      dns_enabled = true;
+      # Override the default subnet as it overlaps with my LAN.
+      subnets = [
+        {
+          gateway = "172.16.0.1";
+          subnet = "172.16.0.0/16";
+        }
+      ];
+    };
+  };
+
+  fileSystems."/mnt/nuc/_NAS_Media" = {
+    device = "//10.1.0.1/_NAS_Media";
+    fsType = "cifs";
+    options = let
+      automount_opts = "x-systemd.automount,noauto,x-systemd.idle-timeout=60,x-systemd.device-timeout=5s,x-systemd.mount-timeout=5s";
+    in ["${automount_opts},credentials=${config.age.secrets.smbSecrets.path},uid=100999,gid=10999,vers=1.0"];
+  };
+
+  fileSystems."/mnt/nuc/Ix" = {
+    device = "//10.1.0.1/Ix";
+    fsType = "cifs";
+    options = let
+      automount_opts = "x-systemd.automount,noauto,x-systemd.idle-timeout=60,x-systemd.device-timeout=5s,x-systemd.mount-timeout=5s";
+    in ["${automount_opts},credentials=${config.age.secrets.smbSecrets.path},uid=100999,gid=10999,vers=1.0"];
+  };
 
   environment.systemPackages = with pkgs; [
+    cifs-utils
+    helix
     podman-compose
   ];
 }

systems/x86_64-linux/beryllium/hardware.nix

@@ -14,4 +14,14 @@
   virtualisation.virtualbox.guest.enable = true;
 
   hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+
+  fileSystems."/mnt/external" = {
+    device = "/dev/disk/by-uuid/0fc53086-d326-4663-973c-aa224a3f8589";
+    fsType = "ext4";
+    options = [
+      "nofail"
+      "exec"
+      "users"
+    ];
+  };
 }