feat: init

.gitignore

@@ -0,0 +1,2 @@
+/.pre-commit-config.yaml
+/result

config/acme.nix

@@ -0,0 +1,13 @@
+{config, ...}: {
+  security.acme = {
+    acceptTerms = true;
+    defaults.email = "hey@winston.sh";
+    certs."winston.sh" = {
+      extraDomainNames = [
+        "*.winston.sh"
+      ];
+      dnsProvider = "porkbun";
+      credentialsFile = config.age.secrets."lego/porkbun-credentials".path;
+    };
+  };
+}

config/default.nix

@@ -0,0 +1,11 @@
+{
+  imports = [
+    ./games
+    ./secrets
+    ./services
+    ./acme.nix
+    ./network.nix
+    ./nix.nix
+    ./users.nix
+  ];
+}

config/games/default.nix

@@ -0,0 +1,5 @@
+{
+  imports = [
+    ./valheim.nix
+  ];
+}

config/games/valheim.nix

@@ -0,0 +1,20 @@
+{lib, ...}: {
+  nixpkgs.config.allowUnfreePredicate = pkg:
+    builtins.elem (lib.getName pkg) [
+      "valheim-server"
+      "steamworks-sdk-redist"
+    ];
+
+  services.valheim = {
+    enable = true;
+    crossplay = true;
+    openFirewall = true;
+    password = "hunter2";
+    serverName = "Nixheim";
+    worldName = "Owoheim";
+  };
+
+  users.users.valheim = {
+    createHome = true;
+  };
+}

config/network.nix

@@ -0,0 +1,11 @@
+{
+  networking.firewall.enable = true;
+  services = {
+    fail2ban.enable = true;
+    openssh = {
+      enable = true;
+      ports = [1322];
+      settings.PasswordAuthentication = false;
+    };
+  };
+}

config/nix.nix

@@ -0,0 +1,3 @@
+{
+  nix.settings.experimental-features = ["nix-command" "flakes"];
+}

config/secrets/.identities/yubikey5ci.txt

@@ -0,0 +1,9 @@
+#       Serial: 17700673, Slot: 1
+#         Name: age identity 30be8d70
+#      Created: Sun, 02 Jul 2023 11:06:17 +0000
+#   PIN policy: Once   (A PIN is required once per session, if set)
+# Touch policy: Always (A physical touch is required for every decryption)
+#    Recipient: age1yubikey1qfkn095xth4ukxjye98ew4ul6xdkyz7sek0hd67yfjs5z6tv7q9jgnfchls
+AGE-PLUGIN-YUBIKEY-1GYTSUQVZXZLG6UQYHVHNU
+
+

config/secrets/containers/ghcr-token.age

@@ -0,0 +1,10 @@
+age-encryption.org/v1
+-> ssh-ed25519 zj2A2A 1dnkWG8Ic+DVFRirpo9Hz8J1CbLW78igaa67ftcEEmw
+9QI26X2BtxrUVio0D4PmV1BiR5GhF2lmGbFWFghUbgo
+-> piv-p256 ML6NcA AoEmMFTu3hck1RApBe9jgTWYxM+U6Icum3P/cYjxtDHF
+gbn+RbHuvjVnowcj2ut0/u7qU4t9fwu2bOnY3zzdeaM
+-> %}]%Q(-grease 3 t^3 VxG \V{K%:pS
+XVFJBwehSiw
+--- zjRwouGqjn//jgr4Glva3Jx8jQo+TAGt2nMacZvT8Aw
+—kâèTè6ÄWÛ oV¸ËÝ-{”òâÞä&sÿ¿å‰4a\Št<C5A0>Æh¼#V¼JØ
+Åû
Ö}}{?5<>€Z¦+…ª¯/Ô™

config/secrets/default.nix

@@ -0,0 +1,7 @@
+{
+  age.secrets = with builtins;
+    listToAttrs (map (k: {
+      name = substring 0 (stringLength k - 4) k;
+      value = {file = ./. + "/${k}";};
+    }) (attrNames (import ./secrets.nix)));
+}

config/secrets/lego/porkbun-credentials.age

@@ -0,0 +1,11 @@
+age-encryption.org/v1
+-> ssh-ed25519 zj2A2A F7giWWpkO4uib8YrTUUzjsiHBVEDF7Zr+l0r3PfXNWU
+VRryBJU5hX8YJ9G2qadqwac5rQAsCOi2+zk/ZQC8AB4
+-> piv-p256 ML6NcA A9kB33XAGcnv5fE4DU8t80COVFcj1F52+/yqnKrhp6zb
+CBN7fYeRzpV1mkSyySZ6yXcI0/TDmL0kW6f9i6G4+i0
+-> f5eV-grease 7a'rDO> `"f !a2
+98yuvIuXcXNbBHRIp+AqecZz0X0rjgTCerkwJR7VcnxtTwr66MTAwoeIv3LpVYT/
+8okBLxhmhhh57GJwMSJDI04UHubtl3dNQsZGDXVYp/xqK7GlhYob
+--- hzqeb35v+5Go+1CqJU9yk+VfsZriQUKcswVqXF+Cxhw
+¯ûÖ€óµö
0fõå³
+Gô¥¬?ëé$g3löÚZª%‚¨Êg
PA<ÊÎ_wú÷á4T!˜Þq)B£3›á7ï’ÙV²‡™ï1‹G°Š×_ºsë)s¾ãÜb¼G -w¹DM¬vº<76>%&Ú¿oGGίé?ΦÉÑ;¬‡B ½Ø†"£JíßpñÛ[»‡â—õ]mëŠÏç<C38F>C2@Û<>§ô‹Y®ÚÖ@I1¢(3÷x°½=ÜK)­ÉhâÀ¹/H8'Ðzîâ@šëbˆ®Ë«ó‘ؽ÷

config/secrets/secrets.nix

@@ -0,0 +1,13 @@
+let
+  users.winston = "age1yubikey1qfkn095xth4ukxjye98ew4ul6xdkyz7sek0hd67yfjs5z6tv7q9jgnfchls";
+  systems.main-node = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFcY5fuyxK8rs3eocLuLnvSPDL6qcvq7oUdYrE+wLj0y";
+
+  default = [users.winston systems.main-node];
+in {
+  "containers/faerber.env.age".publicKeys = default;
+  "containers/pepperjack.env.age".publicKeys = default;
+  "containers/ghcr-token.age".publicKeys = default;
+  "lego/porkbun-credentials.age".publicKeys = default;
+  "services/invidious/config.json.age".publicKeys = default;
+  "services/invidious/password-database.age".publicKeys = default;
+}

config/secrets/services/invidious/config.json.age

@@ -0,0 +1,9 @@
+age-encryption.org/v1
+-> ssh-ed25519 zj2A2A uy090JTFBmjPc0j2Em0zNPcCHe9Seei2srS4Ee/SxA8
+PwovctZhzN5/qz/CBsbhZM24hR96nXBJP+kVgqTpU+A
+-> piv-p256 ML6NcA AtNqkaYFpMfoN1rERuJ70sMvdYmJnE/Aaf+NYBzeIQ9M
+FmDGncGbmWKx72XslOUvZEShtYoM4iuUhlHQqcD7hIc
+-> pP3QG-grease |8 4 h gp4`[
+SUMev8xAjCCR/rqf
+--- deAzSOQkmifm4lVq1rI4aFX6aizyIk1zeczOZ70NQB4
+ZLß{‡ö|=víöºáJK¿ÔŠ§°N<C2B0>HѺ>g»ïë
†¹yÊø7]$å
ëo¼$ aü<>•«ÝpÊN·ÛBïs7Œ¯

config/secrets/services/invidious/password-database.age

@@ -0,0 +1,9 @@
+age-encryption.org/v1
+-> ssh-ed25519 zj2A2A xD77WFTcXcFVc0eYiUO23mM6eUyzAq89Fqj6ZbnysC8
+dsf0iHniJD81xO1/5QyrMrbBTVA5Pp+EnzbRJnqNijQ
+-> piv-p256 ML6NcA AqgOiVHO21MZ2VAmRhYZO7Kuwuv2RVT2MyGj2JTNZ4Ub
+nvybVN766NUkoEgpfLlJdoMOIVsOY94tIhF+wHMESf0
+-> n-grease v5D,E1 Xs1 ; )apR
+ZMbnYAWO9fyMXeZMChugD+kTbKcU+j3kyT+5lPfizhwc9LAn4Ql50Afc
+--- 1HswhlIJWOU/Lj5jBUu8tNfw68a3MUgPb2pGy5dn0rI
+î,´gÒ·³È§(¼}®"°tÍß“çécê¾[+W¤:‹Œ¹Óg<C393>‰ÝS‰´ÏWlÙõ‚ºÆ‡üö§û1a*ˆ ïÌ!¼Ž<02>(¾ˆŒµïø“6$

config/services/containers.nix

@@ -0,0 +1,45 @@
+{config, ...}: let
+  ghcrLogin = {
+    registry = "ghcr.io";
+    username = "nekowinston";
+    passwordFile = config.age.secrets."containers/ghcr-token".path;
+  };
+  websitePort = "14139";
+in {
+  virtualisation.oci-containers.containers = {
+    faerber-bot = {
+      image = "ghcr.io/nekowinston/faerber/faerber-discord-bot:latest";
+      environmentFiles = [
+        config.age.secrets."containers/faerber.env".path
+      ];
+    };
+
+    pepperjack = {
+      image = "docker.io/phasecorex/red-discordbot:latest";
+      environment = {
+        TOKEN = "~";
+        OWNER = "505490445468696576";
+      };
+      environmentFiles = [
+        config.age.secrets."containers/pepperjack.env".path
+      ];
+      volumes = [
+        "/srv/data-pepperjack:/data"
+      ];
+    };
+
+    website = {
+      image = "ghcr.io/nekowinston/winston.sh/winston-sh:latest";
+      login = ghcrLogin;
+      ports = ["127.0.0.1:${websitePort}:3000"];
+    };
+  };
+
+  services.nginx.virtualHosts."winston.sh" = {
+    locations."/".proxyPass = "http://127.0.0.1:${websitePort}";
+    forceSSL = true;
+
+    enableACME = false;
+    useACMEHost = "winston.sh";
+  };
+}

config/services/default.nix

@@ -0,0 +1,7 @@
+{
+  imports = [
+    ./containers.nix
+    ./invidious.nix
+    ./nginx.nix
+  ];
+}

config/services/invidious.nix

@@ -0,0 +1,35 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}: {
+  services.invidious = {
+    enable = true;
+    package = pkgs.unstable.invidious;
+
+    database.passwordFile = config.age.secrets."services/invidious/password-database".path;
+    domain = "iv.winston.sh";
+    port = 3030;
+    nginx.enable = true;
+
+    settings = {
+      external_port = lib.mkForce 443;
+      popular_enabled = false;
+      statistics_enabled = false;
+      use_pubsub_feeds = true;
+      default_user_preferences = {
+        region = "US";
+      };
+    };
+    extraSettingsFile = config.age.secrets."services/invidious/config.json".path;
+  };
+
+  services.nginx.virtualHosts.${config.services.invidious.domain} = {
+    forceSSL = true;
+    enableACME = false;
+    useACMEHost = "winston.sh";
+  };
+
+  age.secrets."services/invidious/config.json".mode = "777";
+}

config/services/nginx.nix

@@ -0,0 +1,38 @@
+{pkgs, ...}: {
+  services.nginx = {
+    enable = true;
+    package = pkgs.nginxMainline;
+
+    recommendedGzipSettings = true;
+    recommendedOptimisation = true;
+    recommendedProxySettings = true;
+    recommendedTlsSettings = true;
+
+    # https://github.com/NixOS/nixpkgs/issues/180980#issuecomment-1179723811
+    virtualHosts = {
+      "defaultDummy404" = {
+        default = true;
+        serverName = "_";
+        locations."/".extraConfig = "return 404;";
+        locations."/.well-known/acme-challenge".root = "/var/lib/acme/acme-challenge";
+      };
+      "defaultDummy404ssl" = let
+        snakeoilCert = pkgs.runCommand "nginx-snakeoil-cert" {buildInputs = [pkgs.openssl];} ''
+          mkdir "$out"
+          openssl req -newkey rsa:4096 -x509 -sha256 -days 36500 -subj '/CN=Snakeoil CA' -nodes -out "$out/cert.pem" -keyout "$out/cert.key"
+        '';
+      in {
+        default = true;
+        serverName = "_";
+        locations."/".extraConfig = "return 404;";
+        locations."/.well-known/acme-challenge".root = "/var/lib/acme/acme-challenge";
+        # Dummy SSL config
+        onlySSL = true;
+        sslCertificate = "${snakeoilCert}/cert.pem";
+        sslCertificateKey = "${snakeoilCert}/cert.key";
+      };
+    };
+  };
+  networking.firewall.allowedTCPPorts = [80 443];
+  users.users.nginx.extraGroups = ["acme"];
+}

config/users.nix

@@ -0,0 +1,18 @@
+{pkgs, ...}: {
+  i18n.defaultLocale = "en_US.UTF-8";
+
+  users.users.winston = {
+    isNormalUser = true;
+    extraGroups = ["wheel"];
+    openssh.authorizedKeys.keys = [
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILm0O46zW/XfVOSwz0okRWYeOAg+wCVkCtCAoVTpZsOh"
+    ];
+    shell = pkgs.bashInteractive;
+  };
+  users.users.root = {
+    openssh.authorizedKeys.keys = [
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILm0O46zW/XfVOSwz0okRWYeOAg+wCVkCtCAoVTpZsOh"
+    ];
+    shell = pkgs.bashInteractive;
+  };
+}

flake.lock

@@ -0,0 +1,290 @@
+{
+  "nodes": {
+    "agenix": {
+      "inputs": {
+        "darwin": [],
+        "home-manager": [],
+        "nixpkgs": "nixpkgs"
+      },
+      "locked": {
+        "lastModified": 1684153753,
+        "narHash": "sha256-PVbWt3qrjYAK+T5KplFcO+h7aZWfEj1UtyoKlvcDxh0=",
+        "owner": "ryantm",
+        "repo": "agenix",
+        "rev": "db5637d10f797bb251b94ef9040b237f4702cde3",
+        "type": "github"
+      },
+      "original": {
+        "owner": "ryantm",
+        "repo": "agenix",
+        "type": "github"
+      }
+    },
+    "flake-compat": {
+      "flake": false,
+      "locked": {
+        "lastModified": 1673956053,
+        "narHash": "sha256-4gtG9iQuiKITOjNQQeQIpoIB6b16fm+504Ch3sNKLd8=",
+        "owner": "edolstra",
+        "repo": "flake-compat",
+        "rev": "35bb57c0c8d8b62bbfd284272c928ceb64ddbde9",
+        "type": "github"
+      },
+      "original": {
+        "owner": "edolstra",
+        "repo": "flake-compat",
+        "type": "github"
+      }
+    },
+    "flake-utils": {
+      "locked": {
+        "lastModified": 1667395993,
+        "narHash": "sha256-nuEHfE/LcWyuSWnS8t12N1wc105Qtau+/OdUAjtQ0rA=",
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "rev": "5aed5285a952e0b949eb3ba02c12fa4fcfef535f",
+        "type": "github"
+      },
+      "original": {
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "type": "github"
+      }
+    },
+    "flake-utils_2": {
+      "inputs": {
+        "systems": "systems"
+      },
+      "locked": {
+        "lastModified": 1681202837,
+        "narHash": "sha256-H+Rh19JDwRtpVPAWp64F+rlEtxUWBAQW28eAi3SRSzg=",
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "rev": "cfacdce06f30d2b68473a46042957675eebb3401",
+        "type": "github"
+      },
+      "original": {
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "type": "github"
+      }
+    },
+    "gitignore": {
+      "inputs": {
+        "nixpkgs": [
+          "pre-commit-hooks",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1660459072,
+        "narHash": "sha256-8DFJjXG8zqoONA1vXtgeKXy68KdJL5UaXR8NtVMUbx8=",
+        "owner": "hercules-ci",
+        "repo": "gitignore.nix",
+        "rev": "a20de23b925fd8264fd7fad6454652e142fd7f73",
+        "type": "github"
+      },
+      "original": {
+        "owner": "hercules-ci",
+        "repo": "gitignore.nix",
+        "type": "github"
+      }
+    },
+    "nixinate": {
+      "inputs": {
+        "nixpkgs": [
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1688141737,
+        "narHash": "sha256-qHrNMYWukOKmKVf6wXOGKj1xxUnOGjvTRbt/PLLXuBE=",
+        "owner": "matthewcroughan",
+        "repo": "nixinate",
+        "rev": "7902ae845e6cc5bd450e510cdf5e009a6e4a44d9",
+        "type": "github"
+      },
+      "original": {
+        "owner": "matthewcroughan",
+        "repo": "nixinate",
+        "type": "github"
+      }
+    },
+    "nixpkgs": {
+      "locked": {
+        "lastModified": 1677676435,
+        "narHash": "sha256-6FxdcmQr5JeZqsQvfinIMr0XcTyTuR7EXX0H3ANShpQ=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "a08d6979dd7c82c4cef0dcc6ac45ab16051c1169",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
+        "ref": "nixos-unstable",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
+    "nixpkgs-stable": {
+      "locked": {
+        "lastModified": 1678872516,
+        "narHash": "sha256-/E1YwtMtFAu2KUQKV/1+KFuReYPANM2Rzehk84VxVoc=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "9b8e5abb18324c7fe9f07cb100c3cd4a29cda8b8",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
+        "ref": "nixos-22.11",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
+    "nixpkgs-unstable": {
+      "locked": {
+        "lastModified": 1688188316,
+        "narHash": "sha256-CXuQllDKCxtZaB/umnZOvoJ/d4kJguYgffeTA9l1B3o=",
+        "owner": "nixos",
+        "repo": "nixpkgs",
+        "rev": "8277b539d371bf4308fc5097911aa58bfac1794f",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nixos",
+        "ref": "nixpkgs-unstable",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
+    "nixpkgs_2": {
+      "locked": {
+        "lastModified": 1688109178,
+        "narHash": "sha256-BSdeYp331G4b1yc7GIRgAnfUyaktW2nl7k0C577Tttk=",
+        "owner": "nixos",
+        "repo": "nixpkgs",
+        "rev": "b72aa95f7f096382bff3aea5f8fde645bca07422",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nixos",
+        "ref": "nixos-23.05",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
+    "nixpkgs_3": {
+      "locked": {
+        "lastModified": 1681303793,
+        "narHash": "sha256-JEdQHsYuCfRL2PICHlOiH/2ue3DwoxUX7DJ6zZxZXFk=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "fe2ecaf706a5907b5e54d979fbde4924d84b65fc",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
+        "ref": "nixos-unstable",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
+    "pre-commit-hooks": {
+      "inputs": {
+        "flake-compat": "flake-compat",
+        "flake-utils": "flake-utils",
+        "gitignore": "gitignore",
+        "nixpkgs": "nixpkgs_3",
+        "nixpkgs-stable": "nixpkgs-stable"
+      },
+      "locked": {
+        "lastModified": 1682596858,
+        "narHash": "sha256-Hf9XVpqaGqe/4oDGr30W8HlsWvJXtMsEPHDqHZA6dDg=",
+        "owner": "cachix",
+        "repo": "pre-commit-hooks.nix",
+        "rev": "fb58866e20af98779017134319b5663b8215d912",
+        "type": "github"
+      },
+      "original": {
+        "owner": "cachix",
+        "repo": "pre-commit-hooks.nix",
+        "type": "github"
+      }
+    },
+    "root": {
+      "inputs": {
+        "agenix": "agenix",
+        "nixinate": "nixinate",
+        "nixpkgs": "nixpkgs_2",
+        "nixpkgs-unstable": "nixpkgs-unstable",
+        "pre-commit-hooks": "pre-commit-hooks",
+        "valheim-server": "valheim-server"
+      }
+    },
+    "steam-fetcher": {
+      "inputs": {
+        "flake-utils": [
+          "valheim-server",
+          "flake-utils"
+        ],
+        "nixpkgs": [
+          "valheim-server",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1686720327,
+        "narHash": "sha256-tXr09buKDKv81pnmcIwJ7eq2MaaU+4qfYrp6Mvb8buw=",
+        "owner": "nix-community",
+        "repo": "steam-fetcher",
+        "rev": "30964171f7c1711dc6edbe98f0839a40477a6f54",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-community",
+        "repo": "steam-fetcher",
+        "type": "github"
+      }
+    },
+    "systems": {
+      "locked": {
+        "lastModified": 1681028828,
+        "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
+        "owner": "nix-systems",
+        "repo": "default",
+        "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-systems",
+        "repo": "default",
+        "type": "github"
+      }
+    },
+    "valheim-server": {
+      "inputs": {
+        "flake-utils": "flake-utils_2",
+        "nixpkgs": [
+          "nixpkgs"
+        ],
+        "steam-fetcher": "steam-fetcher"
+      },
+      "locked": {
+        "lastModified": 1686971068,
+        "narHash": "sha256-0EePXsNXJf+Ipt4AdWRbHbK2gSgLO9f6oeKUaugbUIk=",
+        "owner": "aidalgol",
+        "repo": "valheim-server-flake",
+        "rev": "8934c7fd73bf7cec262cc05fba92bb5e79ec195c",
+        "type": "github"
+      },
+      "original": {
+        "owner": "aidalgol",
+        "repo": "valheim-server-flake",
+        "type": "github"
+      }
+    }
+  },
+  "root": "root",
+  "version": 7
+}

flake.nix

@@ -0,0 +1,77 @@
+{
+  inputs = {
+    nixpkgs.url = "github:nixos/nixpkgs/nixos-23.05";
+    nixpkgs-unstable.url = "github:nixos/nixpkgs/nixpkgs-unstable";
+
+    agenix = {
+      url = "github:ryantm/agenix";
+      inputs.darwin.follows = "";
+      inputs.home-manager.follows = "";
+    };
+    valheim-server = {
+      url = "github:aidalgol/valheim-server-flake";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
+
+    nixinate = {
+      url = "github:matthewcroughan/nixinate";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
+    pre-commit-hooks.url = "github:cachix/pre-commit-hooks.nix";
+  };
+
+  outputs = {
+    self,
+    nixpkgs,
+    ...
+  } @ inputs: let
+    system = "x86_64-linux";
+    overlays = final: prev: {
+      unstable = inputs.nixpkgs-unstable.legacyPackages.${prev.system};
+    };
+  in {
+    apps = inputs.nixinate.nixinate.${system} self;
+
+    nixosConfigurations.main-node = nixpkgs.lib.nixosSystem {
+      inherit system;
+      modules = [
+        {
+          _module.args.nixinate = {
+            host = "main-node";
+            buildOn = "remote";
+            hermetic = false;
+          };
+          nixpkgs.overlays = [overlays];
+        }
+        ./hosts/main-node
+        ./config
+        inputs.agenix.nixosModules.default
+        inputs.valheim-server.nixosModules.default
+      ];
+    };
+
+    checks.${system}.pre-commit-check = inputs.pre-commit-hooks.lib.${system}.run {
+      src = ./.;
+      hooks = {
+        alejandra.enable = true;
+        deadnix.enable = true;
+        shellcheck.enable = true;
+        stylua.enable = true;
+      };
+      settings.deadnix = {
+        noLambdaPatternNames = true;
+        noLambdaArg = true;
+      };
+    };
+
+    devShells.${system}.default = let
+      pkgs = nixpkgs.legacyPackages.${system};
+    in
+      pkgs.mkShell {
+        inherit (self.checks.${system}.pre-commit-check) shellHook;
+        buildInputs = [
+          inputs.agenix.packages.${system}.agenix
+        ];
+      };
+  };
+}

hosts/main-node/default.nix

@@ -0,0 +1,39 @@
+{pkgs, ...}: {
+  imports = [./hardware-configuration.nix];
+
+  boot = {
+    loader = {
+      grub.enable = true;
+      grub.device = "/dev/sda";
+    };
+    kernelPackages = pkgs.linuxPackages_latest;
+  };
+
+  networking = {
+    hostName = "main-node";
+    nameservers = [
+      "46.38.225.230"
+      "46.38.252.230"
+      "2a03:4000:0:1::e1e6"
+      "2a03:4000:8000::fce6"
+    ];
+    interfaces.ens3 = {
+      useDHCP = true;
+      ipv4.addresses = [
+        {
+          address = "188.68.44.196";
+          prefixLength = 32;
+        }
+      ];
+    };
+  };
+  time.timeZone = "Europe/Vienna";
+
+  # This value determines the NixOS release from which the default
+  # settings for stateful data, like file locations and database versions
+  # on your system were taken. It‘s perfectly fine and recommended to leave
+  # this value at the release version of the first install of this system.
+  # Before changing this value read the documentation for this option
+  # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
+  system.stateVersion = "23.05";
+}

hosts/main-node/hardware-configuration.nix

@@ -0,0 +1,47 @@
+{
+  config,
+  lib,
+  modulesPath,
+  ...
+}: {
+  imports = [
+    (modulesPath + "/profiles/qemu-guest.nix")
+  ];
+
+  boot.initrd.availableKernelModules = ["ata_piix" "uhci_hcd" "virtio_pci" "virtio_scsi" "sd_mod" "sr_mod"];
+  boot.initrd.kernelModules = [];
+  boot.kernelModules = [];
+  boot.extraModulePackages = [];
+
+  fileSystems."/" = {
+    device = "/dev/disk/by-uuid/8e282da8-0e52-4515-8647-fff793b8ead8";
+    fsType = "btrfs";
+    options = ["subvol=root"];
+  };
+
+  fileSystems."/home" = {
+    device = "/dev/disk/by-uuid/8e282da8-0e52-4515-8647-fff793b8ead8";
+    fsType = "btrfs";
+    options = ["subvol=home"];
+  };
+
+  fileSystems."/nix" = {
+    device = "/dev/disk/by-uuid/8e282da8-0e52-4515-8647-fff793b8ead8";
+    fsType = "btrfs";
+    options = ["subvol=nix"];
+  };
+
+  swapDevices = [];
+
+  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+  # (the default) this is the recommended approach. When using systemd-networkd it's
+  # still possible to use this option, but it's recommended to use it in conjunction
+  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
+  networking.useDHCP = lib.mkDefault true;
+  # networking.interfaces.ens3.useDHCP = lib.mkDefault true;
+
+  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+  hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+
+  services.qemuGuest.enable = true;
+}