Rebase to flake parts #1

modules/hosts/nix-server/configuration.nix

@@ -0,0 +1,82 @@
+{ self, inputs, ... }: {
+  flake.nixosModules.nix-serverConfiguration =
+    {
+      self,
+      config,
+      lib,
+      pkgs,
+      ...
+    }:
+    {
+      imports = [
+        self.nixosModules.nix-serverHardware
+        inputs.sops-nix.nixosModules.sops
+        self.nixosModules.system
+        self.nixosModules.users
+        ./_services/attic-cache-server.nix
+        ./_services/portainer.nix
+        ./_services/swiftshare.nix
+        ./_services/immich.nix
+      ];
+
+      boot.loader.grub = {
+        enable = true;
+        efiSupport = false;
+        device = "/dev/sda";
+      };
+
+      services.qemuGuest.enable = true;
+
+      services.openssh = {
+        enable = true;
+        settings = {
+          PasswordAuthentication = true;
+          KbdInteractiveAuthentication = false;
+          PermitRootLogin = "no";
+          UseDns = false;
+        };
+      };
+
+      sops = {
+        defaultSopsFile = ../../../secrets/secrets.yaml;
+        defaultSopsFormat = "yaml";
+        age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
+      };
+
+      sops.secrets."users/server/hashedPassword".neededForUsers = true;
+
+      security.sudo.wheelNeedsPassword = true;
+
+      nix.settings = {
+        experimental-features = [ "nix-command" "flakes" ];
+        trusted-users = [ "root" "@wheel" ];
+        allowed-users = [ "root" "@wheel" ];
+      };
+
+      chiasson.system = {
+        networking = {
+          hostName = "nix-server";
+          networkManager.enable = true;
+        };
+
+        caching.attic = {
+          enable = true;
+          cacheName = "nixos-new";
+          endpoint = "http://127.0.0.1:8080";
+          publicKey = "nixos-new:8NySIcT0HP7KvGQKgBRWoWESxxRA8BVYo8S85UNpNX0=";
+        };
+        extraPackages = with pkgs; [ btop ];
+      };
+
+      chiasson.users = {
+        enabled = [ "server" ];
+        hostOverrides.server = {
+          hashedPasswordFile = config.sops.secrets."users/server/hashedPassword".path;
+        };
+      };
+
+      services.xserver.enable = lib.mkDefault false;
+
+      system.stateVersion = "25.11";
+    };
+}

modules/hosts/nix-server/hardware.nix

@@ -0,0 +1,36 @@
+{ ... }: {
+  flake.nixosModules.nix-serverHardware =
+    {
+      config,
+      lib,
+      pkgs,
+      modulesPath,
+      ...
+    }:
+    {
+      imports = [
+        (modulesPath + "/profiles/qemu-guest.nix")
+      ];
+
+      boot.initrd.availableKernelModules = [
+        "ata_piix"
+        "uhci_hcd"
+        "virtio_pci"
+        "virtio_scsi"
+        "sd_mod"
+        "sr_mod"
+      ];
+      boot.initrd.kernelModules = [ ];
+      boot.kernelModules = [ ];
+      boot.extraModulePackages = [ ];
+
+      fileSystems."/" = {
+        device = "/dev/disk/by-uuid/2185ce3a-8287-4a95-8268-ab0efd3d9a4d";
+        fsType = "ext4";
+      };
+
+      swapDevices = [ ];
+
+      nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+    };
+}

modules/hosts/nix-server/secrets.yaml

@@ -0,0 +1,46 @@
+swiftshare:
+    ghcr-token: ENC[AES256_GCM,data:wNzBA8Ib5WjxoKkGiWkfeGspKzy/vzbwwAp/+cjRF9Vsmlyx67OovQ==,iv:MCrkALYCHiPDb1tNQaWRrxuYSRXD6JtzJzEOr1aqhBk=,tag:okQfIP5IJUUIFfwAlZM1ow==,type:str]
+    database-password: ENC[AES256_GCM,data:r9GSaoQ7bS644ipb3kU=,iv:KYDTzYtjfz5meDb0nemY1lhSFEorKHL0hSRIcQaHg5c=,tag:RVjAfb8XGsybAgIc2/hH+g==,type:str]
+    auth-secret: ENC[AES256_GCM,data:tTXLMWASBfF49gBFrf+CZ3R4oTt7hEGUhAqEdvoQtm0zbb2VUhTq7y4tH/c=,iv:Halfu9hBex4SEUMHLAicqApTxZP0NV9pJZTr+bBSek4=,tag:1WqN75zT+zoka9sIXOJGfQ==,type:str]
+    oauth-discord-client-secret: ENC[AES256_GCM,data:a9Iarcpl1HOFXdsDMh3H662T8yqVvGtfguVICwWVrAg=,iv:LsUserWQcEDV0TiRWj1sHh5/ZiFQzyc1gRWg+Ewwjik=,tag:33Ml08oHVXl0ZMmiwQ2mig==,type:str]
+    oauth-github-client-secret: ENC[AES256_GCM,data:Y1L7BJ6j4Zkc9arHd8Jj+k0VfaLeku7nOpKVmd5+UE1lYVYcwmDwZg==,iv:+dcRw84e/4owHxhANhCcNI5CtUYa6c/P9+ezcnI3V+8=,tag:vl1YtLb/u60Me/+zjyHyzg==,type:str]
+    oauth-google-client-id: ENC[AES256_GCM,data:1nh64Fpkaa75fO+pciY5KlXI0vPr,iv:ng8wzk/h1wgbsNXjJYluTRnahp1HaPt8APthXSh0U4I=,tag:VS+D3TOu8Mj2FLFL7q8Jtw==,type:str]
+    oauth-google-client-secret: ENC[AES256_GCM,data:+OzBthA/RmWArclZEjG26fw0PkKN,iv:MNGiUKgEgfMvcNddbJLUneFbsq00h0S7c6Xe/bJrIXo=,tag:x9hWXfF+BOkxi/iYaOYHZQ==,type:str]
+    smtp-pass: ENC[AES256_GCM,data:8ca5tCT6XbAJJYrbMyXD6w==,iv:V/GdXA4ovOsOKujO56DZr7HIn4zyinsJgZ9J3Cmvtf4=,tag:o3FicSWq8ZINKh2nEdbf6g==,type:str]
+    minio-access-key: ENC[AES256_GCM,data:dPNWWKj5B7Wh8Q==,iv:ZhYDHhlftojfkXdXFsXE4szjpxGTFT2Ho0JRR9pEuhc=,tag:leqceh2drncIb6m0fTBxoQ==,type:str]
+    minio-secret-key: ENC[AES256_GCM,data:szkx+MTbMWmfbQ==,iv:+1zlHJRKMR4XDv1rrkOeilz06YA1W/1o+egylm/ZjPs=,tag:70QO3dPp9WRd71Puzl47QA==,type:str]
+immich:
+    database-password: ENC[AES256_GCM,data:YWLt2pty/yVrrF7K,iv:uqrQGfST/A6LzRZ4+O0puXA1bd/7CL5A/T7jU+/++X8=,tag:/gNGK3z4RembX+tBET4M5g==,type:str]
+sops:
+    age:
+        - recipient: age1yyzgmazjxkvwtfcv9re3lqmt2ru5dcrfu3sauysm0wzfwzvyap8qkjkq32
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBlVWpFK2RRSHRxVFVSdEdI
+            S01BSEZQUTZCV0tvM1lpSFNYc3g3ek5QNjJrClNyVUtKYnRtWVRYRkE2SStWRVRR
+            dWVCWVNsU0NIancvZ2VmWEp3V2drNk0KLS0tIEVQNjZkZXJYRUt1aHVrczNmU0RJ
+            ZUpnemRBSmlSZVpmRW0wNFhIK3BibVkKdD14ki8dJbYMjsBkC1Nm5TOM6M33eLJ6
+            IUrKDWeZXEVe2sMhBb31Zv+tinwtHSsvpxDIsjstpxtH+5wTyoQVdA==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1elk6zwmcylwfk7gd4pjda7g29upftjvxys8py42s8d42jklnyv7s7dm9z2
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA1bFJDNDdsWGIzMDl3TmRr
+            MStsZVFRa1dIVmJGU3krWWlpc2FZMU9EREF3CkdDZFc0Y3ZIMVZxNHorWFRHaWwy
+            d21DV05OZVRNYUpGSUxtVS9DRENjY0UKLS0tIDMxcGZ5akZqTXI2V1NCUmhzQWxF
+            NUZIYnZIMDRWTXpwTURMc2tzelp3VjAKHHBkHhz+t03W0ojsOBB2i3K4ZMUXvrwF
+            4mjNqNBcAJ1uHgJP7qvpNjxEW1LcsdQKmXavoqizX+XfLaA3zEwB0Q==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1p05z980kdtngk9mw67hfev72h7xhslplpxfk9yskgmf0hl4lu3ls04zht9
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAwTWR0N3UwdTB0UDZxRmV5
+            R3dkYUhZaElMbkxxSllTNWkrb05VSkJrMUNRCjZTUTlvVTU2MHY5ZS9oU2pCSlFu
+            dHdiRGdKSEJUaVB2MEN4SzB5OVhPT2MKLS0tIGlyb2RXZFRVSzZKS3lyN1VFZ1J6
+            WWZwbkR4dTFjK2NZcW9pTTNHd252N3cKiz8l9AWciFOBU+wcT9T1WA4bToPYfq8G
+            Nf0uOoSWPTJ/2SRNkSu7FMumATH4ldQ6TFSwKda3mBfBwhnFzLq10Q==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2026-04-30T18:45:45Z"
+    mac: ENC[AES256_GCM,data:DD9NZcYQVSByaQvGAB7b/Wpk7SWBBsWtzAM9MkIHMmyxNomiPPUFQR6+18QDUCHQXk1xXMUi79bnTRz8SdoBXVjbHG8Qhy3n6D1sFeEgXC42pgem7hBPfmJlgcIPNYEguXPISLsp/Zx9ISEnH5Zul0v8/G2ACN7Y/U3jtaHx4U8=,iv:g1k16EhTR+t9jCpvhmiXYZV99aMk1DrS4frpl5q93lM=,tag:FigaXNw+IbpZ7E0a+ySb3g==,type:str]
+    unencrypted_suffix: _unencrypted
+    version: 3.12.2