feat(nixos): Begin setting up NixOS Jellyfin home server

flake.nix

@@ -19,6 +19,22 @@
 
   outputs = inputs@{ self, nixpkgs, home-manager, ... }: {
     nixosConfigurations = {
+      server = nixpkgs.lib.nixosSystem {
+        specialArgs = { inherit inputs; };
+        system = "x86_64-linux";
+        modules = [
+          ./nixos-modules/common.nix
+          ./hosts/server/default.nix
+          home-manager.nixosModules.home-manager
+          {
+            home-manager = {
+              useUserPackages = true;
+              users.mat = import ./home-manager/server.nix;
+              extraSpecialArgs = { inherit inputs; };
+            };
+          }
+        ];
+      };
       pc = nixpkgs.lib.nixosSystem {
         specialArgs = {
           inherit inputs;

home-manager/home.nix

@@ -1,5 +1,4 @@
 { inputs, config, pkgs, lib, ... }:
-
 let
   inherit (pkgs) stdenv;
   inherit (stdenv) isLinux;

home-manager/modules/fish.nix

@@ -57,6 +57,8 @@ in {
         "home-manager switch --flake ~/git/dotfiles/.#mac"
       else
         "sudo nixos-rebuild switch --flake ~/git/dotfiles/.#pc";
+      nix-server-apply =
+        "sudo nixos-rebuild switch --flake ~/git/dotfiles/.#server";
       oplocal =
         "./js/oph/dist/mac-arm64/1Password.app/Contents/MacOS/1Password";
     } // pkgs.lib.optionalAttrs isLinux {

home-manager/modules/ssh.nix

@@ -3,6 +3,7 @@
     enable = true;
     forwardAgent = true;
     matchBlocks = {
+      "nixos-server" = { port = "6969"; };
       "gitlab.1password.io" = {
         port = 2227;
         hostname = "ssh.gitlab.1password.io";

home-manager/server.nix

@@ -0,0 +1,37 @@
+{ inputs, pkgs, ... }: {
+  nixpkgs.overlays = [
+    (final: prev:
+      (import ../packages {
+        inherit inputs;
+        inherit pkgs;
+      }))
+  ];
+  home = {
+    username = "mat";
+    homeDirectory = "/home/mat";
+    # This value determines the Home Manager release that your configuration is
+    # compatible with. This helps avoid breakage when a new Home Manager release
+    # introduces backwards incompatible changes.
+    #
+    # You should not change this value, even if you update Home Manager. If you do
+    # want to update the value, then make sure to first check the Home Manager
+    # release notes.
+    stateVersion = "22.11";
+  };
+  xdg.enable = true;
+  xdg.configFile."nix/nix.conf".text = ''
+    experimental-features = nix-command flakes
+    # see https://github.com/nix-community/nix-direnv#via-home-manager
+    keep-derivations = true
+    keep-outputs = true
+  '';
+  imports = [
+    ./modules/fish.nix
+    ./modules/nvim.nix
+    ./modules/ssh.nix
+    ./modules/starship.nix
+    ./modules/git.nix
+    ./modules/fzf.nix
+    ./modules/bat.nix
+  ];
+}

hosts/pc/default.nix

@@ -1,9 +1,22 @@
 { pkgs, config, ... }: {
-  imports = [ ./hardware-configuration.nix ];
+  networking.hostName = "nixos-pc";
+  imports = [
+    ./desktop_environment.nix
+    ./_1password.nix
+    ./allowed-unfree.nix
+    ./hardware-configuration.nix
+  ];
+  users.users.mat = {
+    shell = pkgs.fish;
+    isNormalUser = true;
+    description = "mat";
+    # generated via: nix-shell -p pkgs.openssl --run "openssl passwd -1"
+    hashedPassword = "$1$kWL6uedh$2zhN6tfwSD8dhWG5jONJK.";
+    home = "/home/mat";
+    extraGroups = [ "networkmanager" "wheel" ];
+  };
   powerManagement.cpuFreqGovernor = "performance";
-  users.users.mat.shell = pkgs.fish;
   hardware = {
-
     # use proprietary nvidia drivers
     opengl.enable = true;
     nvidia = {

hosts/server/default.nix

@@ -0,0 +1,52 @@
+{ pkgs, ... }: {
+  networking.hostName = "nixos-server";
+  services = {
+    openssh = {
+      # only allow SSH key auth
+      passwordAuthentication = false;
+      permitRootLogin = "no";
+      ports = [ 6969 ];
+    };
+
+    jellyfin = {
+      enable = true;
+      # see: https://jellyfin.org/docs/general/networking/index.html
+      # ports are:
+      # TCP: 8096, 8920
+      # UDP: 1900 7359
+      openFirewall = true;
+    };
+  };
+
+  # enable vaapi on OS-level
+  nixpkgs.config.packageOverrides = pkgs: {
+    vaapiIntel = pkgs.vaapiIntel.override { enableHybridCodec = true; };
+  };
+  hardware.opengl = {
+    enable = true;
+    extraPackages = with pkgs; [
+      intel-media-driver
+      vaapiIntel
+      vaapiVdpau
+      libvdpau-va-gl
+      intel-compute-runtime # OpenCL filter support (hardware tonemapping and subtitle burn-in)
+    ];
+  };
+
+  users = {
+    mutableUsers = false;
+    users = {
+      mat = {
+        shell = pkgs.fish;
+        isNormalUser = true;
+        # generated via: nix-shell -p pkgs.openssl --run "openssl passwd -1"
+        hashedPassword = "$1$kWL6uedh$2zhN6tfwSD8dhWG5jONJK.";
+        home = "/home/mat";
+        extraGroups = [ "wheel" ];
+        openssh.authorizedKeys.keys = [
+          "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDsT6GLG7sY8YKX7JM+jqS3EAti3YMzwHKWViveqkZvu"
+        ];
+      };
+    };
+  };
+}

nixos-modules/common.nix

@@ -1,23 +1,54 @@
-{ lib, pkgs, ... }: {
-  imports = [ ./desktop_environment.nix ./_1password.nix ./allowed-unfree.nix ];
-
+{ pkgs, ... }: {
   # See https://github.com/nix-community/nix-direnv
   nix.extraOptions = ''
     keep-outputs = true
     keep-derivations = true
   '';
 
   environment.systemPackages = [ pkgs.mullvad-vpn ];
-  services.mullvad-vpn.enable = true;
-  networking.wireguard.enable = true;
+  services = {
+    mullvad-vpn.enable = true;
+
+    # Enable the X11 windowing system.
+    xserver.enable = true;
+
+    # Configure keymap in X11
+    xserver = {
+      layout = "us";
+      xkbVariant = "";
+    };
+
+    # Enable CUPS to print documents.
+    printing.enable = true;
+    pipewire = {
+      enable = true;
+      alsa.enable = true;
+      alsa.support32Bit = true;
+      pulse.enable = true;
+      # If you want to use JACK applications, uncomment this
+      #jack.enable = true;
+
+      # use the example session manager (no others are packaged yet so this is enabled by default,
+      # no need to redefine it in your config for now)
+      #media-session.enable = true;
+    };
+  };
+
+  boot = {
+    loader = {
+      # bootloader
+      systemd-boot.enable = true;
+      efi.canTouchEfiVariables = true;
+      efi.efiSysMountPoint = "/boot/efi";
+    };
+  };
+
+  networking = {
+    wireguard.enable = true;
+    # Enable networking
+    networkmanager.enable = true;
+  };
 
-  # bootloader
-  boot.loader.systemd-boot.enable = true;
-  boot.loader.efi.canTouchEfiVariables = true;
-  boot.loader.efi.efiSysMountPoint = "/boot/efi";
-  networking.hostName = "nixos";
-  # Enable networking
-  networking.networkmanager.enable = true;
   # Set your time zone.
   time.timeZone = "America/New_York";
 
@@ -36,40 +67,10 @@
     LC_TIME = "en_US.UTF-8";
   };
 
-  # Enable the X11 windowing system.
-  services.xserver.enable = true;
-
-  # Configure keymap in X11
-  services.xserver = {
-    layout = "us";
-    xkbVariant = "";
-  };
-
-  # Enable CUPS to print documents.
-  services.printing.enable = true;
-
   # Enable sound with pipewire.
   sound.enable = true;
   hardware.pulseaudio.enable = false;
   security.rtkit.enable = true;
-  services.pipewire = {
-    enable = true;
-    alsa.enable = true;
-    alsa.support32Bit = true;
-    pulse.enable = true;
-    # If you want to use JACK applications, uncomment this
-    #jack.enable = true;
-
-    # use the example session manager (no others are packaged yet so this is enabled by default,
-    # no need to redefine it in your config for now)
-    #media-session.enable = true;
-  };
-
-  users.users.mat = {
-    isNormalUser = true;
-    description = "mat";
-    extraGroups = [ "networkmanager" "wheel" ];
-  };
 
   # This value determines the NixOS release from which the default
   # settings for stateful data, like file locations and database versions