temmie/nfs-mounts: generate systemd units ourselves

base/default.nix

@@ -10,10 +10,12 @@
     (fp /users)
     (fp /modules/snakeoil-certs.nix)
 
+    ./flake-input-exporter.nix
     ./networking.nix
     ./nix.nix
+    ./programs.nix
+    ./sops.nix
     ./vm.nix
-    ./flake-input-exporter.nix
 
     ./services/acme.nix
     ./services/auto-upgrade.nix
@@ -40,6 +42,9 @@
   boot.tmp.cleanOnBoot = lib.mkDefault true;
   boot.kernelPackages = lib.mkDefault pkgs.linuxPackages_latest;
 
+  boot.loader.systemd-boot.enable = lib.mkDefault true;
+  boot.loader.efi.canTouchEfiVariables = lib.mkDefault true;
+
   time.timeZone = "Europe/Oslo";
 
   i18n.defaultLocale = "en_US.UTF-8";
@@ -48,22 +53,8 @@
     keyMap = "no";
   };
 
-  environment.systemPackages = with pkgs; [
-    file
-    git
-    gnupg
-    htop
-    nano
-    net-tools
-    ripgrep
-    rsync
-    screen
-    tmux
-    vim
-    wget
-
-    kitty.terminfo
-  ];
+  # Don't install the /lib/ld-linux.so.2 stub
+  environment.ldso32 = null;
 
   # .bash_profile already works, but lets also use .bashrc like literally every other distro
   # https://man.archlinux.org/man/core/bash/bash.1.en#INVOCATION
@@ -77,8 +68,6 @@
     fi
   '';
 
-  programs.zsh.enable = true;
-
   # security.lockKernelModules = true;
   security.protectKernelImage = true;
   security.sudo.execWheelOnly = true;
@@ -86,6 +75,14 @@
     Defaults lecture = never
   '';
 
+  # These are servers, sleep is for the weak
+  systemd.sleep.extraConfig = lib.mkDefault ''
+    AllowSuspend=no
+    AllowHibernation=no
+  '';
+
+  users.mutableUsers = lib.mkDefault false;
+
   users.groups."drift".name = "drift";
 
   # Trusted users on the nix builder machines

base/nix.nix

@@ -37,4 +37,9 @@
       "unstable=${inputs.nixpkgs-unstable}"
     ];
   };
+
+  # Make builds to be more likely killed than important services.
+  # 100 is the default for user slices and 500 is systemd-coredumpd@
+  # We rather want a build to be killed than our precious user sessions as builds can be easily restarted.
+  systemd.services.nix-daemon.serviceConfig.OOMScoreAdjust = lib.mkDefault 250;
 }

base/programs.nix

@@ -0,0 +1,60 @@
+{ pkgs, lib, ... }:
+{
+  # We don't need fonts on headless machines
+  fonts.fontconfig.enable = lib.mkDefault false;
+
+  # Extra packags for better terminal emulator compatibility in SSH sessions
+  environment.enableAllTerminfo = true;
+
+  environment.systemPackages = with pkgs; [
+    # Debug dns outside resolvectl
+    dig
+
+    # Debug and find files
+    file
+
+    # Check computer specs
+    lshw
+
+    # Scan for open ports with netstat
+    net-tools
+
+    # Grep for files quickly
+    ripgrep
+
+    # Copy files over the network
+    rsync
+
+    # Access various state, often in /var/lib
+    sqlite-interactive
+
+    # Debug software which won't debug itself
+    strace
+
+    # Download files from the internet
+    wget
+  ];
+
+  # Clone/push nix config and friends
+  programs.git.enable = true;
+
+  # Gitea gpg, oysteikt sops, etc.
+  programs.gnupg.agent.enable = true;
+
+  # Monitor the wellbeing of the machines
+  programs.htop.enable = true;
+
+  # Keep sessions running during work over SSH
+  programs.tmux.enable = true;
+
+  # Same reasoning as tmux
+  programs.screen.enable = true;
+
+  # Edit files on the system without resorting to joe(1)
+  programs.nano.enable = true;
+  # Same reasoning as nano
+  programs.vim.enable = true;
+
+  # Some people like this shell for some reason
+  programs.zsh.enable = true;
+}

base/services/nginx.nix

@@ -67,10 +67,10 @@
     };
 
     ${config.networking.fqdn} = {
-      sslCertificate = "/etc/certs/nginx.crt";
-      sslCertificateKey = "/etc/certs/nginx.key";
-      addSSL = true;
-      extraConfig = "return 444;";
+      sslCertificate = lib.mkDefault "/etc/certs/nginx.crt";
+      sslCertificateKey = lib.mkDefault "/etc/certs/nginx.key";
+      addSSL = lib.mkDefault true;
+      extraConfig = lib.mkDefault "return 444;";
     };
   };
 }

base/services/smartd.nix

@@ -1,7 +1,9 @@
 { config, pkgs, lib, ... }:
 {
   services.smartd = {
-    enable = lib.mkDefault true;
+    # NOTE: qemu guests tend not to have SMART-reporting disks. Please override for the
+    #       hosts with disk passthrough.
+    enable = lib.mkDefault (!config.services.qemuGuest.enable);
     notifications = {
       mail = {
         enable = true;

base/sops.nix

@@ -0,0 +1,12 @@
+{ config, fp, lib, ... }:
+{
+  sops.defaultSopsFile = let
+    secretsFilePath = fp /secrets/${config.networking.hostName}/${config.networking.hostName}.yaml;
+  in lib.mkIf (builtins.pathExists secretsFilePath) secretsFilePath;
+
+  sops.age = lib.mkIf (config.sops.defaultSopsFile != null) {
+    sshKeyPaths = lib.mkDefault [ "/etc/ssh/ssh_host_ed25519_key" ];
+    keyFile = "/var/lib/sops-nix/key.txt";
+    generateKey = true;
+  };
+}

flake.nix

@@ -105,6 +105,9 @@
           } // specialArgs;
 
           modules = [
+            {
+              networking.hostName = lib.mkDefault name;
+            }
             configurationPath
           ] ++ (lib.optionals enableDefaults [
             sops-nix.nixosModules.sops

hosts/bakke/configuration.nix

@@ -6,20 +6,13 @@
       ./filesystems.nix
     ];
 
-  sops.defaultSopsFile = ../../secrets/bakke/bakke.yaml;
-  sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
-  sops.age.keyFile = "/var/lib/sops-nix/key.txt";
-  sops.age.generateKey = true;
-
-  boot.loader.systemd-boot.enable = true;
-  boot.loader.efi.canTouchEfiVariables = true;
-
-  networking.hostName = "bakke";
   networking.hostId = "99609ffc";
   systemd.network.networks."30-enp2s0" = values.defaultNetworkConfig // {
     matchConfig.Name = "enp2s0";
     address = with values.hosts.bakke; [ (ipv4 + "/25") (ipv6 + "/64") ];
   };
 
+  # Don't change (even during upgrades) unless you know what you are doing.
+  # See https://search.nixos.org/options?show=system.stateVersion
   system.stateVersion = "24.05";
 }

hosts/bekkalokk/configuration.nix

@@ -19,16 +19,6 @@
     ./services/qotd
   ];
 
-  sops.defaultSopsFile = fp /secrets/bekkalokk/bekkalokk.yaml;
-  sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
-  sops.age.keyFile = "/var/lib/sops-nix/key.txt";
-  sops.age.generateKey = true;
-
-  boot.loader.systemd-boot.enable = true;
-  boot.loader.efi.canTouchEfiVariables = true;
-
-  networking.hostName = "bekkalokk";
-
   systemd.network.networks."30-enp2s0" = values.defaultNetworkConfig // {
     matchConfig.Name = "enp2s0";
     address = with values.hosts.bekkalokk; [ (ipv4 + "/25") (ipv6 + "/64") ];
@@ -36,7 +26,7 @@
 
   services.btrfs.autoScrub.enable = true;
 
-  # Do not change, even during upgrades.
+  # Don't change (even during upgrades) unless you know what you are doing.
   # See https://search.nixos.org/options?show=system.stateVersion
   system.stateVersion = "22.11";
 }

hosts/bicep/configuration.nix

@@ -15,16 +15,6 @@
     ./services/matrix
   ];
 
-  sops.defaultSopsFile = fp /secrets/bicep/bicep.yaml;
-  sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
-  sops.age.keyFile = "/var/lib/sops-nix/key.txt";
-  sops.age.generateKey = true;
-
-  boot.loader.systemd-boot.enable = true;
-  boot.loader.efi.canTouchEfiVariables = true;
-
-  networking.hostName = "bicep";
-
   #systemd.network.networks."30-enp6s0f0" = values.defaultNetworkConfig // {
   systemd.network.networks."30-ens18" = values.defaultNetworkConfig // {
     #matchConfig.Name = "enp6s0f0";
@@ -36,16 +26,9 @@
     anyInterface = true;
   };
 
-  # There are no smart devices
-  services.smartd.enable = false;
-
-  # we are a vm now
   services.qemuGuest.enable = true;
 
-  # Enable the OpenSSH daemon.
-  services.openssh.enable = true;
-
-  # Do not change, even during upgrades.
+  # Don't change (even during upgrades) unless you know what you are doing.
   # See https://search.nixos.org/options?show=system.stateVersion
   system.stateVersion = "22.11";
 }

hosts/bikkje/configuration.nix

@@ -25,6 +25,7 @@
       ];
 
       networking = {
+        hostName = "bikkje";
         firewall = {
           enable = true;
           # Allow SSH and HTTP and ports for email and irc
@@ -36,9 +37,11 @@
         useHostResolvConf = mkForce false;
       };
 
-      system.stateVersion = "23.11";
       services.resolved.enable = true;
-    };
-  };
 
+      # Don't change (even during upgrades) unless you know what you are doing.
+      # See https://search.nixos.org/options?show=system.stateVersion
+      system.stateVersion = "23.11";
+    };
+  };
 };

hosts/brzeczyszczykiewicz/configuration.nix

@@ -8,28 +8,14 @@
       ./services/grzegorz.nix
     ];
 
-  boot.loader.systemd-boot.enable = true;
-  boot.loader.efi.canTouchEfiVariables = true;
-
-  networking.hostName = "brzeczyszczykiewicz";
-
   systemd.network.networks."30-eno1" = values.defaultNetworkConfig // {
     matchConfig.Name = "eno1";
     address = with values.hosts.brzeczyszczykiewicz; [ (ipv4 + "/25") (ipv6 + "/64") ];
   };
 
-  # List packages installed in system profile
-  environment.systemPackages = with pkgs; [
-  ];
-
-  # List services that you want to enable:
-
-  # This value determines the NixOS release from which the default
-  # settings for stateful data, like file locations and database versions
-  # on your system were taken. It's perfectly fine and recommended to leave
-  # this value at the release version of the first install of this system.
-  # Before changing this value read the documentation for this option
-  # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
-  system.stateVersion = "23.05"; # Did you read the comment?
+  fonts.fontconfig.enable = true;
 
+  # Don't change (even during upgrades) unless you know what you are doing.
+  # See https://search.nixos.org/options?show=system.stateVersion
+  system.stateVersion = "23.05";
 }

hosts/georg/configuration.nix

@@ -8,24 +8,11 @@
       (fp /modules/grzegorz.nix)
     ];
 
-  boot.loader.systemd-boot.enable = true;
-  boot.loader.efi.canTouchEfiVariables = true;
-
-  networking.hostName = "georg";
-
   systemd.network.networks."30-eno1" = values.defaultNetworkConfig // {
     matchConfig.Name = "eno1";
     address = with values.hosts.georg; [ (ipv4 + "/25") (ipv6 + "/64") ];
   };
 
-  # List packages installed in system profile
-  environment.systemPackages = with pkgs; [
-  ];
-
-  # List services that you want to enable:
-
-
-
   services.spotifyd = {
     enable = true;
     settings.global = {
@@ -41,15 +28,9 @@
     5353 # spotifyd is its own mDNS service wtf
   ];
 
+  fonts.fontconfig.enable = true;
 
-
-
-  # This value determines the NixOS release from which the default
-  # settings for stateful data, like file locations and database versions
-  # on your system were taken. It's perfectly fine and recommended to leave
-  # this value at the release version of the first install of this system.
-  # Before changing this value read the documentation for this option
-  # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
-  system.stateVersion = "23.05"; # Did you read the comment?
-
+  # Don't change (even during upgrades) unless you know what you are doing.
+  # See https://search.nixos.org/options?show=system.stateVersion
+  system.stateVersion = "23.05";
 }

hosts/gluttony/configuration.nix

@@ -10,8 +10,7 @@
     (fp /base)
   ];
 
-  boot.loader.systemd-boot.enable = true;
-  boot.loader.efi.canTouchEfiVariables = true;
+  boot.loader.systemd-boot.enable = false;
 
   systemd.network.enable = lib.mkForce false;
   networking =
@@ -19,7 +18,6 @@
       hostConf = values.hosts.gluttony;
     in
     {
-      hostName = "gluttony";
       tempAddresses = "disabled";
       useDHCP = false;
 
@@ -47,5 +45,9 @@
       };
     };
 
-  system.stateVersion = "25.11"; # Don't change unless you know what you are doing.
+  services.qemuGuest.enable = true;
+
+  # Don't change (even during upgrades) unless you know what you are doing.
+  # See https://search.nixos.org/options?show=system.stateVersion
+  system.stateVersion = "25.11";
 }

hosts/ildkule/configuration.nix

@@ -10,11 +10,7 @@
       ./services/journald-remote.nix
     ];
 
-  sops.defaultSopsFile = fp /secrets/ildkule/ildkule.yaml;
-  sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
-  sops.age.keyFile = "/var/lib/sops-nix/key.txt";
-  sops.age.generateKey = true;
-
+  boot.loader.systemd-boot.enable = false;
   boot.loader.grub.device = "/dev/vda";
   boot.tmp.cleanOnBoot = true;
   zramSwap.enable = true;
@@ -24,7 +20,6 @@
   networking = let
     hostConf = values.hosts.ildkule;
   in {
-    hostName = "ildkule";
     tempAddresses = "disabled";
     useDHCP = lib.mkForce true;
 
@@ -43,13 +38,9 @@
     };
   };
 
-  # List packages installed in system profile
-  environment.systemPackages = with pkgs; [
-  ];
-
-  # No devices with SMART
-  services.smartd.enable = false;
-
-  system.stateVersion = "23.11"; # Did you read the comment?
+  services.qemuGuest.enable = true;
 
+  # Don't change (even during upgrades) unless you know what you are doing.
+  # See https://search.nixos.org/options?show=system.stateVersion
+  system.stateVersion = "23.11";
 }

hosts/kommode/configuration.nix

@@ -9,16 +9,6 @@
     ./services/nginx.nix
   ];
 
-  sops.defaultSopsFile = fp /secrets/kommode/kommode.yaml;
-  sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
-  sops.age.keyFile = "/var/lib/sops-nix/key.txt";
-  sops.age.generateKey = true;
-
-  boot.loader.systemd-boot.enable = true;
-  boot.loader.efi.canTouchEfiVariables = true;
-
-  networking.hostName = "kommode"; # Define your hostname.
-
   systemd.network.networks."30-ens18" = values.defaultNetworkConfig // {
     matchConfig.Name = "ens18";
     address = with values.hosts.kommode; [ (ipv4 + "/25") (ipv6 + "/64") ];
@@ -26,7 +16,9 @@
 
   services.btrfs.autoScrub.enable = true;
 
-  environment.systemPackages = with pkgs; [];
+  services.qemuGuest.enable = true;
 
+  # Don't change (even during upgrades) unless you know what you are doing.
+  # See https://search.nixos.org/options?show=system.stateVersion
   system.stateVersion = "24.11";
 }

hosts/lupine/configuration.nix

@@ -9,12 +9,6 @@
   ];
 
   sops.defaultSopsFile = fp /secrets/lupine/lupine.yaml;
-  sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
-  sops.age.keyFile = "/var/lib/sops-nix/key.txt";
-  sops.age.generateKey = true;
-
-  boot.loader.systemd-boot.enable = true;
-  boot.loader.efi.canTouchEfiVariables = true;
 
   systemd.network.networks."30-enp0s31f6" = values.defaultNetworkConfig // {
     matchConfig.Name = "enp0s31f6";
@@ -28,7 +22,7 @@
   # There are no smart devices
   services.smartd.enable = false;
 
-  # Do not change, even during upgrades.
+  # Don't change (even during upgrades) unless you know what you are doing.
   # See https://search.nixos.org/options?show=system.stateVersion
   system.stateVersion = "25.05";
 }

hosts/shark/configuration.nix

@@ -6,33 +6,14 @@
       (fp /base)
     ];
 
-  sops.defaultSopsFile = fp /secrets/shark/shark.yaml;
-  sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
-  sops.age.keyFile = "/var/lib/sops-nix/key.txt";
-  sops.age.generateKey = true;
-
-  boot.loader.systemd-boot.enable = true;
-  boot.loader.efi.canTouchEfiVariables = true;
-
-  networking.hostName = "shark"; # Define your hostname.
-
   systemd.network.networks."30-ens18" = values.defaultNetworkConfig // {
     matchConfig.Name = "ens18";
     address = with values.hosts.shark; [ (ipv4 + "/25") (ipv6 + "/64") ];
   };
 
-  # List packages installed in system profile
-  environment.systemPackages = with pkgs; [
-  ];
-
-  # List services that you want to enable:
-
-  # This value determines the NixOS release from which the default
-  # settings for stateful data, like file locations and database versions
-  # on your system were taken. It's perfectly fine and recommended to leave
-  # this value at the release version of the first install of this system.
-  # Before changing this value read the documentation for this option
-  # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
-  system.stateVersion = "23.05"; # Did you read the comment?
+  services.qemuGuest.enable = true;
 
+  # Don't change (even during upgrades) unless you know what you are doing.
+  # See https://search.nixos.org/options?show=system.stateVersion
+  system.stateVersion = "23.05";
 }

hosts/skrott/configuration.nix

@@ -9,6 +9,7 @@
     consoleLogLevel = 0;
     enableContainers = false;
     loader.grub.enable = false;
+    loader.systemd-boot.enable = false;
     kernelPackages = pkgs.linuxPackages;
   };
 
@@ -21,13 +22,6 @@
 
   # TODO: can we reduce further?
 
-  system.stateVersion = "25.05";
-
-  sops.defaultSopsFile = fp /secrets/skrott/skrott.yaml;
-  sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
-  sops.age.keyFile = "/var/lib/sops-nix/key.txt";
-  sops.age.generateKey = true;
-
   sops.secrets = {
     "dibbler/postgresql/url" = {
       owner = "dibbler";
@@ -70,4 +64,8 @@
     wantedBy = [ "getty.target" ]; # to start at boot
     serviceConfig.Restart = "always"; # restart when session is closed
   };
+
+  # Don't change (even during upgrades) unless you know what you are doing.
+  # See https://search.nixos.org/options?show=system.stateVersion
+  system.stateVersion = "25.05";
 }

hosts/temmie/configuration.nix

@@ -8,32 +8,14 @@
       ./services/nfs-mounts.nix
     ];
 
-  # sops.defaultSopsFile = fp /secrets/shark/shark.yaml;
-  # sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
-  # sops.age.keyFile = "/var/lib/sops-nix/key.txt";
-  # sops.age.generateKey = true;
-
-  boot.loader.systemd-boot.enable = true;
-  boot.loader.efi.canTouchEfiVariables = true;
-
-  networking.hostName = "temmie"; # Define your hostname.
-
   systemd.network.networks."30-ens18" = values.defaultNetworkConfig // {
     matchConfig.Name = "ens18";
     address = with values.hosts.temmie; [ (ipv4 + "/25") (ipv6 + "/64") ];
   };
 
-  # List packages installed in system profile
-  environment.systemPackages = with pkgs; [
-  ];
+  services.qemuGuest.enable = true;
 
-  # List services that you want to enable:
-
-  # This value determines the NixOS release from which the default
-  # settings for stateful data, like file locations and database versions
-  # on your system were taken. It's perfectly fine and recommended to leave
-  # this value at the release version of the first install of this system.
-  # Before changing this value read the documentation for this option
-  # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
-  system.stateVersion = "25.11"; # Did you read the comment?
+  # Don't change (even during upgrades) unless you know what you are doing.
+  # See https://search.nixos.org/options?show=system.stateVersion
+  system.stateVersion = "25.11";
 }

hosts/temmie/services/nfs-mounts.nix

@@ -1,21 +1,51 @@
-{ pkgs, lib, ... }:
-{
-  fileSystems = let
+{ lib, ... }:
+let
   # See microbel:/etc/exports
-    shorthandAreas = lib.listToAttrs (map
-      (l: lib.nameValuePair "/run/pvv-home-mounts/${l}" "homepvv${l}.pvv.ntnu.no:/export/home/pvv/${l}")
-      [ "a" "b" "c" "d"  "h" "i" "j" "k" "l" "m" "z" ]);
-  in { }
-  //
-  (lib.mapAttrs (_: device: {
-    inherit device;
-    fsType = "nfs";
-    options = [
+  letters = [ "a" "b" "c" "d"  "h" "i" "j" "k" "l" "m" "z" ];
+in
+{
+  systemd.mounts = map (l: {
+    description = "PVV Homedirs Partition ${l}";
+
+    before = [ "remote-fs.target" ];
+    wantedBy = [ "multi-user.target" ];
+
+    type = "nfs";
+    what = "homepvv${l}.pvv.ntnu.no:/export/home/pvv/${l}";
+    where = "/run/pvv-home-mounts/${l}";
+
+    options = lib.concatStringsSep "," [
       "nfsvers=3"
-      "noauto"
       "proto=tcp"
-      "x-systemd.automount"
-      "x-systemd.idle-timeout=300"
+      "auto"
+      "async"
+
+      # We don't want to update access time constantly
+      "noatime"
+
+      # No SUID/SGID, no special devices
+      "nosuid"
+      "nodev"
+
+      # TODO: are there cgi scripts that modify stuff in peoples homedirs?
+      # "ro"
+      "rw"
+
+      # TODO: can we enable this and still run cgi stuff?
+      # "noexec"
     ];
-  }) shorthandAreas);
+  }) letters;
+
+  systemd.automounts = map (l: {
+    description = "PVV Homedirs Partition ${l}";
+
+    wantedBy = [ "multi-user.target" ];
+
+    where = "/run/pvv-home-mounts/${l}";
+
+    automountConfig = {
+      # Unmount if not accessed in 5 mins
+      TimeoutIdleSec = "5min";
+    };
+  }) letters;
 }

hosts/ustetind/configuration.nix

@@ -7,12 +7,7 @@
     ./services/gitea-runners.nix
   ];
 
-  sops.defaultSopsFile = fp /secrets/ustetind/ustetind.yaml;
-  sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
-  sops.age.keyFile = "/var/lib/sops-nix/key.txt";
-  sops.age.generateKey = true;
-
-  networking.hostName = "ustetind";
+  boot.loader.systemd-boot.enable = false;
 
   networking.useHostResolvConf = lib.mkForce false;
 
@@ -39,5 +34,7 @@
     };
   };
 
+  # Don't change (even during upgrades) unless you know what you are doing.
+  # See https://search.nixos.org/options?show=system.stateVersion
   system.stateVersion = "24.11";
 }

hosts/wenche/configuration.nix

@@ -14,15 +14,9 @@
     "armv7l-linux"
   ];
 
-  sops.defaultSopsFile = fp /secrets/wenche/wenche.yaml;
-  sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
-  sops.age.keyFile = "/var/lib/sops-nix/key.txt";
-  sops.age.generateKey = true;
-
+  boot.loader.systemd-boot.enable = false;
   boot.loader.grub.device = "/dev/sda";
 
-  networking.hostName = "wenche"; # Define your hostname.
-
   systemd.network.networks."30-ens18" = values.defaultNetworkConfig // {
     matchConfig.Name = "ens18";
     address = with values.hosts.wenche; [ (ipv4 + "/25") (ipv6 + "/64") ];
@@ -36,9 +30,9 @@
     package = config.boot.kernelPackages.nvidiaPackages.production;
   };
 
-  # List packages installed in system profile
-  environment.systemPackages = with pkgs; [
-  ];
+  services.qemuGuest.enable = true;
 
-  system.stateVersion = "24.11"; # Did you read the comment?
+  # Don't change (even during upgrades) unless you know what you are doing.
+  # See https://search.nixos.org/options?show=system.stateVersion
+  system.stateVersion = "24.11";
 }

modules/grzegorz.nix

@@ -37,9 +37,13 @@ in {
   services.nginx.enable = true;
   services.nginx.virtualHosts = {
     ${config.networking.fqdn} = {
+      # NOTE: this overrides the default config in base/services/nginx.nix
+      addSSL = false;
       forceSSL = true;
       enableACME = true;
+
       kTLS = true;
+
       serverAliases = [
         "${machine}.pvv.org"
       ];