From 5622a6dd4c204629456606bd88c756291934b31a Mon Sep 17 00:00:00 2001
From: Jake Ginesin
Date: Sun, 17 Aug 2025 01:03:44 -0400
Subject: [PATCH] generation 491 25.11.20250714.62e0f05
---
 flake.nix | 7 +++
 hosts/server/configuration.nix | 77 +++++++++++++++++++++++++++++++++
 hosts/server/ssh.nix | 19 ++++++++
 secrets/secrets.nix | 1 +
 secrets/ssh-pub.age | Bin 0 -> 320 bytes
 5 files changed, 104 insertions(+)
 create mode 100644 hosts/server/configuration.nix
 create mode 100644 hosts/server/ssh.nix
 create mode 100644 secrets/ssh-pub.age
diff --git a/flake.nix b/flake.nix
index b5507d3..6c48584 100644
--- a/flake.nix
+++ b/flake.nix
@@ -53,6 +53,13 @@
 ];
 };
+ nixosConfigurations.server = nixpkgs.lib.nixosSystem {
+ modules = [
+ baseModule
+ ./hosts/thonkpad/configuration.nix
+ ];
+ };
+
 nixosConfigurations.rq = nixpkgs.lib.nixosSystem {
 modules = [
 baseModule
diff --git a/hosts/server/configuration.nix b/hosts/server/configuration.nix
new file mode 100644
index 0000000..eada54e
--- /dev/null
+++ b/hosts/server/configuration.nix
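Review bot: The new `nixosConfigurations.server` entry loads `./hosts/thonkpad/configuration.nix`, so building `server` produces the thonkpad host, while the `hosts/server/configuration.nix` this commit creates (and the `ssh.nix` it imports) is never evaluated. The module line should read `./hosts/server/configuration.nix`. The enclosing flake outputs attribute set starts and ends outside the hunk.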
@@ -0,0 +1,77 @@
+{
+ config,
+ pkgs,
+ lib,
+ ...
+}: {
+ imports = [
+ ./hardware-configuration.nix
+ ../../system/system.nix
+ ./ssh.nix
+ ];
+
+ options = {
+ res = lib.mkOption {
+ type = lib.types.str;
+ default = "1920x1080";
+ description = "screen resolution";
+ };
+ };
+
+ config = {
+ networking.hostName = "server"; # Define your hostname.
+ res = "2560x1440";
+
+ home-manager = {
+ useGlobalPkgs = true;
+ useUserPackages = true;
+ backupFileExtension = "backup";
+ users.synchronous.imports = [../../home/home.nix];
+ };
+
+ # Bootloader.
+ # boot.loader.grub.enable = true;
+ # boot.loader.grub.device = "/dev/nvme0n1";
+ # boot.loader.grub.useOSProber = true;
+ # boot.loader.grub.version = 2;
+ # services.logind.lidSwitchExternalPower = "ignore";
+
+ boot.loader.systemd-boot.enable = true;
+ boot.loader.efi.canTouchEfiVariables = true;
+ boot.loader.grub.enable = false;
+
+ age = {
+ secrets = {
+ zsh_remote = {
+ file = ../../secrets/zsh_remote.age;
+ owner = "synchronous";
+ mode = "0400";
+ };
+ tailscale-rq = {
+ file = ../../secrets/tailscale-rq.age;
+ owner = "synchronous";
+ mode = "0400";
+ };
+ ssh-pub = {
+ file = ../../secrets/ssh-pub.age;
+ owner = "synchronous";
+ mode = "0400";
+ };
+ };
+ secretsDir = "/home/synchronous/.agenix/agenix";
+ secretsMountPoint = "/home/synchronous/.agenix/agenix.d";
+ identityPaths = ["/home/synchronous/.ssh/id_ed25519"];
+ };
+
+ #boot = {
+ # loader.systemd-boot = {
+ # enable = true;
+ # editor = false;
+ # };
+ # kernelPackages = pkgs.linuxPackages;
+ #};
+ # boot.loader.systemd-boot.enable = true;
+ # boot.loader.efi.canTouchEfiVariables = true;
+ # boot.loader.grub.enable = false;
+ };
+}
diff --git a/hosts/server/ssh.nix b/hosts/server/ssh.nix
new file mode 100644
index 0000000..e88f023
--- /dev/null
+++ b/hosts/server/ssh.nix
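Review bot: `age.identityPaths` is set to `/home/synchronous/.ssh/id_ed25519`, so the root-run activation of all three secrets depends on one user's personal key sitting in a user-writable home directory, and whoever holds that key can decrypt every secret on the host; the usual choice is the host key, `identityPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];`, with that key's public half listed in `secrets/secrets.nix`. `secretsDir` and `secretsMountPoint` are likewise moved under the same home directory instead of agenix's defaults under `/run`; I believe agenix still mounts a ramfs at `secretsMountPoint`, but whether the decrypted files end up on persistent storage with this layout should be confirmed. The `imports` list also names `./hardware-configuration.nix`, which is not among the files this commit creates, so evaluating this module fails unless that file already exists untracked. The three secret entries consistently use `owner = "synchronous"` and `mode = "0400"`, but `ssh-pub` holds a public key, which does not need to be an age secret at all.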
@@ -0,0 +1,19 @@
+{
+ config,
+ pkgs,
+ ...
+}: {
+ services.openssh.enable = true;
+
+ # Disable password login for security
+ services.openssh.settings.PasswordAuthentication = false;
+ services.openssh.settings.PermitRootLogin = "no";
+
+ # Add your authorized key for a specific user
+ users.users.yourusername = {
+ isNormalUser = true;
+ openssh.authorizedKeys.keys = [
+ config.age.secrets.ssh-pub
+ ];
+ };
+}
diff --git a/secrets/secrets.nix b/secrets/secrets.nix
index aa8d71e..eefca9d 100644
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@@ -4,4 +4,5 @@ let
 in {
 "zsh_remote.age".publicKeys = [key];
 "tailscale-rq.age".publicKeys = [key];
+ "ssh-pub.age".publicKeys = [key];
 }
diff --git a/secrets/ssh-pub.age b/secrets/ssh-pub.age
new file mode 100644
index 0000000000000000000000000000000000000000..6b8c0d43c288eb79eee9f77eaf5ddd9ac5c415e9
GIT binary patch
literal 320
zcmV-G0l)rXXJsvAZewzJaCB*JZZ2y|6b9W$5
zbVq1ZHflppYD!pjId(~8D{fY7dTx1aPe@2}VrOt-Fh@)@H)3xvGjj?=aXD;wFm`iK
zQD<&AV?jkVO+sZkc6K;#S#)T0P;W+BdR1C$b4o#YPEiUiEiE8JlO|1xdc)X;7hzXz)-fU>@
z1|B1m&J|KwKI6+lo~8sS-Tfl-+EvG
literal 0
HcmV?d00001
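Review bot: `openssh.authorizedKeys.keys` expects key strings, but the hunk passes `config.age.secrets.ssh-pub`, the secret's attribute set, so this module does not evaluate; as far as I can tell `.path` would not fix it either, because the authorized_keys file is generated at build time while agenix decrypts at activation, and `keyFiles` reads its files at evaluation. A public key is not secret material, so the straightforward fix is a literal entry, `openssh.authorizedKeys.keys = [ "ssh-ed25519 <PUBLIC-KEY-placeholder>" ];`, which also makes `secrets/ssh-pub.age` and its new `secrets.nix` entry unnecessary. The account is named `yourusername` rather than `synchronous`, the user the rest of the commit configures, so as written this creates an unintended extra account and leaves the real one without a key, which with `PasswordAuthentication = false` means no SSH login at all. With only `PasswordAuthentication` disabled, keyboard-interactive (PAM) authentication still accepts passwords, so add `services.openssh.settings.KbdInteractiveAuthentication = false;` alongside it.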