mv hosts nixosConfigurations

2025-09-14 13:00:03 +02:00 · 2025-09-14 13:00:03 +02:00 · 4d28e476dc
commit 4d28e476dc
parent 232728a053
24 changed files with 8 additions and 8 deletions
--- a/nixosConfigurations/forgejo-runner-1/configuration.nix
+++ b/nixosConfigurations/forgejo-runner-1/configuration.nix
@ -0,0 +1,15 @@
+{ ... }:
+{
+  # uncomment for build check on non arm system (requires --impure)
+  # nixpkgs.buildPlatform = builtins.currentSystem;
+  services.tailscale.useRoutingFeatures = "both";
+  system.autoUpgrade.allowReboot = true;
+
+  users.users = {
+    root.openssh.authorizedKeys.keys = [
+      ''ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFCJUpbpB3KEKVoKWsKoar9J4RNah8gmQoSH6jQEw5dY vinzenz-pixel-JuiceSSH''
+      ''ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO1CRn4yYTL4XUdCebE8Z4ZeuMujBjorTdWifg911EOv vinzenz-pc2 home roaming''
+      ''ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPDNpLDmctyqGpow/ElQvdhY4BLBPS/sigDJ1QEcC7wC vinzenz-lpt2-roaming''
+    ];
+  };
+}
--- a/nixosConfigurations/forgejo-runner-1/forgejo-runner.nix
+++ b/nixosConfigurations/forgejo-runner-1/forgejo-runner.nix
@ -0,0 +1,29 @@
+{ pkgs, ... }:
+{
+  config = {
+    environment.systemPackages = with pkgs; [
+      forgejo-runner
+    ];
+
+    # https://wiki.nixos.org/wiki/Forgejo
+
+    services.gitea-actions-runner = {
+      package = pkgs.forgejo-actions-runner;
+      instances.default = {
+        enable = true;
+        name = "cccb";
+        url = "https://git.berlin.ccc.de";
+        # Obtaining the path to the runner token file may differ
+        # tokenFile should be in format TOKEN=<secret>, since it's EnvironmentFile for systemd
+        tokenFile = "/etc/forgejo-runner/registration_token";
+        labels = [
+          "ubuntu-latest:docker://ghcr.io/catthehacker/ubuntu:rust-24.04"
+          "ubuntu-24.04:docker://ghcr.io/catthehacker/ubuntu:rust-24.04"
+        ];
+        settings = {
+          container.network = "bridge";
+        };
+      };
+    };
+  };
+}
--- a/nixosConfigurations/forgejo-runner-1/hardware.nix
+++ b/nixosConfigurations/forgejo-runner-1/hardware.nix
@ -0,0 +1,63 @@
+{ modulesPath, ... }:
+{
+  imports = [ (modulesPath + "/profiles/qemu-guest.nix") ];
+
+  config = {
+    nixpkgs = {
+      hostPlatform = "aarch64-linux";
+      system = "aarch64-linux";
+    };
+
+    boot = {
+      tmp.cleanOnBoot = true;
+      kernelParams = [ "console=tty" ];
+      loader = {
+        systemd-boot.enable = true;
+        efi.canTouchEfiVariables = true;
+      };
+      initrd = {
+        availableKernelModules = [
+          "xhci_pci"
+          "virtio_scsi"
+          "sr_mod"
+          "virtio_gpu"
+        ];
+        kernelModules = [ ];
+      };
+    };
+
+    fileSystems = {
+      "/" = {
+        device = "/dev/disk/by-uuid/47bc77ff-12e1-4d39-bb5c-fb100ccd3aab";
+        fsType = "ext4";
+      };
+      "/boot" = {
+        device = "/dev/disk/by-uuid/05F2-8F9A";
+        fsType = "vfat";
+        options = [
+          "fmask=0077"
+          "dmask=0077"
+        ];
+      };
+    };
+
+    swapDevices = [
+      { device = "/dev/disk/by-uuid/bbd18a70-b0bb-4e1a-b45b-3c1f8ecc0c10"; }
+    ];
+
+    networking.useNetworkd = true;
+    systemd.network = {
+      enable = true;
+      networks."10-wan" = {
+        matchConfig.Name = "enp1s0";
+        networkConfig.DHCP = "ipv4";
+        address = [
+          "2a01:4f8:c013:a524::1/64"
+        ];
+        routes = [
+          { Gateway = "fe80::1"; }
+        ];
+      };
+    };
+  };
+}
--- a/nixosConfigurations/forgejo-runner-1/imports.nix
+++ b/nixosConfigurations/forgejo-runner-1/imports.nix
@ -0,0 +1,7 @@
+{ nixosModules, ... }:
+{
+  imports = [
+    nixosModules.podman
+    ./forgejo-runner.nix
+  ];
+}
--- a/nixosConfigurations/hetzner-vpn2/configuration.nix
+++ b/nixosConfigurations/hetzner-vpn2/configuration.nix
@ -0,0 +1,21 @@
+{ ... }:
+{
+  # uncomment for build check on non arm system (requires --impure)
+  # nixpkgs.buildPlatform = builtins.currentSystem;
+
+  services.tailscale.useRoutingFeatures = "both";
+
+  users.users = {
+    root.openssh.authorizedKeys.keys = [
+      ''ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICdYqY3Y1/f1bsAi5Qfyr/UWuX9ixu96IeAlhoQaJkbf''
+      ''ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFCJUpbpB3KEKVoKWsKoar9J4RNah8gmQoSH6jQEw5dY vinzenz-pixel-JuiceSSH''
+      ''ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO1CRn4yYTL4XUdCebE8Z4ZeuMujBjorTdWifg911EOv vinzenz-pc2 home roaming''
+      ''ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPDNpLDmctyqGpow/ElQvdhY4BLBPS/sigDJ1QEcC7wC vinzenz-lpt2-roaming''
+    ];
+    #ronja.openssh.authorizedKeys.keys = [
+    #  ''ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIALWKm+d6KL6Vl3grPOcGouiNTkvdhXuWJmcrdEBY2nw ronja-ssh-host-key''
+    #];
+  };
+
+  system.autoUpgrade.allowReboot = true;
+}
--- a/nixosConfigurations/hetzner-vpn2/hardware.nix
+++ b/nixosConfigurations/hetzner-vpn2/hardware.nix
@ -0,0 +1,63 @@
+{ modulesPath, ... }:
+{
+  imports = [ (modulesPath + "/profiles/qemu-guest.nix") ];
+
+  config = {
+    nixpkgs = {
+      hostPlatform = "aarch64-linux";
+      system = "aarch64-linux";
+    };
+
+    boot = {
+      tmp.cleanOnBoot = true;
+      kernelParams = [ "console=tty" ];
+      loader = {
+        systemd-boot.enable = true;
+        efi.canTouchEfiVariables = true;
+      };
+      initrd = {
+        availableKernelModules = [
+          "xhci_pci"
+          "virtio_scsi"
+          "sr_mod"
+          "virtio_gpu"
+        ];
+        kernelModules = [ ];
+      };
+    };
+
+    fileSystems = {
+      "/" = {
+        device = "/dev/disk/by-uuid/3263489d-9819-433c-b198-9d2e732a94e4";
+        fsType = "ext4";
+      };
+      "/boot" = {
+        device = "/dev/disk/by-uuid/6C25-6BDC";
+        fsType = "vfat";
+        options = [
+          "fmask=0077"
+          "dmask=0077"
+        ];
+      };
+    };
+
+    swapDevices = [
+      { device = "/dev/disk/by-uuid/e147721d-86b5-40d7-a231-c6ea391c563d"; }
+    ];
+
+    networking.useNetworkd = true;
+    systemd.network = {
+      enable = true;
+      networks."10-wan" = {
+        matchConfig.Name = "enp1s0";
+        networkConfig.DHCP = "ipv4";
+        address = [
+          "2a01:4f8:c013:65dd::1/64"
+        ];
+        routes = [
+          { Gateway = "fe80::1"; }
+        ];
+      };
+    };
+  };
+}
--- a/nixosConfigurations/hetzner-vpn2/imports.nix
+++ b/nixosConfigurations/hetzner-vpn2/imports.nix
@ -0,0 +1,5 @@
+{
+  imports = [
+    ./nginx.nix
+  ];
+}
--- a/nixosConfigurations/hetzner-vpn2/nginx.nix
+++ b/nixosConfigurations/hetzner-vpn2/nginx.nix
@ -0,0 +1,104 @@
+{ pkgs, ... }:
+let
+  blog-domain-socket = "/run/nginx/blog.sock";
+  anubis-domain-socket = "/run/anubis/anubis-blog.sock";
+in
+{
+  security.acme = {
+    acceptTerms = true;
+    defaults.email = "acme@zerforschen.plus";
+  };
+
+  security.pam.services.nginx.setEnvironment = false;
+  systemd.services = {
+    nginx.serviceConfig = {
+      SupplementaryGroups = [
+        "shadow"
+        "anubis"
+      ];
+    };
+    anubis-main.serviceConfig = {
+      SupplementaryGroups = [ "nginx" ];
+    };
+  };
+
+  services = {
+    nginx = {
+      enable = true;
+      additionalModules = [ pkgs.nginxModules.pam ];
+
+      recommendedProxySettings = true;
+      recommendedTlsSettings = true;
+      recommendedGzipSettings = true;
+      recommendedOptimisation = true;
+
+      virtualHosts =
+        #let
+        #  servicesDomain = "services.zerforschen.plus";
+        #  mkServiceConfig =
+        #    { host, port }:
+        #    {
+        #      addSSL = true;
+        #      enableACME = true;
+        #      locations."/" = {
+        #        proxyPass = "http://${host}:${toString port}/";
+        #        extraConfig = ''
+        #          # bind to tailscale ip
+        #          proxy_bind 100.88.118.60;
+        #          # pam auth
+        #          limit_except OPTIONS {
+        #            auth_pam  "Password Required";
+        #            auth_pam_service_name "nginx";
+        #          }
+        #        '';
+        #      };
+        #    };
+        #  pc2 = "vinzenz-pc2.donkey-pentatonic.ts.net";
+        #in
+        {
+          #"code.${servicesDomain}" = lib.mkMerge [
+          #  (mkServiceConfig {
+          #    host = pc2;
+          #    port = 8542;
+          #  })
+          #  { locations."/".proxyWebsockets = true; }
+          #];
+          #"view.${servicesDomain}" = mkServiceConfig {
+          #  host = pc2;
+          #  port = 1313;
+          #};
+
+          "zerforschen.plus" = {
+            addSSL = true;
+            enableACME = true;
+            locations."/" = {
+              proxyPass = ("http://unix:" + anubis-domain-socket);
+            };
+          };
+
+          "blog-in-anubis" = {
+            root = pkgs.zerforschen-plus-content;
+            listen = [
+              {
+                addr = ("unix:" + blog-domain-socket);
+              }
+            ];
+          };
+        };
+    };
+
+    anubis.instances.main = {
+      enable = true;
+      settings = {
+        BIND = anubis-domain-socket;
+        TARGET = "unix://" + blog-domain-socket;
+      };
+    };
+  };
+
+  networking.firewall.allowedTCPPorts = [
+    80
+    443
+    5201
+  ];
+}
--- a/nixosConfigurations/ronja-pc/configuration.nix
+++ b/nixosConfigurations/ronja-pc/configuration.nix
@ -0,0 +1,26 @@
+{
+  config,
+  pkgs,
+  ...
+}:
+{
+  # Configure keymap in X11
+  services.xserver.xkb = {
+    layout = "de";
+    variant = "";
+  };
+
+  # Configure console keymap
+  console.keyMap = "de";
+
+  # List packages installed in system profile. To search, run:
+  # $ nix search wget
+  environment.systemPackages = with pkgs; [
+    #  vim # Do not forget to add an editor to edit configuration.nix! The Nano editor is also installed by default.
+    #  wget
+  ];
+
+  # Open ports in the firewall.
+  # networking.firewall.allowedTCPPorts = [ ... ];
+  # networking.firewall.allowedUDPPorts = [ ... ];
+}
--- a/nixosConfigurations/ronja-pc/hardware.nix
+++ b/nixosConfigurations/ronja-pc/hardware.nix
@ -0,0 +1,42 @@
+{ lib, ... }:
+{
+  boot = {
+    kernelModules = [ "kvm-intel" ];
+    extraModulePackages = [ ];
+    initrd = {
+      availableKernelModules = [
+        "xhci_pci"
+        "ahci"
+        "nvme"
+        "usbhid"
+        "usb_storage"
+        "sd_mod"
+      ];
+      kernelModules = [ ];
+    };
+  };
+
+  fileSystems = {
+    "/" = {
+      device = "/dev/disk/by-uuid/27eccf93-a79f-4fcb-8588-ec55d913508f";
+      fsType = "btrfs";
+      options = [ "subvol=@" ];
+    };
+
+    "/boot" = {
+      device = "/dev/disk/by-uuid/85D4-43FC";
+      fsType = "vfat";
+      options = [
+        "fmask=0077"
+        "dmask=0077"
+      ];
+    };
+  };
+
+  swapDevices = [
+    { device = "/dev/disk/by-uuid/bf9d19fb-499b-4bfb-b67d-131fa5bf8259"; }
+  ];
+
+  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+  hardware.cpu.intel.updateMicrocode = true;
+}
--- a/nixosConfigurations/ronja-pc/imports.nix
+++ b/nixosConfigurations/ronja-pc/imports.nix
@ -0,0 +1,12 @@
+{ nixosModules, ... }:
+{
+  imports = [
+    ../../modules/gnome.nix
+    ../../modules/gaming.nix
+    nixosModules.steam
+    ../../modules/desktop-environment.nix
+    ../../modules/desktop-hardware.nix
+
+    ../../home/ronja
+  ];
+}
--- a/nixosConfigurations/vinzenz-lpt2/configuration.nix
+++ b/nixosConfigurations/vinzenz-lpt2/configuration.nix
@ -0,0 +1,45 @@
+{ ... }:
+{
+  imports = [ ./nginx.nix ];
+
+  config = {
+    nix.settings.extra-platforms = [
+      "aarch64-linux"
+      "i686-linux"
+    ];
+
+    services.xserver.xkb = {
+      # Configure keymap in X11
+      layout = "de";
+      variant = "";
+    };
+
+    # Configure console keymap
+    console.keyMap = "de";
+
+    users.users.vinzenz.openssh.authorizedKeys.keys = [
+      ''ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFCJUpbpB3KEKVoKWsKoar9J4RNah8gmQoSH6jQEw5dY vinzenz-pixel-JuiceSSH''
+      ''ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO1CRn4yYTL4XUdCebE8Z4ZeuMujBjorTdWifg911EOv vinzenz-pc2 home roaming''
+    ];
+
+    #users.users.ronja.openssh.authorizedKeys.keys = [
+    #  ''ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIALWKm+d6KL6Vl3grPOcGouiNTkvdhXuWJmcrdEBY2nw ronja-ssh-host-key''
+    #];
+
+    programs = {
+      adb.enable = true;
+      light = {
+        enable = true;
+        brightnessKeys = {
+          enable = true;
+          step = 5;
+        };
+      };
+    };
+
+    networking.firewall.allowedTCPPorts = [
+      8776
+      1337
+    ];
+  };
+}
--- a/nixosConfigurations/vinzenz-lpt2/hardware.nix
+++ b/nixosConfigurations/vinzenz-lpt2/hardware.nix
@ -0,0 +1,63 @@
+{ lib, ... }:
+{
+  imports = [ ../../modules/intel-graphics.nix ];
+  config = {
+    # intel cpu
+    boot.kernelModules = [
+      "kvm-intel"
+      "xe"
+    ];
+    hardware.cpu.intel.updateMicrocode = true;
+
+    boot.loader = {
+      systemd-boot.enable = true;
+      efi.canTouchEfiVariables = true;
+    };
+
+    # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+    # (the default) this is the recommended approach. When using systemd-networkd it's
+    # still possible to use this option, but it's recommended to use it in conjunction
+    # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
+    networking.useDHCP = lib.mkDefault true;
+
+    hardware.enableRedistributableFirmware = true;
+
+    nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+
+    boot.initrd = {
+      availableKernelModules = [
+        "xhci_pci"
+        "thunderbolt"
+        "nvme"
+      ];
+      luks.devices = {
+        "luks-2c654ff2-3c42-48d3-a1e3-9545679afaa3" = {
+          device = "/dev/disk/by-uuid/2c654ff2-3c42-48d3-a1e3-9545679afaa3";
+        };
+      };
+    };
+
+    fileSystems = {
+      "/" = {
+        device = "/dev/disk/by-uuid/e4dad0c8-26a1-45e9-bbd9-48565eb6574e";
+        fsType = "btrfs";
+        options = [ "subvol=@" ];
+      };
+
+      "/boot" = {
+        device = "/dev/disk/by-uuid/E2B7-2BC1";
+        fsType = "vfat";
+      };
+    };
+
+    swapDevices = [
+      {
+        device = "/var/lib/swapfile";
+        size = 32 * 1024;
+      }
+    ];
+
+    services.thermald.enable = true;
+    services.hardware.bolt.enable = true; # thunderbolt security
+  };
+}
--- a/nixosConfigurations/vinzenz-lpt2/imports.nix
+++ b/nixosConfigurations/vinzenz-lpt2/imports.nix
@ -0,0 +1,15 @@
+{ nixosModules, ... }:
+{
+  imports = [
+    ../../modules/gnome.nix
+    ../../modules/gaming.nix
+    nixosModules.steam
+    nixosModules.printing
+    nixosModules.podman
+    ../../modules/desktop-environment.nix
+    ../../modules/desktop-hardware.nix
+
+    ../../home/vinzenz
+    ../../home/ronja
+  ];
+}
--- a/nixosConfigurations/vinzenz-lpt2/nginx.nix
+++ b/nixosConfigurations/vinzenz-lpt2/nginx.nix
@ -0,0 +1,66 @@
+{ pkgs, ... }:
+let
+  blog-domain-socket = "/run/nginx/blog.sock";
+  anubis-domain-socket = "/run/anubis/anubis-blog.sock";
+in
+{
+  users.groups = {
+    anubis.members = [ "nginx" ];
+    nginx.members = [ "anubis" ];
+  };
+  services = {
+    nginx = {
+      enable = true;
+
+      recommendedProxySettings = true;
+      recommendedTlsSettings = true;
+      recommendedGzipSettings = true;
+      recommendedOptimisation = true;
+
+      virtualHosts = {
+        #"vinzenz-lpt2" = {
+        #  locations."/" = {
+        #    proxyPass = "http://127.0.0.1:3000/";
+        #    proxyWebsockets = true;
+        #  };
+        #
+        #  serverAliases = [ "172.23.42.96" ];
+        #};
+
+        "vinzenz-lpt2" = {
+          locations."/" = {
+            proxyPass = ("http://unix:" + anubis-domain-socket);
+          };
+        };
+
+        "vinzenz-lpt2-in-anubis" = {
+          root = pkgs.zerforschen-plus-content;
+          listen = [
+            {
+              addr = ("unix:" + blog-domain-socket);
+            }
+          ];
+        };
+      };
+    };
+
+    #networking.firewall = {
+    #  allowedTCPPorts = [
+    #    80
+    #    8001
+    #    3000
+    #  ];
+    #  allowedUDPPorts = [ 2342 ];
+    #};
+
+    anubis = {
+      instances.main = {
+        enable = true;
+        settings = {
+          BIND = anubis-domain-socket;
+          TARGET = "unix://" + blog-domain-socket;
+        };
+      };
+    };
+  };
+}
--- a/nixosConfigurations/vinzenz-lpt2/zerforschen-plus.nix
+++ b/nixosConfigurations/vinzenz-lpt2/zerforschen-plus.nix
@ -0,0 +1,38 @@
+{
+  pkgs,
+  ...
+}:
+{
+  security.acme = {
+    acceptTerms = true;
+    defaults.email = "acme@zerforschen.plus";
+  };
+
+  security.pam.services.nginx.setEnvironment = false;
+  systemd.services.nginx.serviceConfig = {
+    SupplementaryGroups = [ "shadow" ];
+  };
+
+  services.nginx = {
+    enable = true;
+    additionalModules = [ pkgs.nginxModules.pam ];
+
+    recommendedProxySettings = true;
+    recommendedTlsSettings = true;
+    recommendedGzipSettings = true;
+    recommendedOptimisation = true;
+
+    virtualHosts = {
+      "zerforschen.plus" = {
+        #addSSL = true;
+        #enableACME = true;
+        root = pkgs.zerforschen-plus-content;
+      };
+    };
+  };
+
+  #networking.firewall.allowedTCPPorts = [
+  #  80
+  #  443
+  #];
+}
--- a/nixosConfigurations/vinzenz-pc2/configuration.nix
+++ b/nixosConfigurations/vinzenz-pc2/configuration.nix
@ -0,0 +1,36 @@
+{ pkgs, ... }:
+{
+  imports = [
+    ./hardware.nix
+    ./vscode-server.nix
+    ./hass.nix
+  ];
+  config = {
+    nix.settings.extra-platforms = [
+      "aarch64-linux"
+      "i686-linux"
+    ];
+
+    services.xserver.xkb = {
+      # Configure keymap in X11
+      layout = "de";
+      variant = "";
+    };
+
+    # Configure console keymap
+    console.keyMap = "de";
+
+    users.users.vinzenz.openssh.authorizedKeys.keys = [
+      ''ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINrY6tcgnoC/xbgL7vxSjddEY9MBxRXe9n2cAHt88/TT home roaming''
+      ''ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFCJUpbpB3KEKVoKWsKoar9J4RNah8gmQoSH6jQEw5dY vinzenz-pixel-JuiceSSH''
+      ''ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPDNpLDmctyqGpow/ElQvdhY4BLBPS/sigDJ1QEcC7wC vinzenz-lpt2-roaming''
+    ];
+
+    users.users.ronja.openssh.authorizedKeys.keys = [
+      ''ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIALWKm+d6KL6Vl3grPOcGouiNTkvdhXuWJmcrdEBY2nw ssh-host-key''
+      ''ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEgN6J8KyVyQqBAz+y3drXDmIsxOPkdPB+ISgpIP9Eld Generated By Termius''
+    ];
+
+    environment.systemPackages = with pkgs; [ lact ];
+  };
+}
--- a/nixosConfigurations/vinzenz-pc2/fstab.nix
+++ b/nixosConfigurations/vinzenz-pc2/fstab.nix
@ -0,0 +1,37 @@
+{
+  "/" = {
+    device = "/dev/disk/by-uuid/0e9c983a-e733-447e-8181-f41d6670c4b8";
+    fsType = "btrfs";
+    options = [ "subvol=@" ];
+  };
+
+  "/home" = {
+    device = "/dev/disk/by-uuid/0e9c983a-e733-447e-8181-f41d6670c4b8";
+    fsType = "btrfs";
+    options = [ "subvol=@home" ];
+  };
+
+  "/games" = {
+    device = "/dev/disk/by-uuid/0e9c983a-e733-447e-8181-f41d6670c4b8";
+    fsType = "btrfs";
+    options = [ "subvol=@games" ];
+  };
+
+  "/boot" = {
+    device = "/dev/disk/by-uuid/AF67-8F16";
+    fsType = "vfat";
+  };
+
+  #"/mnt/nixos_btrfs_root" = {
+  #  # subvolume with id 5 is always the root volume
+  #  # this is convenient for managing the flat subvolume hierarchy
+  #  device = "/dev/disk/by-uuid/0e9c983a-e733-447e-8181-f41d6670c4b8";
+  #  fsType = "btrfs";
+  #  options = [ "subvolid=5" ];
+  #};
+
+  "/mnt/ssd2" = {
+    device = "/dev/disk/by-uuid/6b2a647d-c68e-4c07-85bf-c9bfc5db7e8a";
+    fsType = "ext4";
+  };
+}
--- a/nixosConfigurations/vinzenz-pc2/hardware.nix
+++ b/nixosConfigurations/vinzenz-pc2/hardware.nix
@ -0,0 +1,25 @@
+{ ... }:
+{
+  imports = [ ../../modules/amd-graphics.nix ];
+  config = {
+    # amd cpu
+    boot.kernelModules = [ "kvm-amd" ];
+    hardware.cpu.amd.updateMicrocode = true;
+
+    boot = {
+      initrd.availableKernelModules = [
+        "nvme"
+        "xhci_pci"
+        "ahci"
+        "usbhid"
+        "sd_mod"
+      ]; # "usb_storage"
+      loader.efi.efiSysMountPoint = "/boot";
+    };
+
+    fileSystems = import ./fstab.nix;
+    swapDevices = [ ];
+
+    networking.interfaces.eno1.wakeOnLan.enable = true;
+  };
+}
--- a/nixosConfigurations/vinzenz-pc2/hass.nix
+++ b/nixosConfigurations/vinzenz-pc2/hass.nix
@ -0,0 +1,62 @@
+{ pkgs, ... }:
+let
+  hass-image = "ghcr.io/home-assistant/home-assistant:stable";
+  hass-service = "podman-homeassistant";
+in
+{
+  virtualisation.oci-containers = {
+    backend = "podman";
+    containers.homeassistant = {
+      image = hass-image;
+      hostname = "hass.lan";
+      serviceName = hass-service;
+      volumes = [ "home-assistant:/config" ];
+      environment.TZ = "Europe/Berlin";
+      extraOptions = [ "--network=host" ];
+    };
+  };
+
+  systemd = {
+    timers.update-hass = {
+      timerConfig = {
+        Unit = "update-hass.service";
+        OnCalendar = "Sun 02:00";
+      };
+      wantedBy = [ "timers.target" ];
+    };
+
+    services.update-hass = {
+      serviceConfig = {
+        Type = "oneshot";
+        ExecStart = pkgs.writeShellScriptBin "update-hass" ''
+          podman pull ${hass-image};
+          systemctl restart ${hass-service};
+        '';
+      };
+    };
+  };
+
+  services = {
+    mosquitto = {
+      enable = true;
+    };
+
+    nginx = {
+      enable = true;
+
+      recommendedProxySettings = true;
+      recommendedTlsSettings = true;
+      recommendedGzipSettings = true;
+      recommendedOptimisation = true;
+
+      # TODO: add ssl
+      # TODO: add pam auth
+
+      virtualHosts."hass.lan" = {
+        locations."/" = {
+          proxyPass = "localhost:8123";
+        };
+      };
+    };
+  };
+}
--- a/nixosConfigurations/vinzenz-pc2/imports.nix
+++ b/nixosConfigurations/vinzenz-pc2/imports.nix
@ -0,0 +1,16 @@
+{ nixosModules, ... }:
+{
+  imports = [
+    ../../modules/gnome.nix
+    ../../modules/gaming.nix
+    nixosModules.steam
+    nixosModules.printing
+    nixosModules.podman
+    #../../modules/niri.nix
+    ../../modules/desktop-environment.nix
+    ../../modules/desktop-hardware.nix
+
+    ../../home/vinzenz
+    ../../home/ronja
+  ];
+}
--- a/nixosConfigurations/vinzenz-pc2/vscode-server.nix
+++ b/nixosConfigurations/vinzenz-pc2/vscode-server.nix
@ -0,0 +1,30 @@
+{ pkgs, ... }:
+{
+  services.openvscode-server = {
+    enable = true;
+    package = pkgs.unstable.openvscode-server;
+    telemetryLevel = "off";
+    port = 8542;
+    host = "127.0.0.1";
+    withoutConnectionToken = true;
+    extraPackages = with pkgs; [
+      nodejs
+      git
+      gh
+      direnv
+    ];
+  };
+
+  networking = {
+    firewall = {
+      allowedTCPPorts = [
+        8542
+        8543
+        8544
+        80
+        1313
+        5201
+      ];
+    };
+  };
+}