Original commit

flake.lock

@@ -0,0 +1,153 @@
+{
+  "nodes": {
+    "agenix": {
+      "inputs": {
+        "darwin": "darwin",
+        "home-manager": "home-manager",
+        "nixpkgs": [
+          "nixpkgs"
+        ],
+        "systems": "systems"
+      },
+      "locked": {
+        "lastModified": 1754433428,
+        "narHash": "sha256-NA/FT2hVhKDftbHSwVnoRTFhes62+7dxZbxj5Gxvghs=",
+        "owner": "ryantm",
+        "repo": "agenix",
+        "rev": "9edb1787864c4f59ae5074ad498b6272b3ec308d",
+        "type": "github"
+      },
+      "original": {
+        "owner": "ryantm",
+        "repo": "agenix",
+        "type": "github"
+      }
+    },
+    "darwin": {
+      "inputs": {
+        "nixpkgs": [
+          "agenix",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1744478979,
+        "narHash": "sha256-dyN+teG9G82G+m+PX/aSAagkC+vUv0SgUw3XkPhQodQ=",
+        "owner": "lnl7",
+        "repo": "nix-darwin",
+        "rev": "43975d782b418ebf4969e9ccba82466728c2851b",
+        "type": "github"
+      },
+      "original": {
+        "owner": "lnl7",
+        "ref": "master",
+        "repo": "nix-darwin",
+        "type": "github"
+      }
+    },
+    "home-manager": {
+      "inputs": {
+        "nixpkgs": [
+          "agenix",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1745494811,
+        "narHash": "sha256-YZCh2o9Ua1n9uCvrvi5pRxtuVNml8X2a03qIFfRKpFs=",
+        "owner": "nix-community",
+        "repo": "home-manager",
+        "rev": "abfad3d2958c9e6300a883bd443512c55dfeb1be",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-community",
+        "repo": "home-manager",
+        "type": "github"
+      }
+    },
+    "home-manager_2": {
+      "inputs": {
+        "nixpkgs": [
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1758463745,
+        "narHash": "sha256-uhzsV0Q0I9j2y/rfweWeGif5AWe0MGrgZ/3TjpDYdGA=",
+        "owner": "nix-community",
+        "repo": "home-manager",
+        "rev": "3b955f5f0a942f9f60cdc9cacb7844335d0f21c3",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-community",
+        "ref": "release-25.05",
+        "repo": "home-manager",
+        "type": "github"
+      }
+    },
+    "nix-darwin": {
+      "inputs": {
+        "nixpkgs": [
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1759509947,
+        "narHash": "sha256-4XifSIHfpJKcCf5bZZRhj8C4aCpjNBaE3kXr02s4rHU=",
+        "owner": "nix-darwin",
+        "repo": "nix-darwin",
+        "rev": "000eadb231812ad6ea6aebd7526974aaf4e79355",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-darwin",
+        "ref": "nix-darwin-25.05",
+        "repo": "nix-darwin",
+        "type": "github"
+      }
+    },
+    "nixpkgs": {
+      "locked": {
+        "lastModified": 1759478543,
+        "narHash": "sha256-AetDmsj6lkwyEzAhnayQ8wXKkHremjCDqchKhSoAMhE=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "cacb0bf08c2f851ec166ec665c777cf9fc542283",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
+        "ref": "nixpkgs-25.05-darwin",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
+    "root": {
+      "inputs": {
+        "agenix": "agenix",
+        "home-manager": "home-manager_2",
+        "nix-darwin": "nix-darwin",
+        "nixpkgs": "nixpkgs"
+      }
+    },
+    "systems": {
+      "locked": {
+        "lastModified": 1681028828,
+        "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
+        "owner": "nix-systems",
+        "repo": "default",
+        "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-systems",
+        "repo": "default",
+        "type": "github"
+      }
+    }
+  },
+  "root": "root",
+  "version": 7
+}

flake.nix

@@ -0,0 +1,40 @@
+{
+  description = "Example nix-darwin system flake";
+
+  inputs = {
+    nixpkgs.url = "github:NixOS/nixpkgs/nixpkgs-25.05-darwin";
+    nix-darwin.url = "github:nix-darwin/nix-darwin/nix-darwin-25.05";
+    nix-darwin.inputs.nixpkgs.follows = "nixpkgs";
+    home-manager.url = "github:nix-community/home-manager/release-25.05";
+    home-manager.inputs.nixpkgs.follows = "nixpkgs";
+    agenix.url = "github:ryantm/agenix";
+    agenix.inputs.nixpkgs.follows = "nixpkgs";
+  };
+
+  outputs =
+    inputs@{
+      self,
+      nix-darwin,
+      home-manager,
+      nixpkgs,
+      agenix,
+    }:
+    let
+      macbook = import ./systems/macbook/macbook.nix {
+        nix-darwin = nix-darwin;
+        home-manager = home-manager;
+        self = self;
+        agenix = agenix;
+      };
+
+      selene = import ./systems/selene/system.nix {
+        agenix = agenix;
+      };
+    in
+    {
+      # Build darwin flake using:
+      # $ darwin-rebuild build --flake .#Maxiems-MacBook-Pro
+      darwinConfigurations."Maxiems-MacBook-Pro" = macbook;
+      nixosConfigurations.selene = selene;
+    };
+}

keys/asus.pub

@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFdcSzVRG/BHxDx79A3kM5cZ3ZlMipcSorVIpxAJC2xF maxiem@maxiem-asustufgamingf15fx506lhfx506lh

keys/hetzner.pub

@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKcfmaqbtwSEydV2hge/aDWxfwlKOw/JJZZWy8ycjojH hetzner@maxiemgeldhof.com

keys/jellyfin-key

@@ -0,0 +1,7 @@
+age-encryption.org/v1
+-> ssh-ed25519 gSqcWw 6TUQ5nbQ/j886U3+MNcFFiUN2GZqmRZryFxQsE5eMFI
+KO/HfhxCWv3IEdEg+A9pEWYmlM+/YGXIdVe/sw4vpaE
+-> ssh-ed25519 lFtjmQ oK6lK9vYjLg/lsUnoxMs6oftFQsSh5U6qkSZoWWrmB8
+rMcN88GFQ8VdxMKVMeJL/gJdrRgdKhs5wHaU2JohD+0
+--- a9kKvgDEZnMMhjuI2XmcAcCXNo3oNpVPCiSHp1ZiYDQ
+KüÇnv6&Ñ´}¶ˆ>‚B?;ÉaÚ0`
²µJú7<C3BA>OÖ(¤.ÖLV4<02>M9b–Æ‹çâ|]&sïõ5

keys/macbook.priv

@@ -0,0 +1,7 @@
+age-encryption.org/v1
+-> ssh-ed25519 M7OTMg 1m4v/Xmw+N9+pVrttLG1GnH3LCgJSQOOW6T34cIMq08
+kSwgueUJm4DCjgDdi5OGHnhtMNz1zb5lhyYfVmlYp7M
+-> ssh-ed25519 CJLJQg 7zWWonoFKuLQWJaEZGysrGUjcwznXhrbtnpYPULjoWc
+MplLAdVbgYTE99pIhFaMGnO+L6n/xL0kgTaVc4J2NKQ
+--- jYPfNgq9uBO50jSTrwDJ2M0vrx5iYEf4yiGyy9PCA/o
+3·éÆ<C3A9>ôšäŒÏ–2ø>Ú[yÛ+¼ÆD€ýÉ[cª?Àž1Sº—e¦:¯V¾¤Ñû"ÔXÉ[ûøþ[b7iq<69>î‡Y’Z	žýínÔ¼2™¯ni"q kî`ƃJ©:Qù…ýSÙ©gÁù~E\áÎ’£|=Ëvƒ—o} lfŠÈ‘ìÀØt[£×g‘ì>;dc1<63>
<Gçö¾€UíºÇ¶u¡9hx—óÕƒlNü¦”Æ0=D!¥šÇi½‹§éä„< úXê!é2ƒ –6íI<C3AD>MG˜*Sõ!3™Ht4øãvè/Ï&°Àô‹“
ìLY5j<35>Ú<7F>ªúæÛÖ#ŽBðËÝÛäò·ÆX¬K´—«4Ó}Æ‚¤ELâû¨€<C2A8>©ÂŸë<9í|èò;„›ûÄ<˜d_’$£¨¡ËŽÆ<C5BD>Èt¦@lR6™R™™Fn!Û¥³¶ã¥™<ScUƒbT{27 ½)Jº¥ö”t¬ÇÈ$ev¢Öç8ƒ™ìÓG›Ý¤æùä¬zuZ4pmÃÖ™L=iEjnuŸ—H\/oëÝšúɤ_ëÒÜùeˆ õOb³…ª¬‰<C2AC><11>Ñó Z0…›§úrk"_â\Ãë<C383>Ø@Û

keys/macbook.pub

@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJfqdqySAsEAXhB/jadKH6Ol5wVAlzyQRwgxq7DXsDgW maxiem@maxiemgeldhof.com

keys/master.pub

@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICg1ebl3uHhiGPxW6X2Lii5tvuxyuG74AFh/wqxw8rxC maxiem@maxiemgeldhof.com

keys/secrets.nix

@@ -0,0 +1,11 @@
+let
+  selene = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBEiuoUbvgZ2N03MTcWw4z+oUB9SG0jR0fy5AnTTBHym" "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKcfmaqbtwSEydV2hge/aDWxfwlKOw/JJZZWy8ycjojH" ];
+  macbook = [ (builtins.readFile ./macbook.pub) ];
+  master = [ (builtins.readFile ./master.pub) ];
+in
+{
+  "jellyfin-key".publicKeys = selene;
+  "google-storage-key".publicKeys = selene;
+  "macbook.priv".publicKeys = macbook ++ master;
+  "master.priv".publicKeys = macbook ++ master;
+}

modules/servermodules/grafana/grafana.nix

@@ -0,0 +1,70 @@
+{ config, ... }:
+{
+  services.grafana = {
+    enable = true;
+    settings = {
+      server = {
+        # Listening Address
+        http_addr = "127.0.0.1";
+        # and Port
+        http_port = 3000;
+        # Grafana needs to know on which domain and URL it's running
+        domain = "grafana.maxiemgeldhof.com";
+      };
+    };
+    provision.datasources.path = ./provision;
+    provision.dashboards.settings = {
+      apiVersion = 1;
+
+      providers = [
+        {
+          name = "default";
+          options.path = ./dashboards;
+        }
+      ];
+    };
+  };
+
+  services.prometheus.exporters.node = {
+    enable = true;
+    port = 9000;
+    # https://github.com/NixOS/nixpkgs/blob/nixos-24.05/nixos/modules/services/monitoring/prometheus/exporters.nix
+    enabledCollectors = [ "systemd" ];
+    # /nix/store/zgsw0yx18v10xa58psanfabmg95nl2bb-node_exporter-1.8.1/bin/node_exporter  --help
+    extraFlags = [
+      "--collector.ethtool"
+      "--collector.softirqs"
+      "--collector.tcpstat"
+      "--collector.wifi"
+    ];
+  };
+
+  services.prometheus = {
+    enable = true;
+    globalConfig.scrape_interval = "30s";
+    scrapeConfigs = [
+      {
+        job_name = "node";
+        static_configs = [
+          {
+            targets = [
+              "localhost:${toString config.services.prometheus.exporters.node.port}"
+              "localhost:8096"
+            ];
+          }
+        ];
+      }
+      {
+        job_name = "jellyfin";
+        static_configs = [
+          {
+            targets = [
+              "localhost:9594"
+            ];
+          }
+        ];
+      }
+
+    ];
+  };
+}

modules/servermodules/grafana/provision/prom.yaml

@@ -0,0 +1,19 @@
+# Configuration file version
+apiVersion: 1
+prune: true
+
+datasources:
+  - name: Prometheus
+    type: prometheus
+    access: proxy
+    url: http://localhost:9090
+    jsonData:
+      httpMethod: POST
+      manageAlerts: true
+      allowAsRecordingRulesTarget: true
+      prometheusType: Prometheus
+      prometheusVersion: 3.3.0
+      cacheLevel: 'High'
+      disableRecordingRules: false
+      timeInterval: 10s   # Prometheus scrape interval
+      incrementalQueryOverlapWindow: 10m

modules/servermodules/jellyfin/jellyfin.nix

@@ -0,0 +1,60 @@
+{
+  pkgs,
+  config,
+  exporter-pkg,
+  ...
+}:
+{
+  environment.systemPackages = [
+    pkgs.jellyfin
+    pkgs.jellyfin-web
+    pkgs.jellyfin-ffmpeg
+  ];
+
+  services.jellyfin = {
+    enable = true;
+    configDir = "/jellyfin/config";
+    dataDir = "/jellyfin/data";
+  };
+
+  age.secrets.jellyfin-key = {
+    file = ./secrets/jellyfin-key;
+    owner = "jellyfin";
+  };
+
+  # Define the systemd service
+  systemd.services.jellyfin-exporter = {
+    description = "Jellyfin Exporter for Prometheus";
+    wantedBy = [ "multi-user.target" ];
+    after = [
+      "network-online.target"
+      "run-agenix.d.mount"
+    ]; # Should start after network is up
+    wants = [
+      "network-online.target"
+      "run-agenix.d.mount"
+    ]; # Should start after network is up
+
+    serviceConfig = {
+      # The command to start the exporter
+      # You MUST replace the placeholders below with your actual data
+      ExecStart = ''
+        /bin/sh -c "${exporter-pkg}/bin/jellyfin_exporter \
+          --jellyfin.address=http://localhost:8096 \
+          --jellyfin.token=$(cat ${config.age.secrets.jellyfin-key.path})"
+      '';
+
+      # Run the service as the user we created
+      User = "jellyfin";
+
+      # Automatically restart the service if it fails
+      Restart = "on-failure";
+      RestartSec = "5s";
+    };
+  };
+
+  systemd.tmpfiles.rules = [
+    "L+ /data/movies      -       -      -      -    /mnt/volume-hel1-1/movies"
+    "L+ /data/series      -       -      -      -    /mnt/volume-hel1-1/series"
+  ];
+}

modules/servermodules/nginx.nix

@@ -0,0 +1,76 @@
+{ rootdomain }:
+{
+  systemd.services.nginx.serviceConfig.ReadWritePaths = [ "/logs/nginx" ];
+  services.nginx.enable = true;
+  services.nginx.commonHttpConfig = ''
+      log_format myformat '$remote_addr - $remote_user [$time_local] '
+                      '$host "$request" $status $body_bytes_sent '
+                      '"$http_referer" "$http_user_agent"';
+      '';
+
+  services.nginx.virtualHosts."default" = {
+      enableACME = false;
+      rejectSSL = true;
+      default = true;
+
+      locations."/" = {
+        return = 404;
+      };
+      extraConfig = ''
+        access_log /logs/nginx/nginx-access.log myformat;
+      '';
+  };
+
+
+  services.nginx.virtualHosts."grafana.${rootdomain}" = {
+      enableACME = true;
+      forceSSL = true;
+
+      locations."/" = {
+        proxyPass = "http://127.0.0.1:3000";
+        proxyWebsockets = true;
+        recommendedProxySettings = true;
+      };
+      extraConfig = ''
+        access_log /logs/nginx/nginx-access.log myformat;
+      '';
+  };
+
+  services.nginx.virtualHosts."jellyfin.${rootdomain}" = {
+    enableACME = true;
+    forceSSL = true;
+
+    locations."/" = {
+      proxyPass = "http://127.0.0.1:8096";
+      proxyWebsockets = true;
+      recommendedProxySettings = true;
+    };
+
+    locations."/metrics" = {
+      proxyPass = "http://127.0.0.1:8096/metrics";
+      recommendedProxySettings = true;
+      extraConfig = ''
+      allow 127.0.0.1;
+      allow 192.168.0.0/16;
+      allow 10.0.0.0/8;
+      allow 172.16.0.0/12;
+      deny all;
+      '';
+    };
+
+    extraConfig = ''
+      access_log /logs/nginx/nginx-access.log myformat;
+    '';
+  };
+
+  security.acme = {
+    acceptTerms = true;
+    defaults.email = "admin@${rootdomain}";
+  };
+
+  systemd.tmpfiles.rules = [
+  # Type  Path           Mode    User   Group  Age  Argument
+  "d /logs/nginx        0755    nginx  nginx  -    -"
+  ]
+}
+

modules/servermodules/packages.nix

@@ -0,0 +1,15 @@
+{ pkgs, ... }:
+{
+  environment.systemPackages = [
+    pkgs.git
+    pkgs.google-cloud-sdk
+    pkgs.zulu8
+    pkgs.wget
+    pkgs.tmux
+  ];
+  age.secrets.google-storage-key = {
+    file = ./secrets/google-storage-key;
+    owner = "root";
+  };
+  environment.variables.GOOGLE_APPLICATION_CREDENTIALS = config.age.secrets."google-storage-key".path;
+}

modules/usermodules/darwinsettings.nix

@@ -0,0 +1,22 @@
+self:
+{ pkgs, agenix, ... }: {
+  # List packages installed in system profile. To search by name, run:
+  # $ nix-env -qaP | grep wget
+  environment.systemPackages = [ pkgs.vim pkgs.vscode pkgs.git pkgs.nixfmt-rfc-style agenix.packages.aarch64-darwin.default pkgs.python3];
+
+  # Necessary for using flakes on this system.
+  nix.settings.experimental-features = "nix-command flakes";
+  nixpkgs.config.allowUnfree = true;
+
+  # Set Git commit hash for darwin-version.
+  system.configurationRevision = self.rev or self.dirtyRev or null;
+
+  # Used for backwards compatibility, please read the changelog before changing.
+  # $ darwin-rebuild changelog
+  system.stateVersion = 6;
+
+  # The platform the configuration will be used on.
+  nixpkgs.hostPlatform = "aarch64-darwin";
+
+  system.defaults.dock.autohide = true;
+}

systems/macbook/macbook.nix

@@ -0,0 +1,15 @@
+{ nix-darwin, home-manager, agenix, self }:
+nix-darwin.lib.darwinSystem {
+  modules = [
+    { system.primaryUser = "maxiemgeldhof"; }
+    (import ../../modules/usermodules/darwinsettings.nix self)
+    home-manager.darwinModules.home-manager
+    (import ./users.nix)
+    agenix.darwinModules.default
+  ];
+
+  specialArgs = {
+    home-manager=home-manager;
+    agenix = agenix;
+  };
+}

systems/macbook/users.nix

@@ -0,0 +1,14 @@
+{ pkgs, home-manager, config, ... }:
+let
+  userconfig = {
+    home.stateVersion = "25.05";
+    home.homeDirectory = "/Users/maxiemgeldhof";
+
+    programs.home-manager.enable = true;
+  };
+in {
+  home-manager.useGlobalPkgs = true;
+  home-manager.useUserPackages = true;
+  home-manager.users.maxiemgeldhof = userconfig;
+  users.users.maxiemgeldhof.home = "/Users/maxiemgeldhof";
+}

systems/selene/basesettings.nix

@@ -0,0 +1,33 @@
+{ ... }:
+{
+  imports = [
+    ./hardware-configuration.nix
+    ./networking.nix # generated at runtime by nixos-infect
+  ];
+
+  boot.tmp.cleanOnBoot = true;
+  zramSwap.enable = true;
+  networking.hostName = "selene";
+  networking.domain = "";
+  networking.firewall = {
+    enable = true;
+    allowedTCPPorts = [
+      22
+      80
+      443
+    ];
+  };
+
+  services.openssh.enable = true;
+  services.openssh.settings.PasswordAuthentication = false;
+  users.users.root.openssh.authorizedKeys.keys = [
+    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKcfmaqbtwSEydV2hge/aDWxfwlKOw/JJZZWy8ycjojH hetzner@maxiemgeldhof.com"
+  ];
+
+  age.identityPaths = [ "/root/.ssh/id_ed25519" ];
+  system.stateVersion = "23.11";
+  nix.settings.experimental-features = [
+    "nix-command"
+    "flakes"
+  ];
+}

systems/selene/hardware.nix

@@ -0,0 +1,13 @@
+{ modulesPath, ... }:
+{
+  imports = [ (modulesPath + "/profiles/qemu-guest.nix") ];
+  boot.loader.grub = {
+    efiSupport = true;
+    efiInstallAsRemovable = true;
+    device = "nodev";
+  };
+  fileSystems."/boot" = { device = "/dev/disk/by-uuid/7AE2-203E"; fsType = "vfat"; };
+  boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "xen_blkfront" ];
+  boot.initrd.kernelModules = [ "nvme" ];
+  fileSystems."/" = { device = "/dev/sdc1"; fsType = "ext4"; };
+}

systems/selene/networking.nix

@@ -0,0 +1,44 @@
+{ lib, ... }: {
+  # This file was populated at runtime with the networking
+  # details gathered from the active system.
+  networking = {
+    nameservers = [ "8.8.8.8" ];
+    defaultGateway = "172.31.1.1";
+    defaultGateway6 = {
+      address = "fe80::1";
+      interface = "eth0";
+    };
+    dhcpcd.enable = false;
+    usePredictableInterfaceNames = lib.mkForce false;
+    interfaces = {
+      eth0 = {
+        ipv4.addresses = [{
+          address = "37.27.207.39";
+          prefixLength = 32;
+        }];
+        ipv6.addresses = [
+          {
+            address = "2a01:4f9:c010:bbba::1";
+            prefixLength = 64;
+          }
+          {
+            address = "fe80::9000:6ff:fe5c:ed79";
+            prefixLength = 64;
+          }
+        ];
+        ipv4.routes = [{
+          address = "172.31.1.1";
+          prefixLength = 32;
+        }];
+        ipv6.routes = [{
+          address = "fe80::1";
+          prefixLength = 128;
+        }];
+      };
+
+    };
+  };
+  services.udev.extraRules = ''
+    ATTR{address}=="92:00:06:5c:ed:79", NAME="eth0"
+  '';
+}

systems/selene/system.nix

@@ -0,0 +1,19 @@
+{ agenix }:
+nixpkgs.lib.nixosSystem {
+  system = system;
+  specialArgs = {
+    # This selects the package for the current system and passes it
+    exporter-pkg = jellyfin-exporter.packages.${system}.default;
+  };
+
+  modules = [
+    ./basesettings.nix
+    ./users.nix
+    ../../modules/servermodules/packages.nix
+    (import ./nginx.nix "maxiemgeldhof.com")
+    ../../modules/servermodules/grafana.nix
+    ../../modules/servermodules/jellyfin.nix
+    ./volumes.nix
+    agenix.nixosModules.default
+  ];
+}

systems/selene/users.nix

@@ -0,0 +1,17 @@
+{
+  users.users.selene = {
+    isNormalUser = true;
+    home = "/home/selene";
+    hashedPassword = "$y$j9T$KjOwguW/7P9GvbNg6Yy.k/$8xf3aqnJ909HSjxtpe854RKdiXiPpbOLt.aiuJSfeC0";
+    openssh.authorizedKeys.keys = [
+      (builtins.readFile ../../keys/hetzner.pub)
+      (builtins.readFile ../../keys/asus.pub)
+      (builtins.readFile "../../keys/pacbook.pub")
+    ];
+
+    extraGroups = [
+      "wheel"
+      "networkmanager"
+    ];
+  };
+}

systems/selene/volumes.nix

@@ -0,0 +1,21 @@
+{
+  fileSystems."/mnt/volume-hel1-2" = {
+    device = "/dev/disk/by-id/scsi-0HC_Volume_103422022";
+    fsType = "ext4";
+    options = [
+      "defaults"
+      "discard"
+      "nofail"
+    ];
+  };
+
+  fileSystems."/mnt/volume-hel1-1" = {
+    device = "/dev/disk/by-id/scsi-0HC_Volume_103419450";
+    fsType = "ext4";
+    options = [
+      "defaults"
+      "discard"
+      "nofail"
+    ];
+  };
+}