dotfiles/nixos/machines/railbird-sf.nix

{ config, lib, pkgs, forEachUser, inputs, orgAgendaApiContainer ? null, orgAgendaApiImageName ? "org-agenda-api", ... }:
{
  imports = [
    ../configuration.nix
    inputs.agenix.nixosModules.default
  ];

  networking.hostName = "railbird-sf";

  # org-agenda-api hosting with nginx + Let's Encrypt
  # Separate secrets for org-agenda-api: auth password (env format) and SSH key (raw file)
  age.secrets.org-api-auth-password = {
    file = ../secrets/org-api-auth-password.age;
  };
  age.secrets.org-api-ssh-key = {
    file = ../secrets/org-api-ssh-key.age;
    mode = "0400";  # Restrictive permissions for SSH key
  };

  services.org-agenda-api-host = {
    enable = true;
    domain = "rbsf.tplinkdns.com";
    extraDomains = [ "org-agenda-api.rbsf.railbird.ai" ];
    containerImage = orgAgendaApiImageName;
    containerImageFile = orgAgendaApiContainer;
    secretsFile = config.age.secrets.org-api-auth-password.path;
    sshKeyFile = config.age.secrets.org-api-ssh-key.path;
  };

  hardware.enableRedistributableFirmware = true;
  boot.initrd.availableKernelModules = [ "nvme" "xhci_pci" "ahci" "usbhid" "usb_storage" "sd_mod" ];
  boot.initrd.kernelModules = [ ];
  boot.kernelModules = [ "kvm-amd" ];
  boot.extraModulePackages = [ ];
  boot.loader.systemd-boot.enable = true;
  myModules.postgres.enable = true;
  features.full.enable = true;

  services.k3s.role = "agent";
  services.k3s.extraFlags = lib.mkForce ["--node-label nixos-nvidia-cdi=enabled"];

  hardware.nvidia = {
    powerManagement.enable = false;
    # Fine-grained power management. Turns off GPU when not in use.
    # Experimental and only works on modern Nvidia GPUs (Turing or newer).
    powerManagement.finegrained = false;

    # Enable the Nvidia settings menu,
    # accessible via `nvidia-settings`.
    nvidiaSettings = true;
  };

  myModules.base.enable = true;
  myModules.desktop.enable = true;
  myModules.code.enable = true;
  myModules.syncthing.enable = true;
  myModules.fonts.enable = true;
  myModules.plasma.enable = true;
  myModules.nvidia.enable = true;
  myModules.gitea-runner.enable = true;
  myModules.railbird-k3s = {
    enable = false;
    serverAddr = "https://dev.railbird.ai:6443";
  };

  fileSystems."/" =
    { device = "/dev/disk/by-uuid/a317d456-6f84-41ee-a149-8e466e414aae";
    fsType = "ext4";
    };

  fileSystems."/boot" =
    { device = "/dev/disk/by-uuid/B875-39D4";
      fsType = "vfat";
      };

  swapDevices =
    [ { device = "/dev/disk/by-uuid/129345f3-e1e1-4d45-9db9-643160c6d564"; }
    ];

  environment.systemPackages = with pkgs; [
    android-studio
  ];

  networking.useDHCP = lib.mkDefault true;
  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
  powerManagement.cpuFreqGovernor = lib.mkDefault "powersave";
  hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;

  home-manager.users = forEachUser {
     home.stateVersion = "23.11";
  };

  system.stateVersion = "23.11";
}
Split org-api secrets into auth password and SSH key - Auth password uses env file format for systemd EnvironmentFile - SSH key is mounted as a file at /secrets/ssh_key in container - Fixes multi-line SSH key parsing issue in environment files - Update codex PR patch hash Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> 2026-01-31 20:14:35 -08:00			`{ config, lib, pkgs, forEachUser, inputs, orgAgendaApiContainer ? null, orgAgendaApiImageName ? "org-agenda-api", ... }:`
Added railbird-sf config 2023-11-17 14:24:56 -08:00			`{`
			`imports = [`
			`../configuration.nix`
feat(nixos): add org-agenda-api hosting with nginx + Let's Encrypt Add NixOS module to host org-agenda-api container on railbird-sf: - org-agenda-api-host.nix: New module with nginx reverse proxy and ACME - nginx configured for rbsf.tplinkdns.com with automatic TLS - Container runs on port 51847 (random high port) - Supports nix-built container images via imageFile option Configure railbird-sf to use the new module: - Build org-agenda-api container from flake - Pass container to machine config via specialArgs - Set up agenix secret for container environment Note: Requires creating secrets file with AUTH_PASSWORD and GIT_SSH_PRIVATE_KEY environment variables. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> 2026-01-30 09:40:19 -08:00			`inputs.agenix.nixosModules.default`
Added railbird-sf config 2023-11-17 14:24:56 -08:00			`];`

[NixOS] Cleanups for railbird-sf 2023-11-17 15:31:32 -07:00			`networking.hostName = "railbird-sf";`

feat(nixos): add org-agenda-api hosting with nginx + Let's Encrypt Add NixOS module to host org-agenda-api container on railbird-sf: - org-agenda-api-host.nix: New module with nginx reverse proxy and ACME - nginx configured for rbsf.tplinkdns.com with automatic TLS - Container runs on port 51847 (random high port) - Supports nix-built container images via imageFile option Configure railbird-sf to use the new module: - Build org-agenda-api container from flake - Pass container to machine config via specialArgs - Set up agenix secret for container environment Note: Requires creating secrets file with AUTH_PASSWORD and GIT_SSH_PRIVATE_KEY environment variables. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> 2026-01-30 09:40:19 -08:00			`# org-agenda-api hosting with nginx + Let's Encrypt`
Split org-api secrets into auth password and SSH key - Auth password uses env file format for systemd EnvironmentFile - SSH key is mounted as a file at /secrets/ssh_key in container - Fixes multi-line SSH key parsing issue in environment files - Update codex PR patch hash Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> 2026-01-31 20:14:35 -08:00			`# Separate secrets for org-agenda-api: auth password (env format) and SSH key (raw file)`
			`age.secrets.org-api-auth-password = {`
			`file = ../secrets/org-api-auth-password.age;`
			`};`
			`age.secrets.org-api-ssh-key = {`
			`file = ../secrets/org-api-ssh-key.age;`
			`mode = "0400"; # Restrictive permissions for SSH key`
feat(nixos): add org-agenda-api hosting with nginx + Let's Encrypt Add NixOS module to host org-agenda-api container on railbird-sf: - org-agenda-api-host.nix: New module with nginx reverse proxy and ACME - nginx configured for rbsf.tplinkdns.com with automatic TLS - Container runs on port 51847 (random high port) - Supports nix-built container images via imageFile option Configure railbird-sf to use the new module: - Build org-agenda-api container from flake - Pass container to machine config via specialArgs - Set up agenix secret for container environment Note: Requires creating secrets file with AUTH_PASSWORD and GIT_SSH_PRIVATE_KEY environment variables. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> 2026-01-30 09:40:19 -08:00			`};`

			`services.org-agenda-api-host = {`
			`enable = true;`
			`domain = "rbsf.tplinkdns.com";`
Add extraDomains support and register rbsf.railbird.ai - org-agenda-api-host now supports extraDomains option for additional domain names, each with its own ACME certificate - Add org-agenda-api.rbsf.railbird.ai as extra domain on railbird-sf Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> 2026-01-31 22:43:02 -08:00			`extraDomains = [ "org-agenda-api.rbsf.railbird.ai" ];`
Split org-api secrets into auth password and SSH key - Auth password uses env file format for systemd EnvironmentFile - SSH key is mounted as a file at /secrets/ssh_key in container - Fixes multi-line SSH key parsing issue in environment files - Update codex PR patch hash Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> 2026-01-31 20:14:35 -08:00			`containerImage = orgAgendaApiImageName;`
feat(nixos): add org-agenda-api hosting with nginx + Let's Encrypt Add NixOS module to host org-agenda-api container on railbird-sf: - org-agenda-api-host.nix: New module with nginx reverse proxy and ACME - nginx configured for rbsf.tplinkdns.com with automatic TLS - Container runs on port 51847 (random high port) - Supports nix-built container images via imageFile option Configure railbird-sf to use the new module: - Build org-agenda-api container from flake - Pass container to machine config via specialArgs - Set up agenix secret for container environment Note: Requires creating secrets file with AUTH_PASSWORD and GIT_SSH_PRIVATE_KEY environment variables. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> 2026-01-30 09:40:19 -08:00			`containerImageFile = orgAgendaApiContainer;`
Split org-api secrets into auth password and SSH key - Auth password uses env file format for systemd EnvironmentFile - SSH key is mounted as a file at /secrets/ssh_key in container - Fixes multi-line SSH key parsing issue in environment files - Update codex PR patch hash Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> 2026-01-31 20:14:35 -08:00			`secretsFile = config.age.secrets.org-api-auth-password.path;`
			`sshKeyFile = config.age.secrets.org-api-ssh-key.path;`
feat(nixos): add org-agenda-api hosting with nginx + Let's Encrypt Add NixOS module to host org-agenda-api container on railbird-sf: - org-agenda-api-host.nix: New module with nginx reverse proxy and ACME - nginx configured for rbsf.tplinkdns.com with automatic TLS - Container runs on port 51847 (random high port) - Supports nix-built container images via imageFile option Configure railbird-sf to use the new module: - Build org-agenda-api container from flake - Pass container to machine config via specialArgs - Set up agenix secret for container environment Note: Requires creating secrets file with AUTH_PASSWORD and GIT_SSH_PRIVATE_KEY environment variables. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> 2026-01-30 09:40:19 -08:00			`};`

[NixOS] Cleanups for railbird-sf 2023-11-17 15:31:32 -07:00			`hardware.enableRedistributableFirmware = true;`
			`boot.initrd.availableKernelModules = [ "nvme" "xhci_pci" "ahci" "usbhid" "usb_storage" "sd_mod" ];`
			`boot.initrd.kernelModules = [ ];`
			`boot.kernelModules = [ "kvm-amd" ];`
			`boot.extraModulePackages = [ ];`
			`boot.loader.systemd-boot.enable = true;`
[NixOS] Bump flake.lock, make railbird-sf full 2025-08-23 21:02:15 +00:00			`myModules.postgres.enable = true;`
			`features.full.enable = true;`
[NixOS] Cleanups for railbird-sf 2023-11-17 15:31:32 -07:00
[NixOS] railbird-sf is only an agent 2024-10-02 21:55:36 -06:00			`services.k3s.role = "agent";`
[NixOS] Fix 2024-10-02 22:03:01 -06:00			`services.k3s.extraFlags = lib.mkForce ["--node-label nixos-nvidia-cdi=enabled"];`
Added railbird-sf config 2023-11-17 14:24:56 -08:00
			`hardware.nvidia = {`
			`powerManagement.enable = false;`
			`# Fine-grained power management. Turns off GPU when not in use.`
			`# Experimental and only works on modern Nvidia GPUs (Turing or newer).`
			`powerManagement.finegrained = false;`

			`# Enable the Nvidia settings menu,`
[NixOS] Bump flake.lock, make railbird-sf full 2025-08-23 21:02:15 +00:00			# accessible via `nvidia-settings`.
Added railbird-sf config 2023-11-17 14:24:56 -08:00			`nvidiaSettings = true;`
			`};`

[NixOS] modules -> myModules 2024-09-26 14:15:27 -06:00			`myModules.base.enable = true;`
			`myModules.desktop.enable = true;`
			`myModules.code.enable = true;`
			`myModules.syncthing.enable = true;`
			`myModules.fonts.enable = true;`
[NixOS] railbird-sf tweaks 2024-10-01 00:38:01 +00:00			`myModules.plasma.enable = true;`
			`myModules.nvidia.enable = true;`
[NixOS] modules -> myModules 2024-09-26 14:15:27 -06:00			`myModules.gitea-runner.enable = true;`
[NixOS] Enable k3s on biskcomp nixquick and railbird-sf 2024-09-30 20:47:12 -06:00			`myModules.railbird-k3s = {`
[NixOS] Disable k3s for now on railbird-sf 2024-10-08 13:17:26 -06:00			`enable = false;`
[NixOS] Enable k3s on biskcomp nixquick and railbird-sf 2024-09-30 20:47:12 -06:00			`serverAddr = "https://dev.railbird.ai:6443";`
			`};`
Added railbird-sf config 2023-11-17 14:24:56 -08:00
[NixOS] Cleanups for railbird-sf 2023-11-17 15:31:32 -07:00			`fileSystems."/" =`
Added railbird-sf config 2023-11-17 14:24:56 -08:00			`{ device = "/dev/disk/by-uuid/a317d456-6f84-41ee-a149-8e466e414aae";`
[NixOS] Cleanups for railbird-sf 2023-11-17 15:31:32 -07:00			`fsType = "ext4";`
Added railbird-sf config 2023-11-17 14:24:56 -08:00			`};`

			`fileSystems."/boot" =`
			`{ device = "/dev/disk/by-uuid/B875-39D4";`
			`fsType = "vfat";`
[NixOS] Cleanups for railbird-sf 2023-11-17 15:31:32 -07:00			`};`
Added railbird-sf config 2023-11-17 14:24:56 -08:00
			`swapDevices =`
			`[ { device = "/dev/disk/by-uuid/129345f3-e1e1-4d45-9db9-643160c6d564"; }`
			`];`

Add railbird-sf config 2023-11-18 01:06:39 +00:00			`environment.systemPackages = with pkgs; [`
			`android-studio`
			`];`
Added railbird-sf config 2023-11-17 14:24:56 -08:00
			`networking.useDHCP = lib.mkDefault true;`
			`nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";`
			`powerManagement.cpuFreqGovernor = lib.mkDefault "powersave";`
[NixOS] Cleanups for railbird-sf 2023-11-17 15:31:32 -07:00			`hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;`
[NixOS] railbird-sf tweaks 2024-10-01 00:38:01 +00:00
Added railbird-sf config 2023-11-17 14:24:56 -08:00			`home-manager.users = forEachUser {`
[NixOS] Cleanups for railbird-sf 2023-11-17 15:31:32 -07:00			`home.stateVersion = "23.11";`
Added railbird-sf config 2023-11-17 14:24:56 -08:00			`};`

			`system.stateVersion = "23.11";`
			`}`