feat: Convert to a multi-host flake

hosts/anvil/default.nix

@@ -0,0 +1,24 @@
+{ config, pkgs, ... }:
+
+{
+  imports = [
+    ./hardware-configuration.nix
+    # ./nginx.nix  # TODO
+  ];
+
+  networking.hostName = "anvil";
+  system.stateVersion = "24.11";
+  networking.firewall.allowedTCPPorts = [ 8384 ];
+  services.pulseaudio.enable = false;
+
+  boot.initrd.luks.devices."luks-1f261d60-dfb4-4f63-9c77-f331a007108b".device = "/dev/disk/by-uuid/1f261d60-dfb4-4f63-9c77-f331a007108b";
+
+  services.openssh = {
+    enable = true;
+    settings = {
+      PermitRootLogin = "no";
+      PasswordAuthentication = true;
+    };
+  };
+
+}

hosts/anvil/hardware-configuration.nix

@@ -0,0 +1,20 @@
+# TODO: Replace with actual hardware-configuration.nix from anvil machine
+# Run on anvil: nixos-generate-config --show-hardware-config
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+  imports =
+    [ (modulesPath + "/installer/scan/not-detected.nix")
+    ];
+
+  # Placeholder filesystem - replace with actual values from anvil
+  fileSystems."/" = {
+    device = "/dev/disk/by-uuid/PLACEHOLDER";
+    fsType = "ext4";
+  };
+
+  fileSystems."/boot" = {
+    device = "/dev/disk/by-uuid/PLACEHOLDER";
+    fsType = "vfat";
+  };
+}

hosts/anvil/nginx.nix

@@ -0,0 +1,5 @@
+# TODO: Configure anvil's nginx
+{ config, pkgs, lib, ... }:
+
+{
+}

hosts/crossbox/default.nix

@@ -0,0 +1,88 @@
+{ config, pkgs, lib, ... }:
+
+let
+  # Using nixos-24.05 for bisq-desktop (last stable release with working bisq-desktop)
+  # bisq-desktop was removed after 24.05 due to OpenJFX EOL issues
+  bisqPkgs = import (builtins.fetchTarball {
+    url = "https://github.com/NixOS/nixpkgs/archive/nixos-24.05.tar.gz";
+    sha256 = "0zydsqiaz8qi4zd63zsb2gij2p614cgkcaisnk11wjy3nmiq0x1s";
+  }) { system = pkgs.system; };
+in
+{
+  imports = [
+    ./hardware-configuration.nix
+    ./nginx.nix
+    ./forgejo.nix
+    ./radicale.nix
+    ./ollama.nix
+    # ./docuseal.nix
+  ];
+
+  environment.systemPackages = with pkgs; [
+    bisqPkgs.bisq-desktop  # v1.9.15-1.9.17 from nixos-24.05
+    bisq2
+    llamacpp-rocm-bin-gfx1151
+    lmstudio
+  ];
+
+  networking.hostName = "crossbox";
+  system.stateVersion = "25.11";
+  networking.firewall.allowedTCPPorts = [ 22 1234 ];
+  services.pulseaudio.enable = false;
+
+  hardware.graphics = {
+    enable = true;
+    extraPackages = with pkgs; [
+      rocmPackages.clr.icd # ROCm OpenCL runtime
+      rocmPackages.clr
+      rocmPackages.rocminfo
+      rocmPackages.rocm-runtime
+    ];
+  };
+
+  boot.kernelParams = [ "amdgpu.gttsize=115200" ];
+  boot.kernelPackages = pkgs.linuxPackages_latest;
+
+  # ROCm environment for gfx1151 (Strix Halo)
+  # gfx1151 lacks TensileLibrary support in most ROCm builds,
+  # so we override to gfx1100 which is close enough and has full library support.
+  # The strix-halo overlay's llamacpp binaries override this with 11.5.1 in their wrappers.
+  environment.variables = {
+    HSA_OVERRIDE_GFX_VERSION = "11.0.0";
+  };
+
+  # List services that you want to enable:
+  services.openssh = {
+    enable = true;
+    settings = {
+      PermitRootLogin = "no";
+      PasswordAuthentication = false;
+      KbdInteractiveAuthentication = false;
+    };
+  };
+
+  # Disable automatic suspend.
+  # Otherwise SSH tunnels and HDMI signals break.
+  services.logind = {
+    settings = {
+      Login = {
+        HandleLidSwitch = "ignore";
+	HandleHibernateKey = "ignore";
+	HandleSuspendKey = "ignore";
+	HandlePowerKey = "ignore";
+      };
+    };
+  };
+
+  virtualisation.docker = {
+    enable = true;
+    autoPrune = {
+      enable = true;
+      dates = "weekly";
+    };
+    rootless = {
+      enable = true;
+      setSocketVariable = true;
+    };
+  };
+}

hosts/crossbox/docuseal.nix

@@ -0,0 +1,43 @@
+{ config, pkgs, lib, ... }:
+
+let
+  # Generate a secret key if it doesn't exist
+  secretKeyFile = "/var/lib/docuseal/secret-key-base";
+in
+{
+  services.docuseal = {
+    enable = true;
+    port = 3030;
+    host = "docuseal.binning.net";
+    
+    # Point to the secret key file in the state directory
+    # The service will have access to this since StateDirectory is set
+    secretKeyBaseFile = secretKeyFile;
+  };
+
+  # Create the secret key file if it doesn't exist
+  # This runs before the docuseal service starts
+  systemd.services.docuseal-init-secret = {
+    description = "Initialize DocuSeal secret key";
+    wantedBy = [ "docuseal.service" ];
+    before = [ "docuseal.service" ];
+    
+    serviceConfig = {
+      Type = "oneshot";
+      StateDirectory = "docuseal";
+      StateDirectoryMode = "0750";
+      DynamicUser = true;
+    };
+    
+    script = ''
+      if [ ! -f ${secretKeyFile} ]; then
+        echo "Generating new secret key for DocuSeal..."
+        ${pkgs.openssl}/bin/openssl rand -hex 64 > ${secretKeyFile}
+        chmod 640 ${secretKeyFile}
+        echo "Secret key generated at ${secretKeyFile}"
+      else
+        echo "Secret key already exists at ${secretKeyFile}"
+      fi
+    '';
+  };
+}

hosts/crossbox/forgejo.nix

@@ -0,0 +1,51 @@
+{ config, pkgs, lib, ... }:
+
+{
+  services.forgejo = {
+    enable = true;
+    
+    # Set data directory
+    stateDir = "/srv/forgejo";
+    
+    # Database configuration
+    database = {
+      type = "sqlite3";
+      path = "/srv/forgejo/data/forgejo.db";
+    };
+    
+    # Server settings
+    settings = {
+      server = {
+        DOMAIN = "forgejo.binning.net";
+        SSH_DOMAIN = "ssh.binning.net";
+        SSH_PORT = 2222;
+        ROOT_URL = "https://forgejo.binning.net/";
+        HTTP_ADDR = "127.0.0.1";
+        HTTP_PORT = 3000;
+      };
+      
+      # Repository settings - uses default: /srv/forgejo/repositories
+      # No need to override repository.ROOT as the default location is good
+      
+      service = {
+        DISABLE_REGISTRATION = true;  # Set to true to disable new user registration
+      };
+      
+      # Session and security
+      session = {
+        COOKIE_SECURE = true;  # Since we're using HTTPS
+      };
+      
+      # Recommended security settings
+      security = {
+        INSTALL_LOCK = true;
+      };
+    };
+  };
+  
+  # Ensure the data directory exists with proper permissions
+  systemd.tmpfiles.rules = [
+    "d /srv/forgejo 0750 forgejo forgejo -"
+    "d /srv/forgejo/data 0750 forgejo forgejo -"
+  ];
+}

hosts/crossbox/hardware-configuration.nix

@@ -0,0 +1,39 @@
+# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations.  Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+  imports =
+    [ (modulesPath + "/installer/scan/not-detected.nix")
+    ];
+
+  boot.initrd.availableKernelModules = [ "nvme" "xhci_pci" "thunderbolt" "usbhid" ];
+  boot.initrd.kernelModules = [ ];
+  boot.kernelModules = [ "kvm-amd" ];
+  boot.extraModulePackages = [ ];
+
+  fileSystems."/" =
+    { device = "/dev/disk/by-uuid/da4a61ca-f2f7-47d3-a902-a898e2cf1dfc";
+      fsType = "ext4";
+    };
+
+  fileSystems."/boot" =
+    { device = "/dev/disk/by-uuid/36FB-9CD5";
+      fsType = "vfat";
+      options = [ "fmask=0077" "dmask=0077" ];
+    };
+
+  fileSystems."/data" =
+    { device = "/dev/disk/by-uuid/1e785349-ecd9-4b0f-9dc6-f6e3a6fe95f1";
+      fsType = "ext4";
+      options = [ "noatime" "users" "nofail" ];
+    };
+
+  swapDevices =
+    [ { device = "/dev/disk/by-uuid/69fc5898-4a33-431e-bea6-3ce7352312bf"; }
+    ];
+
+  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+  hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+}

hosts/crossbox/nginx.nix

@@ -0,0 +1,175 @@
+{ config, pkgs, lib, ... }:
+
+let
+  # NOTE: API keys will be loaded from /srv/nginx/secrets at runtime
+  # This file should contain one Bearer token per line
+  # The secrets file is read at runtime via include directive instead of build time
+  # to avoid flake purity issues
+in
+{
+  services.nginx = {
+    enable = true;
+    
+    # Recommended settings
+    recommendedGzipSettings = true;
+    recommendedOptimisation = true;
+    recommendedProxySettings = true;
+    recommendedTlsSettings = true;
+    
+    # Increase bucket size for long Bearer tokens
+    mapHashBucketSize = 128;
+    
+    # Map directive to check Authorization header against multiple keys
+    # Keys are loaded from /srv/nginx/secrets.map at runtime
+    appendHttpConfig = ''
+      # Check if the Authorization header matches any expected value
+      map $http_authorization $auth_status {
+        default "unauthorized";
+        "" "no_auth";
+        # Add your Bearer tokens here manually, or use include directive
+        # Format: "Bearer YOUR_TOKEN_HERE" "authorized";
+        # You can also create /srv/nginx/secrets.map and include it:
+        # include /srv/nginx/secrets.map;
+      }
+    '';
+    
+    # Virtual hosts configuration
+    virtualHosts = {
+
+      # Main website - Static HTML/CSS
+      "www.binning.net" = {
+        forceSSL = true;
+        
+        #enableACME = true;
+	sslCertificate = "/srv/nginx/binning.net.pem";
+	sslCertificateKey = "/srv/nginx/binning.net.key.pem";
+
+        root = "/srv/www/binning.net";
+        
+        locations."/" = {
+          index = "index.html";
+          tryFiles = "$uri $uri/ =404";
+          extraConfig = ''
+            # Enable Server Side Includes for navbar/footer includes
+            ssi on;
+          '';
+        };
+        
+        # Private blog articles with HTTP basic authentication
+        locations."/blog/private/" = {
+          extraConfig = ''
+            auth_basic "Private Articles";
+            auth_basic_user_file "/srv/nginx/.htpasswd";
+            
+            # Enable Server Side Includes
+            ssi on;
+          '';
+        };
+        
+        # Optional: Custom 404 page
+        extraConfig = ''
+          error_page 404 /404.html;
+        '';
+      };
+
+      # Ollama with Bearer token authentication
+      "ollama.binning.net" = {
+        forceSSL = true;
+        
+        #enableACME = true;
+	sslCertificate = "/srv/nginx/binning.net.pem";
+	sslCertificateKey = "/srv/nginx/binning.net.key.pem";
+
+        locations."/" = {
+          extraConfig = ''
+            # Check auth status
+            if ($auth_status = "no_auth") {
+              return 401 "Unauthorized: Bearer token required\n";
+            }
+            if ($auth_status = "unauthorized") {
+              return 403 "Forbidden: Invalid API key\n";
+            }
+            
+            # Proxy to Ollama (only if authorized)
+            proxy_pass http://localhost:11434;
+            proxy_set_header Host $host;
+            proxy_set_header X-Real-IP $remote_addr;
+            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+            proxy_set_header X-Forwarded-Proto $scheme;
+            
+            # Timeouts for long-running requests
+            proxy_read_timeout 300s;
+            proxy_connect_timeout 300s;
+            proxy_send_timeout 300s;
+            
+            # Allow large request bodies
+            client_max_body_size 100M;
+            
+            # Logging
+            access_log /var/log/nginx/ollama_access.log;
+            error_log /var/log/nginx/ollama_error.log;
+          '';
+        };
+      };
+      
+      # Forgejo
+      "forgejo.binning.net" = {
+        forceSSL = true;
+        
+        #enableACME = true;
+	sslCertificate = "/srv/nginx/binning.net.pem";
+	sslCertificateKey = "/srv/nginx/binning.net.key.pem";
+
+        locations."/" = {
+          proxyPass = "http://127.0.0.1:3000";
+          # No extraConfig needed - recommendedProxySettings handles headers
+        };
+      };
+      
+      # Radicale  
+      "radicale.binning.net" = {
+        forceSSL = true;
+
+        #enableACME = true;
+	sslCertificate = "/srv/nginx/binning.net.pem";
+	sslCertificateKey = "/srv/nginx/binning.net.key.pem";
+        
+        locations."/" = {
+          proxyPass = "http://127.0.0.1:5232";
+          # recommendedProxySettings handles most headers
+          extraConfig = ''
+            proxy_set_header X-Script-Name "";
+          '';
+        };
+      };
+
+      # DocuSeal
+      "docuseal.binning.net" = {
+	forceSSL = true;
+	
+        #enableACME = true;
+	sslCertificate = "/srv/nginx/binning.net.pem";
+	sslCertificateKey = "/srv/nginx/binning.net.key.pem";
+
+	locations."/" = {
+	  proxyPass = "http://127.0.0.1:3030";
+	  proxyWebsockets = true;
+	};
+      };
+    };
+  };
+
+  # Firewall
+  networking.firewall.allowedTCPPorts = [ 80 443 ];
+
+  # ACME/Let's Encrypt
+  security.acme = {
+    acceptTerms = true;
+    defaults.email = "hvanb@pm.me";
+  };
+  
+  # Ensure the data directory exists with proper permissions
+  systemd.tmpfiles.rules = [
+    "d /var/lib/www 0750 nginx nginx -"
+  ];
+}

hosts/crossbox/ollama.nix

@@ -0,0 +1,24 @@
+{ config, pkgs, lib, ... }:
+
+{
+  services.ollama = {
+    enable = true;
+    host = "0.0.0.0";
+    port = 11434;
+  };
+  
+  # Open firewall port for Ollama
+  networking.firewall.allowedTCPPorts = [ 11434 ];
+  
+  # Install ollama-rocm package
+  environment.systemPackages = with pkgs; [
+    ollama-rocm
+  ];
+  
+  # Add CA certificate for Ollama
+  # Note: Path must be accessible at runtime, not build time
+  # You can copy the cert to /etc/nixos/ and reference it, or use a string path
+  # security.pki.certificateFiles = [
+  #   "/home/brimlock/ollama-ca.crt"
+  # ];
+}

hosts/crossbox/radicale.nix

@@ -0,0 +1,37 @@
+{ config, pkgs, lib, ... }:
+
+{
+  services.radicale = {
+    enable = true;
+
+    # Configuration settings
+    settings = {
+      server = {
+        hosts = [ "127.0.0.1:5232" "[::1]:5232" ];
+      };
+      
+      # Authentication (you can customize this)
+      auth = {
+        type = "htpasswd";
+        htpasswd_filename = "/srv/radicale/users";
+        htpasswd_encryption = "bcrypt";
+      };
+      
+      # Storage configuration
+      storage = {
+        filesystem_folder = "/srv/radicale/collections";
+      };
+      
+      # Logging
+      logging = {
+        level = "info";
+      };
+
+      rights = {
+        type = "from_file";
+        file = "/srv/radicale/rights";
+      };
+    };
+
+  };
+}