From 680c000c360d11d35b1741f7fa0339c75cef7eae Mon Sep 17 00:00:00 2001
From: Anish Lakhwara <anish+git@lakhwara.com>
Date: Thu, 16 Oct 2025 02:37:11 -0700
Subject: [PATCH] init temp while waiting for public ip address

---
 README.md                                 | 171 ++++++++++++
 flake.lock                                | 300 ++++++++++++++++++++++
 flake.nix                                 |  59 +++++
 home-manager/home.nix                     |  60 +++++
 hosts/asusmini/atproto.nix                |  75 ++++++
 hosts/asusmini/auto-update.nix            |  60 +++++
 hosts/asusmini/default.nix                | 123 +++++++++
 hosts/asusmini/hardware-configuration.nix |  41 +++
 secrets/pds-env.age                       | Bin 0 -> 1068 bytes
 secrets/secrets.nix                       |  13 +
 10 files changed, 902 insertions(+)
 create mode 100644 README.md
 create mode 100644 flake.lock
 create mode 100644 flake.nix
 create mode 100644 home-manager/home.nix
 create mode 100644 hosts/asusmini/atproto.nix
 create mode 100644 hosts/asusmini/auto-update.nix
 create mode 100644 hosts/asusmini/default.nix
 create mode 100644 hosts/asusmini/hardware-configuration.nix
 create mode 100644 secrets/pds-env.age
 create mode 100644 secrets/secrets.nix

diff --git a/README.md b/README.md
new file mode 100644
index 0000000..41c5985
--- /dev/null
+++ b/README.md
@@ -0,0 +1,171 @@
+# Commons Computing NixOS Configuration
+
+Infrastructure-as-code for Commons Computing's ATProto services.
+
+## Services
+
+This flake manages the following services on `asusmini`:
+
+- **PDS** (Personal Data Server) - `pds.commonscomputer.com:5556`
+- **Tangled Knot** (Git forge) - `knot.commonscomputer.com:5555`
+- **Tangled Spindle** (CI runner) - `spindle.commonscomputer.com:6555`
+
+All services are proxied through Caddy with automatic HTTPS.
+
+## Setup
+
+### Prerequisites
+
+```bash
+nix develop
+```
+
+Or install direnv to automatically get the devshell going.
+
+This provides `agenix` and `dnscontrol`.
+
+### Managing Secrets
+
+Secrets are managed with [agenix](https://github.com/ryantm/agenix). If you're unfamiliar with agenix, [here](https://www.splitbrain.org/blog/2025-07/27-agenix) is a good introduction. 
+
+#### Adding a New User's Key
+
+1. Get their SSH public key (ed25519 or RSA)
+2. Add it to `secrets/secrets.nix` in the appropriate key list
+3. Re-encrypt all secrets:
+   ```bash
+   cd secrets
+   agenix -e pds-env.age  # repeat for each secret
+   ```
+
+#### Creating/Editing Secrets
+
+```bash
+cd secrets
+agenix -e pds-env.age
+```
+
+This opens your `$EDITOR` with the decrypted content. Save and close to re-encrypt.
+
+#### Adding New Secrets
+
+1. Add the secret to `secrets/secrets.nix`:
+   ```nix
+   "new-secret.age".publicKeys = allKeys;
+   ```
+2. Create it:
+   ```bash
+   cd secrets
+   agenix -e new-secret.age
+   ```
+3. Reference it in your NixOS config:
+   ```nix
+   age.secrets.new-secret = {
+     file = ../../secrets/new-secret.age;
+     mode = "0400";
+     owner = "service-user";
+   };
+   ```
+
+### Deployment
+
+#### Manual Deployment
+
+From the server:
+```bash
+cd /etc/nixos  # or wherever this repo is cloned
+git pull
+sudo nixos-rebuild switch --flake .#asusmini
+```
+
+#### Auto-Update
+
+A systemd timer runs weekly to:
+1. Pull latest git changes
+2. Run `nix flake update`
+3. Commit and push flake.lock changes
+4. Run `nixos-rebuild switch` with automatic rollback on failure
+
+**Setup required:**
+```bash
+# On the server, generate SSH key for git push
+ssh-keygen -t ed25519 -f /root/.ssh/commons-nix-deploy -N ""
+cat /root/.ssh/commons-nix-deploy.pub
+# Add the public key as a deploy key with write access to the GitHub repo
+
+# Configure git to use the key
+cat >> /root/.ssh/config <<EOF
+Host github.com
+  IdentityFile /root/.ssh/commons-nix-deploy
+EOF
+```
+
+**Manual trigger:**
+```bash
+sudo systemctl start auto-update
+```
+
+**Check status:**
+```bash
+sudo systemctl status auto-update
+sudo journalctl -u auto-update
+```
+
+## Development
+
+### Updating Flake Inputs
+
+```bash
+nix flake update
+```
+
+### Testing Changes Locally
+
+```bash
+nixos-rebuild build --flake .#asusmini
+```
+
+### DNS Management
+
+DNS is managed with dnscontrol (available in dev shell).
+
+## Architecture
+
+```
+┌─────────────────────────────────────────┐
+│           Internet (HTTPS)              │
+└────────────────┬────────────────────────┘
+                 │
+         ┌───────▼────────┐
+         │  Caddy (80/443)│
+         └───────┬────────┘
+                 │
+     ┌───────────┼───────────────┐
+     │           │               │
+┌────▼─────┐ ┌──▼────┐ ┌───────▼──────┐
+│PDS (5556)│ │Knot   │ │Spindle (6555)│
+│          │ │(5555) │ │              │
+└──────────┘ └───────┘ └──────────────┘
+```
+
+
+## Key Files
+
+- `flake.nix` - Main flake configuration
+- `hosts/asusmini/` - Server-specific configuration
+  - `default.nix` - Base system config
+  - `atproto.nix` - ATProto service configs
+  - `hardware-configuration.nix` - Hardware-specific settings
+- `secrets/secrets.nix` - Secret encryption keys
+- `secrets/*.age` - Encrypted secrets
+
+## Admin Contact
+
+Primary admin: Anish
+
+## Notes
+
+- System uses NixOS unstable
+- All services run under dedicated system users
+- Secrets are encrypted at rest and decrypted on boot to `/run/agenix/`
+- Keep at least one personal SSH key in addition to the system key for emergency access
diff --git a/flake.lock b/flake.lock
new file mode 100644
index 0000000..366451c
--- /dev/null
+++ b/flake.lock
@@ -0,0 +1,300 @@
+{
+  "nodes": {
+    "agenix": {
+      "inputs": {
+        "darwin": "darwin",
+        "home-manager": "home-manager",
+        "nixpkgs": [
+          "nixpkgs"
+        ],
+        "systems": "systems"
+      },
+      "locked": {
+        "lastModified": 1754433428,
+        "narHash": "sha256-NA/FT2hVhKDftbHSwVnoRTFhes62+7dxZbxj5Gxvghs=",
+        "owner": "ryantm",
+        "repo": "agenix",
+        "rev": "9edb1787864c4f59ae5074ad498b6272b3ec308d",
+        "type": "github"
+      },
+      "original": {
+        "owner": "ryantm",
+        "repo": "agenix",
+        "type": "github"
+      }
+    },
+    "darwin": {
+      "inputs": {
+        "nixpkgs": [
+          "agenix",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1744478979,
+        "narHash": "sha256-dyN+teG9G82G+m+PX/aSAagkC+vUv0SgUw3XkPhQodQ=",
+        "owner": "lnl7",
+        "repo": "nix-darwin",
+        "rev": "43975d782b418ebf4969e9ccba82466728c2851b",
+        "type": "github"
+      },
+      "original": {
+        "owner": "lnl7",
+        "ref": "master",
+        "repo": "nix-darwin",
+        "type": "github"
+      }
+    },
+    "flake-compat": {
+      "flake": false,
+      "locked": {
+        "lastModified": 1751685974,
+        "narHash": "sha256-NKw96t+BgHIYzHUjkTK95FqYRVKB8DHpVhefWSz/kTw=",
+        "rev": "549f2762aebeff29a2e5ece7a7dc0f955281a1d1",
+        "type": "tarball",
+        "url": "https://git.lix.systems/api/v1/repos/lix-project/flake-compat/archive/549f2762aebeff29a2e5ece7a7dc0f955281a1d1.tar.gz?rev=549f2762aebeff29a2e5ece7a7dc0f955281a1d1"
+      },
+      "original": {
+        "type": "tarball",
+        "url": "https://git.lix.systems/lix-project/flake-compat/archive/main.tar.gz"
+      }
+    },
+    "flake-utils": {
+      "inputs": {
+        "systems": "systems_2"
+      },
+      "locked": {
+        "lastModified": 1694529238,
+        "narHash": "sha256-zsNZZGTGnMOf9YpHKJqMSsa0dXbfmxeoJ7xHlrt+xmY=",
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "rev": "ff7b65b44d01cf9ba6a71320833626af21126384",
+        "type": "github"
+      },
+      "original": {
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "type": "github"
+      }
+    },
+    "gomod2nix": {
+      "inputs": {
+        "flake-utils": "flake-utils",
+        "nixpkgs": [
+          "tangled",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1754078208,
+        "narHash": "sha256-YVoIFDCDpYuU3riaDEJ3xiGdPOtsx4sR5eTzHTytPV8=",
+        "owner": "nix-community",
+        "repo": "gomod2nix",
+        "rev": "7f963246a71626c7fc70b431a315c4388a0c95cf",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-community",
+        "repo": "gomod2nix",
+        "type": "github"
+      }
+    },
+    "home-manager": {
+      "inputs": {
+        "nixpkgs": [
+          "agenix",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1745494811,
+        "narHash": "sha256-YZCh2o9Ua1n9uCvrvi5pRxtuVNml8X2a03qIFfRKpFs=",
+        "owner": "nix-community",
+        "repo": "home-manager",
+        "rev": "abfad3d2958c9e6300a883bd443512c55dfeb1be",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-community",
+        "repo": "home-manager",
+        "type": "github"
+      }
+    },
+    "htmx-src": {
+      "flake": false,
+      "locked": {
+        "narHash": "sha256-nm6avZuEBg67SSyyZUhjpXVNstHHgUxrtBHqJgowU08=",
+        "type": "file",
+        "url": "https://unpkg.com/htmx.org@2.0.4/dist/htmx.min.js"
+      },
+      "original": {
+        "type": "file",
+        "url": "https://unpkg.com/htmx.org@2.0.4/dist/htmx.min.js"
+      }
+    },
+    "htmx-ws-src": {
+      "flake": false,
+      "locked": {
+        "narHash": "sha256-2fg6KyEJoO24q0fQqbz9RMaYNPQrMwpZh29tkSqdqGY=",
+        "type": "file",
+        "url": "https://cdn.jsdelivr.net/npm/htmx-ext-ws@2.0.2"
+      },
+      "original": {
+        "type": "file",
+        "url": "https://cdn.jsdelivr.net/npm/htmx-ext-ws@2.0.2"
+      }
+    },
+    "ibm-plex-mono-src": {
+      "flake": false,
+      "locked": {
+        "lastModified": 1731402384,
+        "narHash": "sha256-OwUmrPfEehLDz0fl2ChYLK8FQM2p0G1+EMrGsYEq+6g=",
+        "type": "tarball",
+        "url": "https://github.com/IBM/plex/releases/download/@ibm/plex-mono@1.1.0/ibm-plex-mono.zip"
+      },
+      "original": {
+        "type": "tarball",
+        "url": "https://github.com/IBM/plex/releases/download/@ibm/plex-mono@1.1.0/ibm-plex-mono.zip"
+      }
+    },
+    "indigo": {
+      "flake": false,
+      "locked": {
+        "lastModified": 1753693716,
+        "narHash": "sha256-DMIKnCJRODQXEHUxA+7mLzRALmnZhkkbHlFT2rCQYrE=",
+        "owner": "oppiliappan",
+        "repo": "indigo",
+        "rev": "5f170569da9360f57add450a278d73538092d8ca",
+        "type": "github"
+      },
+      "original": {
+        "owner": "oppiliappan",
+        "repo": "indigo",
+        "type": "github"
+      }
+    },
+    "inter-fonts-src": {
+      "flake": false,
+      "locked": {
+        "lastModified": 1731687360,
+        "narHash": "sha256-5vdKKvHAeZi6igrfpbOdhZlDX2/5+UvzlnCQV6DdqoQ=",
+        "type": "tarball",
+        "url": "https://github.com/rsms/inter/releases/download/v4.1/Inter-4.1.zip"
+      },
+      "original": {
+        "type": "tarball",
+        "url": "https://github.com/rsms/inter/releases/download/v4.1/Inter-4.1.zip"
+      }
+    },
+    "lucide-src": {
+      "flake": false,
+      "locked": {
+        "lastModified": 1754044466,
+        "narHash": "sha256-+exBR2OToB1iv7ZQI2S4B0lXA/QRvC9n6U99UxGpJGs=",
+        "type": "tarball",
+        "url": "https://github.com/lucide-icons/lucide/releases/download/0.536.0/lucide-icons-0.536.0.zip"
+      },
+      "original": {
+        "type": "tarball",
+        "url": "https://github.com/lucide-icons/lucide/releases/download/0.536.0/lucide-icons-0.536.0.zip"
+      }
+    },
+    "nixpkgs": {
+      "locked": {
+        "lastModified": 1760524057,
+        "narHash": "sha256-EVAqOteLBFmd7pKkb0+FIUyzTF61VKi7YmvP1tw4nEw=",
+        "owner": "nixos",
+        "repo": "nixpkgs",
+        "rev": "544961dfcce86422ba200ed9a0b00dd4b1486ec5",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nixos",
+        "ref": "nixos-unstable",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
+    "root": {
+      "inputs": {
+        "agenix": "agenix",
+        "nixpkgs": "nixpkgs",
+        "tangled": "tangled"
+      }
+    },
+    "sqlite-lib-src": {
+      "flake": false,
+      "locked": {
+        "lastModified": 1706631843,
+        "narHash": "sha256-bJoMjirsBjm2Qk9KPiy3yV3+8b/POlYe76/FQbciHro=",
+        "type": "tarball",
+        "url": "https://sqlite.org/2024/sqlite-amalgamation-3450100.zip"
+      },
+      "original": {
+        "type": "tarball",
+        "url": "https://sqlite.org/2024/sqlite-amalgamation-3450100.zip"
+      }
+    },
+    "systems": {
+      "locked": {
+        "lastModified": 1681028828,
+        "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
+        "owner": "nix-systems",
+        "repo": "default",
+        "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-systems",
+        "repo": "default",
+        "type": "github"
+      }
+    },
+    "systems_2": {
+      "locked": {
+        "lastModified": 1681028828,
+        "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
+        "owner": "nix-systems",
+        "repo": "default",
+        "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-systems",
+        "repo": "default",
+        "type": "github"
+      }
+    },
+    "tangled": {
+      "inputs": {
+        "flake-compat": "flake-compat",
+        "gomod2nix": "gomod2nix",
+        "htmx-src": "htmx-src",
+        "htmx-ws-src": "htmx-ws-src",
+        "ibm-plex-mono-src": "ibm-plex-mono-src",
+        "indigo": "indigo",
+        "inter-fonts-src": "inter-fonts-src",
+        "lucide-src": "lucide-src",
+        "nixpkgs": [
+          "nixpkgs"
+        ],
+        "sqlite-lib-src": "sqlite-lib-src"
+      },
+      "locked": {
+        "lastModified": 1760542978,
+        "narHash": "sha256-l7c7RrKNPs7MTIoRJdT98H2uYEJvxhEarswu5PFMA5g=",
+        "ref": "refs/heads/master",
+        "rev": "80d61c06db706d0b207a81e29d50f3fca3ff5fa0",
+        "revCount": 1536,
+        "type": "git",
+        "url": "https://tangled.org/@tangled.org/core"
+      },
+      "original": {
+        "type": "git",
+        "url": "https://tangled.org/@tangled.org/core"
+      }
+    }
+  },
+  "root": "root",
+  "version": 7
+}
diff --git a/flake.nix b/flake.nix
new file mode 100644
index 0000000..cb66af4
--- /dev/null
+++ b/flake.nix
@@ -0,0 +1,59 @@
+{
+  description = "CommonsComputing Nix";
+
+  inputs = {
+    nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable";
+    tangled = {
+      url = "git+https://tangled.org/@tangled.org/core";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
+    agenix = {
+      url = "github:ryantm/agenix";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
+  };
+
+  outputs = {
+    self,
+    nixpkgs,
+    tangled,
+    agenix,
+    ...
+  } @ inputs: let
+    inherit (self) outputs;
+  in {
+    # Available through 'nixos-rebuild --flake .#your-hostname'
+    nixosConfigurations = {
+      asusmini = nixpkgs.lib.nixosSystem {
+        specialArgs = {inherit inputs outputs;};
+        system = "x86_64-linux";
+        modules = [
+          ./hosts/asusmini 
+          tangled.nixosModules.knot
+          tangled.nixosModules.spindle
+          agenix.nixosModules.default
+        ];
+      };
+    };
+
+    devShells = {
+      aarch64-darwin.default = let
+        pkgs = nixpkgs.legacyPackages.aarch64-darwin;
+      in pkgs.mkShell {
+        packages = [ 
+          agenix.packages.aarch64-darwin.default
+          pkgs.dnscontrol
+        ];
+      };
+      
+      x86_64-linux.default = let
+        pkgs = nixpkgs.legacyPackages.x86_64-linux;
+      in pkgs.mkShell {
+        packages = [ 
+          agenix.packages.x86_64-linux.default
+          pkgs.dnscontrol
+        ];
+      };
+    };
+  };
+}
diff --git a/home-manager/home.nix b/home-manager/home.nix
new file mode 100644
index 0000000..5f20559
--- /dev/null
+++ b/home-manager/home.nix
@@ -0,0 +1,60 @@
+# This is your home-manager configuration file
+# Use this to configure your home environment (it replaces ~/.config/nixpkgs/home.nix)
+{
+  inputs,
+  lib,
+  config,
+  pkgs,
+  ...
+}: {
+  # You can import other home-manager modules here
+  imports = [
+    # If you want to use home-manager modules from other flakes (such as nix-colors):
+    # inputs.nix-colors.homeManagerModule
+
+    # You can also split up your configuration and import pieces of it here:
+    # ./nvim.nix
+  ];
+
+  nixpkgs = {
+    # You can add overlays here
+    overlays = [
+      # If you want to use overlays exported from other flakes:
+      # neovim-nightly-overlay.overlays.default
+
+      # Or define it inline, for example:
+      # (final: prev: {
+      #   hi = final.hello.overrideAttrs (oldAttrs: {
+      #     patches = [ ./change-hello-to-hi.patch ];
+      #   });
+      # })
+    ];
+    # Configure your nixpkgs instance
+    config = {
+      # Disable if you don't want unfree packages
+      allowUnfree = true;
+      # Workaround for https://github.com/nix-community/home-manager/issues/2942
+      allowUnfreePredicate = _: true;
+    };
+  };
+
+  # TODO: Set your username
+  home = {
+    username = "your-username";
+    homeDirectory = "/home/your-username";
+  };
+
+  # Add stuff for your user as you see fit:
+  # programs.neovim.enable = true;
+  # home.packages = with pkgs; [ steam ];
+
+  # Enable home-manager and git
+  programs.home-manager.enable = true;
+  programs.git.enable = true;
+
+  # Nicely reload system units when changing configs
+  systemd.user.startServices = "sd-switch";
+
+  # https://nixos.wiki/wiki/FAQ/When_do_I_update_stateVersion
+  home.stateVersion = "23.05";
+}
diff --git a/hosts/asusmini/atproto.nix b/hosts/asusmini/atproto.nix
new file mode 100644
index 0000000..62a5228
--- /dev/null
+++ b/hosts/asusmini/atproto.nix
@@ -0,0 +1,75 @@
+{ config, ... }:
+{
+  age.secrets.pds-env = {
+    file = ../../secrets/pds-env.age;
+    mode = "0400";
+    owner = "pds";
+  };
+
+  services.pds = {
+    enable = true;
+    environmentFiles = [ config.age.secrets.pds-env.path ];
+    settings = {
+      PDS_PORT = 5556;
+      PDS_HOSTNAME = "pds.commonscomputer.com";
+      # We can set a bunch of other things too
+      # PDS_BSKY_APP_VIEW_URL
+      # PDS_CRAWLERS
+      # PDS_BLOB_UPLOAD_LIMIT
+      # Full list available here: https://github.com/bluesky-social/atproto/blob/main/packages/pds/src/config/env.ts
+    };
+  };
+
+  services.tangled-spindle = {
+    enable = true;
+    server = {
+      hostname = "spindle.commonscomputer.com";
+      owner = "did:plc:dy6ekftqerqu5bcz76kgy6ux";
+    };
+  };
+
+  # stolen from https://tangled.org/@isuggest.selfce.st/tangled-knot-nix/blob/main/knot.nix
+  services.tangled-knot = {
+    enable = true;
+    server = {
+      hostname = "knot.commonscomputer.com"; # put in the hostname where your knot can be accessed at. e.g. knot.a.tgirl.gay
+      owner = "did:plc:dy6ekftqerqu5bcz76kgy6ux"; # your did, must be did:plc:<whatever> or did:web:<whatever>.
+    };
+    # optional configuration options. the current value is the default provided to the knot server.
+    # appviewEndpoint = "https://tangled.sh"; # appview endpoint.
+    # gitUser = "git"; # user that hosts git repos and performs git operations.
+    # openFirewall = true; # open port 22 in the firewall for ssh.
+    # stateDir = "/home/${cfg.gitUser}"; # tangled knot data directory.
+    # repo = {
+    #   scanPath = cfg.stateDir; # path where repositories are scanned from;
+    #   mainBranch = "main"; # default branch name for repositories;
+    # };
+    # motd = ""; # message of the day. the contents are shown as-is; eg. you will want to add a newline if setting a non-empty message since the knot won't do this for you.
+    # motdFile = null; # "file containing message of the day. the contents are shown as-is; eg. you will want to add a newline if setting a non-empty message since the knot won't do this for you."
+    # server = {
+    #   listenAddr = "0.0.0.0:5555"; # address to listen on.
+    #   internalListenAddr = "127.0.0.1:5444"; # internal address for inter-service communication.
+    #   dbPath = "${cfg.stateDir}/knotserver.db"; # path to the database file.
+    #   dev = false; # enable development mode (disables signature verification)
+    # };
+  };
+
+  services.caddy = {
+    enable = true;
+    virtualHosts = {
+      "knot.commonscomputer.org".extraConfig = ''
+        reverse_proxy http://localhost:5555
+      ''; 
+      "pds.commonscomputer.org".extraConfig = ''
+        reverse_proxy http://localhost:5556
+      '';
+      "spindle.commonscomputer.com".extraConfig = ''
+        reverse_proxy http://localhost:6555
+      '';
+    };
+  };
+  networking.firewall.allowedTCPPorts = [
+    80
+    443
+  ];
+}
diff --git a/hosts/asusmini/auto-update.nix b/hosts/asusmini/auto-update.nix
new file mode 100644
index 0000000..98b6903
--- /dev/null
+++ b/hosts/asusmini/auto-update.nix
@@ -0,0 +1,60 @@
+{ config, pkgs, ... }:
+
+{
+  systemd.services.auto-update = {
+    description = "Auto-update NixOS configuration";
+    path = with pkgs; [ git nix openssh ];
+    
+    serviceConfig = {
+      Type = "oneshot";
+      User = "root";
+      WorkingDirectory = "/etc/nixos";
+    };
+    
+    script = ''
+      set -e
+      
+      echo "Pulling latest changes..."
+      git pull
+      
+      echo "Updating flake inputs..."
+      nix flake update
+      
+      # Check if there are changes to commit
+      if ! git diff --quiet flake.lock; then
+        echo "Committing flake.lock updates..."
+        git add flake.lock
+        git commit -m "auto-update: flake inputs $(date -Iseconds)"
+        
+        echo "Pushing changes..."
+        git push
+      else
+        echo "No flake.lock changes to commit"
+      fi
+      
+      echo "Rebuilding system..."
+      if ! nixos-rebuild switch --flake .#asusmini; then
+        echo "Build/switch failed, staying on current generation"
+        exit 1
+      fi
+      
+      echo "Auto-update completed successfully"
+    '';
+  };
+
+  systemd.timers.auto-update = {
+    description = "Auto-update timer";
+    wantedBy = [ "timers.target" ];
+    timerConfig = {
+      OnCalendar = "weekly";  # Run weekly, adjust as needed
+      Persistent = true;  # Run on boot if missed
+      RandomizedDelaySec = "1h";  # Add some randomness
+    };
+  };
+  
+  # TODO: Set up SSH key for git push access
+  # Options:
+  # 1. Deploy key with write access to the repo
+  # 2. Generate SSH key on server and add to GitHub
+  # Command to generate: ssh-keygen -t ed25519 -f /root/.ssh/commons-nix-deploy -N ""
+}
diff --git a/hosts/asusmini/default.nix b/hosts/asusmini/default.nix
new file mode 100644
index 0000000..d79b294
--- /dev/null
+++ b/hosts/asusmini/default.nix
@@ -0,0 +1,123 @@
+# Edit this configuration file to define what should be installed on
+# your system.  Help is available in the configuration.nix(5) man page
+# and in the NixOS manual (accessible by running ‘nixos-help’).
+{ config, pkgs }:
+
+{
+  imports =
+    [ # Include the results of the hardware scan.
+      ./hardware-configuration.nix
+      # ./atproto.nix
+      ./auto-update.nix
+    ];
+
+  # Bootloader.
+  boot.loader.systemd-boot.enable = true;
+  boot.loader.efi.canTouchEfiVariables = true;
+
+  networking.hostName = "asusmininix"; # Define your hostname.
+  
+  # Static IP configuration
+  # TODO(anish): Replace with actual static IP once VLAN is configured
+  # networking.interfaces.eth0 = {
+  #   useDHCP = false;
+  #   ipv4.addresses = [{
+  #     address = ""; # something like "192.168.1.100"
+  #     prefixLength = 24; # e.g., 24 for /24 subnet
+  #   }];
+  # };
+  # networking.defaultGateway = ""; # e.g., "192.168.1.1"
+  # networking.nameservers = [ "" "" ]; # e.g., "1.1.1.1" "8.8.8.8"
+  
+  # Disable NetworkManager when using static IP
+  # networking.networkmanager.enable = true;
+
+  # Tailscale
+  services.tailscale.enable = true;
+  services.tailscale.useRoutingFeatures = "both";
+
+  # flake config
+  nix.settings.experimental-features = [
+    "nix-command"
+    "flakes"
+  ];
+
+  # Set your time zone.
+  time.timeZone = "America/Vancouver";
+
+  # Select internationalisation properties.
+  i18n.defaultLocale = "en_CA.UTF-8";
+
+  # Configure keymap in X11
+  services.xserver.xkb = {
+    layout = "us";
+    variant = "";
+  };
+
+  # Define a user account. Don't forget to set a password with ‘passwd’.
+  users.users.bmann = {
+    isNormalUser = true;
+    description = "Boris Mann";
+    extraGroups = [ "networkmanager" "wheel" ];
+    packages = with pkgs; [];
+  };
+
+  users.users.anish = {
+    isNormalUser = true;
+    description = "som";
+    extraGroups = [ "networkmanager" "wheel" ];
+        openssh.authorizedKeys.keys = [
+      # Curve
+      "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDM0Zvei46x/yZl/IeBCq6+IYQQ0avulzVyBysF9cPigZMCybWRV7IEU+E3k9t6JrbdbdGfJkcZIWmsWDdKS8W8mBnZpVoT0ffLynu8JQ/TKdGm4Qv6bgUeKNrGsNv0ZPs2CDaGSLj0oJfRF7Ko10tcLP0vW+yujrh+y6TH/vVzJioaV4TGvtCUpn+wEQah9ROwPQLUUofsSWdnRsDJ/gp37zXWs4l5wyjSKtP3O9RZUP7kBekbSqEgSXiTk0oUQSVqIWl9NDiP6onk/gSOjXsR/JPqsSN/XI/c/yj6gyY0f51Ru2D7iBxuMJIJcWV+rU6coIj+ULcQWLzt/7TI8jq5AOOzI/ll4zbL24Eo84Rz+TP9tvMMhDZ0VaMN22AJ8qQEjc5P09tWKsX7Jg39XelyV1jHXncE4yvIE9F4RSCHzWCeKeXakizQNuzSaxTxIExRFYHjNW5bR6+3MTGwVrEIXU+qML+0yFTR86MT+tdY5AreAJQLwbog79O1NupeXJE= anish@curve"
+      # Box
+      "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDKN8/SH55DBiwVoSnTU8k2Pen+wmovL9QaMyehxGEsJJv/8fzwsswGalD4C/4O51LOvdu4UKkZW5hG02uVSK+58p3UV3pOPyoqsu/aDeIsWsqmTeTzUrBIWOlNzcDKnohLz2oGC5YO+wyTJ9Iteq6aGJDjErsW7sG3h5lXCs551EmJNNGhtBQaaoytMNnWqSdlVjDNCijurH7WUpp40U/RjEp532l4rX6eIIj3jBKEFbhZkFSSjqbj4xM4SyFt+Jmigb1RMjsQjmpfY1vDtM84RcYfpTUte/T5w2dkD5H6kccmWnwKSJpm9wXfx4E7lR9APdUGnau2U1+XxiD3ytGl anish@box"
+      # Nix-on-droid line
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJOiXBPVvZAp1fY0a0Tupxj0Ml6MoA51lvqt/jAQq249 nix-on-droid@localhost"
+      # Work
+      "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQC/vvh0i6+uAN0GWlK6ZfyTlc/AW54xe2CroUDsDSoGnFKeIUiSsWexobODlVakNhqwCKfsvUh6g+RdA8ZVcamATcYqxysP4X5fRksmAzRm5281O7ZBDHMB2BdcfHSTgiz7JvMRIQYWDlU8Ck6IL4wlN0b2GMUj9t/GeG37us8280rxpRNoIY7M27AJEZ7XNQhctBIVujxctVBgIMYmZiTwziU7ywJv4rNT5OAWvjRXSo1rkxdvx3VESv4y/mp8m7dEupZpIjIFsLs52+UG5LtadulUqtTWg05sCw8LEcmRhflgZSAvjw60RrKFCuWxc8+/Pmaw+zExeBMenqi0NzuTc3S3k2wCKVIZDh/0tlXzIwZ6WRqxDevUtEKfvbEFMXd8akhTfYs0dyszcFRevBxOBPbcKku+FK/HkdPLmEANvxYty3cv+Eipkz3c8JPJPvXNTXrjepXMm0LUKodO3c15hGogCOxUO38kykkyYnn+MxxHparoMfEr2+oHNpQoS5wA1G43ppqjVoRDgnhleu6ixwRkLZzphY3cnOd5jL9Ie5xIGbFWH1qSlQRdHBkHjuf85z7+QK8nFYAhmG1K3Vt3GNtF8LN1tYQkfwBJ/vsroMNzGPoq4PjVbqb80Eq+96cP89XKfU2/xw1g+p2lJDm/zC1WCjXVzf8NRwC7gqPavQ== anishlakhwara@anishs-mbp.lan"
+    ];
+  };
+
+  # Allow unfree packages
+  nixpkgs.config.allowUnfree = true;
+
+  # List packages installed in system profile. To search, run:
+  # $ nix search wget
+  environment.systemPackages = with pkgs; [
+    vim # Do not forget to add an editor to edit configuration.nix! The Nano editor is also installed by default.
+    wget
+  ];
+
+  # Some programs need SUID wrappers, can be configured further or are
+  # started in user sessions.
+  # programs.mtr.enable = true;
+  # programs.gnupg.agent = {
+  #   enable = true;
+  #   enableSSHSupport = true;
+  # };
+
+  # List services that you want to enable:
+
+  # Enable the OpenSSH daemon. 
+  services.openssh = {
+    enable = true;
+    settings = {
+      PermitRootLogin = "yes";
+    };
+  };
+
+  # Open ports in the firewall.
+  networking.firewall.allowedTCPPorts = [ 22 80 443 ];
+  # networking.firewall.allowedUDPPorts = [ ... ];
+  # Or disable the firewall altogether.
+  # networking.firewall.enable = false;
+
+  # This value determines the NixOS release from which the default
+  # settings for stateful data, like file locations and database versions
+  # on your system were taken. It‘s perfectly fine and recommended to leave
+  # this value at the release version of the first install of this system.
+  # Before changing this value read the documentation for this option
+  # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
+  system.stateVersion = "25.05"; # Did you read the comment?
+
+}
diff --git a/hosts/asusmini/hardware-configuration.nix b/hosts/asusmini/hardware-configuration.nix
new file mode 100644
index 0000000..3995797
--- /dev/null
+++ b/hosts/asusmini/hardware-configuration.nix
@@ -0,0 +1,41 @@
+# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations.  Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+  imports =
+    [ (modulesPath + "/installer/scan/not-detected.nix")
+    ];
+
+  boot.initrd.availableKernelModules = [ "xhci_pci" "thunderbolt" "ahci" "nvme" "usb_storage" "usbhid" "sd_mod" ];
+  boot.initrd.kernelModules = [ ];
+  boot.kernelModules = [ "kvm-intel" ];
+  boot.extraModulePackages = [ ];
+
+  fileSystems."/" =
+    { device = "/dev/disk/by-uuid/677df32e-477e-4abe-bf2e-f487a9cea7ef";
+      fsType = "ext4";
+    };
+
+  fileSystems."/boot" =
+    { device = "/dev/disk/by-uuid/9BE2-2FFF";
+      fsType = "vfat";
+      options = [ "fmask=0077" "dmask=0077" ];
+    };
+
+  swapDevices =
+    [ { device = "/dev/disk/by-uuid/4ca37db4-1819-40fc-a744-58b959da7fa0"; }
+    ];
+
+  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+  # (the default) this is the recommended approach. When using systemd-networkd it's
+  # still possible to use this option, but it's recommended to use it in conjunction
+  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
+  networking.useDHCP = lib.mkDefault true;
+  # networking.interfaces.enp89s0.useDHCP = lib.mkDefault true;
+  # networking.interfaces.wlo1.useDHCP = lib.mkDefault true;
+
+  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+  hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+}
diff --git a/secrets/pds-env.age b/secrets/pds-env.age
new file mode 100644
index 0000000000000000000000000000000000000000..9206454ee36d630e4fa1ca0ac4efa47631cb8424
GIT binary patch
literal 1068
zcmXxi?Tg!V0KjoU@FZ?bWFm|mbSi?Bnzm`0)`8F_O`7x}P11)nqBF@aX_F>tp8Ige
zyxm^tn{yrtGT3CC4D{a2hk=Mg5MRs}8@?IH4xhMz!oBdt-8t0VK;PV7@cq8{$OA2<
zIjTQ%Lu2f`H1-E@oPkoWB!Xa=(m)nPGsOgDOx4ODfhcyX;;<9M6i7a*Pc?@I5*cN=
zAar3>o>D^3^4atl7b;Lms+KE-QO5E3q@c6O2HMq7G#n0Op3~>UUUxhXNKjV!kUOmT
zft+Zu<Fr<SdWA3-XHgIvv`{LF<1pk&I8&FihTLb{J__dL4x42rWx|Tevfu@}N|!S>
z&#-b+0Wt-ZWmq4^RkUT)h(2e=%7DS0UWrs&HOC(}&Ac7SIs!lrH|u=MvBVlSGr|Vy
z&5ii~O#rbYmGlh;qnXkqZ23*N?%7~wTO931ItWFY6EMIiPNq{2hD?{4QMHCM!z_lT
zge;M<ARtN>TqA03QJc;s*;2`LF<p@>gzVR~(CaJtwnX_dHqsaY#|thls?>altF+|w
zMY9T^StA#Sh?mz0tyCn)nN3q|IiDGIF@Wm2$w~;89I}JRCqQV#es$t?qh{M|AT(X0
zHNOM#3{Xn3YS43qbu2BAIt3fX+8!BC4V5M9Nr31z!JslFvf-<=R;Xpr`LLR8PMZ0C
zl+Qu7DtV>8<-mBi+$}0j)78ce83|fSGSl{upzo3zuawLIqfZ-rm_`VT;RKfDv3es-
zmvkr&(-jQH0^hZYmTU`_D2bwC=Ykn9{MNwIBb>yne!7=UiUZ2PTclIa@aYtWJGMSE
z8R(G4A;fSP!O<jvH+!___CaM{iFl;h((J5WS1n9z1H6S!tvU{;^R~ux%>hK@{jn#o
zibyeXuj3?TljSNEIyMD~Hb#Uij6)qX2Q=nRpj0ZA5NZXfsuH?w2brWjphUQt=STCN
zLg$k7FzCA2NT>$Wo|NODgYDCVxV82C!@Yw`xA%{1o=n9TjTeU7Z+&o|Uo*b^{R+1J
z`B&Gk9ACcl_RiWu>bsXu9$n$CZ7lU3zp(Mmg!}o{%FVC$6YM$b?%79!`1Bjc9(m?~
zIzc|Qzj)*3&M9(D^dG)@Y`K^_v+(8<HygY6PhDNE_1R7Mr|jkPJ7-L&;h%l%-|x4+
z-F@wRb?IpQSAG2J%F06j&rg<Cop+-PuYbHax8A$A3qJstZ~VAU-u~M^F#*QL>g*qX
z{fCW<=#k$#{L^1Nc=kyY`Qz^BMR@zO>*S|b>5uO1-C5jgZ~k&C!9BMMqz~_m-ar1%
Hx#j-=v9XF#

literal 0
HcmV?d00001

diff --git a/secrets/secrets.nix b/secrets/secrets.nix
new file mode 100644
index 0000000..eef9f81
--- /dev/null
+++ b/secrets/secrets.nix
@@ -0,0 +1,13 @@
+let
+  asusmini = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIK+f1Sl4jEmYyBHymiFUe6uX9c0qlARURMPfk81Anc6M root@asusmini";
+  
+  # Generate with: ssh-keyscan or from ~/.ssh/id_ed25519.pub or ~/.ssh/id_rsa.pub
+  anish_curve = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDM0Zvei46x/yZl/IeBCq6+IYQQ0avulzVyBysF9cPigZMCybWRV7IEU+E3k9t6JrbdbdGfJkcZIWmsWDdKS8W8mBnZpVoT0ffLynu8JQ/TKdGm4Qv6bgUeKNrGsNv0ZPs2CDaGSLj0oJfRF7Ko10tcLP0vW+yujrh+y6TH/vVzJioaV4TGvtCUpn+wEQah9ROwPQLUUofsSWdnRsDJ/gp37zXWs4l5wyjSKtP3O9RZUP7kBekbSqEgSXiTk0oUQSVqIWl9NDiP6onk/gSOjXsR/JPqsSN/XI/c/yj6gyY0f51Ru2D7iBxuMJIJcWV+rU6coIj+ULcQWLzt/7TI8jq5AOOzI/ll4zbL24Eo84Rz+TP9tvMMhDZ0VaMN22AJ8qQEjc5P09tWKsX7Jg39XelyV1jHXncE4yvIE9F4RSCHzWCeKeXakizQNuzSaxTxIExRFYHjNW5bR6+3MTGwVrEIXU+qML+0yFTR86MT+tdY5AreAJQLwbog79O1NupeXJE= anish@curve";
+  anish_work = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHOnfDvR2D2nGnC+DZYDUXiokzz+eLfZwkp+O8WjWutp anishlakhwara@Anishs-MacBook-Pro.local";
+  bmann = ""; # TODO(Boris): SSH public key here
+  
+  allKeys = [ asusmini anish_curve anish_work bmann ];
+in
+{
+  "pds-env.age".publicKeys = allKeys;
+}