feat: inital public commit

host/ark/default.nix

@@ -0,0 +1,62 @@
+{ config, lib, pkgs, ... }: {
+  imports = [
+    ./hardware-configuration.nix
+    ./options.nix
+    ../common/core/default.nix
+    ./user.nix
+    ./sops.nix
+
+    ./service/audio.nix
+    ./service/auth.nix
+    ./service/docs.nix
+    ./service/git.nix
+    ./service/home.nix
+    ./service/photos.nix
+    ./service/radicale.nix
+    ./service/wakapi.nix
+  ];
+
+  # Use the systemd-boot EFI boot loader.
+  boot.loader.systemd-boot.enable = true;
+  boot.loader.efi.canTouchEfiVariables = true;
+
+  networking.hostName = "ark"; # Define your hostname.
+
+  oauth.name = "KoonFamily";
+  oauth.secrets = import ./oauth-secrets.nix;
+
+  security.sudo.wheelNeedsPassword = false;
+
+  services.cloudflared = {
+    enable = true;
+    tunnels = {
+      "91d31395-fbc7-45a1-ae13-148957b32ecd" = {
+        credentialsFile = config.sops.secrets.tunnel-credentials.path;
+        ingress = {
+          "auth.koon.us" = "http://localhost:1411";
+          "photos.koon.us" = "http://localhost:2283";
+          "home.koon.us" = "http://localhost:8123";
+          "docs.koon.us" = "http://localhost:3004";
+          "git.koon.us" = "http://localhost:3000";
+          "ssh.koon.us" = "ssh://localhost:2222";
+          "audio.koon.us" = "http://localhost:8021";
+          "radicale.koon.us" = "http://localhost:5232";
+          "waka.koon.us" = "http://localhost:3006";
+        };
+        default = "http_status:404";
+      };
+    };
+  };
+
+  fileSystems."/mnt/hdd" = {
+    device = "/dev/sdb";
+    fsType = "ext4";
+  };
+
+  services.openssh.enable = true;
+
+  networking.firewall.allowedTCPPorts = [ 8123 22 ];
+
+  system.stateVersion = "25.05"; # Did you read the comment?
+}
+