| author | Tim Keller <tjk@tjkeller.xyz> | 2026-03-30 20:53:12 -0500 |
|---|---|---|
| committer | Tim Keller <tjk@tjkeller.xyz> | 2026-03-30 20:53:12 -0500 |
| commit | 369e8b83f082f3ac2d3f6a040c0efafe981642a7 (patch) | |
| tree | 1871caa3a3d456f6455841e20a1352d403d729a6 /hosts/poweredge | |
| parent | 07cc1920136ce61980c80c6bde3c267fcbc6218f (diff) | |
poweredge config fix and secrets
Diffstat (limited to 'hosts/poweredge')
| -rw-r--r-- | hosts/poweredge/configuration.nix | 5 | ||||
| -rw-r--r-- | hosts/poweredge/ddns-updater.nix | 4 | ||||
| -rw-r--r-- | hosts/poweredge/hardware-configuration.nix | 50 | ||||
| -rw-r--r-- | hosts/poweredge/networking.nix | 12 | ||||
| -rw-r--r-- | hosts/poweredge/notification-mailer.nix | 6 | ||||
| -rw-r--r-- | hosts/poweredge/resources/secrets/ddns-updater-config.yaml | 16 | ||||
| -rw-r--r-- | hosts/poweredge/resources/secrets/mailer-pass.yaml | 16 |
7 files changed, 97 insertions, 12 deletions
diff --git a/hosts/poweredge/configuration.nix b/hosts/poweredge/configuration.nix index f62d017..0c51f3c 100644 --- a/hosts/poweredge/configuration.nix +++ b/hosts/poweredge/configuration.nix @@ -4,7 +4,7 @@ in { imports = [ ./ddns-updater.nix ./networking.nix - ./notification-mailer.nix # TODO move some of this stuff to archetype + #./notification-mailer.nix # TODO move some of this stuff to archetype ]; # Setup bootloader @@ -26,5 +26,8 @@ in { # Enable user timmy _users.timmy.enable = true; + # Without this, "ZFS requires networking.hostId to be set" will be raised + networking.hostId = "4d9e002f"; + system.stateVersion = "25.11"; } diff --git a/hosts/poweredge/ddns-updater.nix b/hosts/poweredge/ddns-updater.nix index 2f0ce53..30f6e05 100644 --- a/hosts/poweredge/ddns-updater.nix +++ b/hosts/poweredge/ddns-updater.nix @@ -1,13 +1,13 @@ { config, ... }: { # Password file for mail application password - sops.secrets.ddnsUpdater.sopsFile = ./resources/secrets/ddns-updater-config.json; + sops.secrets.ddns-updater-config.sopsFile = ./resources/secrets/ddns-updater-config.yaml; # Enable ddns updater services.ddns-updater = { enable = true; environment = { SERVER_ENABLED="no"; - CONFIG_FILEPATH = config.sops.secrets.ddnsUpdater.path; + CONFIG_FILEPATH = config.sops.secrets.ddns-updater-config.path; PERIOD = "5m"; }; }; diff --git a/hosts/poweredge/hardware-configuration.nix b/hosts/poweredge/hardware-configuration.nix new file mode 100644 index 0000000..0fcc098 --- /dev/null +++ b/hosts/poweredge/hardware-configuration.nix 
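Review bot: The `./notification-mailer.nix` import in the first configuration.nix hunk is commented out with no reason given, and that module is also where `services.zfs._zedMailer.enable = true;` is set. A host whose /, /nix, /var and /home all sit on `zpool` therefore sends no ZED mail for pool events while the import stays disabled. A one-line comment stating the real reason and the consequence would help, for example `# disabled until <reason>; ZED mail alerts are off while this is commented out`. The commented-out `defaultGateway.interface` in the second networking.nix hunk has the same problem: say why it is kept, or delete it.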
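Review bot: The comment above the renamed secret in ddns-updater.nix still reads `# Password file for mail application password`, which describes the mailer secret rather than this one; something like `# sops-encrypted ddns-updater config (provider credentials)` would match. Separately, sops-nix installs secrets owned by root with mode 0400 unless `owner`/`mode` are set, so `CONFIG_FILEPATH` is only readable if the ddns-updater unit runs as root. How the unit runs is not visible here; if it uses a dynamic or dedicated user, the service will fail to read its config. In that case hand the file over with systemd `LoadCredential` or an explicit owner rather than loosening the mode.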
@@ -0,0 +1,50 @@ +# Do not modify this file! It was generated by ‘nixos-generate-config’ +# and may be overwritten by future invocations. Please make changes +# to /etc/nixos/configuration.nix instead. +{ config, lib, pkgs, modulesPath, ... }: + +{ + imports = + [ (modulesPath + "/installer/scan/not-detected.nix") + ]; + + boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "megaraid_sas" "usbhid" "usb_storage" "sd_mod" "sr_mod" ]; + boot.initrd.kernelModules = [ ]; + boot.kernelModules = [ "kvm-intel" ]; + boot.extraModulePackages = [ ]; + + fileSystems."/" = + { device = "zpool/root"; + fsType = "zfs"; + options = [ "zfsutil" ]; + }; + + fileSystems."/nix" = + { device = "zpool/nix"; + fsType = "zfs"; + options = [ "zfsutil" ]; + }; + + fileSystems."/var" = + { device = "zpool/var"; + fsType = "zfs"; + options = [ "zfsutil" ]; + }; + + fileSystems."/home" = + { device = "zpool/home"; + fsType = "zfs"; + options = [ "zfsutil" ]; + }; + + fileSystems."/boot" = + { device = "/dev/disk/by-uuid/D083-98C0"; + fsType = "vfat"; + options = [ "fmask=0022" "dmask=0022" ]; + }; + + swapDevices = [ ]; + + nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; + hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware; +} diff --git a/hosts/poweredge/networking.nix b/hosts/poweredge/networking.nix index 31f3b40..c293831 100644 --- a/hosts/poweredge/networking.nix +++ b/hosts/poweredge/networking.nix @@ -4,8 +4,8 @@ _interfaceLabels = { enable = true; interfaces = { - lan0 = "00:a0:98:7a:ac:0b"; - wan0 = "00:a0:98:ff:ff:ff"; + lan0 = "50:9a:4c:5d:c3:7a"; + wan0 = "50:9a:4c:5d:c3:7b"; }; }; # Set ip addresses @@ -16,7 +16,7 @@ }]; wan0.useDHCP = true; }; - defaultGateway.interface = "wan0"; + #defaultGateway.interface = "wan0"; nameservers = [ "127.0.0.1" ]; # Firewall rules firewall = { 
@@ -42,8 +42,8 @@ dnsDhcpConfig = { localDomain = "wg-router.pls.lan"; dhcp = { - defaultGateway = ipAddress; - localhostIp = ipAddress; + defaultGateway = "192.168.1.1"; + localhostIp = "192.168.1.1"; rangeStart = "192.168.1.50"; rangeEnd = "192.168.1.250"; staticLeases = { @@ -67,7 +67,7 @@ macAddress = "04:33:c2:9d:34:74"; staticIp = "192.168.1.11"; }; - Optiplex = { + optiplex = { macAddress = "e4:54:e8:bc:ba:05"; staticIp = "192.168.1.12"; }; diff --git a/hosts/poweredge/notification-mailer.nix b/hosts/poweredge/notification-mailer.nix index 25e2e2b..d8fddc7 100644 --- a/hosts/poweredge/notification-mailer.nix +++ b/hosts/poweredge/notification-mailer.nix @@ -1,8 +1,8 @@ { config, ... }: let - serverEmail = "poweredge@tjkeller.xyz"; + serverEmail = "server-notifications@tjkeller.xyz"; in { # Mailer password secret for mail application password - sops.secrets.mailerPassword.sopsFile = ./resources/secrets/mailer.yaml; + sops.secrets.mailerPassword.sopsFile = ./resources/secrets/mailer-pass.yaml; # Enable mta for system event notifications services.mail._mailer = { @@ -13,7 +13,7 @@ in { passwordFile = config.sops.secrets.mailerPassword.path; }; recipient = serverEmail; - } + }; # Enable zed mailer module services.zfs._zedMailer.enable = true; diff --git a/hosts/poweredge/resources/secrets/ddns-updater-config.yaml b/hosts/poweredge/resources/secrets/ddns-updater-config.yaml new file mode 100644 index 0000000..3be017b --- /dev/null +++ b/hosts/poweredge/resources/secrets/ddns-updater-config.yaml 
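Review bot: `defaultGateway` and `localhostIp` in the `dhcp` block are now the literal `"192.168.1.1"` instead of the shared `ipAddress` value, so the address handed to DHCP clients can drift from the one configured on lan0, which is set outside this hunk. If `ipAddress` was dropped because it was undefined or wrong on this host, a local `let` binding used for both the lan0 address and these two fields keeps a single source of truth. After a renumbering, clients would otherwise keep being pointed at a gateway and resolver address the router no longer owns.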
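Review bot: `sops.secrets.mailerPassword.sopsFile` now points at mailer-pass.yaml, but the only data key in that file is `pass`. By default sops-nix looks up a key named after the secret (`mailerPassword`), so the secret will fail to resolve once this module is imported again. Adding `sops.secrets.mailerPassword.key = "pass";` or renaming the YAML key fixes it; the ddns secret avoids the problem because its name and YAML key are both `ddns-updater-config`. The mismatch is hidden for now only because the import is commented out in configuration.nix.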
@@ -0,0 +1,16 @@ +ddns-updater-config: ENC[AES256_GCM,data:vJ3z4R6P1gHKfkm6L2mQl68MKDJwpMNmrAOQo+4GkO2NC6EjKTLoSKhFiaGWVjMm7nrVfYRV+U/6b4VJXV4qURWhsm41t3x8zXAtt0viLC6pv+uMtuxadhU2Zxij4U2bSiMn6sSbfHd3uGIym7FnfOIL3LPEanVMuRUk20a0ZgHBdq1BPk6r5V8AoGfsu1XWHTvnO4ggg9oQPtGhurKTXixTD0Rb1Iv43JXLXqK/O3JGD5h4XbDmXB9eTqiBHUgZ0E4F5SE23L5mO0kI0TNNph2lTHXdfB+5,iv:xFry3gzdvvYh127yhYySvp5UHDa8Y+t/bg2+mwJ/HXo=,tag:pH2CE2l2UpNJiLJ+tjVvqQ==,type:str] +sops: + age: + - recipient: age1zfvmt2avdlfz0fvchczplc84u7m8vqausm7zytl9s4x9m9yax4cqy30zpz + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBtWitQcVlaTmFVaHIraHlT + VFBDVEtlQUlqckN4eFF3YU95N3ZNU3JQcFNzCnkrR2xmTEtyUHRWQlRnTWZSaGVT + U0wvcGt6R0w4L3dSakVDVWVpTUhWbWMKLS0tIGVKSXVTL1B2L2FlSkQwSDVYd3Fk + WE8rLy81UEU5ZG9SaHRLOHNqOWUzWnMKBFtzJ9frroYk6hoW+1ww/3LpxCEa1Vtr + KNNnHKry8lQQDmalN5ZVYMTVAlTnQQ6QE7DxBukUwWYmizQ+BY8HDg== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2026-03-31T01:47:37Z" + mac: ENC[AES256_GCM,data:8ozC5JWR/s3nNK+njc7zO32/7ptd//wuWGWZPHXrPV1iVyYndczGgu0ekEyKeRCn/WwGE5pyt32gy0l2Y+k7j7mV6GJguy6qhltani6Mz2Gfy5sRohn5s2rBDTiSYEVAgGTRt56DLxGD36P6xFPm+wHGspjCzNALrPretuN5xFg=,iv:+/mlXEMEO80pDVpFwZmnyywvHR/V9zHkbloF/e/dJ6Q=,tag:O+Ox0xUzERjeB+VftiUNEg==,type:str] + unencrypted_suffix: _unencrypted + version: 3.12.1 diff --git a/hosts/poweredge/resources/secrets/mailer-pass.yaml b/hosts/poweredge/resources/secrets/mailer-pass.yaml new file mode 100644 index 0000000..331bd66 --- /dev/null +++ b/hosts/poweredge/resources/secrets/mailer-pass.yaml 
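Review bot: This file and mailer-pass.yaml are both encrypted to the same single age recipient, so one private key is the only way to edit them and also the key the host needs at activation. If that is a personal key, adding the host's own key as a second recipient keeps the personal identity off the server. If it is the host key, a second admin recipient avoids losing edit access on reinstall. Because the ciphertext is now in repository history, a later compromise of that key calls for rotating the DDNS credentials and the mail password themselves, not just re-encrypting the files.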
@@ -0,0 +1,16 @@ +pass: ENC[AES256_GCM,data:RHOvLwbDIb8FZ+dG66e5U43qR0aXlLLZGAnlbRjSl8hxCMEtJ4940nggiaIV75jCaiWyLutay7MrKPKZBHDZwBIqcJYQRWm1zWGkoZi0/bX38vUFWOpI4qku9fIB2qll,iv:bqEnTagxlRqlAmMgFCtXXCSSlODE598yoV4fU0jSYL8=,tag:c/ZiGCDSb8quDoYiIKbMeQ==,type:str] +sops: + age: + - recipient: age1zfvmt2avdlfz0fvchczplc84u7m8vqausm7zytl9s4x9m9yax4cqy30zpz + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBEUXlZaUhSUkNGK2xpVzRp + OEhYMTV6bnpPZC9tdHZWbnZxcUp6WWVLMnhFCmZmckVBckdRS1g0MjJQdE80S2Js + aGlNek1nSmU2aGI4cWVXR0NmbjJwa00KLS0tIDJ3N3BoenQ5ZW02K3BLNWxkWU5y + Ym56YzI5Zk9KeFhzZXJXR3NoOUl0ckEKOLweZrk/Pe6BG48+RrwOxyOy0Zb768aZ + YIxTBv/qSzZei6VqZHiIwTUEMyE7z3CS0dBFws6q4fB4LfIpv6fiYg== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2026-03-31T01:37:29Z" + mac: ENC[AES256_GCM,data:WIGXvuwB4bcBDfMRrrMQ7faUkxFdreyYiuy6bNPI2pzvvUFTSo/lJTv/DjisSARdYmFHFvdResIXUjg75Sc2I5IrvRxZxnYqx/3z5k/WOFWb8HSKH2H+OUHtLkqWJSCQ9YBuX2tys93mEXgwchPpn4nzVaYBgxZl54F3icX7tsE=,iv:BS9KPGkVaH0G0bAZz6+LR0NDcmqw6khOkih5DyvGyug=,tag:dA9YVL1xEqUqe6hDzOH7XQ==,type:str] + unencrypted_suffix: _unencrypted + version: 3.12.1 |
