commit a2247c5b2672ecdcd38758d755b35cb2241fc644
Author: Romain Paquet
Date: Wed Jan 29 21:33:37 2025 +0100
init
diff --git a/.helix/languages.toml b/.helix/languages.toml
new file mode 100644
index 0000000..de8b9a3
--- /dev/null
+++ b/.helix/languages.toml
@@ -0,0 +1,4 @@
+[[language]]
+name = "nix"
+auto-format = true
+formatter = { command = "nixfmt" }
diff --git a/flake.lock b/flake.lock
new file mode 100644
index 0000000..eb3167c
--- /dev/null
+++ b/flake.lock
@@ -0,0 +1,307 @@ +{ + "nodes": { + "agenix": { + "inputs": { + "darwin": "darwin", + "home-manager": "home-manager", + "nixpkgs": [ + "nixpkgs" + ], + "systems": "systems" + }, + "locked": { + "lastModified": 1736955230, + "narHash": "sha256-uenf8fv2eG5bKM8C/UvFaiJMZ4IpUFaQxk9OH5t/1gA=", + "owner": "ryantm", + "repo": "agenix", + "rev": "e600439ec4c273cf11e06fe4d9d906fb98fa097c", + "type": "github" + }, + "original": { + "owner": "ryantm", + "repo": "agenix", + "type": "github" + } + }, + "darwin": { + "inputs": { + "nixpkgs": [ + "agenix", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1700795494, + "narHash": "sha256-gzGLZSiOhf155FW7262kdHo2YDeugp3VuIFb4/GGng0=", + "owner": "lnl7", + "repo": "nix-darwin", + "rev": "4b9b83d5a92e8c1fbfd8eb27eda375908c11ec4d", + "type": "github" + }, + "original": { + "owner": "lnl7", + "ref": "master", + "repo": "nix-darwin", + "type": "github" + } + }, + "deploy-rs": { + "inputs": { + "flake-compat": "flake-compat", + "nixpkgs": [ + "nixpkgs" + ], + "utils": "utils" + }, + "locked": { + "lastModified": 1727447169, + "narHash": "sha256-3KyjMPUKHkiWhwR91J1YchF6zb6gvckCAY1jOE+ne0U=", + "owner": "serokell", + "repo": "deploy-rs", + "rev": "aa07eb05537d4cd025e2310397a6adcedfe72c76", + "type": "github" + }, + "original": { + "owner": "serokell", + "repo": "deploy-rs", + "type": "github" + } + }, + "disko": { + "inputs": { + "nixpkgs": [ + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1736711425, + "narHash": "sha256-8hKhPQuMtXfJi+4lPvw3FBk/zSJVHeb726Zo0uF1PP8=", + "owner": "nix-community", + "repo": "disko", + "rev": "f720e64ec37fa16ebba6354eadf310f81555cc07", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "disko", + "type": "github" + } + }, + "flake-compat": { + "flake": false, + "locked": { + "lastModified": 1696426674, + "narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=", + "owner": "edolstra", + "repo": "flake-compat", + "rev": "0f9255e01c2351cc7d116c072cb317785dd33b33", + 
"type": "github" + }, + "original": { + "owner": "edolstra", + "repo": "flake-compat", + "type": "github" + } + }, + "home-manager": { + "inputs": { + "nixpkgs": [ + "agenix", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1703113217, + "narHash": "sha256-7ulcXOk63TIT2lVDSExj7XzFx09LpdSAPtvgtM7yQPE=", + "owner": "nix-community", + "repo": "home-manager", + "rev": "3bfaacf46133c037bb356193bd2f1765d9dc82c1", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "home-manager", + "type": "github" + } + }, + "home-manager_2": { + "inputs": { + "nixpkgs": [ + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1736785676, + "narHash": "sha256-TY0jUwR3EW0fnS0X5wXMAVy6h4Z7Y6a3m+Yq++C9AyE=", + "owner": "nix-community", + "repo": "home-manager", + "rev": "fc52a210b60f2f52c74eac41a8647c1573d2071d", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "home-manager", + "type": "github" + } + }, + "impermanence": { + "locked": { + "lastModified": 1736688610, + "narHash": "sha256-1Zl9xahw399UiZSJ9Vxs1W4WRFjO1SsNdVZQD4nghz0=", + "owner": "nix-community", + "repo": "impermanence", + "rev": "c64bed13b562fc3bb454b48773d4155023ac31b7", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "impermanence", + "type": "github" + } + }, + "nixlib": { + "locked": { + "lastModified": 1736643958, + "narHash": "sha256-tmpqTSWVRJVhpvfSN9KXBvKEXplrwKnSZNAoNPf/S/s=", + "owner": "nix-community", + "repo": "nixpkgs.lib", + "rev": "1418bc28a52126761c02dd3d89b2d8ca0f521181", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "nixpkgs.lib", + "type": "github" + } + }, + "nixos-generators": { + "inputs": { + "nixlib": "nixlib", + "nixpkgs": "nixpkgs" + }, + "locked": { + "lastModified": 1737057290, + "narHash": "sha256-3Pe0yKlCc7EOeq1X/aJVDH0CtNL+tIBm49vpepwL1MQ=", + "owner": "nix-community", + "repo": "nixos-generators", + "rev": "d002ce9b6e7eb467cd1c6bb9aef9c35d191b5453", + "type": "github" + }, 
+ "original": { + "owner": "nix-community", + "repo": "nixos-generators", + "type": "github" + } + }, + "nixos-hardware": { + "locked": { + "lastModified": 1737751639, + "narHash": "sha256-ZEbOJ9iT72iwqXsiEMbEa8wWjyFvRA9Ugx8utmYbpz4=", + "owner": "NixOS", + "repo": "nixos-hardware", + "rev": "dfad538f751a5aa5d4436d9781ab27a6128ec9d4", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "master", + "repo": "nixos-hardware", + "type": "github" + } + }, + "nixpkgs": { + "locked": { + "lastModified": 1736657626, + "narHash": "sha256-FWlPMUzp0lkQBdhKlPqtQdqmp+/C+1MBiEytaYfrCTY=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "2f9e2f85cb14a46410a1399aa9ea7ecf433e422e", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixpkgs-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs_2": { + "locked": { + "lastModified": 1736883708, + "narHash": "sha256-uQ+NQ0/xYU0N1CnXsa2zghgNaOPxWpMJXSUJJ9W7140=", + "owner": "nixos", + "repo": "nixpkgs", + "rev": "eb62e6aa39ea67e0b8018ba8ea077efe65807dc8", + "type": "github" + }, + "original": { + "owner": "nixos", + "ref": "nixos-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, + "root": { + "inputs": { + "agenix": "agenix", + "deploy-rs": "deploy-rs", + "disko": "disko", + "home-manager": "home-manager_2", + "impermanence": "impermanence", + "nixos-generators": "nixos-generators", + "nixos-hardware": "nixos-hardware", + "nixpkgs": "nixpkgs_2" + } + }, + "systems": { + "locked": { + "lastModified": 1681028828, + "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", + "owner": "nix-systems", + "repo": "default", + "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", + "type": "github" + }, + "original": { + "owner": "nix-systems", + "repo": "default", + "type": "github" + } + }, + "systems_2": { + "locked": { + "lastModified": 1681028828, + "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", + "owner": "nix-systems", + "repo": "default", + "rev": 
"da67096a3b9bf56a91d16901293e51ba5b49a27e", + "type": "github" + }, + "original": { + "owner": "nix-systems", + "repo": "default", + "type": "github" + } + }, + "utils": { + "inputs": { + "systems": "systems_2" + }, + "locked": { + "lastModified": 1701680307, + "narHash": "sha256-kAuep2h5ajznlPMD9rnQyffWG8EM/C73lejGofXvdM8=", + "owner": "numtide", + "repo": "flake-utils", + "rev": "4022d587cbbfd70fe950c1e2083a02621806a725", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "flake-utils", + "type": "github" + } + } + }, + "root": "root", + "version": 7 +} diff --git a/flake.nix b/flake.nix new file mode 100644 index 0000000..d57b8f4 --- /dev/null +++ b/flake.nix 
@@ -0,0 +1,149 @@
+{
+ description = "rpqt's Nix configs";
+
+ outputs =
+ inputs@{
+ nixpkgs,
+ deploy-rs,
+ home-manager,
+ impermanence,
+ nixos-generators,
+ nixos-hardware,
+ self,
+ ...
+ }:
+ {
+ nixosConfigurations = {
+
+ # Hetzner VPS
+ crocus = nixpkgs.lib.nixosSystem {
+ specialArgs = {
+ inherit inputs;
+ inherit (import ./parts) keys;
+ };
+ system = "x86_64-linux";
+ modules = [
+ ./hosts/crocus
+ ./system
+ ];
+ };
+
+ # Raspberry Pi 4
+ genepi = nixpkgs.lib.nixosSystem {
+ specialArgs = {
+ inherit inputs;
+ inherit (import ./parts) keys;
+ };
+ system = "aarch64-linux";
+ modules = [
+ home-manager.nixosModules.home-manager
+ ./system
+ ./hosts/genepi
+ {
+ home-manager.useGlobalPkgs = true;
+ home-manager.useUserPackages = true;
+ home-manager.users.rpqt = ./hosts/genepi/home.nix;
+ }
+ ];
+ };
+
+ };
+
+ # Raspberry Pi 4 installer ISO.
+ packages.aarch64-linux.installer-sd-image = nixos-generators.nixosGenerate {
+ specialArgs = {
+ inherit inputs;
+ inherit (import ./parts) keys;
+ };
+ system = "aarch64-linux";
+ format = "sd-aarch64-installer";
+ modules = [
+ nixos-hardware.nixosModules.raspberry-pi-4
+ ./system/core
+ ./hosts/genepi/network.nix
+ ./hosts/genepi/hardware.nix
+ {
+ nixpkgs.overlays = [
+ (final: super: {
+ makeModulesClosure = x: super.makeModulesClosure (x // { allowMissing = true; });
+ })
+ ];
+ }
+ ];
+ };
+
+ homeConfigurations = {
+ "rpqt@haze" = home-manager.lib.homeManagerConfiguration {
+ extraSpecialArgs = {
+ inherit inputs;
+ };
+ pkgs = nixpkgs.legacyPackages.x86_64-linux;
+ modules = [
+ ./hosts/haze/home.nix
+ ];
+ };
+ };
+
+ deploy.nodes.crocus = {
+ hostname = "crocus";
+ profiles = {
+ system = {
+ user = "root";
+ sshUser = "rpqt";
+ path = deploy-rs.lib.x86_64-linux.activate.nixos self.nixosConfigurations.crocus;
+ };
+ };
+ };
+
+ deploy.nodes.genepi = {
+ hostname = "genepi";
+ profiles = {
+ system = {
+ user = "root";
+ sshUser = "rpqt";
+ path = deploy-rs.lib.aarch64-linux.activate.nixos self.nixosConfigurations.genepi;
+ remoteBuild = true;
+ };
+ };
+ };
+
+ checks = builtins.mapAttrs (system: deployLib: deployLib.deployChecks self.deploy) deploy-rs.lib;
+ };
+
+ inputs = {
+ nixpkgs = {
+ url = "github:nixos/nixpkgs?ref=nixos-unstable";
+ };
+ disko = {
+ url = "github:nix-community/disko";
+ inputs.nixpkgs.follows = "nixpkgs";
+ };
+ deploy-rs = {
+ url = "github:serokell/deploy-rs";
+ inputs.nixpkgs.follows = "nixpkgs";
+ };
+ home-manager = {
+ url = "github:nix-community/home-manager";
+ inputs.nixpkgs.follows = "nixpkgs";
+ };
+ impermanence = {
+ url = "github:nix-community/impermanence";
+ };
+ nixos-hardware = {
+ url = "github:NixOS/nixos-hardware/master";
+ };
+ nixos-generators = {
+ url = "github:nix-community/nixos-generators";
+ };
+ agenix = {
+ url = "github:ryantm/agenix";
+ inputs.nixpkgs.follows = "nixpkgs";
+ };
+ };
+
+ nixConfig = {
+ substituters = [
+ "https://cache.nixos.org"
+ ];
+ };
+}
diff --git a/hosts/crocus/default.nix b/hosts/crocus/default.nix
new file mode 100644
index 0000000..640fcda
--- /dev/null
+++ b/hosts/crocus/default.nix
@@ -0,0 +1,44 @@
+{
+ inputs,
+ modulesPath,
+ config,
+ ...
+}:
+{
+ imports = [
+ (modulesPath + "/profiles/qemu-guest.nix")
+ inputs.disko.nixosModules.disko
+ ./disk.nix
+ ];
+
+ networking.hostName = "crocus";
+ networking.useDHCP = true;
+
+ boot.loader.grub = {
+ efiSupport = true;
+ efiInstallAsRemovable = true;
+ };
+
+ services.prometheus = {
+ enable = true;
+ port = 9001;
+ exporters = {
+ node = {
+ enable = true;
+ enabledCollectors = [ "systemd" ];
+ port = 9002;
+ };
+ };
+
+ scrapeConfigs = [
+ {
+ job_name = "crocus";
+ static_configs = [
+ {
+ targets = [ "127.0.0.1:${toString config.services.prometheus.exporters.node.port}" ];
+ }
+ ];
+ }
+ ];
+ };
+}
diff --git a/hosts/crocus/disk.nix b/hosts/crocus/disk.nix
new file mode 100644
index 0000000..4dcdd36
--- /dev/null
+++ b/hosts/crocus/disk.nix
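Review bot: The `specialArgs = { inherit inputs; inherit (import ./parts) keys; }` block is written out three times in this hunk (crocus, genepi and the installer image), so any change to what hosts receive has to be repeated in three places and `./parts` is imported three times. Hoisting it once, `let specialArgs = { inherit inputs; inherit (import ./parts) keys; }; in` around the outputs attrset, and writing `inherit specialArgs;` in each `nixosSystem`/`nixosGenerate` call removes the duplication. A one-line comment on `deploy.nodes.*` saying that `sshUser = "rpqt"` with `user = "root"` relies on rpqt's passwordless sudo (set in `system/core/default.nix`) would also save the next reader a search.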
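Review bot: The Prometheus server configured here only scrapes its own node exporter, while genepi's Prometheus already scrapes `crocus:9002` directly, so the `enable`/`port = 9001`/`scrapeConfigs` part of `services.prometheus` looks redundant unless crocus is meant to keep a local copy of its metrics; if that is intended, a comment saying so would help. Both the server and the node exporter are left on the module's default listen address (all interfaces, as far as I recall), and with `tailscale0` a trusted interface that makes them reachable from every tailnet device rather than just genepi; `services.prometheus.exporters.node.listenAddress` set to the host's tailnet address would narrow that. The firewall otherwise keeps both ports closed on the public interface, which is worth stating in a comment next to `port = 9002`.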
@@ -0,0 +1,32 @@
+{
+ disko.devices.disk.os = {
+ device = "/dev/disk/by-id/scsi-0QEMU_QEMU_HARDDISK_48353082";
+ type = "disk";
+ content = {
+ type = "gpt";
+ partitions = {
+ boot = {
+ type = "EF02";
+ size = "1M";
+ };
+ ESP = {
+ type = "EF00";
+ size = "512M";
+ content = {
+ type = "filesystem";
+ format = "vfat";
+ mountpoint = "/boot";
+ };
+ };
+ root = {
+ size = "100%";
+ content = {
+ type = "filesystem";
+ format = "ext4";
+ mountpoint = "/";
+ };
+ };
+ };
+ };
+ };
+}
diff --git a/hosts/genepi/acme.nix b/hosts/genepi/acme.nix
new file mode 100644
index 0000000..d9c784d
--- /dev/null
+++ b/hosts/genepi/acme.nix
@@ -0,0 +1,21 @@
+{ config, ... }:
+{
+ security.acme = {
+ acceptTerms = true;
+ defaults.email = "admin@rpqt.fr";
+ };
+
+ age.secrets.gandi.file = ../../secrets/gandi.age;
+
+ security.acme = {
+ certs."home.rpqt.fr" = {
+ group = config.services.nginx.group;
+
+ domain = "home.rpqt.fr";
+ extraDomainNames = [ "*.home.rpqt.fr" ];
+ dnsProvider = "gandiv5";
+ dnsPropagationCheck = true;
+ environmentFile = config.age.secrets.gandi.path;
+ };
+ };
+}
diff --git a/hosts/genepi/boot.nix b/hosts/genepi/boot.nix
new file mode 100644
index 0000000..a93d860
--- /dev/null
+++ b/hosts/genepi/boot.nix
@@ -0,0 +1,19 @@
+{ config, ... }:
+{
+
+ boot.initrd.availableKernelModules = [
+ "xhci_pci"
+ "usbhid"
+ "usb_storage"
+ ];
+
+ boot.loader = {
+ grub.enable = false;
+ generic-extlinux-compatible.enable = true;
+ };
+
+ boot.supportedFilesystems = [
+ "btrfs"
+ "vfat"
+ ];
+}
diff --git a/hosts/genepi/default.nix b/hosts/genepi/default.nix
new file mode 100644
index 0000000..d4a7af8
--- /dev/null
+++ b/hosts/genepi/default.nix
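Review bot: The ESP is mounted with no `mountOptions`, whereas genepi's `hosts/genepi/disk.nix` sets `mountOptions = [ "umask=0077" ];` on its ESP; the two layouts should agree, and the restrictive mask is what keeps `/boot` (kernels, initrds and anything the loader writes there) from being world-readable. Adding `mountOptions = [ "umask=0077" ];` under `ESP.content` here makes them consistent. The 1M `EF02` partition also deserves a comment such as `# BIOS boot partition so GRUB can be installed on GPT as well as via EFI`, since `boot.loader.grub.efiSupport = true` in default.nix otherwise makes a reader wonder why it exists.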
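Review bot: `age.secrets.gandi.file` will be decrypted with the host SSH key, which on genepi is an impermanence-managed file bind-mounted from `/persist`; agenix decrypts during system activation, and in my experience that can run before `/etc/ssh/ssh_host_ed25519_key` is back in place after a root wipe, in which case the Gandi credentials and the DNS-01 renewal silently fail. Pointing agenix at the persisted copy, `age.identityPaths = [ "/persist/etc/ssh/ssh_host_ed25519_key" ];`, sidesteps the ordering question; worth confirming on a reboot either way. Separately, `security.acme` is defined twice in this file, and `domain = "home.rpqt.fr";` repeats the cert name it defaults to, so merging the two attrsets and dropping that line reads more clearly.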
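Review bot: `config` is declared in the module arguments on the first line but is never used in this file; the same applies to `inputs` in `hosts/genepi/home.nix`. Dropping the unused names, `{ ... }:` here, keeps each module's argument list honest about what it actually reads.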
@@ -0,0 +1,21 @@
+{
+ inputs,
+ ...
+}:
+{
+ imports = [
+ inputs.disko.nixosModules.disko
+ inputs.nixos-hardware.nixosModules.raspberry-pi-4
+ inputs.agenix.nixosModules.default
+ inputs.impermanence.nixosModules.impermanence
+ ./acme.nix
+ ./boot.nix
+ ./disk.nix
+ ./dns.nix
+ ./hardware.nix
+ ./monitoring.nix
+ ./network.nix
+ ./nginx.nix
+ ./persistence.nix
+ ];
+}
diff --git a/hosts/genepi/disk.nix b/hosts/genepi/disk.nix
new file mode 100644
index 0000000..3fd4480
--- /dev/null
+++ b/hosts/genepi/disk.nix
@@ -0,0 +1,86 @@
+{
+ disko.devices.disk.main = {
+ type = "disk";
+ device = "/dev/disk/by-id/ata-WD_Green_M.2_2280_480GB_2251E6411147";
+ content = {
+ type = "gpt";
+ partitions = {
+ ESP = {
+ priority = 1;
+ name = "ESP";
+ start = "1M";
+ end = "512M";
+ type = "EF00";
+ content = {
+ type = "filesystem";
+ format = "vfat";
+ mountpoint = "/boot";
+ mountOptions = [ "umask=0077" ];
+ };
+ };
+ root = {
+ end = "-4G";
+ content = {
+ type = "btrfs";
+ extraArgs = [
+ "-L"
+ "nixos"
+ "-f" # Override existing partition
+ ];
+ subvolumes = {
+ "/root" = {
+ mountpoint = "/";
+ mountOptions = [
+ "subvol=root"
+ "compress=zstd"
+ "noatime"
+ ];
+ };
+ "/home" = {
+ mountpoint = "/home";
+ mountOptions = [
+ "subvol=home"
+ "compress=zstd"
+ "noatime"
+ ];
+ };
+ "/nix" = {
+ mountpoint = "/nix";
+ mountOptions = [
+ "subvol=nix"
+ "compress=zstd"
+ "noatime"
+ ];
+ };
+ "/persist" = {
+ mountpoint = "/persist";
+ mountOptions = [
+ "subvol=persist"
+ "compress=zstd"
+ "noatime"
+ ];
+ };
+ "/log" = {
+ mountpoint = "/var/log";
+ mountOptions = [
+ "subvol=log"
+ "compress=zstd"
+ "noatime"
+ ];
+ };
+ };
+ };
+ };
+ swap = {
+ size = "100%";
+ content = {
+ type = "swap";
+ };
+ };
+ };
+ };
+ };
+
+ fileSystems."/persist".neededForBoot = true;
+ fileSystems."/var/log".neededForBoot = true;
+}
diff --git a/hosts/genepi/dns.nix b/hosts/genepi/dns.nix
new file mode 100644
index 0000000..5779bcf
--- /dev/null
+++ b/hosts/genepi/dns.nix
@@ -0,0 +1,22 @@
+{ config, ... }:
+{
+ # networking.firewall.interfaces."${config.services.tailscale.interfaceName}" = {
+ # allowedTCPPorts = [ 53 ];
+ # allowedUDPPorts = [ 53 ];
+ # };
+
+ services.unbound = {
+ enable = true;
+ resolveLocalQueries = false;
+
+ settings = {
+ server = {
+ interface = [ "${config.services.tailscale.interfaceName}" ];
+ access-control = [ "100.0.0.0/8 allow" ];
+
+ local-zone = [ ''"grafana.home.rpqt.fr." redirect'' ];
+ local-data = [ ''"grafana.home.rpqt.fr. IN A 100.83.123.79"'' ];
+ };
+ };
+ };
+}
diff --git a/hosts/genepi/hardware.nix b/hosts/genepi/hardware.nix
new file mode 100644
index 0000000..a341e1a
--- /dev/null
+++ b/hosts/genepi/hardware.nix
@@ -0,0 +1,19 @@
+{ pkgs, ... }:
+{
+ nixpkgs.hostPlatform = "aarch64-linux";
+
+ hardware.enableRedistributableFirmware = true;
+
+ hardware = {
+ raspberry-pi."4".apply-overlays-dtmerge.enable = true;
+ deviceTree = {
+ enable = true;
+ filter = "*rpi-4-*.dtb";
+ };
+ };
+
+ environment.systemPackages = with pkgs; [
+ libraspberrypi
+ raspberrypi-eeprom
+ ];
+}
diff --git a/hosts/genepi/home.nix b/hosts/genepi/home.nix
new file mode 100644
index 0000000..0bdae38
--- /dev/null
+++ b/hosts/genepi/home.nix
@@ -0,0 +1,22 @@
+{ pkgs, inputs, ... }:
+{
+ home.username = "rpqt";
+ home.homeDirectory = "/home/rpqt";
+
+ home.packages = [
+ pkgs.helix
+ pkgs.ripgrep
+ ];
+
+ # This value determines the Home Manager release that your configuration is
+ # compatible with. This helps avoid breakage when a new Home Manager release
+ # introduces backwards incompatible changes.
+ #
+ # You should not change this value, even if you update Home Manager. If you do
+ # want to update the value, then make sure to first check the Home Manager
+ # release notes.
+ home.stateVersion = "24.11";
+
+ # Let Home Manager install and manage itself
+ programs.home-manager.enable = true;
+}
diff --git a/hosts/genepi/monitoring.nix b/hosts/genepi/monitoring.nix
new file mode 100644
index 0000000..07c3dca
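Review bot: `access-control = [ "100.0.0.0/8 allow" ]` is wider than the range Tailscale assigns (the 100.64.0.0/10 CGNAT block), so it also admits 100.0.0.0–100.63.255.255 and 100.128.0.0–100.255.255.255; `"100.64.0.0/10 allow"` matches the tailnet exactly and costs nothing. The commented-out `networking.firewall.interfaces` block at the top is already made redundant by `trustedInterfaces` in `system/network/tailscale.nix`, so either delete it or turn it into a comment saying why no port needs opening. The interface can also be the bare option, `interface = [ config.services.tailscale.interfaceName ];`, as tailscale.nix writes it, instead of interpolating it into a string.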
--- /dev/null
+++ b/hosts/genepi/monitoring.nix
@@ -0,0 +1,53 @@
+{ config, ... }:
+{
+ services.grafana = {
+ enable = true;
+ settings = {
+ server = {
+ http_port = 3000;
+ domain = "grafana.home.rpqt.fr";
+ };
+ };
+ };
+
+ services.nginx.virtualHosts.${config.services.grafana.settings.server.domain} = {
+ forceSSL = true;
+ useACMEHost = "home.rpqt.fr";
+ locations."/" = {
+ proxyPass = "http://127.0.0.1:${toString config.services.grafana.settings.server.http_port}";
+ proxyWebsockets = true;
+ };
+ };
+
+ services.prometheus = {
+ enable = true;
+ port = 9001;
+
+ scrapeConfigs = [
+ {
+ job_name = "genepi";
+ static_configs = [
+ {
+ targets = [ "127.0.0.1:${toString config.services.prometheus.exporters.node.port}" ];
+ }
+ ];
+ }
+ {
+ job_name = "crocus";
+ static_configs = [
+ {
+ targets = [ "crocus:9002" ];
+ }
+ ];
+ }
+ ];
+
+ exporters = {
+ node = {
+ enable = true;
+ enabledCollectors = [ "systemd" ];
+ port = 9002;
+ };
+ };
+ };
+}
diff --git a/hosts/genepi/network.nix b/hosts/genepi/network.nix
new file mode 100644
index 0000000..8de1677
--- /dev/null
+++ b/hosts/genepi/network.nix
@@ -0,0 +1,4 @@
+{
+ networking.hostName = "genepi";
+ networking.useDHCP = true;
+}
diff --git a/hosts/genepi/nginx.nix b/hosts/genepi/nginx.nix
new file mode 100644
index 0000000..410d7db
--- /dev/null
+++ b/hosts/genepi/nginx.nix
@@ -0,0 +1,7 @@
+{
+ services.nginx = {
+ enable = true;
+ recommendedProxySettings = true;
+ recommendedTlsSettings = true;
+ };
+}
diff --git a/hosts/genepi/persistence.nix b/hosts/genepi/persistence.nix
new file mode 100644
index 0000000..402dcb0
--- /dev/null
+++ b/hosts/genepi/persistence.nix
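Review bot: Nothing in this file or in `nginx.nix` records that 80/443 are deliberately not added to `networking.firewall.allowedTCPPorts`: the vhost works only because `tailscale0` is a trusted interface and `grafana.home.rpqt.fr` resolves to a tailnet address via unbound, and a reader adding a second vhost could easily open the ports on the public interface. A comment on the `services.nginx.virtualHosts` line such as `# tailnet-only: firewall trusts tailscale0 and the name resolves to a tailnet address (dns.nix); 80/443 stay closed elsewhere` would capture that. The `exporters.node` block is also a line-for-line copy of the one in `hosts/crocus/default.nix`; it could move under `system/` with only the host-specific `scrapeConfigs` staying here.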
@@ -0,0 +1,51 @@
+{ lib, ... }:
+{
+ environment.persistence."/persist" = {
+ enable = true;
+ directories = [
+ "/var/lib/nixos"
+ ];
+ files = [
+ # so that systemd doesn't think each boot is the first
+ "/etc/machine-id"
+ # ssh host keys
+ "/etc/ssh/ssh_host_rsa_key"
+ "/etc/ssh/ssh_host_rsa_key.pub"
+ "/etc/ssh/ssh_host_ed25519_key"
+ "/etc/ssh/ssh_host_ed25519_key.pub"
+
+ "/var/lib/tailscaled.state"
+ ];
+ users.rpqt = {
+ directories = [ ];
+ files = [ ];
+ };
+ };
+
+ # Empty root and remove snapshots older than 30 days
+ boot.initrd.postDeviceCommands = lib.mkAfter ''
+ mkdir /btrfs_tmp
+ mount /dev/disk/by-label/nixos /btrfs_tmp
+ if [[ -e /btrfs_tmp/root ]]; then
+ mkdir -p /btrfs_tmp/old_roots
+ timestamp=$(date --date="@$(stat -c %Y /btrfs_tmp/root)" "+%Y-%m-%-d_%H:%M:%S")
+ mv /btrfs_tmp/root "/btrfs_tmp/old_roots/$timestamp"
+ fi
+
+ delete_subvolume_recursively() {
+ IFS=$'\n'
+ for i in $(btrfs subvolume list -o "$1" | cut -f 9- -d ' '); do
+ delete_subvolume_recursively "/btrfs_tmp/$i"
+ done
+ btrfs subvolume delete "$1"
+ }
+
+ for i in $(find /btrfs_tmp/old_roots/ -maxdepth 1 -mtime +30); do
+ delete_subvolume_recursively "$i"
+ done
+
+ btrfs subvolume create /btrfs_tmp/root
+ umount /btrfs_tmp
+ rmdir /btrfs_tmp
+ '';
+}
diff --git a/hosts/haze/home.nix b/hosts/haze/home.nix
new file mode 100644
index 0000000..0c9e95b
--- /dev/null
+++ b/hosts/haze/home.nix
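Review bot: The root subvolume is recreated on every boot by the `postDeviceCommands` script, but the state the services on this host depend on is missing from the persistence list: `/var/lib/acme` (the ACME account and the `home.rpqt.fr` wildcard certificate, so each boot re-issues the cert and will soon run into the CA's duplicate-certificate rate limit), `/var/lib/grafana` and `/var/lib/prometheus2` (dashboards and metrics history). Adding those three under `directories` fixes it. I also believe the NixOS tailscale module keeps its state under `/var/lib/tailscale/` rather than at `/var/lib/tailscaled.state`; check the running unit's `--state` argument, and if so persist that directory instead, otherwise the node re-registers on every boot. Inside the script, `IFS=$'\n'` in `delete_subvolume_recursively` is not `local`, so it leaks into the caller's `for` loop; harmless here, but `local IFS=$'\n'` states the intent.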
@@ -0,0 +1,29 @@
+{ pkgs, inputs, ... }:
+{
+ home.username = "rpqt";
+ home.homeDirectory = "/home/rpqt";
+
+ home.packages = [
+ inputs.agenix.packages.x86_64-linux.default
+
+ pkgs.devenv
+ pkgs.direnv
+
+ pkgs.deploy-rs
+
+ pkgs.nil # Nix language server
+ pkgs.nixfmt-rfc-style
+ ];
+
+ # This value determines the Home Manager release that your configuration is
+ # compatible with. This helps avoid breakage when a new Home Manager release
+ # introduces backwards incompatible changes.
+ #
+ # You should not change this value, even if you update Home Manager. If you do
+ # want to update the value, then make sure to first check the Home Manager
+ # release notes.
+ home.stateVersion = "24.11";
+
+ # Let Home Manager install and manage itself
+ programs.home-manager.enable = true;
+}
diff --git a/parts/default.nix b/parts/default.nix
new file mode 100644
index 0000000..2948de5
--- /dev/null
+++ b/parts/default.nix
@@ -0,0 +1,3 @@
+{
+ keys = import ./keys.nix;
+}
diff --git a/parts/keys.nix b/parts/keys.nix
new file mode 100644
index 0000000..dc7fe17
--- /dev/null
+++ b/parts/keys.nix
@@ -0,0 +1,7 @@
+{
+ rpqt.haze = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGa8R8obgptefcp27Cdp9bc2fiyc9x0oTfMsTPFp2ktE rpqt@haze";
+
+ hosts = {
+ genepi = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICQUzjid5mfMYginIUCVWTF7rWvWz0mUZBZsl5EhDIDl root@genepi";
+ };
+}
diff --git a/secrets/gandi.age b/secrets/gandi.age
new file mode 100644
index 0000000..4a193b0
Binary files /dev/null and b/secrets/gandi.age differ
diff --git a/secrets/secrets.nix b/secrets/secrets.nix
new file mode 100644
index 0000000..494d541
--- /dev/null
+++ b/secrets/secrets.nix
@@ -0,0 +1,9 @@
+let
+ keys = import ../parts/keys.nix;
+in
+{
+ "gandi.age".publicKeys = [
+ keys.hosts.genepi
+ keys.rpqt.haze
+ ];
+}
diff --git a/system/core/default.nix b/system/core/default.nix
new file mode 100644
index 0000000..7412c6c
--- /dev/null
+++ b/system/core/default.nix
@@ -0,0 +1,25 @@
+{ lib, ... }:
+
+{
+ imports = [
+ ./users.nix
+ ./ssh-server.nix
+ ];
+
+ i18n = {
+ defaultLocale = "en_US.UTF-8";
+ supportedLocales = [
+ "en_US.UTF-8/UTF-8"
+ "fr_FR.UTF-8/UTF-8"
+ ];
+ };
+
+ security.sudo = {
+ enable = true;
+ wheelNeedsPassword = false;
+ };
+
+ system.stateVersion = lib.mkDefault "24.11";
+
+ time.timeZone = lib.mkDefault "Europe/Paris";
+}
diff --git a/system/core/ssh-server.nix b/system/core/ssh-server.nix
new file mode 100644
index 0000000..f218810
--- /dev/null
+++ b/system/core/ssh-server.nix
@@ -0,0 +1,15 @@
+{
+ services.openssh = {
+ enable = true;
+ settings = {
+ PermitRootLogin = "no";
+ PasswordAuthentication = false;
+ KbdInteractiveAuthentication = false;
+ AuthenticationMethods = "publickey";
+ PubkeyAuthentication = "yes";
+ ChallengeResponseAuthentication = "no";
+ UsePAM = false;
+ X11Forwarding = false;
+ };
+ };
+}
diff --git a/system/core/users.nix b/system/core/users.nix
new file mode 100644
index 0000000..1db5cfc
--- /dev/null
+++ b/system/core/users.nix
@@ -0,0 +1,30 @@
+{
+ keys,
+ lib,
+ pkgs,
+ ...
+}:
+{
+ users.mutableUsers = lib.mkDefault false;
+
+ users.users.rpqt = {
+ isNormalUser = true;
+
+ createHome = true;
+ home = "/home/rpqt";
+
+ description = "Romain Paquet";
+
+ shell = pkgs.zsh;
+
+ openssh.authorizedKeys.keys = [ keys.rpqt.haze ];
+
+ initialHashedPassword = "$y$j9T$.y7GZIaYYgEHt1spMsOqi/$k4O3AAKBhJF0gI.G9/Ja8ssGsVTv3VPD5WC.7ErAUD1";
+
+ extraGroups = [
+ "wheel"
+ ];
+ };
+
+ programs.zsh.enable = true;
+}
diff --git a/system/default.nix b/system/default.nix
new file mode 100644
index 0000000..763d619
--- /dev/null
+++ b/system/default.nix
@@ -0,0 +1,7 @@
+{
+ imports = [
+ ./core
+ ./network
+ ./nix
+ ];
+}
diff --git a/system/network/default.nix b/system/network/default.nix
new file mode 100644
index 0000000..1f59251
--- /dev/null
+++ b/system/network/default.nix
@@ -0,0 +1,5 @@
+{
+ imports = [
+ ./tailscale.nix
+ ];
+}
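Review bot: `security.sudo.wheelNeedsPassword = false` applies to both hosts and to the installer image, and nothing says why; from flake.nix it appears to be what lets deploy-rs go from `sshUser = "rpqt"` to `user = "root"` without a prompt. A comment on that line, `# deploy-rs escalates from sshUser to root non-interactively; tightening this breaks deploys`, records the dependency so it is not changed later by someone hardening the box. It also means wheel membership is effectively root, which is relevant to `trusted-users = ["root" "@wheel"]` in `system/nix/default.nix` and to the password hash in `users.nix`.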
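Review bot: `ChallengeResponseAuthentication = "no"` is the deprecated alias of `KbdInteractiveAuthentication`, which is already `false` three lines above, so the line can be dropped; and `PubkeyAuthentication = "yes"` is the one boolean written as a string while its neighbours are real booleans — `PubkeyAuthentication = true;` keeps the block uniform. `UsePAM = false` deserves a comment: without PAM an SSH login gets no logind session (no `XDG_RUNTIME_DIR`, no `systemctl --user`), which is fine for a key-only deploy account but should be stated as intentional, e.g. `# no PAM: key-only logins, no logind session needed`.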
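Review bot: `initialHashedPassword` puts the admin user's password hash into the configuration itself, so it lands in the world-readable Nix store of every host and in this repository's history; if the repository is public, that hash is exposed to anyone. NixOS offers `users.users.<name>.hashedPasswordFile`, which with an agenix secret (the repo already has `secrets/` and agenix wired up) keeps the hash out of the store and out of git. Since `mutableUsers = false` and genepi wipes its root on each boot, the "initial" semantics buy nothing here, so a plain `hashedPasswordFile = config.age.secrets.<name>.path;` is the better fit; a `# console/sudo fallback only: SSH is key-only` comment would also explain why a password exists at all.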
diff --git a/system/network/tailscale.nix b/system/network/tailscale.nix
new file mode 100644
index 0000000..6cb8426
--- /dev/null
+++ b/system/network/tailscale.nix
@@ -0,0 +1,11 @@
+{ config, ... }:
+{
+ networking.firewall = {
+ trustedInterfaces = [ config.services.tailscale.interfaceName ];
+ };
+
+ services.tailscale = {
+ enable = true;
+ openFirewall = true;
+ };
+}
diff --git a/system/nix/default.nix b/system/nix/default.nix
new file mode 100644
index 0000000..10d84fc
--- /dev/null
+++ b/system/nix/default.nix
@@ -0,0 +1,18 @@
+{ pkgs, ... }:
+{
+ imports = [
+ ./nixpkgs.nix
+ ./substituters.nix
+ ];
+
+ # for flakes
+ environment.systemPackages = [ pkgs.git ];
+
+ nix.settings = {
+ auto-optimise-store = true;
+ builders-use-substitutes = true;
+ experimental-features = ["nix-command" "flakes"];
+
+ trusted-users = ["root" "@wheel"];
+ };
+}
diff --git a/system/nix/nixpkgs.nix b/system/nix/nixpkgs.nix
new file mode 100644
index 0000000..d793f95
--- /dev/null
+++ b/system/nix/nixpkgs.nix
@@ -0,0 +1,5 @@
+{
+ nixpkgs = {
+ config.allowUnfree = true;
+ };
+}
diff --git a/system/nix/substituters.nix b/system/nix/substituters.nix
new file mode 100644
index 0000000..04660af
--- /dev/null
+++ b/system/nix/substituters.nix
@@ -0,0 +1,11 @@
+{
+ nix.settings = {
+ substituters = [
+ "https://cache.nixos.org?priority=10"
+ ];
+
+ trusted-public-keys = [
+ "cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY="
+ ];
+ };
+}
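Review bot: `trustedInterfaces = [ config.services.tailscale.interfaceName ]` switches the firewall off for everything arriving over the tailnet, so every listening service on both hosts (Prometheus and the node exporter, which I believe bind all interfaces by default, plus unbound and nginx on genepi) is reachable from every device in the tailnet, not only the ones meant to talk to them. For a personal tailnet that may be the intent, but it should be written down, `# tailnet peers are fully trusted: no filtering at all on tailscale0`, and the narrower alternative is the per-interface allow list that `hosts/genepi/dns.nix` has commented out, `networking.firewall.interfaces.${config.services.tailscale.interfaceName}.allowedTCPPorts`. `openFirewall = true` only opens tailscale's own UDP port and is fine either way.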
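Review bot: `trusted-users = ["root" "@wheel"]` lets any wheel member import unsigned store paths and override daemon settings, which is root-equivalent; here wheel already has passwordless sudo via `system/core/default.nix`, so it adds no new privilege, but the line should say so and say what needs it, e.g. `# wheel is already root via sudo; presumably required so deploy-rs can copy closures as rpqt`. The two list literals `["nix-command" "flakes"]` and `["root" "@wheel"]` are also the only ones in the diff not in nixfmt's `[ "a" "b" ]` form, and `.helix/languages.toml` enables auto-format, so this file was probably edited elsewhere — one pass of nixfmt makes it consistent.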