{ config, inputs, pkgs, lib, ... }: let pubkeys = import ../../data/pubkeys.nix; caddy-with-plugins = import ./custom-caddy.nix { inherit pkgs; }; in { imports = [ ./hardware-configuration.nix ./containers.nix ./backup.nix # ./plex.nix ./samba.nix ../../nixos-modules/networking/tailscale.nix ../../nixos-modules/services/docker.nix ../../nixos-modules/services/libvirt.nix ../../nixos-modules/services/msmtp.nix # ../../nixos-modules/services/paperless.nix # ../../nixos-modules/services/photoprism.nix ../../nixos-modules/services/samba.nix ../../nixos-modules/services/ssh.nix ../../nixos-modules/services/caddy ../../nixos-modules/system/agenix.nix ../../nixos-modules/system/fs.nix ../../nixos-modules/system/persist.nix ../../nixos-modules/system/security.nix ../../nixos-modules/user ]; # Don't Use the systemd-boot EFI boot loader. boot.loader.systemd-boot.enable = true; # power save stuffzies services.udev.path = [ pkgs.hdparm ]; services.udev.extraRules = '' ACTION=="add|change", KERNEL=="sd[a-z]", ATTRS{queue/rotational}=="1", RUN+="${pkgs.hdparm}/bin/hdparm -S 60 -B 100 /dev/%k" ''; services.syncthing.enable = true; services.syncthing.user = "ragon"; programs.mosh.enable = true; security.sudo.wheelNeedsPassword = false; networking.useDHCP = true; networking.bridges."br0".interfaces = [ ]; networking.hostId = "7b4c2932"; networking.firewall.allowedTCPPorts = [ 9000 25565 80 443 ]; boot.initrd.network = { enable = true; postCommands = '' zpool import rpool zpool import spool echo "zfs load-key -a; killall zfs" >> /root/.profile ''; ssh = { enable = true; port = 2222; hostKeys = [ "/persistent/etc/nixos/secrets/initrd/ssh_host_rsa_key" "/persistent/etc/nixos/secrets/initrd/ssh_host_ed25519_key" ]; authorizedKeys = pubkeys.ragon.computers; }; }; boot.kernel.sysctl."fs.inotify.max_user_instances" = 512; # Immutable users due to tmpfs users.mutableUsers = false; users.users.nia = { createHome = true; isNormalUser = true; extraGroups = [ "docker" "podman" "wheel" ]; openssh.authorizedKeys.keys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDq+jk1Bi8/x0lYDiVi/iVnp9nEleocoQ+xHmlpDt9Qs" ]; }; users.users.bzzt = { description = "bzzt server service user"; home = "/var/lib/bzzt"; createHome = true; isSystemUser = true; group = "bzzt"; }; users.groups.bzzt = { }; users.users.minecraft = { description = "Minecraft server service user"; home = "/var/lib/minecraft"; createHome = true; isSystemUser = true; group = "minecraft"; }; users.groups.minecraft = { }; environment.systemPackages = [ pkgs.jdk17 pkgs.borgbackup ]; services.smartd = { enable = true; extraOptions = [ "--interval=7200" ]; notifications.test = true; }; nixpkgs.overlays = [ (self: super: { zfs = super.zfs.override { enableMail = true; }; }) ]; services.zfs.zed.settings = { ZED_EMAIL_ADDR = [ "root" ]; ZED_EMAIL_PROG = "${pkgs.msmtp}/bin/msmtp"; ZED_EMAIL_OPTS = "@ADDRESS@"; ZED_NOTIFY_INTERVAL_SECS = 7200; ZED_NOTIFY_VERBOSE = true; ZED_USE_ENCLOSURE_LEDS = false; ZED_SCRUB_AFTER_RESILVER = true; }; systemd.services.caddy.serviceConfig.EnvironmentFile = config.age.secrets.desec.path; services.caddy = { # ragon.services.caddy is enabled globalConfig = '' acme_dns desec { token "{$TOKEN}" } ''; virtualHosts."http://*.hailsatan.eu".extraConfig = '' @bzzt-api host bzzt-api.hailsatan.eu handle @bzzt-api { reverse_proxy http://127.0.0.1:5001 } @bzzt-lcg host bzzt-lcg.hailsatan.eu handle @bzzt-lcg { reverse_proxy http://127.0.0.1:5003 } @bzzt host bzzt.hailsatan.eu handle @bzzt { reverse_proxy http://127.0.0.1:5002 } handle { abort } ''; virtualHosts."*.hailsatan.eu".extraConfig = '' @immich host immich.hailsatan.eu handle @immich { reverse_proxy http://immich-server:3001 { transport http { resolvers 10.88.0.1 # podman dns } } } @nd host nd.hailsatan.eu handle @nd { reverse_proxy http://navidrome:4533 { transport http { resolvers 10.88.0.1 # podman dns } } } @cd host cd.hailsatan.eu handle @cd { reverse_proxy http://changedetection:5000 { transport http { resolvers 10.88.0.1 # podman dns } } } @grafana host grafana.hailsatan.eu handle @grafana { reverse_proxy http://grafana:3000 { transport http { resolvers 10.88.0.1 # podman dns } } } @node-red host node-red.hailsatan.eu handle @node-red { reverse_proxy http://node-red:1880 { transport http { resolvers 10.88.0.1 # podman dns } } } @bzzt-api host bzzt-api.hailsatan.eu handle @bzzt-api { reverse_proxy http://127.0.0.1:5001 } @bzzt-lcg host bzzt-lcg.hailsatan.eu handle @bzzt-lcg { reverse_proxy http://127.0.0.1:5003 } @bzzt host bzzt.hailsatan.eu handle @bzzt { reverse_proxy http://127.0.0.1:5002 } handle { abort } ''; }; home-manager.users.ragon = { pkgs, lib, inputs, config, ... }: { imports = [ # ../../hm-modules/nvim ../../hm-modules/helix # ../../hm-modules/zsh ../../hm-modules/tmux # ../../hm-modules/xonsh ../../hm-modules/cli.nix ../../hm-modules/files.nix ]; # ragon.xonsh.enable = true; programs.home-manager.enable = true; home.stateVersion = "23.11"; }; # begin kube # services.k3s = { # enable = true; # extraFlags = "--disable=traefik --cluster-cidr 10.42.0.0/16,2001:cafe:42::/56 --service-cidr=10.43.0.0/16,2001:cafe:43::/112 --vpn-auth-file=/persistent/tailscale-auth-file"; #}; # systemd.services.k3s.path = [pkgs.tailscale pkgs.coreutils pkgs.bash]; # end kube ragon = { agenix.secrets."desec" = { }; user.enable = true; persist.enable = true; persist.extraDirectories = [ "/home/nia" "/var/lib/syncthing" "/var/lib/minecraft" "/var/lib/bzzt" "/var/lib/rancher" "/etc/rancher" "/root/.cache" ]; services = { caddy.enable = true; docker.enable = true; ssh.enable = true; msmtp.enable = true; # photoprism.enable = true; tailscale.enable = true; tailscale.exitNode = true; tailscale.extraUpCommands = "--advertise-routes=10.0.0.0/16"; libvirt.enable = true; # paperless.enable = true; }; }; }