{ config, lib, pkgs, ... }: { imports = [ ./hardware-configuration.nix ./disko-config.nix ]; boot = { # Lanzaboote currently replaces the systemd-boot module. loader.systemd-boot.enable = lib.mkForce false; loader.efi.canTouchEfiVariables = true; bootspec.enable = true; lanzaboote = { enable = true; pkiBundle = "/etc/secureboot"; # This will be the new location in unstable # pkiBundle = "/var/lib/sbctl"; }; initrd.systemd.enable = true; # Name "crypted" corresponds to the luks name in disko config initrd.luks.devices.crypted = { device = lib.mkForce "/dev/disk/by-uuid/26973b85-9c65-488b-93fb-8992ea0f8d50"; crypttabExtraOpts = [ "tpm2-device=auto" ]; }; # Required for subnet route advertising in Tailscale kernel.sysctl."net.ipv4.ip_forward" = 1; # Required for ZFS, see https://openzfs.github.io/openzfs-docs/Getting%20Started/NixOS/index.html supportedFilesystems = [ "zfs" ]; zfs = { extraPools = ["storage"]; forceImportRoot = false; }; }; nix.gc = { automatic = true; dates = "weekly"; options = "--delete-older-than 30d"; }; networking = { hostName = "dalinar"; nftables.enable = true; firewall = { enable = true; allowedUDPPorts = [ 53 ]; allowedTCPPorts = [ 80 443 ]; trustedInterfaces = [ "tailscale0" ]; }; # head -c4 /dev/urandom | od -A none -t x4 # Required for ZFS, see https://openzfs.github.io/openzfs-docs/Getting%20Started/NixOS/index.html hostId = "0c2ce418"; useNetworkd = true; }; services.resolved = { enable = true; # Unbound is running extraConfig = '' DNSStubListener=no ''; }; time.timeZone = "Europe/Berlin"; sops.defaultSopsFile = ./secrets.yaml; sops.age.sshKeyPaths = []; sops.age.keyFile = "/etc/age/keys.txt"; sops.secrets."miniflux/ADMIN_USERNAME" = { }; sops.secrets."miniflux/ADMIN_PASSWORD" = { }; sops.templates."miniflux-admin-credentials".content = '' ADMIN_USERNAME=${config.sops.placeholder."miniflux/ADMIN_USERNAME"} ADMIN_PASSWORD=${config.sops.placeholder."miniflux/ADMIN_PASSWORD"} ''; sops.secrets."caddy/ionos_dns_api_key" = { }; sops.templates."caddy-global-conf".content = '' IONOS_API_KEY=${config.sops.placeholder."caddy/ionos_dns_api_key"} ''; sops.secrets."searx/secret_key" = { }; sops.templates."searx-env".content = '' SEARX_SECRET_KEY=${config.sops.placeholder."searx/secret_key"} ''; i18n.defaultLocale = "en_US.UTF-8"; console = { font = "Lat2-Terminus16"; keyMap = "de"; }; users.mutableUsers = false; # mkpasswd -m sha512crypt users.users.root.hashedPassword = "$6$JdgM.TQt0/0988od$yPVgGZ5zu6HjG.sVjzEWJBm4L7XEReuplrqLRekPq/GrAyk5GrFmPM9hdzrmD28PDX9AtxaClYM5emsJ75YfJ0"; users.users.sambauser = { isNormalUser = true; createHome = false; }; environment.systemPackages = with pkgs; [ ethtool htop sbctl tmux vim wget zfs ]; powerManagement.powertop.enable = true; programs.neovim.enable = true; services.tailscale.enable = true; services.networkd-dispatcher = { enable = true; rules."50-tailscale" = { onState = ["routable"]; script = '' ${pkgs.ethtool}/bin/ethtool -K eno1 rx-udp-gro-forwarding on rx-gro-list off ''; }; }; services.zfs.autoScrub.enable = true; services.samba = { enable = true; openFirewall = true; settings = { global = { security = "user"; workgroup = "WORKGROUP"; "server string" = "smbnix"; "netbios name" = "smbnix"; "hosts allow" = "100. 172.16.0. 127.0.0.1 localhost"; "hosts deny" = "0.0.0.0/0"; "guest account" = "nobody"; "map to guest" = "bad user"; }; media = { path = "/storage/encrypted/media/"; browseable = "yes"; writeable = "yes"; "read only" = "no"; "guest ok" = "no"; "create mask" = "0644"; "directory mask" = "0755"; "force user" = config.services.jellyfin.user; "force group" = config.services.jellyfin.group; }; }; }; services.unbound = { enable = true; settings = { server = { interface = [ "127.0.0.1" ]; port = 5335; access-control = [ "127.0.0.1 allow" ]; harden-glue = true; num-threads = 4; harden-dnssec-stripped = true; use-caps-for-id = false; prefetch = true; edns-buffer-size = 1232; hide-identity = true; hide-version = true; private-address = [ "172.16.0.0/12" ]; }; forward-zone = [ { name = "."; forward-addr = [ "9.9.9.9#dns.quad9.net" "149.112.112.112#dns.quad9.net" ]; forward-tls-upstream = true; } ]; }; }; services.blocky = { enable = true; settings = { upstreams.groups.default = [ "127.0.0.1:${toString config.services.unbound.settings.server.port}" ]; blocking = { denylists.ads = [ "https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts" ]; clientGroupsBlock.default = [ "ads" ]; }; customDNS = { mapping = { # This mapping is recursive so foo.dalinar.home.johannes-rothe.de also resolves "dalinar.home.johannes-rothe.de" = "172.16.0.2"; "base.home.johannes-rothe.de" = "172.16.0.3"; }; }; ports = { dns = 53; http = 4000; # port for prometheus metrics }; prometheus = { enable = true; path = "/metrics"; }; queryLog.type = "none"; }; }; services.immich = { enable = true; machine-learning.enable = false; mediaLocation = "/storage/encrypted/photos/"; }; services.prometheus = { enable = true; retentionTime = "60d"; globalConfig.scrape_interval = "15s"; scrapeConfigs = [ { job_name = "node"; static_configs = [{ targets = [ "localhost:${toString config.services.prometheus.exporters.node.port}" ]; }]; } { job_name = "blocky"; static_configs = [{ targets = [ "localhost:${toString config.services.blocky.settings.ports.http}" ]; }]; } ]; exporters.node = { enable = true; enabledCollectors = [ "systemd" ]; disabledCollectors = [ "textfile" ]; port = 9100; }; }; services.grafana = { enable = true; settings = { server = { http_addr = "0.0.0.0"; http_port = 3000; domain = "dalinar"; }; }; }; services.miniflux = { enable = true; adminCredentialsFile = config.sops.templates."miniflux-admin-credentials".path; }; services.jellyfin = { enable = true; }; services.caddy = { enable = true; environmentFile = config.sops.templates."caddy-global-conf".path; globalConfig = '' acme_dns ionos {$IONOS_API_KEY} ''; logFormat = lib.mkForce "level INFO"; # Use my custom build to integrate the ionos DNS challenge plugin package = pkgs.callPackage ../../packages/caddy {}; virtualHosts = { "https://grafana.dalinar.home.johannes-rothe.de" = { extraConfig = '' reverse_proxy localhost:${builtins.toString config.services.grafana.settings.server.http_port} ''; }; "https://prometheus.dalinar.home.johannes-rothe.de" = { extraConfig = '' reverse_proxy localhost:${builtins.toString config.services.prometheus.port} ''; }; "https://feeds.dalinar.home.johannes-rothe.de" = { extraConfig = '' reverse_proxy localhost:8080 ''; }; "https://search.dalinar.home.johannes-rothe.de" = { extraConfig = '' reverse_proxy ${config.containers.searx.localAddress}:${builtins.toString config.containers.searx.config.services.searx.settings.server.port} ''; }; "https://jellyfin.dalinar.home.johannes-rothe.de" = { extraConfig = '' reverse_proxy localhost:8096 ''; }; "https://immich.dalinar.home.johannes-rothe.de" = { extraConfig = '' reverse_proxy localhost:${toString config.services.immich.port} ''; }; }; }; networking.nat = { enable = true; internalInterfaces = [ "ve-*" ]; externalInterface = "eno1"; }; containers.searx = { autoStart = true; ephemeral = true; privateNetwork = true; hostAddress = "192.168.100.2"; localAddress = "192.168.100.3"; bindMounts."/run/secrets/searx-env" = { isReadOnly = true; hostPath = config.sops.templates."searx-env".path; }; config = { config, ... }: { networking.firewall.allowedTCPPorts = [ config.services.searx.settings.server.port ]; system.stateVersion = "24.11"; services.searx = { enable = true; environmentFile = /run/secrets/searx-env; settings.server = { port = 8181; bind_address = "192.168.100.3"; secret_key = "@SEARX_SECRET_KEY@"; }; }; }; }; containers.lidarr = { autoStart = true; privateNetwork = true; enableTun = true; hostAddress = "192.168.100.4"; localAddress = "192.168.100.5"; config = { ... }: { system.stateVersion = "24.11"; networking.useHostResolvConf = lib.mkForce false; # Required workaround for tailscale exit nodes, see https://nixos.wiki/wiki/Tailscale networking.firewall.checkReversePath = "loose"; services.resolved.enable = true; services.tailscale.enable = true; }; }; system.stateVersion = "24.11"; # Don't change }