onjen/nixos-config
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
nixos-config/hosts/dalinar/default.nix

317 lines
8.2 KiB
Nix
Raw Blame History

{ config, lib, pkgs, ... }:
{
imports =
[
./hardware-configuration.nix
./disko-config.nix
];
boot = {
# Lanzaboote currently replaces the systemd-boot module.
loader.systemd-boot.enable = lib.mkForce false;
loader.efi.canTouchEfiVariables = true;
bootspec.enable = true;
lanzaboote = {
enable = true;
pkiBundle = "/etc/secureboot";
# This will be the new location in unstable
# pkiBundle = "/var/lib/sbctl";
};
initrd.systemd.enable = true;
# Name "crypted" corresponds to the luks name in disko config
initrd.luks.devices.crypted = {
device = lib.mkForce "/dev/disk/by-uuid/26973b85-9c65-488b-93fb-8992ea0f8d50";
crypttabExtraOpts = [ "tpm2-device=auto" ];
};
# Required for subnet route advertising in Tailscale
kernel.sysctl."net.ipv4.ip_forward" = 1;
# Required for ZFS, see https://openzfs.github.io/openzfs-docs/Getting%20Started/NixOS/index.html
supportedFilesystems = [ "zfs" ];
zfs = {
extraPools = ["storage"];
forceImportRoot = false;
};
};
nix.gc = {
automatic = true;
dates = "weekly";
options = "--delete-older-than 30d";
};
networking = {
hostName = "dalinar";
nftables.enable = true;
firewall = {
enable = true;
allowedUDPPorts = [ 53 ];
allowedTCPPorts = [ 80 443 ];
trustedInterfaces = [ "tailscale0" ];
};
# head -c4 /dev/urandom | od -A none -t x4
# Required for ZFS, see https://openzfs.github.io/openzfs-docs/Getting%20Started/NixOS/index.html
hostId = "0c2ce418";
useNetworkd = true;
};
services.resolved = {
enable = true;
# Unbound is running
extraConfig = ''
DNSStubListener=no
'';
};
time.timeZone = "Europe/Berlin";
sops.defaultSopsFile = ./secrets.yaml;
sops.age.sshKeyPaths = [];
sops.age.keyFile = "/etc/age/keys.txt";
sops.secrets."miniflux/ADMIN_USERNAME" = { };
sops.secrets."miniflux/ADMIN_PASSWORD" = { };
sops.templates."miniflux-admin-credentials".content = ''
ADMIN_USERNAME=${config.sops.placeholder."miniflux/ADMIN_USERNAME"}
ADMIN_PASSWORD=${config.sops.placeholder."miniflux/ADMIN_PASSWORD"}
'';
sops.secrets."caddy/ionos_dns_api_key" = { };
sops.templates."caddy-global-conf".content = ''
IONOS_API_KEY=${config.sops.placeholder."caddy/ionos_dns_api_key"}
'';
sops.secrets."searx/secret_key" = { };
sops.templates."searx-env".content = ''
SEARX_SECRET_KEY=${config.sops.placeholder."searx/secret_key"}
'';
i18n.defaultLocale = "en_US.UTF-8";
console = {
font = "Lat2-Terminus16";
keyMap = "de";
};
users.mutableUsers = false;
# mkpasswd -m sha512crypt <password>
users.users.root.hashedPassword = "$6$JdgM.TQt0/0988od$yPVgGZ5zu6HjG.sVjzEWJBm4L7XEReuplrqLRekPq/GrAyk5GrFmPM9hdzrmD28PDX9AtxaClYM5emsJ75YfJ0";
environment.systemPackages = with pkgs; [
ethtool
htop
sbctl
tmux
vim
wget
zfs
];
powerManagement.powertop.enable = true;
programs.neovim.enable = true;
services.tailscale.enable = true;
services.networkd-dispatcher = {
enable = true;
rules."50-tailscale" = {
onState = ["routable"];
script = ''
${pkgs.ethtool}/bin/ethtool -K eno1 rx-udp-gro-forwarding on rx-gro-list off
'';
};
};
services.zfs.autoScrub.enable = true;
services.unbound = {
enable = true;
settings = {
server = {
interface = [ "127.0.0.1" ];
port = 5335;
access-control = [ "127.0.0.1 allow" ];
harden-glue = true;
num-threads = 4;
harden-dnssec-stripped = true;
use-caps-for-id = false;
prefetch = true;
edns-buffer-size = 1232;
hide-identity = true;
hide-version = true;
private-address = [
"172.16.0.0/12"
];
};
forward-zone = [
{
name = ".";
forward-addr = [
"9.9.9.9#dns.quad9.net"
"149.112.112.112#dns.quad9.net"
];
forward-tls-upstream = true;
}
];
};
};
services.blocky = {
enable = true;
settings = {
upstreams.groups.default = [
"127.0.0.1:${toString config.services.unbound.settings.server.port}"
];
blocking = {
denylists.ads = [
"https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts"
];
clientGroupsBlock.default = [ "ads" ];
};
customDNS = {
mapping = {
# This mapping is recursive so foo.dalinar.home.johannes-rothe.de also resolves
"dalinar.home.johannes-rothe.de" = "172.16.0.2";
"base.home.johannes-rothe.de" = "172.16.0.3";
};
};
ports = {
dns = 53;
http = 4000; # port for prometheus metrics
};
prometheus = {
enable = true;
path = "/metrics";
};
queryLog.type = "none";
};
};
services.immich = {
enable = true;
host = "0.0.0.0";
openFirewall = true;
machine-learning.enable = false;
# TODO set data dir
};
services.prometheus = {
enable = true;
retentionTime = "60d";
globalConfig.scrape_interval = "15s";
scrapeConfigs = [
{
job_name = "node";
static_configs = [{
targets = [ "localhost:${toString config.services.prometheus.exporters.node.port}" ];
}];
}
{
job_name = "blocky";
static_configs = [{
targets = [ "localhost:${toString config.services.blocky.settings.ports.http}" ];
}];
}
];
exporters.node = {
enable = true;
enabledCollectors = [
"systemd"
];
disabledCollectors = [
"textfile"
];
port = 9100;
};
};
services.grafana = {
enable = true;
settings = {
server = {
http_addr = "0.0.0.0";
http_port = 3000;
domain = "dalinar";
};
};
};
services.miniflux = {
enable = true;
adminCredentialsFile = config.sops.templates."miniflux-admin-credentials".path;
};
services.jellyfin = {
enable = true;
};
services.caddy = {
enable = true;
environmentFile = config.sops.templates."caddy-global-conf".path;
globalConfig = ''
acme_dns ionos {$IONOS_API_KEY}
'';
logFormat = lib.mkForce "level INFO";
# Use my custom build to integrate the ionos DNS challenge plugin
package = pkgs.callPackage ../../packages/caddy {};
virtualHosts = {
"https://grafana.dalinar.home.johannes-rothe.de" = {
extraConfig = ''
reverse_proxy localhost:${builtins.toString config.services.grafana.settings.server.http_port}
'';
};
"https://prometheus.dalinar.home.johannes-rothe.de" = {
extraConfig = ''
reverse_proxy localhost:${builtins.toString config.services.prometheus.port}
'';
};
"https://feeds.dalinar.home.johannes-rothe.de" = {
extraConfig = ''
reverse_proxy localhost:8080
'';
};
"https://search.dalinar.home.johannes-rothe.de" = {
extraConfig = ''
reverse_proxy ${config.containers.searx.localAddress}:${builtins.toString config.containers.searx.config.services.searx.settings.server.port}
'';
};
"https://jellyfin.dalinar.home.johannes-rothe.de" = {
extraConfig = ''
reverse_proxy localhost:8096
'';
};
};
};
networking.nat = {
enable = true;
internalInterfaces = [ "ve-*" ];
externalInterface = "eno1";
};
containers.searx = {
autoStart = true;
ephemeral = true;
privateNetwork = true;
hostAddress = "192.168.100.2";
localAddress = "192.168.100.3";
bindMounts."/run/secrets/searx-env" = {
isReadOnly = true;
hostPath = config.sops.templates."searx-env".path;
};
config = { config, ... }: {
networking.firewall.allowedTCPPorts = [ config.services.searx.settings.server.port ];
system.stateVersion = "24.11";
services.searx = {
enable = true;
environmentFile = /run/secrets/searx-env;
settings.server = {
port = 8181;
bind_address = "192.168.100.3";
secret_key = "@SEARX_SECRET_KEY@";
};
};
};
};
system.stateVersion = "24.11"; # Don't change
}
Reference in New Issue View Git Blame Copy Permalink