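{ config, lib, pkgs, ... }:

# NixOS configuration for the host "dalinar".
#
# What it sets up:
#   - Secure Boot via lanzaboote, LUKS root unlocked through the TPM2, ZFS
#   - a local resolver chain: blocky (:53, ad-blocking, LAN names) -> unbound
#     (127.0.0.1:5335, validating, DNS-over-TLS to Quad9)
#   - prometheus / grafana monitoring, miniflux, immich
#   - caddy as the TLS front door (ACME via the IONOS DNS challenge)
#
# Secrets are supplied by sops-nix from ./secrets.yaml; see the note on the
# root password hash below for the one value that still lives in this file.
{
  imports = [
    ./hardware-configuration.nix
    ./disko-config.nix
  ];

  boot = {
    # Lanzaboote currently replaces the systemd-boot module.
    loader.systemd-boot.enable = lib.mkForce false;
    loader.efi.canTouchEfiVariables = true;
    bootspec.enable = true;

    lanzaboote = {
      enable = true;
      pkiBundle = "/etc/secureboot";
      # This will be the new location in unstable
      # pkiBundle = "/var/lib/sbctl";
    };

    initrd.systemd.enable = true;

    # Name "crypted" corresponds to the luks name in disko config
    initrd.luks.devices.crypted = {
      device = lib.mkForce "/dev/disk/by-uuid/26973b85-9c65-488b-93fb-8992ea0f8d50";
      # Unlock from the TPM2-enrolled key slot. Which PCRs the key is bound to
      # is fixed when the slot is enrolled, not by this option.
      crypttabExtraOpts = [ "tpm2-device=auto" ];
    };

    # Required for subnet route advertising in Tailscale
    kernel.sysctl."net.ipv4.ip_forward" = 1;

    # Required for ZFS, see https://openzfs.github.io/openzfs-docs/Getting%20Started/NixOS/index.html
    supportedFilesystems = [ "zfs" ];
    zfs = {
      extraPools = [ "storage" ];
      forceImportRoot = false;
    };
  };

  networking = {
    hostName = "dalinar";
    # Use the nftables backend for the NixOS firewall rules below.
    nftables.enable = true;
    firewall = {
      enable = true;
      # 53: blocky, the LAN resolver. A resolver must be reachable over TCP as
      # well as UDP: answers too large for a UDP datagram are returned
      # truncated and the client retries over TCP (RFC 7766), which the
      # previous UDP-only rule silently blocked for LAN clients.
      # 80/443: caddy.
      allowedUDPPorts = [ 53 ];
      allowedTCPPorts = [ 53 80 443 ];
    };
    # head -c4 /dev/urandom | od -A none -t x4
    # Required for ZFS, see https://openzfs.github.io/openzfs-docs/Getting%20Started/NixOS/index.html
    hostId = "0c2ce418";
    useNetworkd = true;
  };

  services.resolved = {
    enable = true;
    # Unbound is running
    # Without this resolved binds its own stub on 127.0.0.53:53; turning it
    # off leaves port 53 to blocky.
    extraConfig = ''
      DNSStubListener=no
    '';
  };

  time.timeZone = "Europe/Berlin";

  # sops-nix: secrets are decrypted at activation with the host's age key;
  # the SSH host keys are deliberately not used as age identities.
  sops.defaultSopsFile = ./secrets.yaml;
  sops.age.sshKeyPaths = [ ];
  sops.age.keyFile = "/etc/age/keys.txt";

  sops.secrets."miniflux/ADMIN_USERNAME" = { };
  sops.secrets."miniflux/ADMIN_PASSWORD" = { };
  # Rendered at runtime into an env-style file that miniflux reads through
  # adminCredentialsFile; the placeholders keep the values out of the store.
  sops.templates."miniflux-admin-credentials".content = ''
    ADMIN_USERNAME=${config.sops.placeholder."miniflux/ADMIN_USERNAME"}
    ADMIN_PASSWORD=${config.sops.placeholder."miniflux/ADMIN_PASSWORD"}
  '';

  sops.secrets."caddy/ionos_dns_api_key" = { };
  # Loaded into caddy's environment via environmentFile; the Caddyfile refers
  # to it as {$IONOS_API_KEY}, so the key itself never enters the nix store.
  sops.templates."caddy-global-conf".content = ''
    IONOS_API_KEY=${config.sops.placeholder."caddy/ionos_dns_api_key"}
  '';

  i18n.defaultLocale = "en_US.UTF-8";
  console = {
    font = "Lat2-Terminus16";
    keyMap = "de";
  };

  users.mutableUsers = false;
  # mkpasswd -m sha512crypt <password>
  # NOTE(review): this is a salted sha512crypt hash rather than the password,
  # but a hash in a committed file is still available for offline guessing.
  # If this file is tracked, prefer storing the hash in secrets.yaml and
  # pointing users.users.root.hashedPasswordFile at the sops secret (declared
  # with neededForUsers = true so it is available when users are created).
  users.users.root.hashedPassword = "$6$JdgM.TQt0/0988od$yPVgGZ5zu6HjG.sVjzEWJBm4L7XEReuplrqLRekPq/GrAyk5GrFmPM9hdzrmD28PDX9AtxaClYM5emsJ75YfJ0";

  environment.systemPackages = with pkgs; [
    ethtool
    htop
    sbctl
    tmux
    vim
    wget
    zfs
  ];

  powerManagement.powertop.enable = true;
  programs.neovim.enable = true;

  services.tailscale.enable = true;
  services.networkd-dispatcher = {
    enable = true;
    # Offload settings applied whenever eno1 becomes routable; presumably the
    # UDP GRO forwarding tweak Tailscale recommends for subnet routers.
    rules."50-tailscale" = {
      onState = [ "routable" ];
      script = ''
        ${pkgs.ethtool}/bin/ethtool -K eno1 rx-udp-gro-forwarding on rx-gro-list off
      '';
    };
  };

  services.zfs.autoScrub.enable = true;

  # Validating recursive resolver, reachable only from this host. blocky is
  # its sole client (see services.blocky.settings.upstreams below).
  services.unbound = {
    enable = true;
    settings = {
      server = {
        interface = [ "127.0.0.1" ];
        port = 5335;
        access-control = [ "127.0.0.1 allow" ];
        harden-glue = true;
        num-threads = 4;
        harden-dnssec-stripped = true;
        use-caps-for-id = false;
        prefetch = true;
        # Keep UDP answers below the common path MTU (DNS flag day 2020 value).
        edns-buffer-size = 1232;
        hide-identity = true;
        hide-version = true;
        # Addresses in this range are stripped from upstream answers for
        # public names (DNS rebinding protection). The LAN names served by
        # blocky's customDNS are answered before unbound is consulted.
        private-address = [
          "172.16.0.0/12"
        ];
      };
      forward-zone = [
        {
          name = ".";
          # Quad9 over TLS; the "#hostname" suffix pins the certificate name.
          forward-addr = [
            "9.9.9.9#dns.quad9.net"
            "149.112.112.112#dns.quad9.net"
          ];
          forward-tls-upstream = true;
        }
      ];
    };
  };

  # LAN-facing resolver: ad blocking and local names, everything else is
  # forwarded to the local unbound instance.
  services.blocky = {
    enable = true;
    settings = {
      upstreams.groups.default = [
        "127.0.0.1:${toString config.services.unbound.settings.server.port}"
      ];
      blocking = {
        denylists.ads = [
          "https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts"
        ];
        clientGroupsBlock.default = [ "ads" ];
      };
      customDNS = {
        mapping = {
          # This mapping is recursive so foo.dalinar.home.johannes-rothe.de also resolves
          "dalinar.home.johannes-rothe.de" = "172.16.0.2";
          "base.home.johannes-rothe.de" = "172.16.0.3";
        };
      };
      ports = {
        dns = 53;
        # port for prometheus metrics (scraped from localhost below; not opened
        # in the firewall)
        http = 4000;
      };
      prometheus = {
        enable = true;
        path = "/metrics";
      };
      # No per-query logging: keeps client lookups off the disk.
      queryLog.type = "none";
    };
  };

  services.immich = {
    enable = true;
    # Listens on every interface and opens its own firewall port, so unlike
    # the services behind caddy it is reached directly over plain HTTP.
    host = "0.0.0.0";
    openFirewall = true;
    machine-learning.enable = false;
    # TODO set data dir
  };

  services.prometheus = {
    enable = true;
    retentionTime = "60d";
    globalConfig.scrape_interval = "15s";
    scrapeConfigs = [
      {
        job_name = "node";
        static_configs = [{
          targets = [ "localhost:${toString config.services.prometheus.exporters.node.port}" ];
        }];
      }
      {
        job_name = "blocky";
        static_configs = [{
          targets = [ "localhost:${toString config.services.blocky.settings.ports.http}" ];
        }];
      }
    ];
    exporters.node = {
      enable = true;
      enabledCollectors = [
        "systemd"
      ];
      disabledCollectors = [
        "textfile"
      ];
      port = 9100;
    };
  };

  services.grafana = {
    enable = true;
    settings = {
      server = {
        # caddy proxies to localhost, so 127.0.0.1 would suffice unless direct
        # access on :3000 (e.g. over tailscale) is intended.
        http_addr = "0.0.0.0";
        http_port = 3000;
        domain = "dalinar";
      };
    };
  };

  services.miniflux = {
    enable = true;
    adminCredentialsFile = config.sops.templates."miniflux-admin-credentials".path;
  };

  services.caddy = {
    enable = true;
    environmentFile = config.sops.templates."caddy-global-conf".path;
    # Certificates for the internal names are obtained with the DNS-01
    # challenge through IONOS, so the hosts need no public reachability.
    globalConfig = ''
      acme_dns ionos {$IONOS_API_KEY}
    '';
    logFormat = lib.mkForce "level INFO";
    # Custom build; presumably includes the ionos DNS provider module used above.
    package = pkgs.callPackage ../../packages/caddy {};
    virtualHosts = {
      "https://grafana.dalinar.home.johannes-rothe.de" = {
        extraConfig = ''
          reverse_proxy localhost:${builtins.toString config.services.grafana.settings.server.http_port}
        '';
      };
      # No authentication is configured here, and prometheus itself has none,
      # so everyone who can reach :443 can query it.
      "https://prometheus.dalinar.home.johannes-rothe.de" = {
        extraConfig = ''
          reverse_proxy localhost:${builtins.toString config.services.prometheus.port}
        '';
      };
      "https://feeds.dalinar.home.johannes-rothe.de" = {
        # 8080 is miniflux's default listen port; kept literal because no
        # listen address is set on services.miniflux above.
        extraConfig = ''
          reverse_proxy localhost:8080
        '';
      };
    };
  };

  # This option defines the first version of NixOS you have installed on this particular machine,
  # and is used to maintain compatibility with application data (e.g. databases) created on older NixOS versions.
  #
  # Most users should NEVER change this value after the initial install, for any reason,
  # even if you've upgraded your system to a new NixOS release.
  #
  # This value does NOT affect the Nixpkgs version your packages and OS are pulled from,
  # so changing it will NOT upgrade your system - see https://nixos.org/manual/nixos/stable/#sec-upgrading for how
  # to actually do that.
  #
  # This value being lower than the current NixOS release does NOT mean your system is
  # out of date, out of support, or vulnerable.
  #
  # Do NOT change this value unless you have manually inspected all the changes it would make to your configuration,
  # and migrated your data accordingly.
  #
  # For more information, see `man configuration.nix` or https://nixos.org/manual/nixos/stable/options#opt-system.stateVersion .
  system.stateVersion = "24.11"; # Did you read the comment?
}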