nixos-config/hosts/dalinar/default.nix

{ config, lib, pkgs, ... }:

{
  imports =
    [
      ./hardware-configuration.nix
      ./disko-config.nix
    ];

  boot = {
    # Lanzaboote currently replaces the systemd-boot module.
    loader.systemd-boot.enable = lib.mkForce false;
    loader.efi.canTouchEfiVariables = true;
    bootspec.enable = true;
    lanzaboote = {
      enable = true;
      pkiBundle = "/etc/secureboot";
      # This will be the new location in unstable
      # pkiBundle = "/var/lib/sbctl";
    };
    initrd.systemd.enable = true;
    # Name "crypted" corresponds to the luks name in disko config
    initrd.luks.devices.crypted = {
      device = lib.mkForce "/dev/disk/by-uuid/26973b85-9c65-488b-93fb-8992ea0f8d50";
      crypttabExtraOpts = [ "tpm2-device=auto" ];
    };
    # Required for subnet route advertising in Tailscale
    kernel.sysctl."net.ipv4.ip_forward" = 1;
    # Required for ZFS, see https://openzfs.github.io/openzfs-docs/Getting%20Started/NixOS/index.html
    supportedFilesystems = [ "zfs" ];
    zfs = {
      extraPools = ["storage"];
      forceImportRoot = false;
    };
  };

  nix.gc = {
    automatic = true;
    dates = "weekly";
    options = "--delete-older-than 30d";
  };

  networking = {
    hostName = "dalinar";
    nftables.enable = true;
    firewall = {
      enable = true;
      allowedUDPPorts = [ 53 ];
      allowedTCPPorts = [ 80 443 ];
      trustedInterfaces = [ "tailscale0" ];
    };
    # head -c4 /dev/urandom | od -A none -t x4
    # Required for ZFS, see https://openzfs.github.io/openzfs-docs/Getting%20Started/NixOS/index.html
    hostId = "0c2ce418";
    useNetworkd = true;
  };

  services.resolved = {
    enable = true;
    # Unbound is running
    extraConfig = ''
      DNSStubListener=no
    '';
  };

  time.timeZone = "Europe/Berlin";

  sops.defaultSopsFile = ./secrets.yaml;
  sops.age.sshKeyPaths = [];
  sops.age.keyFile = "/etc/age/keys.txt";
  sops.secrets."miniflux/ADMIN_USERNAME" = { };
  sops.secrets."miniflux/ADMIN_PASSWORD" = { };
  sops.templates."miniflux-admin-credentials".content = ''
    ADMIN_USERNAME=${config.sops.placeholder."miniflux/ADMIN_USERNAME"}
    ADMIN_PASSWORD=${config.sops.placeholder."miniflux/ADMIN_PASSWORD"}
  '';
  sops.secrets."caddy/ionos_dns_api_key" = { };
  sops.templates."caddy-global-conf".content = ''
    IONOS_API_KEY=${config.sops.placeholder."caddy/ionos_dns_api_key"}
  '';
  sops.secrets."searx/secret_key" = { };
  sops.templates."searx-env".content = ''
    SEARX_SECRET_KEY=${config.sops.placeholder."searx/secret_key"}
  '';


  i18n.defaultLocale = "en_US.UTF-8";
   console = {
     font = "Lat2-Terminus16";
     keyMap = "de";
  };

  users.mutableUsers = false;
  # mkpasswd -m sha512crypt <password>
  users.users.root.hashedPassword = "$6$JdgM.TQt0/0988od$yPVgGZ5zu6HjG.sVjzEWJBm4L7XEReuplrqLRekPq/GrAyk5GrFmPM9hdzrmD28PDX9AtxaClYM5emsJ75YfJ0";
  users.users.sambauser = {
    isNormalUser = true;
    createHome = false;
  };

  environment.systemPackages = with pkgs; [
    ethtool
    htop
    sbctl
    tmux
    vim
    wget
    zfs
  ];

  powerManagement.powertop.enable = true;
  programs.neovim.enable = true;

  services.tailscale.enable = true;
  services.networkd-dispatcher = {
    enable = true;
    rules."50-tailscale" = {
      onState = ["routable"];
      script = ''
        ${pkgs.ethtool}/bin/ethtool -K eno1 rx-udp-gro-forwarding on rx-gro-list off
      '';
    };
  };

  services.zfs.autoScrub.enable = true;

  services.samba = {
    enable = true;
    openFirewall = true;
    settings = {
      global = {
        security = "user";
        workgroup = "WORKGROUP";
        "server string" = "smbnix";
        "netbios name" = "smbnix";
        "hosts allow" = "100. 172.16.0. 127.0.0.1 localhost";
        "hosts deny" = "0.0.0.0/0";
        "guest account" = "nobody";
        "map to guest" = "bad user";
      };
      media = {
        path = "/storage/encrypted/media/";
        browseable = "yes";
        writeable = "yes";
        "read only" = "no";
        "guest ok" = "no";
        "create mask" = "0644";
        "directory mask" = "0755";
        "force user" = config.services.jellyfin.user;
        "force group" = config.services.jellyfin.group;
      };
    };
  };

  services.unbound = {
    enable = true;
    settings = {
      server = {
        interface = [ "127.0.0.1" ];
        port = 5335;
        access-control = [ "127.0.0.1 allow" ];
        harden-glue = true;
        num-threads = 4;
        harden-dnssec-stripped = true;
        use-caps-for-id = false;
        prefetch = true;
        edns-buffer-size = 1232;
        hide-identity = true;
        hide-version = true;
        private-address = [
          "172.16.0.0/12"
        ];
      };
      forward-zone = [
        {
          name = ".";
          forward-addr = [
            "9.9.9.9#dns.quad9.net"
            "149.112.112.112#dns.quad9.net"
          ];
          forward-tls-upstream = true;
        }
      ];
    };
  };

  services.blocky = {
    enable = true;
    settings = {
      upstreams.groups.default = [
        "127.0.0.1:${toString config.services.unbound.settings.server.port}"
      ];
      blocking = {
        denylists.ads = [
            "https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts"
        ];
        clientGroupsBlock.default = [ "ads" ];
      };
      customDNS = {
        mapping = {
          # This mapping is recursive so foo.dalinar.home.johannes-rothe.de also resolves
          "dalinar.home.johannes-rothe.de" = "172.16.0.2";
          "base.home.johannes-rothe.de" = "172.16.0.3";
        };
      };
      ports = {
        dns = 53;
        http = 4000; # port for prometheus metrics
      };
      prometheus = {
        enable = true;
        path = "/metrics";
      };
      queryLog.type = "none";
    };
  };

  services.immich = {
    enable = true;
    machine-learning.enable = false;
    mediaLocation = "/storage/encrypted/photos/";
  };

  services.prometheus = {
    enable = true;
    retentionTime = "60d";
    globalConfig.scrape_interval = "15s";
    scrapeConfigs = [
      {
        job_name = "node";
        static_configs = [{
          targets = [ "localhost:${toString config.services.prometheus.exporters.node.port}" ];
        }];
      }
      {
        job_name = "blocky";
        static_configs = [{
          targets = [ "localhost:${toString config.services.blocky.settings.ports.http}" ];
        }];
      }
    ];
    exporters.node = {
      enable = true;
      enabledCollectors = [
        "systemd"
      ];
      disabledCollectors = [
        "textfile"
      ];
      port = 9100;
    };
  };

  services.grafana = {
    enable = true;
    settings = {
      server = {
        http_addr = "0.0.0.0";
        http_port = 3000;
        domain = "dalinar";
      };
    };
  };

  services.miniflux = {
    enable = true;
    adminCredentialsFile = config.sops.templates."miniflux-admin-credentials".path;
  };

  services.jellyfin = {
    enable = true;
  };

  services.caddy = {
    enable = true;
    environmentFile = config.sops.templates."caddy-global-conf".path;
    globalConfig = ''
    acme_dns ionos {$IONOS_API_KEY}
    '';
    logFormat = lib.mkForce "level INFO";
    # Use my custom build to integrate the ionos DNS challenge plugin
    package = pkgs.callPackage ../../packages/caddy {};
    virtualHosts = {
      "https://grafana.dalinar.home.johannes-rothe.de" = {
        extraConfig = ''
          reverse_proxy localhost:${builtins.toString config.services.grafana.settings.server.http_port}
        '';
      };
      "https://prometheus.dalinar.home.johannes-rothe.de" = {
        extraConfig = ''
          reverse_proxy localhost:${builtins.toString config.services.prometheus.port}
        '';
      };
      "https://feeds.dalinar.home.johannes-rothe.de" = {
        extraConfig = ''
          reverse_proxy localhost:8080
        '';
      };
      "https://search.dalinar.home.johannes-rothe.de" = {
        extraConfig = ''
          reverse_proxy ${config.containers.searx.localAddress}:${builtins.toString config.containers.searx.config.services.searx.settings.server.port}
        '';
      };
      "https://jellyfin.dalinar.home.johannes-rothe.de" = {
        extraConfig = ''
          reverse_proxy localhost:8096
        '';
      };
      "https://immich.dalinar.home.johannes-rothe.de" = {
        extraConfig = ''
          reverse_proxy localhost:${toString config.services.immich.port}
        '';
      };
    };
  };

  networking.nat = {
    enable = true;
    internalInterfaces = [ "ve-*" ];
    externalInterface = "eno1";
  };

  containers.searx = {
    autoStart = true;
    ephemeral = true;
    privateNetwork = true;
    hostAddress = "192.168.100.2";
    localAddress = "192.168.100.3";
    bindMounts."/run/secrets/searx-env" = {
      isReadOnly = true;
      hostPath = config.sops.templates."searx-env".path;
    };
    config = { config, ... }: {
      networking.firewall.allowedTCPPorts = [ config.services.searx.settings.server.port ];
      system.stateVersion = "24.11";
      services.searx = {
        enable = true;
        environmentFile = /run/secrets/searx-env;
        settings.server = {
          port = 8181;
          bind_address = "192.168.100.3";
          secret_key = "@SEARX_SECRET_KEY@";
        };
      };
    };
  };

  containers.lidarr = {
    autoStart = true;
    privateNetwork = true;
    enableTun = true;
    hostAddress = "192.168.100.4";
    localAddress = "192.168.100.5";
    config = { ... }: {
      system.stateVersion = "24.11";
      networking.useHostResolvConf = lib.mkForce false;
      # Required workaround for tailscale exit nodes, see https://nixos.wiki/wiki/Tailscale
      networking.firewall.checkReversePath = "loose";
      services.resolved.enable = true;
      services.tailscale.enable = true;
    };
  };

  system.stateVersion = "24.11"; # Don't change

}