mjallen/nix-config
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

desktop is building I guess, idk, need to start commiting stuff eventually lmao

Browse Source
This commit is contained in:
mjallen18
2025-07-17 20:57:18 -05:00
parent 6c7c76887b
commit 442c24997d
219 changed files with 3166 additions and 3583 deletions
Download Patch File Download Diff File Expand all files Collapse all files

76
systems/x86_64-linux/deck/boot.nix Executable file
View File

@@ -0,0 +1,76 @@
{ pkgs, ... }:
let
kernel = pkgs.linuxPackages_cachyos;
in
{
# Configure bootloader with lanzaboot and secureboot
boot = {
consoleLogLevel = 0;
initrd.verbose = false;
kernelModules = [ "nct6775" ];
loader = {
systemd-boot = {
enable = false;
configurationLimit = 5;
extraInstallCommands = ''
${pkgs.uutils-coreutils}/bin/uutils-echo "timeout 0
console-mode 1
default nixos-*" > /boot/loader/loader.conf
'';
};
efi = {
canTouchEfiVariables = true;
efiSysMountPoint = "/boot";
};
};
lanzaboote = {
enable = true;
pkiBundle = "/etc/secureboot";
settings = {
console-mode = "max";
timeout = "0";
};
configurationLimit = 5;
# extraInstallCommands = ''
# ${pkgs.uutils-coreutils}/bin/uutils-echo "timeout 0
# console-mode 1
# default nixos-*" > /boot/loader/loader.conf
# '';
};
plymouth = {
enable = true;
};
kernelPackages = kernel;
kernelParams = [
"quiet"
"amdgpu.ppfeaturemask=0xffffffff"
"splash"
"rd.systemd.show_status=false"
"rd.udev.log_level=3"
"udev.log_priority=3"
"loglevel=0"
"vt.global_cursor_default=0"
"rd.shell=0"
# Disable audit messages
"audit=0"
# Disable CPU mitigations messages
"mitigations=off"
];
bootspec.enable = true;
};
# Further reduce systemd output
systemd = {
services.systemd-udev-settle.enable = false;
extraConfig = ''
ShowStatus=no
DefaultTimeoutStartSec=15s
'';
};
}

100
systems/x86_64-linux/deck/configuration.nix Executable file
View File

@@ -0,0 +1,100 @@
# Edit this configuration file to define what should be installed on
# your system. Help is available in the configuration.nix(5) man page, on
# https://search.nixos.org/options and in the NixOS manual (`nixos-help`).
{ config, lib, pkgs, ... }:
{
imports =
[
./boot.nix
./jovian.nix
./networking.nix
./sops.nix
];
nix = {
settings = {
substituters = [
"https://cache.mjallen.dev"
];
trusted-public-keys = [
"cache.mjallen.dev-1:IzFmKCd8/gggI6lcCXsW65qQwiCLGFFN9t9s2iw7Lvc="
];
builders-use-substitutes = true;
};
distributedBuilds = true;
buildMachines = [
{
hostName = "jalle-nas.local";
system = "x86_64-linux";
maxJobs = 10;
sshUser = "admin";
supportedFeatures = [ "nixos-test" "benchmark" "big-parallel" "kvm" ];
}
];
};
# Define a user account. Don't forget to set a password with passwd.
users.users = {
deck = {
hashedPasswordFile = config.sops.secrets."steamdeck/deck-password".path;
isNormalUser = true;
extraGroups = [ "wheel" ]; # Enable sudo for the user.
openssh.authorizedKeys.keys = [
# macBook
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCw9zq8DLGByI5v2gAn95hKNyOsm3g61a2buxu2BBMFysQJgmZPCCLUqRJKhSM5Vm/JOgsAmdpRBRZQoHD+6S844CJHb4v4VIbjkyQgYCuM7Rst2IOZ5QybvsA2/D0nwytZ+HXQqDj2AagUYDbz0gyyIHkDQ5YGBMkvkWz/h1Vci6aoBM7VihEDM4KlWoTVuPeASGM8r5IZ2FS83Djbqo4ov6AYvLMrKB9Z7hmFgH6R3LE0gxOkzbGVXtSuvJyrjvgytoT22UhATjjxSQ9D+YJXXkQoB3lUdg8OoIquUPjMZpl4mR8ffvseWPfcvD1XlD5t+TOHFqKpESO547tlOBYhdpew+NSgAXpamCU6oyV8tDCywLQu2ucxHRn78u6WXzWHkDtffdhzmk6TZaPhWqVHuTGjR4higBgGqUfSaKOMszt+FDRZAr3HtuQ2+zJ8bowK9fW5OqilTtK2HtQqroD9ApegDNbqOz6kGy5IycSXvqPURy/M4lxZxbtBPuemcJs= mattjallen@MacBook-Pro.local"
# desktop windows
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDZ2PYPjZddOzR8OJj16G88KcUhCDLkvrEmpUQP0wKHDUuA27HQQ2ORo66asadwGHY3k1VDZ1ei9l9H++SIIeKOaaUr5yZdktvj4POUNtbd9ZhcS7sZU7BSF+NMDM+h3tImh6z0S7mWvRQOUv3ZM+ZER+5xTWJVG1OOJEpb1drxJk6Qz0wbZKSR7TPNFBLLXlVy7hkNYf07RtDyhCCxNB3hJfa8c+oztnWumwDhDQWLqiUXWIU2QH6iRLGl/WYnujtNvVVaV/Hn3JJkS6MM9dnV3cpoIO0+J7+WfsN9rZ0wXt5yY3GhiGXwmcO5eYVli8lHlLWtK7aYSETyry6CBsLbojzOQO5rSqhpwfF2njAAFAQU0UjLc8PahisIuFKCwHH4iyXXOagiv5K1Mc/0Ak+WhhMPee6vV2p7NTyNpXRvouDbWy5cSRH31WgQ9fK5mIGe5v8nGGqtEhUubUkiOgP+H3UbT2V/nTv/TFKdJcKw+WmizvTrxBmaMjWALlkYl+s= mattl@Jallen-PC"
# desktop nixos
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPTBMydhOc6SnOdB5WrEd7X07DrboAtagCUgXiOJjLov matt@matt-nixos"
];
packages = with pkgs; [
firefox
tree
];
shell = pkgs.zsh;
};
root.shell = pkgs.zsh;
};
programs.coolercontrol.enable = true;
services = {
btrfs = {
autoScrub.enable = lib.mkDefault true;
autoScrub.fileSystems = lib.mkDefault [
"/nix"
"/root"
"/etc"
"/var/log"
"/home"
];
};
};
chaotic.mesa-git.enable = false;
services.displayManager.gdm.enable = lib.mkForce false;
# List packages installed in system profile. To search, run:
# $ nix search wget
environment = {
systemPackages = with pkgs; [
fuse
jq
newt
sbctl
steam-run
udisks2
zenity
];
variables = {
STEAM_FORCE_DESKTOPUI_SCALING = "1.0";
GDK_SCALE = "1";
};
};
}

73
systems/x86_64-linux/deck/home.nix Executable file
View File

@@ -0,0 +1,73 @@
{ pkgs, ... }:
let
shellAliases = {
update-boot = "sudo nixos-rebuild boot --max-jobs 10 --build-host admin@10.0.1.3";
update-switch = "sudo nixos-rebuild switch --max-jobs 10";
update-flake = "nix flake update steamdeck-nixpkgs steamdeck-chaotic steamdeck-home-manager steamdeck-impermanence steamdeck-jovian steamdeck-lanzaboote steamdeck-nixos-hardware steamdeck-sops-nix steamdeck-steam-rom-manager --flake /etc/nixos";
nas-ssh = "ssh admin@10.0.1.3";
};
in
{
home.username = "deck";
sops = {
age.keyFile = "/home/deck/.config/sops/age/keys.txt";
defaultSopsFile = "/etc/nixos/secrets/secrets.yaml";
validateSopsFiles = false;
secrets = {
"ssh-keys-public/deck" = {
path = "/home/deck/.ssh/id_ed25519.pub";
mode = "0644";
};
"ssh-keys-private/deck" = {
path = "/home/deck/.ssh/id_ed25519";
mode = "0600";
};
};
};
programs = {
steam-rom-manager = {
enable = true;
steamUsername = "mjallen18";
# Optional: override default paths if needed
environmentVariables = {
romsDirectory = "/home/deck/Emulation/roms";
steamDirectory = "/home/deck/.local/share/Steam";
};
emulators = {
ryujinx.enable = true;
dolphin-gamecube = {
enable = true;
package = pkgs.dolphin-emu;
romFolder = "gc";
fileTypes = [ ".iso" ".ISO" ".gcm" ".GCM" ".ciso" ".CISO" "rvz" ];
extraArgs = "-b -e \"\${filePath}\"";
};
pcsx2.enable = true;
mgba.enable = true;
"Non-SRM Shortcuts" = {
enable = true;
parserType = "Non-SRM Shortcuts";
extraArgs = "";
};
};
};
zsh.shellAliases = shellAliases;
};
home.packages = with pkgs; [
dolphin-emu
heroic
mgba
prismlauncher
ryujinx-greemdev
vmware-horizon-client
];
}

24
systems/x86_64-linux/deck/jovian.nix Executable file
View File

@@ -0,0 +1,24 @@
{ ... }:
{
jovian = {
steam = {
enable = true;
autoStart = true;
user = "deck";
desktopSession = "gnome";
};
steamos = {
useSteamOSConfig = true;
};
devices = {
steamdeck = {
enable = true;
enableGyroDsuService = true; # If enabled, motion data from the gyroscope can be used in Cemu with Cemuhoo
};
};
hardware.has.amd.gpu = true;
};
}

44
systems/x86_64-linux/deck/networking.nix Normal file
View File

@@ -0,0 +1,44 @@
{ config, lib, ... }:
let
hostname = "steamdeck";
wifiSsid = "Joey's Jungle 5G";
in
{
networking = {
hostName = hostname;
networkmanager = {
enable = true;
wifi.powersave = lib.mkDefault false;
settings.connectivity.uri = lib.mkDefault "http://nmcheck.gnome.org/check_network_status.txt";
ensureProfiles = {
environmentFiles = [
config.sops.secrets.wifi.path
];
profiles = {
wifiSsid = {
connection = {
id = wifiSsid;
type = "wifi";
};
ipv4 = {
method = "auto";
};
ipv6 = {
addr-gen-mode = "stable-privacy";
method = "auto";
};
wifi = {
mode = "infrastructure";
ssid = wifiSsid;
};
wifi-security = {
key-mgmt = "sae";
psk = "$PSK";
};
};
};
};
};
};
}

111
systems/x86_64-linux/deck/sops.nix Executable file
View File

@@ -0,0 +1,111 @@
{ config, ... }:
let
user = "deck";
in
{
# Permission modes are in octal representation (same as chmod),
# the digits represent: user|group|others
# 7 - full (rwx)
# 6 - read and write (rw-)
# 5 - read and execute (r-x)
# 4 - read only (r--)
# 3 - write and execute (-wx)
# 2 - write only (-w-)
# 1 - execute only (--x)
# 0 - none (---)
# Either a user id or group name representation of the secret owner
# It is recommended to get the user name from `config.users.users.<?name>.name` to avoid misconfiguration
# Either the group id or group name representation of the secret group
# It is recommended to get the group name from `config.users.users.<?name>.group` to avoid misconfiguration
sops = {
defaultSopsFile = ../../secrets/steamdeck-secrets.yaml;
age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
# ------------------------------
# Secrets
# ------------------------------
secrets = {
"steamdeck/deck-password" = {
neededForUsers = true;
mode = "0600";
owner = config.users.users."${user}".name;
group = config.users.users."${user}".group;
};
"wifi" = {
sopsFile = ../../secrets/secrets.yaml;
};
# ------------------------------
# SSH keys
# ------------------------------
# "ssh-keys-public/desktop-nixos" = {
# mode = "0644";
# owner = config.users.users."${user}".name;
# group = config.users.users."${user}".group;
# restartUnits = [ "sshd.service" ];
# };
# "ssh-keys-private/desktop-nixos" = {
# mode = "0600";
# owner = config.users.users."${user}".name;
# group = config.users.users."${user}".group;
# restartUnits = [ "sshd.service" ];
# };
# "ssh-keys-public/desktop-nixos-root" = {
# path = "/root/.ssh/id_ed25519.pub";
# mode = "0600";
# restartUnits = [ "sshd.service" ];
# };
# "ssh-keys-private/desktop-nixos-root" = {
# path = "/root/.ssh/id_ed25519";
# mode = "0600";
# restartUnits = [ "sshd.service" ];
# };
# ------------------------------
# Secureboot keys
# ------------------------------
"secureboot/GUID" = {
sopsFile = ../../secrets/secrets.yaml;
# path = "/etc/secureboot/GUID";
mode = "0600";
};
"secureboot/keys/db-key" = {
sopsFile = ../../secrets/secrets.yaml;
# path = "/etc/secureboot/keys/db/db.key";
mode = "0600";
};
"secureboot/keys/db-pem" = {
sopsFile = ../../secrets/secrets.yaml;
# path = "/etc/secureboot/keys/db/db.pem";
mode = "0600";
};
"secureboot/keys/KEK-key" = {
sopsFile = ../../secrets/secrets.yaml;
# path = "/etc/secureboot/keys/KEK/KEK.key";
mode = "0600";
};
"secureboot/keys/KEK-pem" = {
sopsFile = ../../secrets/secrets.yaml;
# path = "/etc/secureboot/keys/KEK/KEK.pem";
mode = "0600";
};
"secureboot/keys/PK-key" = {
sopsFile = ../../secrets/secrets.yaml;
# path = "/etc/secureboot/keys/PK/PK.key";
mode = "0600";
};
"secureboot/keys/PK-pem" = {
sopsFile = ../../secrets/secrets.yaml;
# path = "/etc/secureboot/keys/PK/PK.pem";
mode = "0600";
};
};
# ------------------------------
# Templates
# ------------------------------
templates = {
};
};
}

12
systems/x86_64-linux/desktop/boot.nix
View File

@@ -1,4 +1,4 @@
{ config, pkgs, ... }:
{ config, pkgs, namespace, ... }:
let
configLimit = 5;
# default = "@saved";
@@ -40,16 +40,6 @@ in
enable = true;
};
lanzaboote = {
enable = true;
pkiBundle = "/etc/secureboot";
settings = {
# default = default;
console-mode = "max";
};
configurationLimit = configLimit;
};
kernelPackages = kernel;
kernelParams = [

8
systems/x86_64-linux/desktop/configuration.nix
View File

@@ -28,15 +28,15 @@ let
# brscan5
ddcui
ddcutil
ddccontrol
ddccontrol-db
# ddccontrol
# ddccontrol-db
efibootmgr
kdePackages.ksvg
memtest86-efi
memtest86plus
os-prober
nil
qemu_full
qemu
rclone
rclone-browser
restic
@@ -49,8 +49,6 @@ let
udisks2
unzip
winetricks
inputs.desktop-lsfg.packages."x86_64-linux".default
];
in
{

11
systems/x86_64-linux/desktop/default.nix
View File

@@ -21,16 +21,17 @@
{
imports = [
./boot.nix
./configuration.nix
./filesystems.nix
./hardware-configuration.nix
./networking.nix
./nix.nix
./services.nix
./sops.nix
./users.nix
({ ... }: {
_module.args.hyprlandSettings = import ./hyprland-settings.nix;
})
];
${namespace} = {
bootloader.lanzaboote.enable = true;
desktop.gnome.enable = true;
};
}

155
systems/x86_64-linux/desktop/services.nix
View File

@@ -1,155 +0,0 @@
{ config, lib, pkgs, ... }:
let
pkgsVersion = pkgs; #.unstable;
in
{
services = {
# Enable Flatpak
flatpak.enable = lib.mkDefault false;
# enable auto discovery of printers
avahi = {
enable = lib.mkDefault true;
nssmdns4 = lib.mkDefault true;
openFirewall = lib.mkDefault true;
};
restic.backups = {
jallen-nas = {
initialize = true;
createWrapper = true;
inhibitsSleep = true;
environmentFile = config.sops.templates."restic.env".path;
passwordFile = config.sops.secrets."desktop/restic/password".path;
repositoryFile = config.sops.secrets."desktop/restic/repo".path;
paths = [
"/home/matt"
];
exclude = [
"/home/matt/Steam"
"/home/matt/Heroic"
"/home/matt/1TB"
"/home/matt/Downloads"
"/home/matt/Nextcloud"
"/home/matt/.cache"
"/home/matt/.local/share/Steam"
"/home/matt/.var/app/com.valvesoftware.Steam"
"/home/matt/.tmp"
"/home/matt/.thumbnails"
"/home/matt/.compose-cache"
];
};
proton-drive = {
initialize = true;
createWrapper = true;
inhibitsSleep = true;
passwordFile = config.sops.secrets."desktop/restic/password".path;
rcloneConfigFile = "/home/matt/.config/rclone/rclone.conf";
repository = "rclone:proton-drive:backup-nix";
paths = [
"/home/matt"
];
exclude = [
"/home/matt/Steam"
"/home/matt/Heroic"
"/home/matt/1TB"
"/home/matt/Downloads"
"/home/matt/Nextcloud"
"/home/matt/.cache"
"/home/matt/.local/share/Steam"
"/home/matt/.var/app/com.valvesoftware.Steam"
"/home/matt/.tmp"
"/home/matt/.thumbnails"
"/home/matt/.compose-cache"
];
};
};
btrfs = {
autoScrub.enable = lib.mkDefault true;
autoScrub.fileSystems = lib.mkDefault [
"/nix"
"/root"
"/etc"
"/var/log"
"/home"
];
};
ratbagd.enable = lib.mkDefault true;
keyd = {
enable = false;
keyboards = {
default = {
ids = [ "*" ];
settings = {
main = {
# Use ⌘ key (leftmeta) to activate macOS-like layer
leftmeta = "layer(meta_mac)";
};
meta_mac = {
# Tab switching
tab = "swapm(app_switch_state, M-tab)";
"`" = "A-f6";
# App shortcuts
c = "C-insert"; # Copy
v = "S-insert"; # Paste
x = "S-delete"; # Cut
"1" = "A-1";
"2" = "A-2";
"3" = "A-3";
"4" = "A-4";
"5" = "A-5";
"6" = "A-6";
"7" = "A-7";
"8" = "A-8";
"9" = "A-9";
# Move to line start/end
left = "home";
right = "end";
};
app_switch_state = {
tab = "M-tab";
right = "M-tab";
"`" = "M-S-tab";
left = "M-S-tab";
};
};
};
};
};
};
systemd = {
user.services = {
rclone-home-proton = {
enable = lib.mkDefault false;
path = with pkgsVersion; [
bash
pkgs.rclone
];
script = ''
rclone sync /home/matt proton-drive:backup-nix --exclude '/home/matt/Games/**' --exclude '/home/matt/1TB/**' --exclude '/home/matt/Downloads/**'
'';
};
rsync-home = {
enable = lib.mkDefault false;
path = with pkgsVersion; [
bash
rsync
openssh
];
script = ''
rsync -rtpogvPlHzs --ignore-existing --exclude={'/home/matt/Games', '/home/matt/1TB', '/home/matt/Downloads/*', '/home/matt/.cache'} -e ssh /home/matt admin@10.0.1.3:/media/nas/main/backup/desktop-nix/home
'';
};
};
};
}

13
systems/x86_64-linux/desktop/services/btrfs/default.nix Normal file
View File

@@ -0,0 +1,13 @@
{ lib, ... }:
{
services.btrfs = {
autoScrub.enable = lib.mkDefault true;
autoScrub.fileSystems = lib.mkDefault [
"/nix"
"/root"
"/etc"
"/var/log"
"/home"
];
};
}

49
systems/x86_64-linux/desktop/services/keyd/default.nix Normal file
View File

@@ -0,0 +1,49 @@
{ ... }:
{
services.keyd = {
enable = false;
keyboards = {
default = {
ids = [ "*" ];
settings = {
main = {
# Use ⌘ key (leftmeta) to activate macOS-like layer
leftmeta = "layer(meta_mac)";
};
meta_mac = {
# Tab switching
tab = "swapm(app_switch_state, M-tab)";
"`" = "A-f6";
# App shortcuts
c = "C-insert"; # Copy
v = "S-insert"; # Paste
x = "S-delete"; # Cut
"1" = "A-1";
"2" = "A-2";
"3" = "A-3";
"4" = "A-4";
"5" = "A-5";
"6" = "A-6";
"7" = "A-7";
"8" = "A-8";
"9" = "A-9";
# Move to line start/end
left = "home";
right = "end";
};
app_switch_state = {
tab = "M-tab";
right = "M-tab";
"`" = "M-S-tab";
left = "M-S-tab";
};
};
};
};
};
}

4
systems/x86_64-linux/desktop/services/ratbagd/default.nix Normal file
View File

@@ -0,0 +1,4 @@
{ lib, ... }:
{
services.ratbagd.enable = lib.mkDefault true;
}

53
systems/x86_64-linux/desktop/services/restic/default.nix Normal file
View File

@@ -0,0 +1,53 @@
{ config, ... }:
{
services.restic.backups = {
jallen-nas = {
initialize = true;
createWrapper = true;
inhibitsSleep = true;
environmentFile = config.sops.templates."restic.env".path;
passwordFile = config.sops.secrets."desktop/restic/password".path;
repositoryFile = config.sops.secrets."desktop/restic/repo".path;
paths = [
"/home/matt"
];
exclude = [
"/home/matt/Steam"
"/home/matt/Heroic"
"/home/matt/1TB"
"/home/matt/Downloads"
"/home/matt/Nextcloud"
"/home/matt/.cache"
"/home/matt/.local/share/Steam"
"/home/matt/.var/app/com.valvesoftware.Steam"
"/home/matt/.tmp"
"/home/matt/.thumbnails"
"/home/matt/.compose-cache"
];
};
proton-drive = {
initialize = true;
createWrapper = true;
inhibitsSleep = true;
passwordFile = config.sops.secrets."desktop/restic/password".path;
rcloneConfigFile = "/home/matt/.config/rclone/rclone.conf";
repository = "rclone:proton-drive:backup-nix";
paths = [
"/home/matt"
];
exclude = [
"/home/matt/Steam"
"/home/matt/Heroic"
"/home/matt/1TB"
"/home/matt/Downloads"
"/home/matt/Nextcloud"
"/home/matt/.cache"
"/home/matt/.local/share/Steam"
"/home/matt/.var/app/com.valvesoftware.Steam"
"/home/matt/.tmp"
"/home/matt/.thumbnails"
"/home/matt/.compose-cache"
];
};
};
}

26
systems/x86_64-linux/desktop/sops.nix
View File

@@ -18,7 +18,7 @@ in
# Either the group id or group name representation of the secret group
# It is recommended to get the group name from `config.users.users.<?name>.group` to avoid misconfiguration
sops = {
defaultSopsFile = ../../secrets/desktop-secrets.yaml;
defaultSopsFile = ../../../secrets/desktop-secrets.yaml;
age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
# ------------------------------
@@ -44,34 +44,34 @@ in
mode = "0600";
};
"wifi" = {
sopsFile = ../../secrets/secrets.yaml;
sopsFile = ../../../secrets/secrets.yaml;
};
# ------------------------------
# SSH keys
# ------------------------------
"ssh-keys-public/desktop-nixos" = {
sopsFile = ../../secrets/secrets.yaml;
sopsFile = ../../../secrets/secrets.yaml;
mode = "0644";
owner = config.users.users."${user}".name;
group = config.users.users."${user}".group;
restartUnits = [ "sshd.service" ];
};
"ssh-keys-private/desktop-nixos" = {
sopsFile = ../../secrets/secrets.yaml;
sopsFile = ../../../secrets/secrets.yaml;
mode = "0600";
owner = config.users.users."${user}".name;
group = config.users.users."${user}".group;
restartUnits = [ "sshd.service" ];
};
"ssh-keys-public/desktop-nixos-root" = {
sopsFile = ../../secrets/secrets.yaml;
sopsFile = ../../../secrets/secrets.yaml;
path = "/root/.ssh/id_ed25519.pub";
mode = "0600";
restartUnits = [ "sshd.service" ];
};
"ssh-keys-private/desktop-nixos-root" = {
sopsFile = ../../secrets/secrets.yaml;
sopsFile = ../../../secrets/secrets.yaml;
path = "/root/.ssh/id_ed25519";
mode = "0600";
restartUnits = [ "sshd.service" ];
@@ -81,37 +81,37 @@ in
# Secureboot keys
# ------------------------------
"secureboot/GUID" = {
sopsFile = ../../secrets/secrets.yaml;
sopsFile = ../../../secrets/secrets.yaml;
path = "/etc/secureboot/GUID";
mode = "0600";
};
"secureboot/keys/db-key" = {
sopsFile = ../../secrets/secrets.yaml;
sopsFile = ../../../secrets/secrets.yaml;
path = "/etc/secureboot/keys/db/db.key";
mode = "0600";
};
"secureboot/keys/db-pem" = {
sopsFile = ../../secrets/secrets.yaml;
sopsFile = ../../../secrets/secrets.yaml;
path = "/etc/secureboot/keys/db/db.pem";
mode = "0600";
};
"secureboot/keys/KEK-key" = {
sopsFile = ../../secrets/secrets.yaml;
sopsFile = ../../../secrets/secrets.yaml;
path = "/etc/secureboot/keys/KEK/KEK.key";
mode = "0600";
};
"secureboot/keys/KEK-pem" = {
sopsFile = ../../secrets/secrets.yaml;
sopsFile = ../../../secrets/secrets.yaml;
path = "/etc/secureboot/keys/KEK/KEK.pem";
mode = "0600";
};
"secureboot/keys/PK-key" = {
sopsFile = ../../secrets/secrets.yaml;
sopsFile = ../../../secrets/secrets.yaml;
path = "/etc/secureboot/keys/PK/PK.key";
mode = "0600";
};
"secureboot/keys/PK-pem" = {
sopsFile = ../../secrets/secrets.yaml;
sopsFile = ../../../secrets/secrets.yaml;
path = "/etc/secureboot/keys/PK/PK.pem";
mode = "0600";
};

12
systems/x86_64-linux/desktop/specialisations/cosmic/default.nix Executable file
View File

@@ -0,0 +1,12 @@
{ namespace, ... }:
{
specialisation.cosmic.configuration = {
${namespace} = {
desktop = {
cosmic.enable = true;
gnome.enable = true;
};
};
environment.etc."specialisation".text = "cosmic";
};
}

12
systems/x86_64-linux/desktop/specialisations/hyprland/default.nix Executable file
View File

@@ -0,0 +1,12 @@
{ namespace, ... }:
{
specialisation.hyprland.configuration = {
${namespace} = {
desktop = {
hyprland.enable = true;
gnome.enable = false;
};
};
environment.etc."specialisation".text = "hyprland";
};
}

105
systems/x86_64-linux/nas/apps.nix Executable file
View File

@@ -0,0 +1,105 @@
{ pkgs, lib, ... }:
let
settings = import ./settings.nix;
in
{
imports = [
./apps/actual
./apps/arrs
./apps/crowdsec
./apps/excalidraw
./apps/gitea
./apps/immich
./apps/jellyfin
./apps/jellyseerr
./apps/lubelogger
./apps/nextcloud
./apps/ollama
./apps/orca
./apps/paperless
./apps/traefik
./apps/wyoming
../../modules
];
nas-apps = {
actual = {
enable = true;
port = 3333;
localAddress = "10.0.3.18";
dataDir = "/media/nas/ssd/nix-app-data/actual";
reverseProxy = {
enable = true;
host = "actual.mjallen.dev";
middlewares = [ "crowdsec" "whitelist-geoblock" ];
};
};
arrs = {
enable = true;
localAddress = "10.0.1.51";
downloadsDir = "/media/nas/ssd/ssd_app_data/downloads";
incompleteDownloadsDir = "/media/nas/ssd/ssd_app_data/downloads-incomplete";
moviesDir = "/media/nas/main/movies";
tvDir = "/media/nas/main/tv";
isosDir = "/media/nas/main/isos";
radarr = {
enable = true;
port = 7878;
dataDir = "/media/nas/ssd/nix-app-data/radarr";
};
sonarr = {
enable = true;
port = 8989;
dataDir = "/media/nas/ssd/nix-app-data/sonarr";
};
sabnzbd = {
enable = true;
port = 8280;
dataDir = "/media/nas/ssd/nix-app-data/sabnzbd";
};
deluge = {
enable = true;
port = 8112;
};
jackett = {
enable = true;
port = 9117;
dataDir = "/media/nas/ssd/nix-app-data/jackett";
};
};
crowdsec = {
enable = true;
port = 9898;
apiAddress = settings.hostAddress;
apiKey = "1daH89qmJ41r2Lpd9hvDw4sxtOAtBzaj3aKFOFqE";
dataDir = "/media/nas/ssd/nix-app-data/crowdsec";
};
gitea = {
enable = true;
httpPort = 3000;
sshPort = 2222;
localAddress = "10.0.4.18";
dataDir = "/media/nas/ssd/nix-app-data/gitea";
reverseProxy = {
enable = true;
host = "gitea.mjallen.dev";
middlewares = [ "crowdsec" "whitelist-geoblock" ];
};
};
free-games-claimer.enable = true;
manyfold.enable = true;
orca-slicer = {
enable = true;
httpPort = "3100";
httpsPort = "3101";
};
tdarr.enable = true;
};
}

125
systems/x86_64-linux/nas/apps/actual/default.nix Normal file
View File

@@ -0,0 +1,125 @@
{ config, pkgs, lib, ... }:
with lib;
let
cfg = config.nas-apps.actual;
settings = import ../../settings.nix;
dataDir = "/data";
hostAddress = settings.hostAddress;
actualUserId = config.users.users.nix-apps.uid;
actualGroupId = config.users.groups.jallen-nas.gid;
in
{
imports = [ ./options.nix ];
config = mkIf cfg.enable {
containers.actual = {
autoStart = true;
privateNetwork = true;
hostAddress = hostAddress;
localAddress = cfg.localAddress;
bindMounts = {
${dataDir} = {
hostPath = cfg.dataDir;
isReadOnly = false;
};
};
config = { lib, ... }:
{
services.actual = {
enable = true;
openFirewall = true;
settings = {
trustedProxies = [ hostAddress ];
port = cfg.port;
dataDir = dataDir;
serverFiles = "${dataDir}/server-files";
userFiles = "${dataDir}/user-files";
};
};
users.users.actual = {
isSystemUser = true;
uid = lib.mkForce actualUserId;
group = "actual";
};
users.groups = {
actual = {
gid = lib.mkForce actualGroupId;
};
};
# System packages
environment.systemPackages = with pkgs; [
sqlite
];
# Create and set permissions for required directories
system.activationScripts.actual-dirs = ''
mkdir -p ${dataDir}
chown -R actual:actual ${dataDir}
chmod -R 0700 ${dataDir}
'';
systemd.services = {
actual = {
environment.ACTUAL_CONFIG_PATH = lib.mkForce "${dataDir}/config.json";
serviceConfig = {
ExecStart = lib.mkForce "${pkgs.actual-server}/bin/actual-server --config ${dataDir}/config.json";
WorkingDirectory = lib.mkForce dataDir;
StateDirectory = lib.mkForce dataDir;
StateDirectoryMode = lib.mkForce 0700;
DynamicUser = lib.mkForce false;
ProtectSystem = lib.mkForce null;
};
};
};
networking = {
firewall = {
enable = true;
allowedTCPPorts = [ cfg.port ];
};
# Use systemd-resolved inside the container
# Workaround for bug https://github.com/NixOS/nixpkgs/issues/162686
useHostResolvConf = lib.mkForce false;
};
services.resolved.enable = true;
system.stateVersion = "23.11";
};
};
services.traefik.dynamicConfigOptions = lib.mkIf cfg.reverseProxy.enable {
services.actual.loadBalancer.servers = [
{
url = "http://${cfg.localAddress}:${toString cfg.port}";
}
];
routers.actual = {
entryPoints = [ "websecure" ];
rule = "Host(`${cfg.reverseProxy.host}`)";
service = "actual";
middlewares = cfg.reverseProxy.middlewares;
tls.certResolver = "letsencrypt";
};
};
networking = {
nat = {
forwardPorts = [
{
destination = "${cfg.localAddress}:${toString cfg.port}";
sourcePort = cfg.port;
}
];
};
firewall = {
allowedTCPPorts = [ cfg.port ];
allowedUDPPorts = [ cfg.port ];
};
};
};
}

37
systems/x86_64-linux/nas/apps/actual/options.nix Normal file
View File

@@ -0,0 +1,37 @@
{ lib, ... }:
with lib;
{
options.nas-apps.actual = {
enable = mkEnableOption "actual service";
port = mkOption {
type = types.int;
default = 80;
};
localAddress = mkOption {
type = types.str;
default = "127.0.0.1";
};
dataDir = mkOption {
type = types.str;
default = "";
};
reverseProxy = {
enable = mkOption {
type = types.bool;
default = false;
};
host = mkOption {
type = types.str;
default = "";
};
middlewares = mkOption {
type = with types; listOf str;
default = [ ];
};
};
};
}

237
systems/x86_64-linux/nas/apps/arrs/default.nix Executable file
View File

@@ -0,0 +1,237 @@
{
config,
pkgs,
lib,
...
}:
with lib;
let
cfg = config.nas-apps.arrs;
settings = import ../../settings.nix;
radarrDataDir = "/var/lib/radarr";
downloadDir = "/downloads";
incompleteDir = "/downloads-incomplete";
sonarrDataDir = "/var/lib/sonarr";
sabnzbdConfig = "/var/lib/sabnzbd";
jackettDir = "/var/lib/jackett/.config/Jackett";
mediaDir = "/media";
arrUserId = config.users.users.nix-apps.uid;
arrGroupId = config.users.groups.jallen-nas.gid;
radarrPkg = pkgs.radarr;
sonarrPkg = pkgs.sonarr;
delugePkg = pkgs.deluge;
jackettPkg = pkgs.jackett;
sabnzbdPkg = pkgs.sabnzbd;
in
{
imports = [ ./options.nix ];
config = mkIf cfg.enable {
containers.arrs = {
autoStart = true;
privateNetwork = true;
hostAddress = settings.hostAddress;
localAddress = cfg.localAddress;
config =
{
pkgs,
lib,
...
}:
{
nixpkgs.config.allowUnfree = true;
# Enable radarr service
services.radarr = {
enable = cfg.radarr.enable;
openFirewall = true;
user = "arrs";
group = "media";
dataDir = radarrDataDir;
package = radarrPkg;
};
# Enable Sonarr service
services.sonarr = {
enable = cfg.sonarr.enable;
openFirewall = true;
user = "arrs";
group = "media";
dataDir = sonarrDataDir;
package = sonarrPkg;
};
# Enable Sabnzbd service
services.sabnzbd = {
enable = cfg.sabnzbd.enable;
openFirewall = true;
user = "arrs";
group = "media";
configFile = "${sabnzbdConfig}/sabnzbd.ini";
package = sabnzbdPkg;
};
services.deluge = {
enable = cfg.deluge.enable;
user = "arrs";
group = "media";
openFirewall = true;
dataDir = "/media";
package = delugePkg;
web = {
enable = true;
port = cfg.deluge.port;
openFirewall = true;
};
};
services.jackett = {
enable = cfg.jackett.enable;
user = "arrs";
group = "media";
openFirewall = true;
package = jackettPkg;
};
# Create required users and groups
users.users.arrs = {
isSystemUser = true;
uid = lib.mkForce arrUserId;
group = "media";
extraGroups = [ "downloads" ];
};
users.groups = {
media = {
gid = lib.mkForce arrGroupId;
};
downloads = { };
};
# System packages
environment.systemPackages = with pkgs; [
glib
sqlite
mono
mediainfo
protonvpn-cli_2
];
# Create and set permissions for required directories
system.activationScripts.arr-dirs = ''
mkdir -p ${radarrDataDir}
mkdir -p ${sonarrDataDir}
mkdir -p ${sabnzbdConfig}
mkdir -p ${downloadDir}
mkdir -p ${incompleteDir}
mkdir -p ${mediaDir}
chown -R arrs:media ${radarrDataDir}
chown -R arrs:media ${sonarrDataDir}
chown -R arrs:media ${sabnzbdConfig}
chown -R arrs:media ${downloadDir}
chown -R arrs:media ${incompleteDir}
chown -R arrs:media ${mediaDir}
chmod -R 775 ${radarrDataDir}
chmod -R 775 ${sonarrDataDir}
chmod -R 775 ${sabnzbdConfig}
chmod -R 775 ${downloadDir}
chmod -R 775 ${incompleteDir}
chmod -R 775 ${mediaDir}
'';
networking = {
firewall = {
enable = true;
allowedTCPPorts = [
cfg.radarr.port
cfg.sonarr.port
cfg.sabnzbd.port
8080
];
};
# Use systemd-resolved inside the container
# Workaround for bug https://github.com/NixOS/nixpkgs/issues/162686
useHostResolvConf = lib.mkForce false;
};
services.resolved.enable = true;
system.stateVersion = "23.11";
};
# Bind mount directories from host
bindMounts = {
"${radarrDataDir}" = {
hostPath = cfg.radarr.dataDir;
isReadOnly = false;
};
"${sonarrDataDir}" = {
hostPath = cfg.sonarr.dataDir;
isReadOnly = false;
};
"${sabnzbdConfig}" = {
hostPath = cfg.sabnzbd.dataDir;
isReadOnly = false;
};
"${downloadDir}" = {
hostPath = cfg.downloadsDir;
isReadOnly = false;
};
"${incompleteDir}" = {
hostPath = cfg.incompleteDownloadsDir;
isReadOnly = false;
};
"${jackettDir}" = {
hostPath = cfg.jackett.dataDir;
isReadOnly = false;
};
"/media/movies" = {
hostPath = cfg.moviesDir;
isReadOnly = false;
};
"/media/tv" = {
hostPath = cfg.tvDir;
isReadOnly = false;
};
"/media/isos" = {
hostPath = cfg.isosDir;
isReadOnly = false;
};
};
};
networking = {
nat = {
forwardPorts = [
{
destination = "${cfg.localAddress}:${toString cfg.radarr.port}";
sourcePort = cfg.radarr.port;
}
{
destination = "${cfg.localAddress}:${toString cfg.sonarr.port}";
sourcePort = cfg.sonarr.port;
}
{
destination = "${cfg.localAddress}:8080";
sourcePort = cfg.sabnzbd.port;
}
{
destination = "${cfg.localAddress}:${toString cfg.deluge.port}";
sourcePort = cfg.deluge.port;
}
{
destination = "${cfg.localAddress}:${toString cfg.jackett.port}";
sourcePort = cfg.jackett.port;
}
];
};
firewall = {
allowedTCPPorts = [ cfg.radarr.port cfg.sonarr.port cfg.sabnzbd.port 8080 cfg.deluge.port cfg.jackett.port ];
allowedUDPPorts = [ cfg.radarr.port cfg.sonarr.port cfg.sabnzbd.port 8080 cfg.deluge.port cfg.jackett.port ];
};
};
};
}

112
systems/x86_64-linux/nas/apps/arrs/options.nix Normal file
View File

@@ -0,0 +1,112 @@
{ lib, ... }:
with lib;
{
options.nas-apps.arrs = {
enable = mkEnableOption "arrs services";
radarr = {
enable = mkOption {
type = types.bool;
default = false;
};
port = mkOption {
type = types.int;
default = 7878;
};
dataDir = mkOption {
type = types.str;
default = "";
};
};
sonarr = {
enable = mkOption {
type = types.bool;
default = false;
};
port = mkOption {
type = types.int;
default = 8989;
};
dataDir = mkOption {
type = types.str;
default = "";
};
};
sabnzbd = {
enable = mkOption {
type = types.bool;
default = false;
};
port = mkOption {
type = types.int;
default = 8280;
};
dataDir = mkOption {
type = types.str;
default = "";
};
};
deluge = {
enable = mkOption {
type = types.bool;
default = false;
};
port = mkOption {
type = types.int;
default = 8112;
};
dataDir = mkOption {
type = types.str;
default = "";
};
};
jackett = {
enable = mkOption {
type = types.bool;
default = false;
};
port = mkOption {
type = types.int;
default = 9117;
};
dataDir = mkOption {
type = types.str;
default = "";
};
};
localAddress = mkOption {
type = types.str;
default = "127.0.0.1";
};
downloadsDir = mkOption {
type = types.str;
default = "";
};
incompleteDownloadsDir = mkOption {
type = types.str;
default = "";
};
moviesDir = mkOption {
type = types.str;
default = "";
};
tvDir = mkOption {
type = types.str;
default = "";
};
isosDir = mkOption {
type = types.str;
default = "";
};
};
}

58
systems/x86_64-linux/nas/apps/crowdsec/default.nix Executable file
View File

@@ -0,0 +1,58 @@
{ outputs, config, lib, pkgs, ... }:
with lib;
let
cfg = config.nas-apps.crowdsec;
in
{
imports = [ ./options.nix ];
config = lib.mkIf cfg.enable {
services = {
crowdsec = let
yaml = (pkgs.formats.yaml {}).generate;
acquisitions_file = yaml "acquisitions.yaml" {
source = "journalctl";
journalctl_filter = ["_SYSTEMD_UNIT=sshd.service"];
labels.type = "syslog";
};
in {
enable = true;
enrollKeyFile = "${cfg.dataDir}/enroll.key";
settings = {
crowdsec_service.acquisition_path = acquisitions_file;
api.server = {
listen_uri = "0.0.0.0:${toString cfg.port}";
};
};
};
crowdsec-firewall-bouncer = {
enable = true;
settings = {
api_key = cfg.apiKey;
api_url = "http://${cfg.apiAddress}:${toString cfg.port}";
};
};
};
systemd.services.crowdsec.serviceConfig = {
ExecStartPre = let
script = pkgs.writeScriptBin "register-bouncer" ''
#!${pkgs.runtimeShell}
set -eu
set -o pipefail
if ! cscli bouncers list | grep -q "nas-bouncer"; then
cscli bouncers add "nas-bouncer" --key "${cfg.apiKey}"
fi
'';
in ["${script}/bin/register-bouncer"];
};
networking = {
firewall = {
allowedTCPPorts = [ cfg.port ];
allowedUDPPorts = [ cfg.port ];
};
};
};
}

27
systems/x86_64-linux/nas/apps/crowdsec/options.nix Normal file
View File

@@ -0,0 +1,27 @@
{ lib, ... }:
with lib;
{
options.nas-apps.crowdsec = {
enable = mkEnableOption "crowdsec service";
port = mkOption {
type = types.int;
default = 9898;
};
apiAddress = mkOption {
type = types.str;
default = "127.0.0.1";
};
apiKey = mkOption {
type = types.str;
default = "";
};
dataDir = mkOption {
type = types.str;
default = "";
};
};
}

13
systems/x86_64-linux/nas/apps/excalidraw/default.nix Normal file
View File

@@ -0,0 +1,13 @@
{ config, ... }:
{
virtualisation.oci-containers.containers.excalidraw = {
autoStart = true;
image = "excalidraw/excalidraw";
ports = [ "8765:80" ];
environment = {
PUID = toString config.users.users.nix-apps.uid;
PGID = toString config.users.groups.jallen-nas.gid;
TZ = "America/Chicago";
};
};
}

131
systems/x86_64-linux/nas/apps/gitea/default.nix Normal file
View File

@@ -0,0 +1,131 @@
{ config, lib, ... }:
with lib;
let
cfg = config.nas-apps.gitea;
settings = import ../../settings.nix;
hostAddress = settings.hostAddress;
# localAddress = "10.0.4.18";
# httpPort = 3000;
# sshPort = 2222;
rootUrl = "https://gitea.mjallen.dev/";
# stateDir = "/media/nas/ssd/nix-app-data/gitea";
dataDir = "/var/lib/gitea";
secretsDir = "/run/secrets/jallen-nas/gitea";
mailerPasswordFile = config.sops.secrets."jallen-nas/gitea/mail-key".path;
metricsTokenFile = config.sops.secrets."jallen-nas/gitea/metrics-key".path;
in
{
imports = [ ./options.nix ];
config = mkIf cfg.enable {
containers.gitea = {
autoStart = true;
privateNetwork = true;
hostAddress = hostAddress;
localAddress = cfg.localAddress;
bindMounts = {
${dataDir} = {
hostPath = cfg.dataDir;
isReadOnly = false;
};
secrets = {
hostPath = secretsDir;
isReadOnly = true;
mountPoint = secretsDir;
};
};
config = { lib, ... }:
{
services.gitea = {
enable = true;
stateDir = dataDir;
mailerPasswordFile = mailerPasswordFile;
metricsTokenFile = metricsTokenFile;
settings = {
server = {
DOMAIN = "jallen-nas";
HTTP_ADDR = "0.0.0.0";
HTTP_PORT = cfg.httpPort;
PROTOCOL = "http";
ROOT_URL = rootUrl;
START_SSH_SERVER = true;
SSH_PORT = cfg.sshPort;
};
service = {
REGISTER_EMAIL_CONFIRM = false;
ENABLE_CAPTCHA = false;
DISABLE_REGISTRATION = true;
ENABLE_OPENID_SIGNIN = false;
ENABLE_LDAP_SIGNIN = false;
ENABLE_SSH_SIGNIN = true;
ENABLE_BUILTIN_SSH_SERVER = true;
ENABLE_REVERSE_PROXY_AUTHENTICATION = true;
};
};
};
users.users.gitea = {
extraGroups = [ "keys" ];
};
networking = {
firewall = {
enable = true;
allowedTCPPorts = [ cfg.httpPort cfg.sshPort ];
};
# Use systemd-resolved inside the container
# Workaround for bug https://github.com/NixOS/nixpkgs/issues/162686
useHostResolvConf = lib.mkForce false;
};
# Create and set permissions for required directories
system.activationScripts.gitea-dirs = ''
mkdir -p /var/lib/gitea
chown -R gitea:gitea /var/lib/gitea
chmod -R 775 /var/lib/gitea
mkdir -p /run/secrets/jallen-nas
chown -R gitea:gitea /run/secrets/jallen-nas
chmod -R 775 /run/secrets/jallen-nas
'';
services.resolved.enable = true;
system.stateVersion = "23.11";
};
};
services.traefik.dynamicConfigOptions = lib.mkIf cfg.reverseProxy.enable {
services.gitea.loadBalancer.servers = [
{
url = "http://${cfg.localAddress}:${toString cfg.httpPort}";
}
];
routers.gitea = {
entryPoints = [ "websecure" ];
rule = "Host(`${cfg.reverseProxy.host}`)";
service = "gitea";
middlewares = cfg.reverseProxy.middlewares;
tls.certResolver = "letsencrypt";
};
};
networking = {
nat = {
forwardPorts = [
{
destination = "${cfg.localAddress}:${toString cfg.httpPort}";
sourcePort = cfg.httpPort;
}
{
destination = "${cfg.localAddress}:${toString cfg.sshPort}";
sourcePort = cfg.sshPort;
}
];
};
firewall = {
allowedTCPPorts = [ cfg.httpPort cfg.sshPort ];
allowedUDPPorts = [ cfg.httpPort cfg.sshPort ];
};
};
};
}

42
systems/x86_64-linux/nas/apps/gitea/options.nix Normal file
View File

@@ -0,0 +1,42 @@
{ lib, ... }:
with lib;
{
options.nas-apps.gitea = {
enable = mkEnableOption "gitea service";
httpPort = mkOption {
type = types.int;
default = 80;
};
sshPort = mkOption {
type = types.int;
default = 22;
};
localAddress = mkOption {
type = types.str;
default = "127.0.0.1";
};
dataDir = mkOption {
type = types.str;
default = "";
};
reverseProxy = {
enable = mkOption {
type = types.bool;
default = false;
};
host = mkOption {
type = types.str;
default = "";
};
middlewares = mkOption {
type = with types; listOf str;
default = [ ];
};
};
};
}

27
systems/x86_64-linux/nas/apps/immich/default.nix Executable file
View File

@@ -0,0 +1,27 @@
{ config, lib, ... }:
let
settings = import ../../settings.nix;
immichPort = 2283;
dataDir = "/media/nas/main/photos";
dbPassword = config.sops.secrets."jallen-nas/immich/db-password".path;
in
{
# Enable immich service
services.immich = {
enable = true;
port = immichPort;
openFirewall = true;
secretsFile = dbPassword;
mediaLocation = dataDir;
environment = {
IMMICH_HOST = lib.mkForce "0.0.0.0";
IMMICH_TRUSTED_PROXIES = settings.hostAddress;
TZ = "America/Chicago";
};
machine-learning = {
enable = true;
};
};
}

11
systems/x86_64-linux/nas/apps/jellyfin/default.nix Executable file
View File

@@ -0,0 +1,11 @@
{ ... }:
{
services.jellyfin = {
enable = true;
openFirewall = true;
user = "nix-apps";
group = "jallen-nas";
dataDir = "/media/nas/ssd/nix-app-data/jellyfin";
# cacheDir = "/cache";
};
}

73
systems/x86_64-linux/nas/apps/jellyseerr/default.nix Executable file
View File

@@ -0,0 +1,73 @@
{ ... }:
let
jellyseerrPort = 5055;
dataDir = "/var/lib/private/jellyseerr";
settings = import ../../settings.nix;
in
{
containers.jellyseerr = {
autoStart = true;
privateNetwork = true;
hostAddress = settings.hostAddress;
localAddress = "10.0.1.52";
hostAddress6 = "fc00::1";
localAddress6 = "fc00::4";
bindMounts = {
${dataDir} = {
hostPath = "/media/nas/ssd/nix-app-data/jellyseerr";
isReadOnly = false;
};
};
config =
{
lib,
...
}:
{
# Enable jellyseerr service
services.jellyseerr = {
enable = true;
port = jellyseerrPort;
# package = package;
openFirewall = true;
};
networking = {
firewall = {
enable = true;
allowedTCPPorts = [ jellyseerrPort ];
};
# Use systemd-resolved inside the container
# Workaround for bug https://github.com/NixOS/nixpkgs/issues/162686
useHostResolvConf = lib.mkForce false;
};
# Create and set permissions for required directories
system.activationScripts.jellyseerr-dirs = ''
mkdir -p /var/lib/private/jellyseerr
chown -R jellyseerr:jellyseerr /var/lib/private/jellyseerr
chmod -R 775 /var/lib/private/jellyseerr
ln -sf /var/lib/private/jellyseerr /var/lib/jellyfin
'';
services.resolved.enable = true;
system.stateVersion = "23.11";
};
};
networking.nat = {
forwardPorts = [
{
destination = "10.0.1.52:5055";
sourcePort = jellyseerrPort;
}
];
};
}

20
systems/x86_64-linux/nas/apps/lubelogger/default.nix Normal file
View File

@@ -0,0 +1,20 @@
{ config, ... }:
{
virtualisation.oci-containers.containers.lubelogger = {
autoStart = true;
image = "ghcr.io/hargata/lubelogger";
ports = [ "6754:8080" ];
volumes = [
"/media/nas/ssd/nix-app-data/lubelogger:/App/data"
"/media/nas/ssd/nix-app-data/lubelogger/keys:/root/.aspnet/DataProtection-Keys"
];
environmentFiles = [
"/media/nas/ssd/nix-app-data/lubelogger/lubelogger.env"
];
environment = {
PUID = toString config.users.users.nix-apps.uid;
PGID = toString config.users.groups.jallen-nas.gid;
TZ = "America/Chicago";
};
};
}

241
systems/x86_64-linux/nas/apps/nextcloud/default.nix Executable file
View File

@@ -0,0 +1,241 @@
{ config, pkgs, ... }:
let
settings = import ../../settings.nix;
adminpass = config.sops.secrets."jallen-nas/nextcloud/adminpassword".path;
secretsFile = config.sops.secrets."jallen-nas/nextcloud/smtp_settings".path;
jwtSecretFile = config.sops.secrets."jallen-nas/onlyoffice-key".path;
nextcloudUserId = config.users.users.nix-apps.uid;
nextcloudGroupId = config.users.groups.jallen-nas.gid;
nextcloudPackage = pkgs.unstable.nextcloud31;
hostAddress = settings.hostAddress;
localAddress = "10.0.2.18";
nextcloudPortExtHttp = 9988;
nextcloudPortExtHttps = 9943;
onlyofficePortExt = 9943;
in
{
containers.nextcloud = {
autoStart = true;
privateNetwork = true;
hostAddress = hostAddress;
localAddress = localAddress;
bindMounts = {
secrets = {
hostPath = "/run/secrets/jallen-nas/nextcloud";
isReadOnly = true;
mountPoint = "/run/secrets/jallen-nas/nextcloud";
};
secrets2 = {
hostPath = "/run/secrets/jallen-nas/onlyoffice-key";
isReadOnly = true;
mountPoint = "/run/secrets/jallen-nas/onlyoffice-key";
};
data = {
hostPath = "/media/nas/main/nextcloud";
isReadOnly = false;
mountPoint = "/data";
};
"/var/lib/nextcloud" = {
hostPath = "/media/nas/ssd/nix-app-data/nextcloud";
isReadOnly = false;
mountPoint = "/var/lib/nextcloud";
};
"/var/lib/onlyoffice" = {
hostPath = "/media/nas/ssd/nix-app-data/onlyoffice";
isReadOnly = false;
mountPoint = "/var/lib/onlyoffice";
};
};
config =
{ pkgs, lib, ... }:
{
imports = [ ../../../../modules/nvidia ];
nixpkgs.config.allowUnfree = true;
networking.extraHosts = ''
${hostAddress} host.containers protonmail-bridge
'';
services = {
nextcloud = {
enable = true;
package = nextcloudPackage;
# datadir = "/data";
database.createLocally = true;
hostName = "cloud.mjallen.dev";
appstoreEnable = true;
caching.redis = true;
configureRedis = true;
enableImagemagick = true;
https = true;
secretFile = secretsFile;
config = {
adminuser = "mjallen";
adminpassFile = adminpass;
dbhost = "localhost";
dbtype = "sqlite";
dbname = "nextcloud";
dbuser = "nextcloud";
};
settings = {
loglevel = 3;
allow_local_remote_servers = true;
upgrade.disable-web = false;
datadirectory = "/data";
trusted_domains = [
"${hostAddress}:${toString nextcloudPortExtHttp}"
"${hostAddress}:${toString nextcloudPortExtHttps}"
"${localAddress}:80"
"${localAddress}:443"
"cloud.mjallen.dev"
];
opcache.interned_strings_buffer = 16;
trusted_proxies = [ hostAddress ];
maintenance_window_start = 6;
default_phone_region = "US";
enable_previews = true;
enabledPreviewProviders = [
"OC\\Preview\\PNG"
"OC\\Preview\\JPEG"
"OC\\Preview\\GIF"
"OC\\Preview\\BMP"
"OC\\Preview\\XBitmap"
"OC\\Preview\\MP3"
"OC\\Preview\\TXT"
"OC\\Preview\\MarkDown"
"OC\\Preview\\OpenDocument"
"OC\\Preview\\Krita"
"OC\\Preview\\HEIC"
"OC\\Preview\\Movie"
"OC\\Preview\\MSOffice2003"
"OC\\Preview\\MSOffice2007"
"OC\\Preview\\MSOfficeDoc"
];
installed = true;
user_oidc = {
auto_provision = false;
soft_auto_provision = false;
allow_multiple_user_backends = false; # auto redirect to authentik for login
};
};
};
};
services.onlyoffice = {
enable = true;
port = onlyofficePortExt;
hostname = "office.mjallen.dev";
jwtSecretFile = jwtSecretFile;
};
# System packages
environment.systemPackages = with pkgs; [
cudaPackages.cudnn
cudatoolkit
ffmpeg
# libtensorflow-bin
nextcloud31
nodejs
onlyoffice-documentserver
sqlite
];
# Create required users and groups
users.users.nextcloud = {
isSystemUser = true;
uid = lib.mkForce nextcloudUserId;
group = "nextcloud";
};
users.users.onlyoffice = {
group = lib.mkForce "nextcloud";
};
users.groups = {
nextcloud = {
gid = lib.mkForce nextcloudGroupId;
};
downloads = { };
};
# Create and set permissions for required directories
system.activationScripts.nextcloud-dirs = ''
mkdir -p /data
chown -R nextcloud:nextcloud /data
chown -R nextcloud:nextcloud /run/secrets/jallen-nas/nextcloud
chmod -R 775 /data
chmod -R 750 /run/secrets/jallen-nas/nextcloud
'';
hardware = {
graphics = {
enable = true;
# setLdLibraryPath = true;
};
};
programs = {
nix-ld.enable = true;
};
share.hardware.nvidia = {
enable = true;
enableBeta = true;
enableOpen = true;
nvidiaSettings = true;
enableNvidiaDocker = true;
};
system.stateVersion = "23.11";
networking = {
firewall = {
enable = true;
allowedTCPPorts = [
80
443
onlyofficePortExt
];
};
# Use systemd-resolved inside the container
# Workaround for bug https://github.com/NixOS/nixpkgs/issues/162686
useHostResolvConf = lib.mkForce false;
};
services.resolved.enable = true;
};
};
networking = {
nat = {
forwardPorts = [
{
destination = "${localAddress}:443";
sourcePort = nextcloudPortExtHttps;
}
{
destination = "${localAddress}:80";
sourcePort = nextcloudPortExtHttp;
}
{
destination = "${localAddress}:8000";
sourcePort = 8000;
}
{
destination = "${localAddress}:${toString onlyofficePortExt}";
sourcePort = onlyofficePortExt;
}
];
};
};
}

70
systems/x86_64-linux/nas/apps/ollama/default.nix Executable file
View File

@@ -0,0 +1,70 @@
{ config, pkgs, ... }:
let
llamaPackage = pkgs.llama-cpp.overrideAttrs (old: {
src = pkgs.fetchFromGitHub {
owner = "ggml-org";
repo = "llama.cpp";
rev = "b4920";
sha256 = "sha256-SnQIeY74JpAPRMxWcpklDH5D4CQvAgi0GYx5+ECk2J4=";
};
# Optionally override other attributes if you need to
# version = "my-fork-version";
# pname = "llama-cpp-custom";
});
in
{
services.ollama = {
enable = true;
port = 11434;
host = "0.0.0.0";
user = "nix-apps";
group = "jallen-nas";
openFirewall = true;
acceleration = "cuda";
home = "/media/nas/ssd/nix-app-data/ollama";
};
environment.systemPackages = [ llamaPackage ];
services.llama-cpp = {
enable = true;
port = 8127;
host = "0.0.0.0";
openFirewall = true;
model = "/media/nas/ssd/nix-app-data/llama-cpp/models/functionary-small-v3.2-GGUF/functionary-small-v3.2.Q4_0.gguf";
package = llamaPackage; # pkgs.unstable.llama-cpp;
extraFlags = [
"--n_gpu-layers"
"500"
"-c"
"0"
"--numa"
"numactl"
"--jinja"
];
};
services.open-webui = {
enable = false;
host = "0.0.0.0";
port = 8888;
openFirewall = true;
# stateDir = "/media/nas/ssd/nix-app-data/open-webui";
environmentFile = config.sops.secrets."jallen-nas/open-webui".path;
environment = {
OPENID_PROVIDER_URL = "https://authentik.mjallen.dev/application/o/chat/.well-known/openid-configuration";
OAUTH_PROVIDER_NAME = "authentik";
OPENID_REDIRECT_URI = "https://chat.mjallen.dev/oauth/oidc/callback";
ENABLE_OAUTH_SIGNUP = "False";
OAUTH_MERGE_ACCOUNTS_BY_EMAIL = "True";
ENABLE_SIGNUP = "False";
ENABLE_LOGIN_FORM = "False";
ANONYMIZED_TELEMETRY = "False";
DO_NOT_TRACK = "True";
SCARF_NO_ANALYTICS = "True";
OLLAMA_API_BASE_URL = "http://127.0.0.1:11434";
LOCAL_FILES_ONLY = "False";
WEBUI_AUTH = "False";
};
};
}

46
systems/x86_64-linux/nas/apps/options.nix Normal file
View File

@@ -0,0 +1,46 @@
{ lib, ... }:
let
inherit (lib) types mkOption;
in
{
options.nas-apps = mkOption {
type = types.attrsOf (types.submodule ({ config, name, ... }: {
options = {
enable = mkOption {
type = types.bool;
default = false;
};
port = mkOption {
type = types.int;
default = 80;
};
localAddress = mkOption {
type = types.str;
default = "127.0.0.1";
};
dataDir = mkOption {
type = types.str;
default = "";
};
reverseProxy = {
enable = mkOption {
type = types.bool;
default = false;
};
host = mkOption {
type = types.str;
default = "";
};
middlewares = mkOption {
type = with types; listOf str;
default = [ ];
};
};
};
}));
};
}

30
systems/x86_64-linux/nas/apps/orca/default.nix Normal file
View File

@@ -0,0 +1,30 @@
{
lib,
pkgs,
config,
...
}:
with lib;
let
cfg = config.nas-apps.orca-slicer;
in
{
imports = [ ./options.nix ];
config = mkIf cfg.enable {
virtualisation.oci-containers.containers."${cfg.name}" = {
autoStart = cfg.autoStart;
image = cfg.image;
ports = [
"${cfg.httpPort}:3000"
"${cfg.httpsPort}:3001"
];
volumes = [ "${cfg.configPath}:/config" ];
environment = {
PUID = cfg.puid;
PGID = cfg.pgid;
TZ = cfg.timeZone;
};
};
};
}

57
systems/x86_64-linux/nas/apps/orca/options.nix Normal file
View File

@@ -0,0 +1,57 @@
{ lib, ... }:
with lib;
{
options.nas-apps.orca-slicer = {
enable = mkEnableOption "orca slicer docker service";
autoStart = mkOption {
type = types.bool;
default = true;
};
httpPort = mkOption {
type = types.str;
default = "3000";
};
httpsPort = mkOption {
type = types.str;
default = "3001";
};
name = mkOption {
type = types.str;
default = "orca-slicer";
};
image = mkOption {
type = types.str;
default = "linuxserver/orcaslicer";
};
configPath = mkOption {
type = types.str;
default = "/media/nas/ssd/ssd_app_data/orca-slicer";
};
dataPath = mkOption {
type = types.str;
default = "/media/nas/main/3d_printer";
};
puid = mkOption {
type = types.str;
default = "911";
};
pgid = mkOption {
type = types.str;
default = "1000";
};
timeZone = mkOption {
type = types.str;
default = "America/Chicago";
};
};
}

104
systems/x86_64-linux/nas/apps/paperless/default.nix Executable file
View File

@@ -0,0 +1,104 @@
{
config,
pkgs,
...
}:
let
settings = import ../../settings.nix;
paperlessPort = 28981;
paperlessUserId = config.users.users.nix-apps.uid;
paperlessGroupId = config.users.groups.jallen-nas.gid;
paperlessEnv = config.sops.templates."paperless.env".path;
paperlessPkg = pkgs.paperless-ngx;
in
{
containers.paperless = {
autoStart = true;
privateNetwork = true;
hostAddress = settings.hostAddress;
localAddress = "10.0.1.20";
hostAddress6 = "fc00::1";
localAddress6 = "fc00::20";
config =
{
lib,
...
}:
{
# Enable paperless service
services.paperless = {
enable = false;
package = paperlessPkg;
port = paperlessPort;
user = "paperless";
address = "0.0.0.0";
passwordFile = "/var/lib/paperless/paperless-password";
# environmentFile = paperlessEnv; # unstable is too unstable, but this doesnt exist in stable.... disabling altogether....
};
# Create required users and groups
users.groups = {
documents = {
gid = lib.mkForce paperlessGroupId;
};
};
users.users.paperless = {
isSystemUser = true;
uid = lib.mkForce paperlessUserId;
group = lib.mkForce "documents";
};
# Create and set permissions for required directories
system.activationScripts.paperless-dirs = ''
mkdir -p /var/lib/paperless
chown -R paperless:documents /var/lib/paperless
chmod -R 775 /var/lib/paperless
'';
networking = {
firewall = {
enable = true;
allowedTCPPorts = [ paperlessPort ];
};
# Use systemd-resolved inside the container
# Workaround for bug https://github.com/NixOS/nixpkgs/issues/162686
useHostResolvConf = lib.mkForce false;
};
services.resolved.enable = true;
system.stateVersion = "23.11";
};
# Bind mount directories from host
bindMounts = {
"/var/lib/paperless" = {
hostPath = "/media/nas/ssd/nix-app-data/paperless";
isReadOnly = false;
};
secrets = {
hostPath = "/run/secrets/jallen-nas/paperless";
isReadOnly = true;
mountPoint = "/run/secrets/jallen-nas/paperless";
};
secret-env = {
hostPath = "/run/secrets/rendered/paperless.env";
isReadOnly = true;
mountPoint = "/run/secrets/rendered/paperless.env";
};
};
};
networking.nat = {
forwardPorts = [
{
destination = "10.0.1.20:28981";
sourcePort = paperlessPort;
}
];
};
}

391
systems/x86_64-linux/nas/apps/traefik/default.nix Executable file
View File

@@ -0,0 +1,391 @@
{ config, ... }:
let
settings = import ../../settings.nix;
domain = "mjallen.dev";
serverIp = settings.hostAddress;
# Forward services
authUrl = "http://${serverIp}:9000/outpost.goauthentik.io";
actualUrl = "http://${config.containers.actual.localAddress}:${toString config.containers.actual.config.services.actual.settings.port}";
authentikUrl = "http://${serverIp}:9000";
cacheUrl = "http://${serverIp}:9012";
cloudUrl = "http://${config.containers.nextcloud.localAddress}:80";
giteaUrl = "http://${config.containers.gitea.localAddress}:${toString config.containers.gitea.config.services.gitea.settings.server.HTTP_PORT}";
hassUrl = "http://homeassistant.local:8123";
immichUrl = "http://${serverIp}:${toString config.services.immich.port}";
jellyfinUrl = "http://${serverIp}:8096";
jellyseerrUrl = "http://${config.containers.jellyseerr.localAddress}:${toString config.containers.jellyseerr.config.services.jellyseerr.port}";
lubeloggerUrl = "http://${serverIp}:6754";
onlyofficeUrl = "http://${config.containers.nextcloud.localAddress}:${toString config.containers.nextcloud.config.services.onlyoffice.port}";
openWebUIUrl = "http://${serverIp}:8888";
paperlessUrl = "http://${config.containers.paperless.localAddress}:${toString config.containers.paperless.config.services.paperless.port}";
# Plugins
traefikPlugins = {
bouncer = {
moduleName = "github.com/maxlerebourg/crowdsec-bouncer-traefik-plugin";
version = "v1.4.2";
};
geoblock = {
moduleName = "github.com/PascalMinder/geoblock";
version = "v0.2.5";
};
};
crowdsecAppsecHost = "${serverIp}:7422";
crowdsecLapiKeyFile = config.sops.secrets."jallen-nas/traefik/crowdsec-lapi-key".path;
# Ports
httpPort = 80;
httpsPort = 443;
traefikPort = 8080;
metricsPort = 8082;
forwardPorts = [
httpPort
httpsPort
traefikPort
metricsPort
];
# misc
letsEncryptEmail = "jalle008@proton.me";
dataDir = "/media/nas/ssd/nix-app-data/traefik";
authentikAddress = "http://${serverIp}:9000/outpost.goauthentik.io/auth/traefik";
in
{
sops = {
secrets = {
"jallen-nas/traefik/crowdsec-lapi-key" = {
owner = config.users.users.traefik.name;
group = config.users.users.traefik.group;
restartUnits = [ "traefik.service" ];
};
"jallen-nas/traefik/cloudflare-dns-api-token" = { };
"jallen-nas/traefik/cloudflare-zone-api-token" = { };
"jallen-nas/traefik/cloudflare-api-key" = { };
"jallen-nas/traefik/cloudflare-email" = { };
};
templates = {
"traefik.env" = {
content = ''
CLOUDFLARE_DNS_API_TOKEN = ${config.sops.placeholder."jallen-nas/traefik/cloudflare-dns-api-token"}
CLOUDFLARE_ZONE_API_TOKEN = ${config.sops.placeholder."jallen-nas/traefik/cloudflare-zone-api-token"}
CLOUDFLARE_API_KEY = ${config.sops.placeholder."jallen-nas/traefik/cloudflare-api-key"}
CLOUDFLARE_EMAIL = ${config.sops.placeholder."jallen-nas/traefik/cloudflare-email"}
'';
owner = config.users.users.traefik.name;
group = config.users.users.traefik.group;
restartUnits = [ "traefik.service" ];
};
};
};
networking.firewall = {
allowedTCPPorts = forwardPorts;
allowedUDPPorts = forwardPorts;
};
services.traefik = {
enable = true;
dataDir = dataDir;
group = "jallen-nas";#group;
environmentFiles = [ "${config.services.traefik.dataDir}/traefik.env" ]; # todo: sops
staticConfigOptions = {
entryPoints = {
web = {
address = ":${toString httpPort}";
asDefault = true;
http.redirections.entrypoint = {
to = "websecure";
scheme = "https";
};
};
websecure = {
address = ":${toString httpsPort}";
asDefault = true;
http.tls.certResolver = "letsencrypt";
};
metrics = {
address = ":${toString metricsPort}"; # Port for metrics
};
};
log = {
level = "INFO";
};
metrics = {
prometheus = {
entryPoint = "metrics";
addEntryPointsLabels = true;
addServicesLabels = true;
buckets = [0.1 0.3 1.2 5.0]; # Response time buckets
};
};
certificatesResolvers.letsencrypt.acme = {
email = letsEncryptEmail;
storage = "${config.services.traefik.dataDir}/acme.json";
dnsChallenge = {
provider = "cloudflare";
resolvers = [
"1.1.1.1:53"
"8.8.8.8:53"
];
};
};
api.dashboard = true;
# Access the Traefik dashboard on <Traefik IP>:8080 of your server
api.insecure = true;
experimental = {
plugins = traefikPlugins;
};
};
dynamicConfigOptions = {
http = {
middlewares = {
authentik = {
forwardAuth = {
tls.insecureSkipVerify = true;
address = authentikAddress;
trustForwardHeader = true;
authResponseHeaders = [
"X-authentik-username"
"X-authentik-groups"
"X-authentik-email"
"X-authentik-name"
"X-authentik-uid"
"X-authentik-jwt"
"X-authentik-meta-jwks"
"X-authentik-meta-outpost"
"X-authentik-meta-provider"
"X-authentik-meta-app"
"X-authentik-meta-version"
];
};
};
onlyoffice-websocket = {
headers.customrequestheaders = {
X-Forwarded-Proto = "https";
};
};
crowdsec = {
plugin = {
bouncer = {
crowdsecAppsecEnabled = true;
crowdsecAppsecHost = crowdsecAppsecHost;
crowdsecAppsecFailureBlock = true;
crowdsecAppsecUnreachableBlock = true;
crowdsecLapiKeyFile = crowdsecLapiKeyFile;
};
};
};
whitelist-geoblock = {
plugin = {
geoblock = {
silentStartUp = false;
allowLocalRequests = true;
logLocalRequests = false;
logAllowedRequests = false;
logApiRequests = false;
api = "https://get.geojs.io/v1/ip/country/{ip}";
apiTimeoutMs = 500;
cacheSize = 25;
forceMonthlyUpdate = true;
allowUnknownCountries = false;
unknownCountryApiResponse = "nil";
blackListMode = false;
countries = [
"CA"
"US"
];
};
};
};
internal-ipallowlist =
{
ipAllowList = {
sourceRange = [
"127.0.0.1/32"
"10.0.1.0/24"
];
};
};
};
services = {
auth.loadBalancer.servers = [
{
url = authUrl;
}
];
actual.loadBalancer.servers = [
{
url = actualUrl;
}
];
authentik.loadBalancer.servers = [
{
url = authentikUrl;
}
];
cache.loadBalancer.servers = [
{
url = cacheUrl;
}
];
chat.loadBalancer.servers = [
{
url = openWebUIUrl;
}
];
cloud.loadBalancer.servers = [
{
url = cloudUrl;
}
];
gitea.loadBalancer.servers = [
{
url = giteaUrl;
}
];
hass.loadBalancer.servers = [
{
url = hassUrl;
}
];
immich.loadBalancer.servers = [
{
url = immichUrl;
}
];
jellyfin.loadBalancer.servers = [
{
url = jellyfinUrl;
}
];
jellyseerr.loadBalancer.servers = [
{
url = jellyseerrUrl;
}
];
lubelogger.loadBalancer.servers = [
{
url = lubeloggerUrl;
}
];
onlyoffice.loadBalancer.servers = [
{
url = onlyofficeUrl;
}
];
paperless.loadBalancer.servers = [
{
url = paperlessUrl;
}
];
};
routers = {
auth = {
entryPoints = [ "websecure" ];
rule = "HostRegexp(`{subdomain:[a-z]+}.mjallen.dev`) && PathPrefix(`/outpost.goauthentik.io/`)";
service = "auth";
middlewares = [ "crowdsec" "whitelist-geoblock" ];
priority = 15;
tls.certResolver = "letsencrypt";
};
actual = {
entryPoints = [ "websecure" ];
rule = "Host(`actual.${domain}`)";
service = "actual";
middlewares = [ "crowdsec" "whitelist-geoblock" ];
tls.certResolver = "letsencrypt";
};
authentik = {
entryPoints = [ "websecure" ];
rule = "Host(`authentik.${domain}`)";
service = "authentik";
middlewares = [ "crowdsec" "whitelist-geoblock" ];
tls.certResolver = "letsencrypt";
};
cache = {
entryPoints = [ "websecure" ];
rule = "Host(`cache.${domain}`)";
service = "cache";
middlewares = [ "crowdsec" "whitelist-geoblock" ];
priority = 10;
tls.certResolver = "letsencrypt";
};
cloud = {
entryPoints = [ "websecure" ];
rule = "Host(`cloud.${domain}`)";
service = "cloud";
middlewares = [ "crowdsec" "whitelist-geoblock" ];
tls.certResolver = "letsencrypt";
};
gitea = {
entryPoints = [ "websecure" ];
rule = "Host(`gitea.${domain}`)";
service = "gitea";
middlewares = [ "crowdsec" "whitelist-geoblock" ];
tls.certResolver = "letsencrypt";
};
hass = {
entryPoints = [ "websecure" ];
rule = "Host(`hass.${domain}`)";
service = "hass";
middlewares = [ "crowdsec" "whitelist-geoblock" "authentik" ];
priority = 10;
tls.certResolver = "letsencrypt";
};
immich = {
entryPoints = [ "websecure" ];
rule = "Host(`immich.${domain}`)";
service = "immich";
middlewares = [ "crowdsec" "whitelist-geoblock" ];
tls.certResolver = "letsencrypt";
};
jellyfin = {
entryPoints = [ "websecure" ];
rule = "Host(`jellyfin.${domain}`)";
service = "jellyfin";
middlewares = [ "crowdsec" "whitelist-geoblock" ];
tls.certResolver = "letsencrypt";
};
jellyseerr = {
entryPoints = [ "websecure" ];
rule = "Host(`jellyseerr.${domain}`)";
service = "jellyseerr";
middlewares = [ "crowdsec" "whitelist-geoblock" ];
tls.certResolver = "letsencrypt";
};
lubelogger = {
entryPoints = [ "websecure" ];
rule = "Host(`lubelogger.${domain}`)";
service = "lubelogger";
middlewares = [ "crowdsec" "whitelist-geoblock" ];
tls.certResolver = "letsencrypt";
};
onlyoffice = {
entryPoints = [ "websecure" ];
rule = "Host(`office.${domain}`)";
service = "onlyoffice";
middlewares = [ "crowdsec" "whitelist-geoblock" "onlyoffice-websocket" ];
tls.certResolver = "letsencrypt";
};
};
};
};
};
}

19
systems/x86_64-linux/nas/apps/wyoming/default.nix Executable file
View File

@@ -0,0 +1,19 @@
{ pkgs, ... }:
{
services.wyoming = {
faster-whisper.servers.hass-whisper = {
enable = true;
useTransformers = false;
device = "cuda";
language = "en";
model = "distil-large-v3";
uri = "tcp://0.0.0.0:10300";
};
piper.servers.hass-piper = {
enable = true;
voice = "en-us-ryan-high";
uri = "tcp://0.0.0.0:10200";
};
};
}

68
systems/x86_64-linux/nas/boot.nix Executable file
View File

@@ -0,0 +1,68 @@
{ pkgs, ... }:
let
configLimit = 50;
kernel = pkgs.linuxPackages; # linuxPackages_latest;
in
{
# Configure bootloader with lanzaboot and secureboot
boot = {
kernelModules = [ "nct6775" ];
loader = {
systemd-boot = {
enable = false;
configurationLimit = configLimit;
};
efi = {
canTouchEfiVariables = true;
efiSysMountPoint = "/boot";
};
};
lanzaboote = {
enable = true;
pkiBundle = "/etc/secureboot";
settings = {
console-mode = "max";
};
configurationLimit = configLimit;
};
kernel.sysctl = {
"net.ipv4.ip_forward" = 1;
"net.ipv6.conf.all.forwarding" = 1;
"vm.swappiness" = 60;
};
# Override kernel to latest
kernelPackages = kernel;
kernelParams = [
"nohibernate"
];
consoleLogLevel = 3;
bootspec.enable = true;
initrd = {
kernelModules = [
"tpm"
"tpm_tis"
"tpm_crb"
"tpm_infineon"
];
systemd = {
enable = true;
# tpm2.enable = true;
tpm2.enable = true;
};
};
# Enable binfmt emulation for ARM
binfmt.emulatedSystems = [ "aarch64-linux" ]; # --argstr system aarch64-linux
};
zramSwap = {
enable = true;
};
}

199
systems/x86_64-linux/nas/configuration.nix Executable file
View File

@@ -0,0 +1,199 @@
# Edit this configuration file to define what should be installed on
# your system. Help is available in the configuration.nix(5) man page, on
# https://search.nixos.org/options and in the NixOS manual (`nixos-help`).
{
config,
pkgs,
lib,
inputs,
...
}:
{
imports = [
# Include the results of the hardware scan.
./hardware-configuration.nix
./filesystems.nix
./boot.nix
./apps.nix
./grafana.nix
./networking.nix
./nixpkgs.nix
./ups.nix
./users.nix
./samba.nix
./services.nix
./sops.nix
];
powerManagement.cpuFreqGovernor = "powersave";
share.hardware.nvidia = {
enable = true;
enableBeta = true;
enableOpen = true;
nvidiaSettings = true;
enableNvidiaDocker = true;
};
security.tpm2 = {
enable = true;
};
# Configure environment
environment = {
etc.crypttab.text = ''
ssd1 UUID=eff4b19c-aba7-41ab-b452-a8c6654d8754 none tpm2-device=auto
ssd2 UUID=c8640e19-6cd9-49d0-a355-bac09d17ea0d none tpm2-device=auto
hdd1 UUID=8d7dd657-d9b0-47ed-97e1-a9d1eba12b56 none tpm2-device=auto
hdd2 UUID=11ee92b0-6334-4be7-bb2d-d85f5a3f51a6 none tpm2-device=auto
hdd3 UUID=4463ea6f-3fcf-4e49-80c8-ba7f424471f0 none tpm2-device=auto
hdd4 UUID=13fe7737-b72b-4d5f-a79d-1ca0d438f8f0 none tpm2-device=auto
hdd5 UUID=2b4be219-613d-4512-8277-0260989d5377 none tpm2-device=auto
'';
etc.machine-id.text = ''
57cdf5fc27f3469f80d0a339f1238aeb
'';
systemPackages = with pkgs; [
attic-client
binutils
cryptsetup
cmake
deconz
duperemove
efibootmgr
ffmpeg
gcc
glances
ipset
jq
llama-cpp
ninja
inputs.nas-nixai.packages.x86_64-linux.nixai
networkmanagerapplet
nmon
nut
packagekit
pass
protonmail-bridge
protonvpn-cli
python3
unstable.python3Packages.llama-cpp-python
qrencode
rcon
sbctl
speedtest-cli
tigervnc
tpm2-tools
tpm2-tss
];
};
# Configure programs
programs = {
virt-manager.enable = true;
nix-ld.enable = true;
screen.enable = true;
coolercontrol = {
enable = true;
nvidiaSupport = true;
};
msmtp = {
enable = true;
accounts = {
default = {
auth = true;
tls_starttls = false;
host = "smtp.gmail.com";
user = "matt.l.jallen";
from = "matt.l.jallen@gmail.com";
passwordeval = "cat ${config.sops.secrets."jallen-nas/gitea/mail-key".path}";
};
};
defaults = {
port = 465;
tls = true;
};
};
};
hardware.fancontrol = {
enable = false;
config = ''
# Configuration file generated by pwmconfig, changes will be lost
# hwmon6/temp9_input -- chipset temp?
# hwmon2/temp1_input -- cpu temp?
# hwmon6/pwm5 -- chipset fan?
# hwmon6/pwm2, hwmon6/pwm3 -- cpu fans?
# hwmon6/pwm4 -- case fans?
INTERVAL=10
DEVPATH=hwmon2=devices/pci0000:00/0000:00:18.3 hwmon6=devices/platform/nct6775.656
DEVNAME=hwmon2=k10temp hwmon6=nct6798
FCTEMPS=hwmon6/pwm5=hwmon6/temp9_input hwmon6/pwm2=hwmon2/temp1_input hwmon6/pwm3=hwmon2/temp1_input hwmon6/pwm4=hwmon2/temp1_input
FCFANS=hwmon6/pwm5=hwmon6/fan5_input hwmon6/pwm2=hwmon6/fan2_input hwmon6/pwm3=hwmon6/fan3_input hwmon6/pwm4=hwmon6/fan4_input
MINTEMP=hwmon6/pwm5=20 hwmon6/pwm2=20 hwmon6/pwm3=20 hwmon6/pwm4=20
MAXTEMP=hwmon6/pwm5=60 hwmon6/pwm2=90 hwmon6/pwm3=90 hwmon6/pwm4=90
MINSTART=hwmon6/pwm5=16 hwmon6/pwm2=90 hwmon6/pwm3=45 hwmon6/pwm4=60
MINSTOP=hwmon6/pwm5=14 hwmon6/pwm2=0 hwmon6/pwm3=30 hwmon6/pwm4=45
MINPWM=hwmon6/pwm5=14 hwmon6/pwm2=0 hwmon6/pwm3=0 hwmon6/pwm4=0
MAXPWM=hwmon6/pwm5=255 hwmon6/pwm2=255 hwmon6/pwm3=255 hwmon6/pwm4=255
'';
};
# Virtualisation
virtualisation = {
podman = {
enable = true;
dockerCompat = true;
autoPrune.enable = true;
defaultNetwork.settings = {
dns_enabled = true;
};
};
libvirtd.enable = true;
};
# Enable nix flakes and nix-command tools
nix = {
settings = {
substituters = [
"https://nix-community.cachix.org"
"https://cache.nixos.org/"
];
trusted-public-keys = [
"nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
];
warn-dirty = lib.mkForce false;
experimental-features = lib.mkForce [
"nix-command"
"flakes"
];
trusted-users = [ "@wheel" ];
};
# Garbage collect automatically every week
gc.automatic = lib.mkDefault true;
gc.options = lib.mkDefault "--delete-older-than 30d";
optimise.automatic = lib.mkDefault true;
};
# Nixpkgs configuration
nixpkgs = {
config = {
allowUnfree = lib.mkForce true;
allowUnsupportedSystem = true;
permittedInsecurePackages = [
# ...
];
};
};
nixpkgs.config.allowUnfreePredicate = pkg: builtins.elem (lib.getName pkg) [
"vscode-extension-github-copilot"
];
}

135
systems/x86_64-linux/nas/filesystems.nix Executable file
View File

@@ -0,0 +1,135 @@
{ ... }:
let
defaultOptions = [ "compress=zstd" ];
in
{
fileSystems."/media/nas/ssd/nix-app-data" = {
device = "/dev/disk/by-uuid/09ac8b6b-e553-4cd8-ae62-8d8c17fe8b0c";
fsType = "btrfs";
options = [ "subvol=nix-app-data" ] ++ defaultOptions;
};
fileSystems."/media/nas/ssd/ssd_app_data" = {
device = "/dev/disk/by-uuid/09ac8b6b-e553-4cd8-ae62-8d8c17fe8b0c";
fsType = "btrfs";
options = [ "subvol=ssd_app_data" ] ++ defaultOptions;
};
fileSystems."/media/nas/ssd/mariadb" = {
device = "/dev/disk/by-uuid/09ac8b6b-e553-4cd8-ae62-8d8c17fe8b0c";
fsType = "btrfs";
options = [ "subvol=mariadb" ] ++ defaultOptions;
};
fileSystems."/media/nas/ssd/mongodb" = {
device = "/dev/disk/by-uuid/09ac8b6b-e553-4cd8-ae62-8d8c17fe8b0c";
fsType = "btrfs";
options = [ "subvol=mongodb" ] ++ defaultOptions;
};
fileSystems."/media/nas/ssd/VMs" = {
device = "/dev/disk/by-uuid/09ac8b6b-e553-4cd8-ae62-8d8c17fe8b0c";
fsType = "btrfs";
options = [ "subvol=VMs" ] ++ defaultOptions;
};
fileSystems."/media/nas/main/3d_printer" = {
device = "/dev/disk/by-uuid/76e7cd98-3145-4cff-b78d-bab0206aae28";
fsType = "btrfs";
options = [ "subvol=3d_printer" ] ++ defaultOptions;
};
fileSystems."/media/nas/main/backup" = {
device = "/dev/disk/by-uuid/76e7cd98-3145-4cff-b78d-bab0206aae28";
fsType = "btrfs";
options = [ "subvol=backup" ] ++ defaultOptions;
};
fileSystems."/media/nas/main/books" = {
device = "/dev/disk/by-uuid/76e7cd98-3145-4cff-b78d-bab0206aae28";
fsType = "btrfs";
options = [ "subvol=books" ] ++ defaultOptions;
};
fileSystems."/media/nas/main/documents" = {
device = "/dev/disk/by-uuid/76e7cd98-3145-4cff-b78d-bab0206aae28";
fsType = "btrfs";
options = [ "subvol=documents" ] ++ defaultOptions;
};
fileSystems."/media/nas/main/homeassistant" = {
device = "/dev/disk/by-uuid/76e7cd98-3145-4cff-b78d-bab0206aae28";
fsType = "btrfs";
options = [ "subvol=homeassistant" ] ++ defaultOptions;
};
fileSystems."/media/nas/main/isos" = {
device = "/dev/disk/by-uuid/76e7cd98-3145-4cff-b78d-bab0206aae28";
fsType = "btrfs";
options = [ "subvol=isos" ] ++ defaultOptions;
};
fileSystems."/media/nas/main/movies" = {
device = "/dev/disk/by-uuid/76e7cd98-3145-4cff-b78d-bab0206aae28";
fsType = "btrfs";
options = [ "subvol=movies" ] ++ defaultOptions;
};
fileSystems."/media/nas/main/nextcloud" = {
device = "/dev/disk/by-uuid/76e7cd98-3145-4cff-b78d-bab0206aae28";
fsType = "btrfs";
options = [ "subvol=nextcloud" ] ++ defaultOptions;
};
fileSystems."/media/nas/main/photos" = {
device = "/dev/disk/by-uuid/76e7cd98-3145-4cff-b78d-bab0206aae28";
fsType = "btrfs";
options = [ "subvol=photos" ] ++ defaultOptions;
};
fileSystems."/media/nas/main/switch" = {
device = "/dev/disk/by-uuid/76e7cd98-3145-4cff-b78d-bab0206aae28";
fsType = "btrfs";
options = [ "subvol=switch" ] ++ defaultOptions;
};
fileSystems."/media/nas/main/tv" = {
device = "/dev/disk/by-uuid/76e7cd98-3145-4cff-b78d-bab0206aae28";
fsType = "btrfs";
options = [ "subvol=tv" ] ++ defaultOptions;
};
fileSystems."/media/nas/main/timemachine" = {
device = "/dev/disk/by-uuid/76e7cd98-3145-4cff-b78d-bab0206aae28";
fsType = "btrfs";
options = [ "subvol=timemachine" ] ++ defaultOptions;
};
fileSystems."/run/mount/ssd" = {
device = "/dev/mapper/ssd1";
fsType = "btrfs";
};
fileSystems."/run/mount/main" = {
device = "/dev/mapper/hdd1";
fsType = "btrfs";
};
# fileSystems."/media/nas/junk/nextcloud-backup" = {
# device = "/dev/disk/by-uuid/11948951106919390044";
# fsType = "btrfs";
# options = [
# "subvol=nextcloud-backup"
# ]
# ++ defaultOptions;
# };
# fileSystems."/media/nas/main/vms" = {
# device = "/dev/disk/by-uuid/76e7cd98-3145-4cff-b78d-bab0206aae28";
# fsType = "btrfs";
# options = [
# "subvol=vms"
# ]
# ++ defaultOptions;
# };
}

80
systems/x86_64-linux/nas/grafana.nix Executable file
View File

@@ -0,0 +1,80 @@
{ config, ... }:
let
upsUser = "nas-admin";
in
{
services = {
prometheus = {
enable = true;
exporters = {
node = {
enable = true;
enabledCollectors = [
"filesystem"
"diskstats"
"meminfo"
"cpu"
"systemd" # Ensures systemd collector is enabled
"processes"
];
extraFlags = [
"--collector.filesystem.mount-points-exclude=^/(dev|proc|sys|run)($|/)"
];
};
libvirt = {
enable = false;
openFirewall = true;
};
nut = {
enable = true;
openFirewall = true;
passwordPath = config.sops.secrets."jallen-nas/ups_password".path;
nutUser = upsUser;
};
# restic = {
# enable = true;
# openFirewall = true;
# resticPort = 8008;
# };
};
scrapeConfigs = [
{
job_name = "node";
static_configs = [{
targets = [ "localhost:${toString config.services.prometheus.exporters.node.port}" ];
}];
}
{
job_name = "traefik";
static_configs = [{
targets = [ "localhost:8082" ];
}];
}
];
};
grafana = {
enable = true;
settings = {
server = {
http_port = 9999;
http_addr = "0.0.0.0";
};
};
dataDir = "/media/nas/ssd/nix-app-data/grafana";
provision = {
enable = true;
datasources.settings.datasources = [{
name = "Prometheus";
type = "prometheus";
access = "proxy";
url = "http://localhost:${toString config.services.prometheus.port}";
}];
};
};
};
# Open firewall ports for Grafana
networking.firewall.allowedTCPPorts = [ 9999 ];
}

128
systems/x86_64-linux/nas/hardware-configuration.nix Executable file
View File

@@ -0,0 +1,128 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{
config,
lib,
modulesPath,
...
}:
{
imports = [ (modulesPath + "/installer/scan/not-detected.nix") ];
boot.initrd.availableKernelModules = [
"nvme"
"mpt3sas"
"xhci_pci"
"ahci"
"uas"
"sd_mod"
];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ "kvm-amd" ];
boot.extraModulePackages = [ ];
fileSystems."/" = {
device = "none";
fsType = "tmpfs";
options = [
"defaults"
"size=25%"
"mode=755"
];
};
fileSystems."/boot" = {
device = "/dev/disk/by-uuid/C6E9-7371";
fsType = "vfat";
};
fileSystems."/nix" = {
device = "/dev/disk/by-uuid/85e2fa30-816f-4457-80a1-9f88b9ab77b3";
fsType = "btrfs";
options = [
"subvol=nix"
"compress-force=zstd"
"noatime"
];
};
fileSystems."/etc" = {
device = "/dev/disk/by-uuid/85e2fa30-816f-4457-80a1-9f88b9ab77b3";
fsType = "btrfs";
options = [
"subvol=etc"
"compress-force=zstd"
"noatime"
];
};
fileSystems."/root" = {
device = "/dev/disk/by-uuid/85e2fa30-816f-4457-80a1-9f88b9ab77b3";
fsType = "btrfs";
options = [
"subvol=root"
"compress-force=zstd"
"noatime"
];
};
fileSystems."/var/log" = {
device = "/dev/disk/by-uuid/85e2fa30-816f-4457-80a1-9f88b9ab77b3";
fsType = "btrfs";
options = [
"subvol=log"
"compress-force=zstd"
"noatime"
];
};
fileSystems."/home" = {
device = "/dev/disk/by-uuid/85e2fa30-816f-4457-80a1-9f88b9ab77b3";
fsType = "btrfs";
options = [
"subvol=home"
"compress-force=zstd"
];
};
fileSystems."/tmp" = {
device = "/dev/disk/by-uuid/8e3841fc-9222-443c-af72-075dd8ac07f2";
fsType = "btrfs";
options = [
"compress-force=zstd"
"noatime"
];
};
swapDevices = [
{
device = "/dev/disk/by-id/ata-Samsung_SSD_860_EVO_500GB_S3Z1NW0KA10457X-part2";
randomEncryption.enable = true;
}
];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's
# still possible to use this option, but it's recommended to use it in conjunction
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
networking.useDHCP = lib.mkDefault true;
# networking.interfaces.docker0.useDHCP = lib.mkDefault true;
# networking.interfaces.enp7s0.useDHCP = lib.mkDefault true;
# networking.interfaces.podman0.useDHCP = lib.mkDefault true;
# networking.interfaces.veth0.useDHCP = lib.mkDefault true;
# networking.interfaces.veth1.useDHCP = lib.mkDefault true;
# networking.interfaces.veth2.useDHCP = lib.mkDefault true;
# networking.interfaces.veth3.useDHCP = lib.mkDefault true;
# networking.interfaces.veth4.useDHCP = lib.mkDefault true;
# networking.interfaces.veth5.useDHCP = lib.mkDefault true;
# networking.interfaces.veth6.useDHCP = lib.mkDefault true;
# networking.interfaces.veth7.useDHCP = lib.mkDefault true;
# networking.interfaces.vethd3ca67e.useDHCP = lib.mkDefault true;
# networking.interfaces.wlp6s0.useDHCP = lib.mkDefault true;
# networking.interfaces.wlp7s0.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
}

75
systems/x86_64-linux/nas/home.nix Executable file
View File

@@ -0,0 +1,75 @@
{ pkgs,... }:
let
shellAliases = {
update-boot = "sudo nixos-rebuild boot --max-jobs 10";
update-switch = "sudo nixos-rebuild switch --max-jobs 10";
update-flake = "nix flake update nas-nixpkgs nas-authentik-nix nas-cosmic nas-crowdsec nas-home-manager nas-impermanence nas-lanzaboote nas-nixos-hardware nas-sops-nix --flake /etc/nixos";
};
in
{
home.username = "admin";
sops = {
age.keyFile = "/home/admin/.config/sops/age/keys.txt";
defaultSopsFile = "/etc/nixos/secrets/secrets.yaml";
validateSopsFiles = false;
secrets = {
"ssh-keys-public/jallen-nas" = {
path = "/home/admin/.ssh/id_ed25519.pub";
mode = "0644";
};
"ssh-keys-private/jallen-nas" = {
path = "/home/admin/.ssh/id_ed25519";
mode = "0600";
};
"ssh-keys-public/desktop-nixos" = {
path = "/home/admin/.ssh/authorized_keys";
mode = "0600";
};
"ssh-keys-public/desktop-nixos-root" = {
path = "/home/admin/.ssh/authorized_keys2";
mode = "0600";
};
"ssh-keys-public/desktop-windows" = {
path = "/home/admin/.ssh/authorized_keys3";
mode = "0600";
};
"ssh-keys-public/macbook-macos" = {
path = "/home/admin/.ssh/authorized_keys4";
mode = "0600";
};
};
};
programs = {
neovim = {
enable = true;
viAlias = true;
vimAlias = true;
defaultEditor = true;
plugins = [
pkgs.vimPlugins.nvim-tree-lua
{
plugin = pkgs.vimPlugins.vim-startify;
config = "let g:startify_change_to_vcs_root = 0";
}
];
};
zsh.shellAliases = shellAliases;
};
# services.nixai = {
# enable = true;
# mcp = {
# enable = true;
# # Optional: custom socket path (uses `$HOME` expansion)
# socketPath = "$HOME/.local/share/nixai/mcp.sock";
# };
# # Optional: integrate with VS Code
# vscodeIntegration = true;
# };
}

65
systems/x86_64-linux/nas/impermanence.nix Executable file
View File

@@ -0,0 +1,65 @@
{ ... }:
{
# Set up impernance configuration for things like bluetooth
# In this configuration with /etc and /var/log being persistent, only directories outside of that need to be done here. See hardware configuration for all mountpoints.
environment.persistence."/nix/persist/system" = {
hideMounts = true;
directories = [
"/var/lib/bluetooth"
"/var/lib/nixos"
"/var/lib/tailscale"
"/var/lib/systemd/coredump"
"/etc/NetworkManager/system-connections"
"/etc/secureboot"
{
directory = "/var/lib/private/authentik/media";
user = "authentik";
group = "authentik";
mode = "u=rwx,g=,o=";
}
{
directory = "/var/lib/private";
mode = "u=rwx,g=rx,o=";
}
{
directory = "/var/lib/colord";
user = "colord";
group = "colord";
mode = "u=rwx,g=rx,o=";
}
{
directory = "/etc/nix";
user = "root";
group = "wheel";
mode = "u=rwx,g=rx,o=rx";
}
{
directory = "/media/nas";
user = "nas-apps";
group = "jallen-nas";
mode = "u=rwx,g=rx,o=rx";
}
{
directory = "/var/lib/crowdsec";
user = "crowdsec";
group = "crowdsec";
mode = "u=rwx,g=rwx,o=rx";
}
{
directory = "/plugins-storage";
user = "traefik";
group = "traefik";
mode = "u=rwx,g=rwx,o=rx";
}
];
files = [
"/var/cache-priv-key.pem"
];
};
security.sudo.extraConfig = ''
# rollback results in sudo lectures after each reboot
Defaults lecture = never
'';
}

94
systems/x86_64-linux/nas/networking.nix Executable file
View File

@@ -0,0 +1,94 @@
{ config, ... }:
let
settings = import ./settings.nix;
ports = [
8008 # restic
9000 # authentik
2342 # grafana
51820 # wireguard
1025
1143
10200
10300
8127
9980 # onlyoffice
4000 # netbootxyz
4080 # netbootxyz
3000 # gitea
2222 # gitea ssh
3300
9898
6754 # lubelogger
2283 # immich
4444 # code-server
9012
8192
];
in
{
# Networking configs
networking = {
hostName = settings.hostName;
useNetworkd = true;
hostId = "4b501480";
# Disable Network Manager
networkmanager = {
enable = true;
ensureProfiles = {
environmentFiles = [
config.sops.secrets.wifi.path
];
profiles = {
"Joey's Jungle 6G" = {
connection = {
id = "Joey's Jungle 6G";
type = "wifi";
};
ipv4 = {
address1 = "${settings.hostAddress}/24";
dns = "10.0.1.1";
gateway = "10.0.1.1";
method = "manual";
};
ipv6 = {
addr-gen-mode = "stable-privacy";
method = "auto";
};
wifi = {
mode = "infrastructure";
ssid = "Joey's Jungle 6G";
};
wifi-security = {
key-mgmt = "sae";
psk = "$PSK";
};
};
};
};
};
nat = {
enable = true;
internalInterfaces = [ "ve-+" ];
externalInterface = "wlp6s0";
# Lazy IPv6 connectivity for the container
enableIPv6 = true;
};
firewall = {
enable = true;
allowPing = true;
allowedTCPPorts = ports;
allowedUDPPorts = ports;
# always allow traffic from your Tailscale network
trustedInterfaces = [ "tailscale0" ];
};
};
}

346
systems/x86_64-linux/nas/nix-serve.nix Executable file
View File

@@ -0,0 +1,346 @@
{ config, pkgs, ... }:
let
nix-build-mail = pkgs.writeShellScript "echo -e \"Content-Type: text/plain\\r\\nSubject: NixOS cache rebuild failed\\r\\n\\r\\nThe nix-rebuild-cache service failed at $(date).\" | sendmail jalle008@proton.me";
in
{
# "https://cache.mjallen.dev"
# "cache.mjallen.dev-1:IzFmKCd8/gggI6lcCXsW65qQwiCLGFFN9t9s2iw7Lvc="
services.nix-serve = {
enable = false;
package = pkgs.nix-serve-ng;
secretKeyFile = "/etc/nix/cache-priv-key.pem";
port = 5000; # Choose your preferred port
openFirewall = true;
};
services.atticd = {
enable = true;
environmentFile = config.sops.secrets."jallen-nas/attic-key".path;
settings = {
listen = "[::]:9012";
};
};
# Improved systemd service with better error handling
systemd = {
services = {
attic-watch-store = {
enable = true;
description = "watch store for cache";
serviceConfig = {
Type = "simple";
User = "admin";
Group = "jallen-nas";
WorkingDirectory = "/etc/nixos";
StandardOutput = "journal+console";
StandardError = "journal+console";
Restart = "always";
restartSec = "5";
};
path = with pkgs; [
bash
attic-client
];
script = ''
#!/usr/bin/env bash
attic watch-store nas-cache
'';
};
nix-rebuild-cache-desktop = {
enable = true;
description = "Rebuild desktop NixOS configurations for cache";
serviceConfig = {
Type = "oneshot";
User = "admin";
Group = "jallen-nas";
WorkingDirectory = "/etc/nixos";
StandardOutput = "journal+console";
StandardError = "journal+console";
Restart = "no";
# Increase timeout for large builds
TimeoutStartSec = "2h";
};
path = with pkgs; [
nix
git
uutils-coreutils
gnugrep
gnused
openssh
];
script = ''
#!/usr/bin/env bash
# Pull latest changes if in a git repo
if [ -d .git ]; then
git pull || echo "Warning: Could not pull latest changes"
fi
echo "Starting build of matt-nixos at $(date)"
if nix flake update desktop-nixpkgs desktop-chaotic desktop-home-manager desktop-impermanence desktop-lanzaboote desktop-nixos-hardware desktop-sops-nix desktop-steam-rom-manager nixpkgs-unstable nixpkgs-stable nix-darwin; then
echo "matt-nixos flake updated successfully at $(date)"
else
echo "matt-nixos failed to build at $(date)"
fi
if nix build .\#nixosConfigurations.matt-nixos.config.system.build.toplevel --no-link; then
echo "matt-nixos built successfully at $(date)"
git add .
git commit -m "Desktop Updates $(date)"
else
echo "matt-nixos failed to build at $(date)"
git reset --hard
fi
'';
};
nix-rebuild-cache-steamdeck = {
enable = true;
description = "Rebuild steamdeck NixOS configurations for cache";
serviceConfig = {
Type = "oneshot";
User = "admin";
Group = "jallen-nas";
WorkingDirectory = "/etc/nixos";
StandardOutput = "journal+console";
StandardError = "journal+console";
Restart = "no";
# Increase timeout for large builds
TimeoutStartSec = "2h";
};
path = with pkgs; [
nix
git
uutils-coreutils
gnugrep
gnused
openssh
];
script = ''
#!/usr/bin/env bash
# Pull latest changes if in a git repo
if [ -d .git ]; then
git pull || echo "Warning: Could not pull latest changes"
fi
echo "Starting build of steamdeck at $(date)"
if nix flake update steamdeck-nixpkgs steamdeck-chaotic steamdeck-home-manager steamdeck-impermanence steamdeck-jovian steamdeck-lanzaboote steamdeck-nixos-hardware steamdeck-sops-nix steamdeck-steam-rom-manager; then
echo "steamdeck flake updated successfully at $(date)"
else
echo "steamdeck flake failed to update at $(date)"
git reset --hard
fi
if nix build .\#nixosConfigurations.steamdeck.config.system.build.toplevel --no-link; then
echo "steamdeck built successfully at $(date)"
git add .
git commit -m "Steamdeck Updates $(date)"
else
echo "steamdeck failed to build at $(date)"
git reset --hard
fi
'';
};
nix-rebuild-cache-pi4 = {
enable = true;
description = "Rebuild pi4 NixOS configurations for cache";
serviceConfig = {
Type = "oneshot";
User = "admin";
Group = "jallen-nas";
WorkingDirectory = "/etc/nixos";
StandardOutput = "journal+console";
StandardError = "journal+console";
Restart = "no";
# Increase timeout for large builds
TimeoutStartSec = "2h";
};
path = with pkgs; [
nix
git
uutils-coreutils
gnugrep
gnused
openssh
];
script = ''
#!/usr/bin/env bash
# Pull latest changes if in a git repo
if [ -d .git ]; then
git pull || echo "Warning: Could not pull latest changes"
fi
echo "Starting build of pi4 at $(date)"
if nix flake update pi4-nixpkgs pi4-home-manager pi4-impermanence pi4-sops-nix pi4-nixos-hardware pi4-nixos-raspberrypi pi4-disko; then
echo "pi4 flake updated successfully at $(date)"
else
echo "pif flake failed to update at $(date)"
fi
if nix build .\#nixosConfigurations.pi4.config.system.build.toplevel --no-link --impure; then
echo "pi4 built successfully at $(date)"
git add .
git commit -m "Pi4 Updates $(date)"
else
echo "pi4 failed to build at $(date)"
git reset --hard
fi
'';
};
nix-rebuild-cache-pi5 = {
enable = true;
description = "Rebuild pi5 NixOS configurations for cache";
serviceConfig = {
Type = "oneshot";
User = "admin";
Group = "jallen-nas";
WorkingDirectory = "/etc/nixos";
StandardOutput = "journal+console";
StandardError = "journal+console";
Restart = "no";
# Increase timeout for large builds
TimeoutStartSec = "2h";
};
path = with pkgs; [
nix
git
uutils-coreutils
gnugrep
gnused
openssh
];
script = ''
#!/usr/bin/env bash
# Pull latest changes if in a git repo
if [ -d .git ]; then
git pull || echo "Warning: Could not pull latest changes"
fi
echo "Starting build of pi5 at $(date)"
if nix flake update pi5-nixpkgs pi5-home-manager pi5-impermanence pi5-nixos-hardware pi5-sops-nix nixos-raspberrypi; then
echo "pi5 flake updated successfully at $(date)"
else
echo "pi5 flake failed to update at $(date)"
fi
if nix build .\#nixosConfigurations.pi5.config.system.build.toplevel --no-link; then
echo "pi5 built successfully at $(date)"
git add .
git commit -m "Pi5 Updates $(date)"
else
echo "pi5 failed to build at $(date)"
git reset --hard
fi
'';
};
nix-rebuild-cache-nas = {
enable = true;
description = "Rebuild nas NixOS configurations for cache";
serviceConfig = {
Type = "oneshot";
User = "admin";
Group = "jallen-nas";
WorkingDirectory = "/etc/nixos";
StandardOutput = "journal+console";
StandardError = "journal+console";
Restart = "no";
# Increase timeout for large builds
TimeoutStartSec = "2h";
};
path = with pkgs; [
nix
git
uutils-coreutils
gnugrep
gnused
openssh
];
script = ''
#!/usr/bin/env bash
# Pull latest changes if in a git repo
if [ -d .git ]; then
git pull || echo "Warning: Could not pull latest changes"
fi
echo "Starting build of jallen-nas at $(date)"
if nix flake update nas-nixpkgs nas-authentik-nix nas-cosmic nas-crowdsec nas-home-manager nas-impermanence nas-lanzaboote nas-nixos-hardware nas-sops-nix; then
echo "jallen-nas flake updated successfully at $(date)"
else
echo "jallen-nas flake failed to update at $(date)"
fi
export NIXPKGS_ALLOW_UNFREE=1
if nix build .\#nixosConfigurations.jallen-nas.config.system.build.toplevel --no-link --impure; then
echo "jallen-nas built successfully at $(date)"
git add .
git commit -m "Jallen-NAS Updates $(date)"
else
echo "jallen-nas failed to build at $(date)"
git reset --hard
fi
'';
};
};
timers = {
nix-rebuild-cache-desktop = {
description = "Timer for rebuilding desktop NixOS configurations cache";
wantedBy = [ "timers.target" ];
timerConfig = {
OnCalendar = "weekly";
Persistent = true;
RandomizedDelaySec = "24h";
};
};
nix-rebuild-cache-steamdeck = {
description = "Timer for rebuilding steamdeck NixOS configurations cache";
wantedBy = [ "timers.target" ];
timerConfig = {
OnCalendar = "weekly";
Persistent = true;
RandomizedDelaySec = "24h";
};
};
nix-rebuild-cache-pi4 = {
description = "Timer for rebuilding pi4 NixOS configurations cache";
wantedBy = [ "timers.target" ];
timerConfig = {
OnCalendar = "weekly";
Persistent = true;
RandomizedDelaySec = "24h";
};
};
nix-rebuild-cache-pi5 = {
description = "Timer for rebuilding pi5 NixOS configurations cache";
wantedBy = [ "timers.target" ];
timerConfig = {
OnCalendar = "weekly";
Persistent = true;
RandomizedDelaySec = "24h";
};
};
nix-rebuild-cache-nas = {
description = "Timer for rebuilding nas NixOS configurations cache";
wantedBy = [ "timers.target" ];
timerConfig = {
OnCalendar = "weekly";
Persistent = true;
RandomizedDelaySec = "24h";
};
};
};
};
nix = {
settings.builders-use-substitutes = true;
distributedBuilds = true;
buildMachines = [
{
hostName = "pi5.local";
system = "aarch64-linux";
maxJobs = 4;
sshUser = "matt";
supportedFeatures = [ "nixos-test" "benchmark" "big-parallel" "kvm" ];
}
];
};
}

29
systems/x86_64-linux/nas/nixpkgs.nix Executable file
View File

@@ -0,0 +1,29 @@
{ outputs, ... }:
{
# Configure nixpkgs
nixpkgs = {
overlays = [
outputs.overlays.nixpkgs-unstable
outputs.overlays.nixpkgs-stable
];
config = {
# Enable non free
allowUnfree = true;
# enable cuda support
cudaSupport = true;
allowUnfreePredicate = p:
builtins.all (
license:
license.free
|| builtins.elem license.shortName [
"CUDA EULA"
"cuDNN EULA"
"cuTENSOR EULA"
"NVidia OptiX EULA"
]
) (if builtins.isList p.meta.license then p.meta.license else [ p.meta.license ]);
};
};
}

42
systems/x86_64-linux/nas/samba.nix Executable file
View File

@@ -0,0 +1,42 @@
{ ... }:
{
nas-samba = {
enable = true;
hostsAllow = "10.0.1.";
enableTimeMachine = true;
timeMachinePath = "/media/nas/main/timemachine";
shares = {
"3d_printer" = {
public = true;
sharePath = "/media/nas/main/3d_printer";
};
Backup = {
public = true;
sharePath = "/media/nas/main/backup";
};
Documents = {
public = true;
sharePath = "/media/nas/main/documents";
};
isos = {
public = true;
sharePath = "/media/nas/main/isos";
};
TimeMachine = {
public = false;
sharePath = "/media/nas/main/timemachine";
enableTimeMachine = true;
timeMachineMaxSize = "1T";
};
app_data = {
public = true;
sharePath = "/media/nas/ssd/ssd_app_data";
};
nix-config = {
public = true;
sharePath = "/home/matt/nix-config";
};
};
};
}

36
systems/x86_64-linux/nas/sensors.txt Executable file
View File

@@ -0,0 +1,36 @@
Common Settings:
INTERVAL=10
Settings of hwmon6/pwm5: -- chipset?
Depends on hwmon6/temp9_input
Controls hwmon6/fan5_input
MINTEMP=20
MAXTEMP=60
MINSTART=16
MINSTOP=14
MINPWM=14
Settings of hwmon6/pwm4: -- case?
Depends on hwmon2/temp1_input
Controls hwmon6/fan4_input
MINTEMP=20
MAXTEMP=90
MINSTART=60
MINSTOP=45
Settings of hwmon6/pwm3: -- cpu?
Depends on hwmon2/temp1_input
Controls hwmon6/fan3_input
MINTEMP=20
MAXTEMP=90
MINSTART=150
MINSTOP=0
MAXPWM=30
Settings of hwmon6/pwm2: -- cpu?
Depends on hwmon2/temp1_input
Controls hwmon6/fan2_input
MINTEMP=20
MAXTEMP=90
MINSTART=105
MINSTOP=0

367
systems/x86_64-linux/nas/services.nix Executable file
View File

@@ -0,0 +1,367 @@
{ pkgs, config, ... }:
let
enableDisplayManager = false;
in
{
imports = [ ./nix-serve.nix ];
# Services configs
services = {
code-server = {
enable = true;
disableTelemetry = true;
disableUpdateCheck = true;
user = "admin";
group = "jallen-nas";
host = "0.0.0.0";
port = 4444;
auth = "none";
hashedPassword = "$y$j9T$EkPXmsmIMFFZ.WRrBYCxS1$P0kwo6e4.WM5DsqUcEqWC3MrZp5KfCjxffraMFZWu06";
extraEnvironment = {
PROXY_DOMAIN = "code.mjallen.dev";
};
};
minecraft-server = {
enable = false;
eula = true;
declarative = true;
openFirewall = true;
dataDir = "/media/nas/ssd/ssd_app_data/minecraft";
serverProperties = {
enforce-whitelist = true;
white-list = true;
"enable-rcon" = true;
"rcon.password" = config.sops.secrets."jallen-nas/admin_password".path;
};
whitelist = {
mjallen18 = "03d9fba9-4453-4ad1-afa6-c67738685189";
AlpineScent = "76ff084d-2e66-4877-aec2-d6b278431bda";
Fortltude = "61a01913-8b10-4d64-b7ce-7958088cd6d3";
SpicyNick = "8bb5976f-6fd9-4fa5-8697-6ecb4ee38427";
};
jvmOpts = "-Xms4092M -Xmx4092M -XX:+UseG1GC -XX:ParallelGCThreads=2 -XX:MinHeapFreeRatio=5 -XX:MaxHeapFreeRatio=10";
};
udisks2.enable = true;
# Enable the Desktop Environment.
desktopManager.plasma6.enable = enableDisplayManager;
displayManager = {
sddm.enable = enableDisplayManager;
defaultSession = "plasma";
};
gnome.gnome-keyring.enable = true;
# Enable RDP
xrdp = {
enable = true;
openFirewall = true;
};
avahi = {
enable = true;
nssmdns4 = true;
publish = {
enable = true;
addresses = true;
domain = true;
hinfo = true;
userServices = true;
workstation = true;
};
extraServiceFiles = {
# TODO is this needed?
smb = ''
<?xml version="1.0" standalone='no'?><!--*-nxml-*-->
<!DOCTYPE service-group SYSTEM "avahi-service.dtd">
<service-group>
<name replace-wildcards="yes">%h</name>
<service>
<type>_smb._tcp</type>
<port>445</port>
</service>
</service-group>
'';
};
};
tailscale = {
enable = true;
openFirewall = true;
useRoutingFeatures = "client";
extraUpFlags = [
"--advertise-exit-node"
"--accept-dns=false"
"--advertise-routes=10.0.1.0/24"
"--hostname=jallen-nas"
];
extraSetFlags = [
"--advertise-exit-node"
"--hostname=jallen-nas"
"--webclient"
];
# authKeyFile = "/media/nas/ssd/nix-app-data/tailscale/auth";
};
btrfs = {
autoScrub.enable = false;
autoScrub.fileSystems = [
"/nix"
"/root"
"/etc"
"/var/log"
"/home"
"/media/nas/ssd/nix-app-data"
"/media/nas/ssd/ssd_app_data"
"/media/nas/ssd/mariadb"
"/media/nas/main/3d_printer"
"/media/nas/main/backup"
"/media/nas/main/documents"
"/media/nas/main/nextcloud"
"/media/nas/main/movies"
"/media/nas/main/tv"
"/media/nas/main/isos"
];
};
authentik = {
enable = true;
environmentFile = config.sops.secrets."jallen-nas/authentik-env".path;
};
# nixai = {
# enable = true;
# mcp = {
# enable = true;
# # Optional: custom socket path
# socketPath = "/run/nixai/mcp.sock";
# };
# };
postgresql = {
enable = true;
package = pkgs.postgresql_16;
dataDir = "/media/nas/ssd/nix-app-data/postgresql";
ensureDatabases = [ "authentik" ];
ensureUsers = [
{
name = "authentik";
ensureDBOwnership = true;
}
];
};
redis = {
servers = {
authentik = {
enable = true;
port = 6379;
};
manyfold = {
enable = true;
port = 6380;
};
};
};
restic.server = {
enable = true;
dataDir = "/media/nas/main/backup/restic";
prometheus = true;
listenAddress = "0.0.0.0:8008";
htpasswd-file = "/media/nas/main/backup/restic/.htpasswd";
};
};
systemd.user.services = {
protonmail-bridge = {
description = "Protonmail Bridge";
enable = true;
environment = {
GNUPGHOME = "%h/.gnupg";
PASSWORD_STORE_DIR = "%h/.password-store";
};
script = "${pkgs.protonmail-bridge}/bin/protonmail-bridge --noninteractive";
path = [
pkgs.gnome-keyring
pkgs.gnupg
pkgs.pass
pkgs.protonmail-bridge
];
wantedBy = [ "default.target" ];
after = [ "gpg-agent.service" ];
};
};
# TODO move to normal samba settings
services.samba.settings.global = {
"workgroup" = "WORKGROUP";
"server string" = "Jallen-NAS";
"netbios name" = "Jallen-NAS";
"security" = "user";
#"use sendfile" = "yes";
#"max protocol" = "smb2";
# note: localhost is the ipv6 localhost ::1
"hosts allow" = "10.0.1. 127.0.0.1 localhost";
"hosts deny" = "0.0.0.0/0";
"guest account" = "nobody";
"map to guest" = "bad user";
};
systemd.services = {
btrfs-balance = {
description = "BTRFS Balance Service";
# This ensures the service only runs when the filesystem is mounted
requires = [ "local-fs.target" ];
after = [ "local-fs.target" ];
# The actual balance command
script = ''
# Start with lower usage to handle the most fragmented blocks first
${pkgs.btrfs-progs}/bin/btrfs balance start -dusage=5 -musage=5 /mount/point
${pkgs.btrfs-progs}/bin/btrfs balance start -dusage=10 -musage=10 /mount/point
${pkgs.btrfs-progs}/bin/btrfs balance start -dusage=20 -musage=20 /mount/point
'';
serviceConfig = {
Type = "oneshot";
Nice = 19; # Lowest CPU priority
IOSchedulingClass = "idle"; # Lowest I/O priority
# Prevent multiple instances from running simultaneously
ExecStartPre = "${pkgs.coreutils}/bin/rm -f /var/run/btrfs-balance.stamp";
ExecStopPost = "${pkgs.coreutils}/bin/touch /var/run/btrfs-balance.stamp";
};
};
system-update-check = {
description = "Check for system configuration updates";
# Required packages for the service
path = with pkgs; [
git
nixos-rebuild
openssh
];
# Service configuration
serviceConfig = {
Type = "oneshot";
User = "root";
WorkingDirectory = "/etc/nixos"; # Adjust this path to your config location
};
# The script that runs to check for updates
script = ''
# Store the current commit hash
OLD_HASH=$(git rev-parse HEAD)
# Fetch updates from remote
git fetch origin main # Adjust branch name if needed
# Get the new commit hash
NEW_HASH=$(git rev-parse origin/main)
# If there are changes, pull and rebuild
if [ "$OLD_HASH" != "$NEW_HASH" ]; then
echo "Updates found, pulling changes..."
git pull origin main
# Get commit message and timestamp for the tag
COMMIT_MSG=$(git log -1 --pretty=%B | head -n1 | tr -dc '[:alnum:][:space:]-' | tr '[:space:]' '-')
TIMESTAMP=$(date +%Y%m%d-%H%M)
SHORT_HASH=$(git rev-parse --short HEAD)
# Create a profile name using the timestamp, short hash, and commit message
PROFILE_NAME="$TIMESTAMP-$SHORT_HASH-$COMMIT_MSG"
# Rebuild the system
nixos-rebuild boot --profile-name "$PROFILE_NAME"
echo "System rebuilt with profile: $PROFILE_NAME"
else
echo "No updates found"
fi
'';
};
rsync-ssd = {
path = [
pkgs.bash
pkgs.rsync
];
script = ''
rsync -rtpogvPlHzs --ignore-existing /media/nas/ssd /media/nas/main/backup/ssd
'';
};
glances-server = {
path = [
pkgs.bash
pkgs.glances
];
script = ''
glances -w
'';
wantedBy = [ "multi-user.target" ];
};
hd-idle = {
enable = false;
environment = {
HD_IDLE_OPTS = "-a /dev/disk/by-id/ata-Samsung_SSD_860_EVO_500GB_S3Z1NW0KA10457X,/dev/disk/by-id/ata-SSD2SC240G1SA754D117-820_PNY29140000558890457,/dev/disk/by-id/ata-ST3000DM007-1WY10G_ZFN28XXS,/dev/disk/by-id/ata-ST3000DM007-1WY10G_ZFQ052KN,/dev/disk/by-id/ata-ST3000DM007-1WY10G_ZFQ052NN,/dev/disk/by-id/ata-ST3000VN007-2E4166_Z731JVZJ,/dev/disk/by-id/ata-ST4000VN008-2DR166_ZDHBNBGP,/dev/disk/by-id/ata-ST8000AS0002-1NA17Z_Z8411RMB";
};
path = [
pkgs.bash
pkgs.hd-idle
];
script = ''
hd-idle $HD_IDLE_OPTS
'';
serviceConfig = {
Type = "oneshot";
};
};
};
security.pam.services.login.enableGnomeKeyring = true;
# Configure gpg-agent to cache keys
programs.gnupg.agent = {
enable = true;
enableSSHSupport = true;
# Set how long to cache the passphrase (in seconds)
# defaultCacheTtl = 34560;
# maxCacheTtl = 34560;
};
# Create a timer to run the service periodically
systemd.timers = {
btrfs-balance = {
description = "Timer for BTRFS Balance Service";
wantedBy = [ "timers.target" ];
timerConfig = {
# Run weekly on Sunday at 2am
OnCalendar = "Sun *-*-* 02:00:00";
# Add randomized delay to prevent multiple systems from starting at exactly the same time
RandomizedDelaySec = "1h";
# Ensure we don't start multiple times if the system was off
Persistent = true;
};
};
system-update-check = {
description = "Timer for system configuration updates";
wantedBy = [ "timers.target" ];
# Timer configuration
timerConfig = {
OnCalendar = "daily"; # Check every day
Persistent = true; # Run immediately if last run was missed
Unit = "system-update-check.service";
};
};
};
}

5
systems/x86_64-linux/nas/settings.nix Normal file
View File

@@ -0,0 +1,5 @@
{
username = "admin";
hostAddress = "10.0.1.3";
hostName = "jallen-nas";
}

276
systems/x86_64-linux/nas/sops.nix Executable file
View File

@@ -0,0 +1,276 @@
{ config, ... }:
let
user = "nix-apps";
in
{
# Permission modes are in octal representation (same as chmod),
# the digits represent: user|group|others
# 7 - full (rwx)
# 6 - read and write (rw-)
# 5 - read and execute (r-x)
# 4 - read only (r--)
# 3 - write and execute (-wx)
# 2 - write only (-w-)
# 1 - execute only (--x)
# 0 - none (---)
# Either a user id or group name representation of the secret owner
# It is recommended to get the user name from `config.users.users.<?name>.name` to avoid misconfiguration
# Either the group id or group name representation of the secret group
# It is recommended to get the group name from `config.users.users.<?name>.group` to avoid misconfiguration
sops = {
defaultSopsFile = ../../secrets/nas-secrets.yaml;
age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
# ------------------------------
# Secrets
# ------------------------------
secrets = {
"jallen-nas/admin_password" = {
neededForUsers = true;
mode = "0600";
owner = config.users.users."${user}".name;
group = config.users.users."${user}".group;
};
"wifi" = {
sopsFile = ../../secrets/secrets.yaml;
};
# ------------------------------
# ups
# ------------------------------
"jallen-nas/ups_password" = {
mode = "0777";
restartUnits = [
"upsdrv.service"
"upsd.service"
"ups-killpower.service"
"upsmon.service"
];
};
# ------------------------------
# SSH keys
# ------------------------------
"ssh-keys-public/jallen-nas-root" = {
sopsFile = ../../secrets/secrets.yaml;
path = "/root/.ssh/id_ed25519.pub";
mode = "0640";
};
"ssh-keys-private/jallen-nas-root" = {
sopsFile = ../../secrets/secrets.yaml;
path = "/root/.ssh/id_ed25519";
mode = "0600";
};
# ------------------------------
# authentik
# ------------------------------
"jallen-nas/authentik-env" = {
restartUnits = [ "authentik.service" ];
};
# ------------------------------
# collabora # TODO
# ------------------------------
"jallen-nas/collabora" = {
restartUnits = [ "podman-collabora.service" ];
};
# ------------------------------
# mariadb # TODO
# ------------------------------
"jallen-nas/mariadb/db_pass" = {
restartUnits = [ "podman-mariadb.service" ];
};
"jallen-nas/mariadb/root_pass" = {
restartUnits = [ "podman-mariadb.service" ];
};
# ------------------------------
# nextcloud
# ------------------------------
"jallen-nas/nextcloud/dbpassword" = {
mode = "0650";
owner = config.users.users."${user}".name;
group = config.users.users."${user}".group;
restartUnits = [ "container@nextcloud.service" ];
};
"jallen-nas/nextcloud/adminpassword" = {
mode = "0650";
owner = config.users.users."${user}".name;
group = config.users.users."${user}".group;
restartUnits = [ "container@nextcloud.service" ];
};
"jallen-nas/nextcloud/smtp_settings" = {
mode = "0650";
owner = config.users.users."${user}".name;
group = config.users.users."${user}".group;
restartUnits = [ "container@nextcloud.service" ];
};
# ------------------------------
# onlyoffice
# ------------------------------
"jallen-nas/onlyoffice-key" = {
mode = "0650";
owner = config.users.users."${user}".name;
group = config.users.users."${user}".group;
restartUnits = [ "container@nextcloud.service" ];
};
# ------------------------------
# manyfold
# ------------------------------
"jallen-nas/manyfold/secretkeybase" = {
restartUnits = [ "podman-manyfold.service" ];
};
# ------------------------------
# immich
# ------------------------------
"jallen-nas/immich/db-password" = {
mode = "0440";
group = "keys";
restartUnits = [ "container@immich.service" ];
};
# ------------------------------
# open-webui
# ------------------------------
"jallen-nas/open-webui" = {
restartUnits = [ "open-webui.service" ];
};
# ------------------------------
# paperless
# ------------------------------
"jallen-nas/paperless/secret" = {
restartUnits = [ "container@paperless.service" ];
};
"jallen-nas/paperless/authentik-client-id" = {
restartUnits = [ "container@paperless.service" ];
};
"jallen-nas/paperless/authentik-client-secret" = {
restartUnits = [ "container@paperless.service" ];
};
# ------------------------------
# Gitea
# ------------------------------
"jallen-nas/gitea/mail-key" = {
owner = "root";
group = "keys";
mode = "0440";
restartUnits = [ "container@gitea.service" ];
};
"jallen-nas/gitea/metrics-key" = {
owner = "root";
group = "keys";
mode = "0440";
restartUnits = [ "container@gitea.service" ];
};
# ------------------------------
# free-games-claimer
# ------------------------------
"jallen-nas/free-games/eg-email" = { };
"jallen-nas/free-games/eg-pass" = { };
"jallen-nas/free-games/eg-otp" = { };
"jallen-nas/free-games/pg-email" = { };
"jallen-nas/free-games/pg-pass" = { };
"jallen-nas/free-games/gog-email" = { };
"jallen-nas/free-games/gog-pass" = { };
# ------------------------------
# Secureboot keys
# ------------------------------
"secureboot/GUID" = {
sopsFile = ../../secrets/secrets.yaml;
path = "/etc/secureboot/GUID";
mode = "0640";
};
"secureboot/keys/db-key" = {
sopsFile = ../../secrets/secrets.yaml;
path = "/etc/secureboot/keys/db/db.key";
mode = "0640";
};
"secureboot/keys/db-pem" = {
sopsFile = ../../secrets/secrets.yaml;
path = "/etc/secureboot/keys/db/db.pem";
mode = "0640";
};
"secureboot/keys/KEK-key" = {
sopsFile = ../../secrets/secrets.yaml;
path = "/etc/secureboot/keys/KEK/KEK.key";
mode = "0640";
};
"secureboot/keys/KEK-pem" = {
sopsFile = ../../secrets/secrets.yaml;
path = "/etc/secureboot/keys/KEK/KEK.pem";
mode = "0640";
};
"secureboot/keys/PK-key" = {
sopsFile = ../../secrets/secrets.yaml;
path = "/etc/secureboot/keys/PK/PK.key";
mode = "0640";
};
"secureboot/keys/PK-pem" = {
sopsFile = ../../secrets/secrets.yaml;
path = "/etc/secureboot/keys/PK/PK.pem";
mode = "0640";
};
"jallen-nas/attic-key" = {
# owner = "atticd";
};
};
# ------------------------------
# Templates
# ------------------------------
templates = {
"fgc.env" = {
content = ''
EG_EMAIL = ${config.sops.placeholder."jallen-nas/free-games/eg-email"}
EG_PASSWORD = ${config.sops.placeholder."jallen-nas/free-games/eg-pass"}
EG_OTPKEY = ${config.sops.placeholder."jallen-nas/free-games/eg-otp"}
PG_EMAIL = ${config.sops.placeholder."jallen-nas/free-games/pg-email"}
PG_PASSWORD = ${config.sops.placeholder."jallen-nas/free-games/pg-pass"}
GOG_EMAIL = ${config.sops.placeholder."jallen-nas/free-games/gog-email"}
GOG_PASSWORD = ${config.sops.placeholder."jallen-nas/free-games/gog-pass"}
'';
mode = "0650";
owner = config.users.users."${user}".name;
group = config.users.users."${user}".group;
restartUnits = [ "podman-free-games-claimer.service" ];
};
"paperless.env" = {
content = ''
PAPERLESS_URL = "https://paperless.jallen.dev"
PAPERLESS_SECRET = ${config.sops.placeholder."jallen-nas/paperless/secret"}
PAPERLESS_ENABLE_ALLAUTH = true
PAPERLESS_APPS = "allauth.socialaccount.providers.openid_connect"
PAPERLESS_SOCIALACCOUNT_PROVIDERS = {"openid_connect":{"OAUTH_PKCE_ENABLED":true,"APPS":[{"provider_id":"authentik","name":"authentik","client_id":"${config.sops.placeholder."jallen-nas/paperless/authentik-client-id"}","secret":"${config.sops.placeholder."jallen-nas/paperless/authentik-client-secret"}","settings":{"server_url":"https://authentik.mjallen.dev/application/o/paperless/.well-known/openid-configuration"}}]}}
'';
mode = "0650";
owner = config.users.users."${user}".name;
group = config.users.users."${user}".group;
restartUnits = [ "container@paperless.service" ];
};
};
};
}

52
systems/x86_64-linux/nas/ups.nix Executable file
View File

@@ -0,0 +1,52 @@
{ config, ... }:
let
enableUps = true;
upsName = "nas-ups";
upsUser = "nas-admin";
in
{
power.ups = {
enable = enableUps;
openFirewall = enableUps;
mode = "netserver";
ups = {
"${upsName}" = {
description = "NAS UPS";
driver = "usbhid-ups";
port = "auto";
};
};
users."${upsUser}" = {
passwordFile = config.sops.secrets."jallen-nas/ups_password".path;
actions = [ "ALL" ];
instcmds = [ "ALL" ];
upsmon = "primary";
};
upsmon = {
enable = enableUps;
monitor."${upsName}" = {
passwordFile = config.sops.secrets."jallen-nas/ups_password".path;
user = upsUser;
};
};
upsd = {
enable = enableUps;
listen = [
{
address = "0.0.0.0";
port = 3493;
}
];
};
};
services = {
apcupsd = {
enable = true;
};
};
}

96
systems/x86_64-linux/nas/users.nix Executable file
View File

@@ -0,0 +1,96 @@
{ pkgs, config, ... }:
let
user = "admin";
passwordFile = config.sops.secrets."jallen-nas/admin_password".path;
in
{
# Define a user account. Don't forget to set a password with passwd.
users = {
# See https://search.nixos.org/options?channel=unstable&show=users.mutableUsers&from=0&size=50&sort=relevance&type=packages&query=users.users
mutableUsers = false;
groups.jallen-nas.gid = 1000; # create nas group cause truenas perms
# Admin account
users."${user}" = {
isNormalUser = true;
linger = true;
extraGroups = [
"wheel"
"networkmanager"
"docker"
"podman"
"libvirtd"
"nix-apps"
"jallen-nas"
"media"
"nscd"
"grafana"
"traefik"
"avahi"
"62900"
"1001"
];
hashedPasswordFile = passwordFile;
shell = pkgs.zsh;
packages = with pkgs; [
cachix
fastfetch
git
parted
aspell
aspellDicts.en
aspellDicts.en-computers
aspellDicts.en-science
aha
papirus-icon-theme
firefox
swtpm
tigervnc
];
openssh.authorizedKeys.keys = [
# macBook
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCw9zq8DLGByI5v2gAn95hKNyOsm3g61a2buxu2BBMFysQJgmZPCCLUqRJKhSM5Vm/JOgsAmdpRBRZQoHD+6S844CJHb4v4VIbjkyQgYCuM7Rst2IOZ5QybvsA2/D0nwytZ+HXQqDj2AagUYDbz0gyyIHkDQ5YGBMkvkWz/h1Vci6aoBM7VihEDM4KlWoTVuPeASGM8r5IZ2FS83Djbqo4ov6AYvLMrKB9Z7hmFgH6R3LE0gxOkzbGVXtSuvJyrjvgytoT22UhATjjxSQ9D+YJXXkQoB3lUdg8OoIquUPjMZpl4mR8ffvseWPfcvD1XlD5t+TOHFqKpESO547tlOBYhdpew+NSgAXpamCU6oyV8tDCywLQu2ucxHRn78u6WXzWHkDtffdhzmk6TZaPhWqVHuTGjR4higBgGqUfSaKOMszt+FDRZAr3HtuQ2+zJ8bowK9fW5OqilTtK2HtQqroD9ApegDNbqOz6kGy5IycSXvqPURy/M4lxZxbtBPuemcJs= mattjallen@MacBook-Pro.local"
# desktop windows
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDZ2PYPjZddOzR8OJj16G88KcUhCDLkvrEmpUQP0wKHDUuA27HQQ2ORo66asadwGHY3k1VDZ1ei9l9H++SIIeKOaaUr5yZdktvj4POUNtbd9ZhcS7sZU7BSF+NMDM+h3tImh6z0S7mWvRQOUv3ZM+ZER+5xTWJVG1OOJEpb1drxJk6Qz0wbZKSR7TPNFBLLXlVy7hkNYf07RtDyhCCxNB3hJfa8c+oztnWumwDhDQWLqiUXWIU2QH6iRLGl/WYnujtNvVVaV/Hn3JJkS6MM9dnV3cpoIO0+J7+WfsN9rZ0wXt5yY3GhiGXwmcO5eYVli8lHlLWtK7aYSETyry6CBsLbojzOQO5rSqhpwfF2njAAFAQU0UjLc8PahisIuFKCwHH4iyXXOagiv5K1Mc/0Ak+WhhMPee6vV2p7NTyNpXRvouDbWy5cSRH31WgQ9fK5mIGe5v8nGGqtEhUubUkiOgP+H3UbT2V/nTv/TFKdJcKw+WmizvTrxBmaMjWALlkYl+s= mattl@Jallen-PC"
# desktop nixos
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPTBMydhOc6SnOdB5WrEd7X07DrboAtagCUgXiOJjLov matt@matt-nixos"
];
};
# Nix app account
users.nix-apps = {
isSystemUser = true;
uid = 911;
group = "jallen-nas";
extraGroups = [
"jallen-nas"
"docker"
"podman"
];
hashedPasswordFile = passwordFile;
};
groups.nut.name = "nut";
users.upsuser = {
group = "nut";
isNormalUser = false;
isSystemUser = true;
createHome = true;
home = "/var/lib/nut";
homeMode = "750";
hashedPasswordFile = passwordFile;
};
users.nextcloud = {
isNormalUser = true;
extraGroups = [
"jallen-nas"
"nix-apps"
];
hashedPasswordFile = passwordFile;
};
users.root.shell = pkgs.zsh;
};
}

58
systems/x86_64-linux/nuc/boot.nix Executable file
View File

@@ -0,0 +1,58 @@
{ pkgs, ... }:
let
configLimit = 20;
kernel = pkgs.linuxPackages_latest;
in
{
# Configure bootloader with lanzaboot and secureboot
boot = {
kernelModules = [ "nct6775" ];
loader = {
systemd-boot = {
enable = true;
configurationLimit = configLimit;
};
efi = {
canTouchEfiVariables = true;
efiSysMountPoint = "/boot";
};
};
lanzaboote = {
enable = false;
pkiBundle = "/etc/secureboot";
settings = {
console-mode = "max";
};
configurationLimit = configLimit;
};
# Override kernel to latest
kernelPackages = kernel;
kernelParams = [
"nohibernate"
];
consoleLogLevel = 3;
bootspec.enable = true;
initrd = {
kernelModules = [
# "tpm"
# "tpm_tis"
# "tpm_crb"
# "tpm_infineon"
];
systemd = {
enable = true;
tpm2.enable = true;
};
};
};
zramSwap = {
enable = true;
};
}

57
systems/x86_64-linux/nuc/configuration.nix Normal file
View File

@@ -0,0 +1,57 @@
{
config,
pkgs,
lib,
inputs,
...
}:
{
imports = [
./boot.nix
./networking.nix
./users.nix
./sops.nix
../../modules/homeassistant/homeassistant.nix
];
security.tpm2 = {
enable = true;
};
# Enable nix flakes and nix-command tools
nix = {
settings = {
substituters = [
"https://nix-community.cachix.org"
"https://cache.nixos.org/"
];
trusted-public-keys = [
"nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
];
warn-dirty = lib.mkForce false;
experimental-features = lib.mkForce [
"nix-command"
"flakes"
];
trusted-users = [ "@wheel" ];
};
# Garbage collect automatically every week
gc.automatic = lib.mkDefault true;
gc.options = lib.mkDefault "--delete-older-than 30d";
optimise.automatic = lib.mkDefault true;
};
# Nixpkgs configuration
nixpkgs = {
config = {
allowUnfree = lib.mkForce true;
allowUnsupportedSystem = true;
permittedInsecurePackages = [
# ...
];
};
};
}

15
systems/x86_64-linux/nuc/home.nix Executable file
View File

@@ -0,0 +1,15 @@
{ pkgs,... }:
let
shellAliases = {
update-boot = "sudo nixos-rebuild boot --max-jobs 10";
update-switch = "sudo nixos-rebuild switch --max-jobs 10";
update-flake = "nix flake update nas-nixpkgs nas-authentik-nix nas-cosmic nas-crowdsec nas-home-manager nas-impermanence nas-lanzaboote nas-nixos-hardware nas-sops-nix --flake /etc/nixos";
};
in
{
home.username = "admin";
programs = {
zsh.shellAliases = shellAliases;
};
}

37
systems/x86_64-linux/nuc/impermanence.nix Executable file
View File

@@ -0,0 +1,37 @@
{ ... }:
{
# Set up impernance configuration for things like bluetooth
# In this configuration with /etc and /var/log being persistent, only directories outside of that need to be done here. See hardware configuration for all mountpoints.
environment.persistence."/nix/persist/system" = {
hideMounts = true;
directories = [
"/var/lib/bluetooth"
"/var/lib/nixos"
"/var/lib/tailscale"
"/var/lib/homeassistant"
"/var/lib/mosquitto"
"/var/lib/music-assistant"
"/var/lib/postgresql"
"/var/lib/zigbee2mqtt"
"/var/lib/systemd/coredump"
"/etc/NetworkManager/system-connections"
"/etc/secureboot"
{
directory = "/var/lib/private";
mode = "u=rwx,g=rx,o=";
}
{
directory = "/var/lib/colord";
user = "colord";
group = "colord";
mode = "u=rwx,g=rx,o=";
}
];
};
security.sudo.extraConfig = ''
# rollback results in sudo lectures after each reboot
Defaults lecture = never
'';
}

60
systems/x86_64-linux/nuc/networking.nix Executable file
View File

@@ -0,0 +1,60 @@
{ config, ... }:
let
# settings = import ./settings.nix;
ports = [
8192
];
in
{
# Networking configs
networking = {
hostName = "nuc-nixos";#settings.hostName;
useNetworkd = true;
# Disable Network Manager
networkmanager = {
enable = true;
ensureProfiles = {
environmentFiles = [
config.sops.secrets.wifi.path
];
profiles = {
"Joey's Jungle 6G" = {
connection = {
id = "Joey's Jungle 6G";
type = "wifi";
};
ipv4 = {
address1 = "10.0.1.4/24";
dns = "10.0.1.1";
gateway = "10.0.1.1";
method = "manual";
};
ipv6 = {
addr-gen-mode = "stable-privacy";
method = "auto";
};
wifi = {
mode = "infrastructure";
ssid = "Joey's Jungle 6G";
};
wifi-security = {
key-mgmt = "sae";
psk = "$PSK";
};
};
};
};
};
firewall = {
enable = true;
allowPing = true;
allowedTCPPorts = ports;
allowedUDPPorts = ports;
};
};
}

81
systems/x86_64-linux/nuc/sops.nix Executable file
View File

@@ -0,0 +1,81 @@
{ config, ... }:
let
user = "nix-apps";
in
{
# Permission modes are in octal representation (same as chmod),
# the digits represent: user|group|others
# 7 - full (rwx)
# 6 - read and write (rw-)
# 5 - read and execute (r-x)
# 4 - read only (r--)
# 3 - write and execute (-wx)
# 2 - write only (-w-)
# 1 - execute only (--x)
# 0 - none (---)
# Either a user id or group name representation of the secret owner
# It is recommended to get the user name from `config.users.users.<?name>.name` to avoid misconfiguration
# Either the group id or group name representation of the secret group
# It is recommended to get the group name from `config.users.users.<?name>.group` to avoid misconfiguration
sops = {
defaultSopsFile = ../../secrets/nuc-secrets.yaml;
age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
# ------------------------------
# Secrets
# ------------------------------
secrets = {
"wifi" = {
sopsFile = ../../secrets/secrets.yaml;
};
# ------------------------------
# Secureboot keys
# ------------------------------
"secureboot/GUID" = {
sopsFile = ../../secrets/secrets.yaml;
path = "/etc/secureboot/GUID";
mode = "0640";
};
"secureboot/keys/db-key" = {
sopsFile = ../../secrets/secrets.yaml;
path = "/etc/secureboot/keys/db/db.key";
mode = "0640";
};
"secureboot/keys/db-pem" = {
sopsFile = ../../secrets/secrets.yaml;
path = "/etc/secureboot/keys/db/db.pem";
mode = "0640";
};
"secureboot/keys/KEK-key" = {
sopsFile = ../../secrets/secrets.yaml;
path = "/etc/secureboot/keys/KEK/KEK.key";
mode = "0640";
};
"secureboot/keys/KEK-pem" = {
sopsFile = ../../secrets/secrets.yaml;
path = "/etc/secureboot/keys/KEK/KEK.pem";
mode = "0640";
};
"secureboot/keys/PK-key" = {
sopsFile = ../../secrets/secrets.yaml;
path = "/etc/secureboot/keys/PK/PK.key";
mode = "0640";
};
"secureboot/keys/PK-pem" = {
sopsFile = ../../secrets/secrets.yaml;
path = "/etc/secureboot/keys/PK/PK.pem";
mode = "0640";
};
};
# ------------------------------
# Templates
# ------------------------------
templates = {
#
};
};
}

40
systems/x86_64-linux/nuc/users.nix Executable file
View File

@@ -0,0 +1,40 @@
{ pkgs, config, ... }:
let
user = "admin";
# passwordFile = config.sops.secrets."jallen-nas/admin_password".path;
in
{
# Define a user account. Don't forget to set a password with passwd.
users = {
# See https://search.nixos.org/options?channel=unstable&show=users.mutableUsers&from=0&size=50&sort=relevance&type=packages&query=users.users
mutableUsers = false;
# Admin account
users."${user}" = {
isNormalUser = true;
linger = true;
extraGroups = [
"wheel"
"networkmanager"
"docker"
"podman"
"libvirtd"
];
# hashedPasswordFile = passwordFile;
password = "BogieDudie1";
shell = pkgs.zsh;
packages = with pkgs; [
];
openssh.authorizedKeys.keys = [
# macBook
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCw9zq8DLGByI5v2gAn95hKNyOsm3g61a2buxu2BBMFysQJgmZPCCLUqRJKhSM5Vm/JOgsAmdpRBRZQoHD+6S844CJHb4v4VIbjkyQgYCuM7Rst2IOZ5QybvsA2/D0nwytZ+HXQqDj2AagUYDbz0gyyIHkDQ5YGBMkvkWz/h1Vci6aoBM7VihEDM4KlWoTVuPeASGM8r5IZ2FS83Djbqo4ov6AYvLMrKB9Z7hmFgH6R3LE0gxOkzbGVXtSuvJyrjvgytoT22UhATjjxSQ9D+YJXXkQoB3lUdg8OoIquUPjMZpl4mR8ffvseWPfcvD1XlD5t+TOHFqKpESO547tlOBYhdpew+NSgAXpamCU6oyV8tDCywLQu2ucxHRn78u6WXzWHkDtffdhzmk6TZaPhWqVHuTGjR4higBgGqUfSaKOMszt+FDRZAr3HtuQ2+zJ8bowK9fW5OqilTtK2HtQqroD9ApegDNbqOz6kGy5IycSXvqPURy/M4lxZxbtBPuemcJs= mattjallen@MacBook-Pro.local"
# desktop windows
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDZ2PYPjZddOzR8OJj16G88KcUhCDLkvrEmpUQP0wKHDUuA27HQQ2ORo66asadwGHY3k1VDZ1ei9l9H++SIIeKOaaUr5yZdktvj4POUNtbd9ZhcS7sZU7BSF+NMDM+h3tImh6z0S7mWvRQOUv3ZM+ZER+5xTWJVG1OOJEpb1drxJk6Qz0wbZKSR7TPNFBLLXlVy7hkNYf07RtDyhCCxNB3hJfa8c+oztnWumwDhDQWLqiUXWIU2QH6iRLGl/WYnujtNvVVaV/Hn3JJkS6MM9dnV3cpoIO0+J7+WfsN9rZ0wXt5yY3GhiGXwmcO5eYVli8lHlLWtK7aYSETyry6CBsLbojzOQO5rSqhpwfF2njAAFAQU0UjLc8PahisIuFKCwHH4iyXXOagiv5K1Mc/0Ak+WhhMPee6vV2p7NTyNpXRvouDbWy5cSRH31WgQ9fK5mIGe5v8nGGqtEhUubUkiOgP+H3UbT2V/nTv/TFKdJcKw+WmizvTrxBmaMjWALlkYl+s= mattl@Jallen-PC"
# desktop nixos
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPTBMydhOc6SnOdB5WrEd7X07DrboAtagCUgXiOJjLov matt@matt-nixos"
];
};
users.root.shell = pkgs.zsh;
};
}