move stuff

This commit is contained in:
mjallen18
2025-08-26 17:20:27 -05:00
parent f66c0726b0
commit d15762b199
68 changed files with 24 additions and 25 deletions


@@ -0,0 +1,156 @@
{ namespace, ... }:
{
${namespace} = {
services = {
# Existing properly namespaced services
immich.enable = true;
jellyfin.enable = true;
jellyseerr.enable = true;
lubelogger.enable = true;
nextcloud.enable = true;
ollama.enable = true;
paperless.enable = true;
traefik.enable = true;
wyoming.enable = true;
# Newly migrated services
actual = {
enable = true;
port = 3333;
localAddress = "10.0.3.18";
dataDir = "/media/nas/main/nix-app-data/actual";
reverseProxy = {
enable = true;
host = "actual.mjallen.dev";
middlewares = [
"crowdsec"
"whitelist-geoblock"
];
};
};
arrs = {
enable = true;
localAddress = "10.0.1.51";
downloadsDir = "/media/nas/main/ssd_app_data/downloads";
incompleteDownloadsDir = "/media/nas/main/ssd_app_data/downloads-incomplete";
moviesDir = "/media/nas/main/movies";
tvDir = "/media/nas/main/tv";
isosDir = "/media/nas/main/isos";
radarr = {
enable = true;
port = 7878;
dataDir = "/media/nas/main/nix-app-data/radarr";
};
sonarr = {
enable = true;
port = 8989;
dataDir = "/media/nas/main/nix-app-data/sonarr";
};
sabnzbd = {
enable = true;
port = 8280;
dataDir = "/media/nas/main/nix-app-data/sabnzbd";
};
deluge = {
enable = true;
port = 8112;
};
jackett = {
enable = true;
port = 9117;
dataDir = "/media/nas/main/nix-app-data/jackett";
};
};
crowdsec = {
enable = true;
port = 9898;
apiAddress = "10.0.1.3";
apiKey = "1daH89qmJ41r2Lpd9hvDw4sxtOAtBzaj3aKFOFqE";
dataDir = "/media/nas/main/nix-app-data/crowdsec";
};
gitea = {
enable = true;
httpPort = 3000;
sshPort = 2222;
localAddress = "10.0.4.18";
dataDir = "/media/nas/main/nix-app-data/gitea";
reverseProxy = {
enable = true;
host = "gitea.mjallen.dev";
middlewares = [
"crowdsec"
"whitelist-geoblock"
];
};
};
free-games-claimer.enable = true;
manyfold.enable = true;
orca-slicer = {
enable = true;
httpPort = "3100";
httpsPort = "3101";
};
tdarr.enable = true;
authentik = {
enable = true;
port = 9000;
environmentFile = "/run/secrets/jallen-nas/authentik-env";
};
attic = {
enable = true;
port = 9012;
listenAddress = "[::]";
environmentFile = "/run/secrets/jallen-nas/attic-key";
};
protonmail-bridge = {
enable = true;
smtpPort = 1025;
imapPort = 1143;
user = "admin";
};
netbootxyz = {
enable = true;
};
glances = {
enable = true;
port = 61208;
bindAddress = "0.0.0.0";
};
code-server = {
enable = true;
port = 4444;
user = "admin";
group = "jallen-nas";
host = "0.0.0.0";
auth = "none";
hashedPassword = "$y$j9T$EkPXmsmIMFFZ.WRrBYCxS1$P0kwo6e4.WM5DsqUcEqWC3MrZp5KfCjxffraMFZWu06";
extraEnvironment = {
PROXY_DOMAIN = "code.mjallen.dev";
};
};
restic = {
enable = true;
port = 8008;
dataDir = "/media/nas/main/backup/restic";
prometheus = true;
listenAddress = "0.0.0.0";
htpasswdFile = "/media/nas/main/backup/restic/.htpasswd";
extraFlags = [ "--no-auth" ];
};
};
};
}
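Review bot: The literal `apiKey` value in the crowdsec block embeds a live credential as a Nix string, so it ends up in the world-readable Nix store and in this repository's history; the authentik and attic blocks in the same file already show the intended pattern, `environmentFile = "/run/secrets/jallen-nas/<secret>"`, so this key should move to a sops secret referenced by path and the committed value should be rotated. Two other entries widen exposure without a visible reason: code-server sets `host = "0.0.0.0"` together with `auth = "none"`, which leaves the `hashedPassword` line below it unused, and restic pairs `listenAddress = "0.0.0.0"` with `extraFlags = [ "--no-auth" ]`, which turns the `htpasswdFile` line into dead configuration. If these are meant to be reached only through traefik, binding them to a container address (the `localAddress` pattern used by actual and gitea) or dropping `--no-auth` would bring them in line with the rest of the file. Minor: orca-slicer gives `httpPort`/`httpsPort` as strings while every other port in this file is an integer.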


@@ -0,0 +1,74 @@
{
config,
lib,
pkgs,
...
}:
let
configLimit = 50;
kernel = pkgs.linuxPackages; # linuxPackages_latest;
in
{
# Configure bootloader with lanzaboot and secureboot
boot = {
kernelModules = [ "nct6775" ];
loader = {
systemd-boot = {
enable = false;
configurationLimit = configLimit;
};
efi = {
canTouchEfiVariables = true;
efiSysMountPoint = "/boot";
};
};
kernel.sysctl = {
"net.ipv4.ip_forward" = 1;
"net.ipv6.conf.all.forwarding" = 1;
"vm.swappiness" = 60;
};
# Override kernel to latest
kernelPackages = kernel;
kernelParams = [
"nohibernate"
];
consoleLogLevel = 3;
bootspec.enable = true;
plymouth.enable = lib.mkForce false;
initrd = {
kernelModules = [
"tpm"
"tpm_tis"
"tpm_crb"
"tpm_infineon"
];
systemd = {
enable = true;
# tpm2.enable = true;
tpm2.enable = true;
};
clevis = {
enable = true;
devices = {
"/dev/disk/by-label/nas_pool".secretFile = config.sops.secrets."jallen-nas/nas_pool".path;
};
};
};
# Enable binfmt emulation for ARM
binfmt.emulatedSystems = [ "aarch64-linux" ]; # --argstr system aarch64-linux
};
environment.etc."clevis/nas_pool.jwe".source = config.sops.secrets."jallen-nas/nas_pool".path;
zramSwap = {
enable = true;
};
}
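Review bot: The comment `# Override kernel to latest` above `kernelPackages = kernel;` is stale: `kernel` is bound to `pkgs.linuxPackages`, the default series, with `linuxPackages_latest` present only in a trailing comment, so it should read `# Kernel series: pkgs.linuxPackages (default); switch to linuxPackages_latest if needed`. The `# tpm2.enable = true;` line directly above the live `tpm2.enable = true;` is a leftover and can be removed. The `net.ipv4.ip_forward` / `net.ipv6.conf.all.forwarding` sysctls exist to serve the NAT block in configuration.nix; a one-line comment such as `# forwarding required by the container NAT in configuration.nix` would save the next reader the search.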


@@ -0,0 +1,121 @@
# Edit this configuration file to define what should be installed on
# your system. Help is available in the configuration.nix(5) man page, on
# https://search.nixos.org/options and in the NixOS manual (`nixos-help`).
{
pkgs,
namespace,
...
}:
{
imports = [
# Include the results of the hardware scan.
./hardware-configuration.nix
./filesystems.nix
./boot.nix
./apps.nix
./grafana.nix
./networking.nix # - moved to modules/nixos/network
./ups.nix
./users.nix
./samba.nix
./services.nix
./sops.nix
];
services.kmscon.enable = true;
powerManagement.cpuFreqGovernor = "powersave";
${namespace} = {
bootloader.lanzaboote.enable = true;
impermanence.enable = true;
desktop.cosmic.enable = false;
development = {
enable = true;
includeLanguages = [
"python"
"c"
];
includeContainers = true;
};
monitoring.enable = true;
hardware.nvidia = {
enable = true;
enableBeta = true;
enableOpen = true;
nvidiaSettings = true;
enableNvidiaDocker = true;
};
network = {
ipv4 = {
address = "10.0.1.3/24";
method = "manual";
gateway = "10.0.1.1";
interface = "wlp6s0";
};
useNetworkd = true;
hostId = "4b501480";
nat = {
enable = true;
internalInterfaces = [ "ve-+" ];
externalInterface = "wlp6s0";
enableIPv6 = true;
};
firewall = {
enable = true;
allowPing = true;
trustedInterfaces = [ "tailscale0" ];
};
};
user = {
name = "admin";
linger = true;
};
};
security.tpm2 = {
enable = true;
};
# Configure environment
environment = {
systemPackages = with pkgs; [
attic-client
bcachefs-tools
cryptsetup
clevis
deconz
duperemove
efibootmgr
ffmpeg
ipset
llama-cpp
networkmanagerapplet
nut
packagekit
pass
protonmail-bridge
protonvpn-cli
python3Packages.llama-cpp-python
qrencode
rcon
sbctl
tigervnc
tpm2-tools
tpm2-tss
];
};
# Configure programs
programs = {
virt-manager.enable = true;
coolercontrol = {
enable = true;
nvidiaSupport = true;
};
};
# Additional virtualization beyond what's in development module
virtualisation.libvirtd.enable = true;
}
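Review bot: The import `./networking.nix # - moved to modules/nixos/network` contradicts itself: the file is still imported here and still added by this commit, and its live content overlaps with the `network` block in this file (useNetworkd, hostId, nat and firewall are set here and repeated, commented out, there). Either drop the comment or finish the move by folding the port list from networking.nix into the module and removing the import. `externalInterface = "wlp6s0"` also makes a wireless interface the NAT uplink and the static LAN address is bound to it; if that is intentional for this host a short comment would help, since hardware-configuration.nix mentions a wired `enp7s0` as well.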


@@ -0,0 +1,9 @@
{ ... }:
{
fileSystems."/media/nas/main" = {
label = "nas_pool";
# device = "/dev/sde:/dev/sdf:/dev/sdh:/dev/sdi:/dev/sdj:/dev/nmve0n1:/dev/nvme1n1";
fsType = "bcachefs";
mountPoint = "/media/nas/main";
};
}
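Review bot: `mountPoint = "/media/nas/main"` repeats the attribute name; NixOS defaults `fileSystems.<name>.mountPoint` to `<name>`, so the line is redundant and can be dropped. Since the commented `# device = ...` list is kept as history, a comment stating that the pool is selected by `label = "nas_pool"` rather than by member device would make the intent explicit.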


@@ -0,0 +1,89 @@
{ config, ... }:
let
upsUser = "nas-admin";
in
{
services = {
prometheus = {
enable = true;
exporters = {
node = {
enable = true;
enabledCollectors = [
"filesystem"
"diskstats"
"meminfo"
"cpu"
"systemd" # Ensures systemd collector is enabled
"processes"
];
extraFlags = [
"--collector.filesystem.mount-points-exclude=^/(dev|proc|sys|run)($|/)"
];
};
libvirt = {
enable = false;
openFirewall = true;
};
nut = {
enable = true;
openFirewall = true;
passwordPath = config.sops.secrets."jallen-nas/ups_password".path;
nutUser = upsUser;
};
# restic = {
# enable = true;
# openFirewall = true;
# resticPort = 8008;
# };
};
scrapeConfigs = [
{
job_name = "node";
static_configs = [
{
targets = [ "localhost:${toString config.services.prometheus.exporters.node.port}" ];
}
];
}
{
job_name = "traefik";
static_configs = [
{
targets = [ "localhost:8082" ];
}
];
}
];
};
grafana = {
enable = true;
settings = {
server = {
http_port = 9999;
http_addr = "0.0.0.0";
};
};
dataDir = "/media/nas/main/nix-app-data/grafana";
provision = {
enable = true;
datasources.settings.datasources = [
{
name = "Prometheus";
type = "prometheus";
access = "proxy";
url = "http://localhost:${toString config.services.prometheus.port}";
}
];
};
};
};
# Open firewall ports for Grafana
networking.firewall = {
allowedTCPPorts = [ 9999 ];
allowedUDPPorts = [ 9999 ];
};
}
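Review bot: `allowedUDPPorts = [ 9999 ];` opens UDP for Grafana, which serves HTTP over TCP only; the dashboard is already reachable via `http_addr = "0.0.0.0"` plus `allowedTCPPorts`, so the UDP line should be removed. If Grafana is consumed through traefik like the other web services, binding `http_addr` to localhost or the host's LAN address would be the tighter choice than every interface. Nothing in this file changes Grafana's default admin credentials; if that is handled in the namespaced `monitoring` module a comment should say so, otherwise `settings.security.admin_password` should be set from a secret file rather than left at the default. The traefik scrape target `localhost:8082` is a bare constant while the node target is derived from config, so a comment naming where 8082 is configured would help.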


@@ -0,0 +1,128 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{
config,
lib,
modulesPath,
...
}:
{
imports = [ (modulesPath + "/installer/scan/not-detected.nix") ];
boot.initrd.availableKernelModules = [
"nvme"
"mpt3sas"
"xhci_pci"
"ahci"
"uas"
"sd_mod"
];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ "kvm-amd" ];
boot.extraModulePackages = [ ];
fileSystems."/" = {
device = "none";
fsType = "tmpfs";
options = [
"defaults"
"size=25%"
"mode=755"
];
};
fileSystems."/boot" = {
device = "/dev/disk/by-uuid/C6E9-7371";
fsType = "vfat";
};
fileSystems."/nix" = {
device = "/dev/disk/by-uuid/85e2fa30-816f-4457-80a1-9f88b9ab77b3";
fsType = "btrfs";
options = [
"subvol=nix"
"compress-force=zstd"
"noatime"
];
};
fileSystems."/etc" = {
device = "/dev/disk/by-uuid/85e2fa30-816f-4457-80a1-9f88b9ab77b3";
fsType = "btrfs";
options = [
"subvol=etc"
"compress-force=zstd"
"noatime"
];
};
fileSystems."/root" = {
device = "/dev/disk/by-uuid/85e2fa30-816f-4457-80a1-9f88b9ab77b3";
fsType = "btrfs";
options = [
"subvol=root"
"compress-force=zstd"
"noatime"
];
};
fileSystems."/var/log" = {
device = "/dev/disk/by-uuid/85e2fa30-816f-4457-80a1-9f88b9ab77b3";
fsType = "btrfs";
options = [
"subvol=log"
"compress-force=zstd"
"noatime"
];
};
fileSystems."/home" = {
device = "/dev/disk/by-uuid/85e2fa30-816f-4457-80a1-9f88b9ab77b3";
fsType = "btrfs";
options = [
"subvol=home"
"compress-force=zstd"
];
};
fileSystems."/tmp" = {
device = "/dev/disk/by-uuid/8e3841fc-9222-443c-af72-075dd8ac07f2";
fsType = "btrfs";
options = [
"compress-force=zstd"
"noatime"
];
};
swapDevices = [
{
device = "/dev/disk/by-id/ata-Samsung_SSD_860_EVO_500GB_S3Z1NW0KA10457X-part2";
randomEncryption.enable = true;
}
];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's
# still possible to use this option, but it's recommended to use it in conjunction
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
networking.useDHCP = lib.mkDefault true;
# networking.interfaces.docker0.useDHCP = lib.mkDefault true;
# networking.interfaces.enp7s0.useDHCP = lib.mkDefault true;
# networking.interfaces.podman0.useDHCP = lib.mkDefault true;
# networking.interfaces.veth0.useDHCP = lib.mkDefault true;
# networking.interfaces.veth1.useDHCP = lib.mkDefault true;
# networking.interfaces.veth2.useDHCP = lib.mkDefault true;
# networking.interfaces.veth3.useDHCP = lib.mkDefault true;
# networking.interfaces.veth4.useDHCP = lib.mkDefault true;
# networking.interfaces.veth5.useDHCP = lib.mkDefault true;
# networking.interfaces.veth6.useDHCP = lib.mkDefault true;
# networking.interfaces.veth7.useDHCP = lib.mkDefault true;
# networking.interfaces.vethd3ca67e.useDHCP = lib.mkDefault true;
# networking.interfaces.wlp6s0.useDHCP = lib.mkDefault true;
# networking.interfaces.wlp7s0.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
}


@@ -0,0 +1,54 @@
{ ... }:
let
ports = [
8008 # restic
9000 # authentik
2342 # grafana
51820 # wireguard
1025
1143
10200
10300
8127
9943 # onlyoffice
4000 # netbootxyz
4080 # netbootxyz
3000 # gitea
2222 # gitea ssh
3300
9898
6754 # lubelogger
2283 # immich
4444 # code-server
9012
8192
];
in
{
# Networking configs
networking = {
# useNetworkd = true;
# hostId = "4b501480";
# nat = {
# enable = true;
# internalInterfaces = [ "ve-+" ];
# externalInterface = "wlp6s0";
# # Lazy IPv6 connectivity for the container
# enableIPv6 = true;
# };
firewall = {
# enable = true;
# allowPing = true;
allowedTCPPorts = ports;
allowedUDPPorts = ports;
# # always allow traffic from your Tailscale network
# trustedInterfaces = [ "tailscale0" ];
};
};
}
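Review bot: `allowedTCPPorts = ports; allowedUDPPorts = ports;` opens every listed port on both protocols, but the annotated entries (restic, gitea, gitea ssh, grafana, immich, code-server, lubelogger, onlyoffice) are TCP-only services, so the UDP list should shrink to what needs it, with wireguard 51820 the obvious candidate. Nine entries carry no comment (1025, 1143, 10200, 10300, 8127, 3300, 9898, 9012, 8192); 1025/1143 match protonmail-bridge's `smtpPort`/`imapPort` and 9898/9012 match the crowdsec and attic ports in services.nix, and exposing a local mail bridge to the LAN is rarely intended, so each should get a `# service` label like the others so dead entries can be pruned. The `# grafana` entry says 2342 while grafana.nix binds `http_port = 9999` and opens it itself, so 2342 looks stale. Several of these services also set `openFirewall = true` in their own blocks, which makes this duplicate list a maintenance hazard.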


@@ -0,0 +1,42 @@
{ ... }:
{
nas-samba = {
enable = true;
hostsAllow = "10.0.1.";
enableTimeMachine = true;
timeMachinePath = "/media/nas/main/timemachine";
shares = {
"3d_printer" = {
public = true;
sharePath = "/media/nas/main/3d_printer";
};
Backup = {
public = true;
sharePath = "/media/nas/main/backup";
};
Documents = {
public = true;
sharePath = "/media/nas/main/documents";
};
isos = {
public = true;
sharePath = "/media/nas/main/isos";
};
TimeMachine = {
public = false;
sharePath = "/media/nas/main/timemachine";
enableTimeMachine = true;
timeMachineMaxSize = "1T";
};
app_data = {
public = true;
sharePath = "/media/nas/main/ssd_app_data";
};
nix-config = {
public = true;
sharePath = "/home/matt/nix-config";
};
};
};
}
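Review bot: `nix-config` is exported with `public = true` from `/home/matt/nix-config`, and `app_data` likewise from the application data directory; with the global samba settings in services.nix mapping unknown users to the guest account, any host matching `hostsAllow = "10.0.1."` can read the configuration repository (which in this commit still carries a literal API key and a password hash) and the service data without credentials. Both shares should be `public = false` or removed, and the `3d_printer`/`Backup`/`Documents` shares deserve the same review. `hostsAllow` is the only access control here, so the value should carry a comment noting it is the LAN prefix everything hinges on.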


@@ -0,0 +1,307 @@
{ pkgs, config, ... }:
let
enableDisplayManager = false;
in
{
# Services configs
services = {
minecraft-server = {
enable = false;
eula = true;
declarative = true;
openFirewall = true;
dataDir = "/media/nas/main/ssd_app_data/minecraft";
serverProperties = {
enforce-whitelist = true;
white-list = true;
"enable-rcon" = true;
"rcon.password" = config.sops.secrets."jallen-nas/admin_password".path;
};
whitelist = {
mjallen18 = "03d9fba9-4453-4ad1-afa6-c67738685189";
AlpineScent = "76ff084d-2e66-4877-aec2-d6b278431bda";
Fortltude = "61a01913-8b10-4d64-b7ce-7958088cd6d3";
SpicyNick = "8bb5976f-6fd9-4fa5-8697-6ecb4ee38427";
};
jvmOpts = "-Xms4092M -Xmx4092M -XX:+UseG1GC -XX:ParallelGCThreads=2 -XX:MinHeapFreeRatio=5 -XX:MaxHeapFreeRatio=10";
};
udisks2.enable = true;
# Enable the Desktop Environment.
desktopManager.plasma6.enable = enableDisplayManager;
displayManager = {
sddm.enable = enableDisplayManager;
defaultSession = "plasma";
};
gnome.gnome-keyring.enable = true;
# Enable RDP
xrdp = {
enable = true;
openFirewall = true;
};
avahi = {
enable = true;
nssmdns4 = true;
publish = {
enable = true;
addresses = true;
domain = true;
hinfo = true;
userServices = true;
workstation = true;
};
extraServiceFiles = {
# TODO is this needed?
smb = ''
<?xml version="1.0" standalone='no'?><!--*-nxml-*-->
<!DOCTYPE service-group SYSTEM "avahi-service.dtd">
<service-group>
<name replace-wildcards="yes">%h</name>
<service>
<type>_smb._tcp</type>
<port>445</port>
</service>
</service-group>
'';
};
};
tailscale = {
enable = true;
openFirewall = true;
useRoutingFeatures = "client";
extraUpFlags = [
"--advertise-exit-node"
"--accept-dns=false"
"--advertise-routes=10.0.1.0/24"
"--hostname=jallen-nas"
];
extraSetFlags = [
"--advertise-exit-node"
"--hostname=jallen-nas"
"--webclient"
];
# authKeyFile = "/media/nas/main/nix-app-data/tailscale/auth";
};
btrfs = {
autoScrub.enable = false;
autoScrub.fileSystems = [
"/nix"
"/root"
"/etc"
"/var/log"
"/home"
"/media/nas/main/nix-app-data"
"/media/nas/main/ssd_app_data"
"/media/nas/main/mariadb"
"/media/nas/main/3d_printer"
"/media/nas/main/backup"
"/media/nas/main/documents"
"/media/nas/main/nextcloud"
"/media/nas/main/movies"
"/media/nas/main/tv"
"/media/nas/main/isos"
];
};
# nixai = {
# enable = true;
# mcp = {
# enable = true;
# # Optional: custom socket path
# socketPath = "/run/nixai/mcp.sock";
# };
# };
postgresql = {
enable = true;
package = pkgs.postgresql_16;
dataDir = "/media/nas/main/nix-app-data/postgresql";
ensureDatabases = [ "authentik" ];
ensureUsers = [
{
name = "authentik";
ensureDBOwnership = true;
}
];
};
redis = {
servers = {
authentik = {
enable = true;
port = 6379;
};
manyfold = {
enable = true;
port = 6380;
};
};
};
};
# TODO move to normal samba settings
services.samba.settings.global = {
"workgroup" = "WORKGROUP";
"server string" = "Jallen-NAS";
"netbios name" = "Jallen-NAS";
"security" = "user";
#"use sendfile" = "yes";
#"max protocol" = "smb2";
# note: localhost is the ipv6 localhost ::1
"hosts allow" = "10.0.1. 127.0.0.1 localhost";
"hosts deny" = "0.0.0.0/0";
"guest account" = "nobody";
"map to guest" = "bad user";
};
systemd.services = {
btrfs-balance = {
description = "BTRFS Balance Service";
# This ensures the service only runs when the filesystem is mounted
requires = [ "local-fs.target" ];
after = [ "local-fs.target" ];
# The actual balance command
script = ''
# Start with lower usage to handle the most fragmented blocks first
${pkgs.btrfs-progs}/bin/btrfs balance start -dusage=5 -musage=5 /mount/point
${pkgs.btrfs-progs}/bin/btrfs balance start -dusage=10 -musage=10 /mount/point
${pkgs.btrfs-progs}/bin/btrfs balance start -dusage=20 -musage=20 /mount/point
'';
serviceConfig = {
Type = "oneshot";
Nice = 19; # Lowest CPU priority
IOSchedulingClass = "idle"; # Lowest I/O priority
# Prevent multiple instances from running simultaneously
ExecStartPre = "${pkgs.coreutils}/bin/rm -f /var/run/btrfs-balance.stamp";
ExecStopPost = "${pkgs.coreutils}/bin/touch /var/run/btrfs-balance.stamp";
};
};
system-update-check = {
description = "Check for system configuration updates";
# Required packages for the service
path = with pkgs; [
git
nixos-rebuild
openssh
];
# Service configuration
serviceConfig = {
Type = "oneshot";
User = "root";
WorkingDirectory = "/etc/nixos"; # Adjust this path to your config location
};
# The script that runs to check for updates
script = ''
# Store the current commit hash
OLD_HASH=$(git rev-parse HEAD)
# Fetch updates from remote
git fetch origin main # Adjust branch name if needed
# Get the new commit hash
NEW_HASH=$(git rev-parse origin/main)
# If there are changes, pull and rebuild
if [ "$OLD_HASH" != "$NEW_HASH" ]; then
echo "Updates found, pulling changes..."
git pull origin main
# Get commit message and timestamp for the tag
COMMIT_MSG=$(git log -1 --pretty=%B | head -n1 | tr -dc '[:alnum:][:space:]-' | tr '[:space:]' '-')
TIMESTAMP=$(date +%Y%m%d-%H%M)
SHORT_HASH=$(git rev-parse --short HEAD)
# Create a profile name using the timestamp, short hash, and commit message
PROFILE_NAME="$TIMESTAMP-$SHORT_HASH-$COMMIT_MSG"
# Rebuild the system
nixos-rebuild boot --profile-name "$PROFILE_NAME"
echo "System rebuilt with profile: $PROFILE_NAME"
else
echo "No updates found"
fi
'';
};
rsync-ssd = {
path = [
pkgs.bash
pkgs.rsync
];
script = ''
rsync -rtpogvPlHzs --ignore-existing /media/nas/main /media/nas/main/backup/ssd
'';
};
hd-idle = {
enable = false;
environment = {
HD_IDLE_OPTS = "-a /dev/disk/by-id/ata-Samsung_SSD_860_EVO_500GB_S3Z1NW0KA10457X,/dev/disk/by-id/ata-SSD2SC240G1SA754D117-820_PNY29140000558890457,/dev/disk/by-id/ata-ST3000DM007-1WY10G_ZFN28XXS,/dev/disk/by-id/ata-ST3000DM007-1WY10G_ZFQ052KN,/dev/disk/by-id/ata-ST3000DM007-1WY10G_ZFQ052NN,/dev/disk/by-id/ata-ST3000VN007-2E4166_Z731JVZJ,/dev/disk/by-id/ata-ST4000VN008-2DR166_ZDHBNBGP,/dev/disk/by-id/ata-ST8000AS0002-1NA17Z_Z8411RMB";
};
path = [
pkgs.bash
pkgs.hd-idle
];
script = ''
hd-idle $HD_IDLE_OPTS
'';
serviceConfig = {
Type = "oneshot";
};
};
};
security.pam.services.login.enableGnomeKeyring = true;
# Configure gpg-agent to cache keys
programs.gnupg.agent = {
enable = true;
enableSSHSupport = true;
# Set how long to cache the passphrase (in seconds)
# defaultCacheTtl = 34560;
# maxCacheTtl = 34560;
};
# Create a timer to run the service periodically
systemd.timers = {
btrfs-balance = {
description = "Timer for BTRFS Balance Service";
wantedBy = [ "timers.target" ];
timerConfig = {
# Run weekly on Sunday at 2am
OnCalendar = "Sun *-*-* 02:00:00";
# Add randomized delay to prevent multiple systems from starting at exactly the same time
RandomizedDelaySec = "1h";
# Ensure we don't start multiple times if the system was off
Persistent = true;
};
};
system-update-check = {
description = "Timer for system configuration updates";
wantedBy = [ "timers.target" ];
# Timer configuration
timerConfig = {
OnCalendar = "daily"; # Check every day
Persistent = true; # Run immediately if last run was missed
Unit = "system-update-check.service";
};
};
};
}
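Review bot: The btrfs-balance script runs `btrfs balance start ... /mount/point` three times, and `/mount/point` is a template placeholder rather than a filesystem on this host, so the unit (scheduled weekly by the timer below) will fail until it is pointed at a real mount such as the btrfs subvolumes listed under `autoScrub.fileSystems`. In the minecraft-server block `"rcon.password" = config.sops.secrets."jallen-nas/admin_password".path` assigns the secret's path string as the password rather than its contents, and reuses the admin login secret for RCON; the service is disabled, but the line should not survive in this form. system-update-check runs `git pull origin main` and `nixos-rebuild boot` as root daily with no integrity check on what was fetched; a `git verify-commit` on the new HEAD (or pinning to a signed tag) before the rebuild is the minimum for an unattended root deploy, and a comment should name which remote is trusted. rsync-ssd copies `/media/nas/main` into `/media/nas/main/backup/ssd`, a subdirectory of its own source, so it needs `--exclude=/backup` (or a destination outside the tree) to stop successive runs from recursing into earlier output. The `ExecStartPre`/`ExecStopPost` stamp-file lines do not prevent concurrent runs as their comment claims — systemd already serialises a oneshot unit — so the comment should be corrected or the lines dropped.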


@@ -0,0 +1,5 @@
{
username = "admin";
hostAddress = "10.0.1.3";
hostName = "jallen-nas";
}


@@ -0,0 +1,278 @@
{ config, lib, ... }:
let
user = "nix-apps";
defaultSops = (lib.snowfall.fs.get-file "secrets/nas-secrets.yaml");
in
{
# Permission modes are in octal representation (same as chmod),
# the digits represent: user|group|others
# 7 - full (rwx)
# 6 - read and write (rw-)
# 5 - read and execute (r-x)
# 4 - read only (r--)
# 3 - write and execute (-wx)
# 2 - write only (-w-)
# 1 - execute only (--x)
# 0 - none (---)
# Either a user id or group name representation of the secret owner
# It is recommended to get the user name from `config.users.users.<?name>.name` to avoid misconfiguration
# Either the group id or group name representation of the secret group
# It is recommended to get the group name from `config.users.users.<?name>.group` to avoid misconfiguration
sops = {
age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
# ------------------------------
# Secrets
# ------------------------------
secrets = {
"jallen-nas/admin_password" = {
sopsFile = defaultSops;
neededForUsers = true;
mode = "0600";
owner = config.users.users."${user}".name;
group = config.users.users."${user}".group;
};
"jallen-nas/nas_pool" = {
sopsFile = defaultSops;
mode = "0600";
owner = config.users.users."${user}".name;
group = config.users.users."${user}".group;
};
# ------------------------------
# ups
# ------------------------------
"jallen-nas/ups_password" = {
sopsFile = defaultSops;
mode = "0777";
restartUnits = [
"upsdrv.service"
"upsd.service"
"ups-killpower.service"
"upsmon.service"
];
};
# ------------------------------
# SSH keys
# ------------------------------
"ssh-keys-public/jallen-nas-root" = {
path = "/root/.ssh/id_ed25519.pub";
mode = "0640";
};
"ssh-keys-private/jallen-nas-root" = {
path = "/root/.ssh/id_ed25519";
mode = "0600";
};
# ------------------------------
# authentik
# ------------------------------
"jallen-nas/authentik-env" = {
sopsFile = defaultSops;
restartUnits = [ "authentik.service" ];
};
# ------------------------------
# attic
# ------------------------------
"jallen-nas/attic-key" = {
sopsFile = defaultSops;
restartUnits = [ "atticd.service" ];
};
# ------------------------------
# collabora # TODO
# ------------------------------
"jallen-nas/collabora" = {
sopsFile = defaultSops;
restartUnits = [ "podman-collabora.service" ];
};
# ------------------------------
# mariadb # TODO
# ------------------------------
"jallen-nas/mariadb/db_pass" = {
sopsFile = defaultSops;
restartUnits = [ "podman-mariadb.service" ];
};
"jallen-nas/mariadb/root_pass" = {
sopsFile = defaultSops;
restartUnits = [ "podman-mariadb.service" ];
};
# ------------------------------
# nextcloud
# ------------------------------
"jallen-nas/nextcloud/dbpassword" = {
sopsFile = defaultSops;
mode = "0650";
owner = config.users.users."${user}".name;
group = config.users.users."${user}".group;
restartUnits = [ "container@nextcloud.service" ];
};
"jallen-nas/nextcloud/adminpassword" = {
sopsFile = defaultSops;
mode = "0650";
owner = config.users.users."${user}".name;
group = config.users.users."${user}".group;
restartUnits = [ "container@nextcloud.service" ];
};
"jallen-nas/nextcloud/smtp_settings" = {
sopsFile = defaultSops;
mode = "0650";
owner = config.users.users."${user}".name;
group = config.users.users."${user}".group;
restartUnits = [ "container@nextcloud.service" ];
};
# ------------------------------
# onlyoffice
# ------------------------------
"jallen-nas/onlyoffice-key" = {
sopsFile = defaultSops;
mode = "0650";
owner = config.users.users."${user}".name;
group = config.users.users."${user}".group;
restartUnits = [ "container@nextcloud.service" ];
};
# ------------------------------
# manyfold
# ------------------------------
"jallen-nas/manyfold/secretkeybase" = {
sopsFile = defaultSops;
restartUnits = [ "podman-manyfold.service" ];
};
# ------------------------------
# immich
# ------------------------------
"jallen-nas/immich/db-password" = {
sopsFile = defaultSops;
mode = "0440";
group = "keys";
restartUnits = [ "container@immich.service" ];
};
# ------------------------------
# open-webui
# ------------------------------
"jallen-nas/open-webui" = {
sopsFile = defaultSops;
restartUnits = [ "open-webui.service" ];
};
# ------------------------------
# paperless
# ------------------------------
"jallen-nas/paperless/secret" = {
sopsFile = defaultSops;
restartUnits = [ "container@paperless.service" ];
};
"jallen-nas/paperless/authentik-client-id" = {
sopsFile = defaultSops;
restartUnits = [ "container@paperless.service" ];
};
"jallen-nas/paperless/authentik-client-secret" = {
sopsFile = defaultSops;
restartUnits = [ "container@paperless.service" ];
};
# ------------------------------
# Gitea
# ------------------------------
"jallen-nas/gitea/mail-key" = {
sopsFile = defaultSops;
owner = "root";
group = "keys";
mode = "0440";
restartUnits = [ "container@gitea.service" ];
};
"jallen-nas/gitea/metrics-key" = {
sopsFile = defaultSops;
owner = "root";
group = "keys";
mode = "0440";
restartUnits = [ "container@gitea.service" ];
};
# ------------------------------
# free-games-claimer
# ------------------------------
"jallen-nas/free-games/eg-email" = {
sopsFile = defaultSops;
};
"jallen-nas/free-games/eg-pass" = {
sopsFile = defaultSops;
};
"jallen-nas/free-games/eg-otp" = {
sopsFile = defaultSops;
};
"jallen-nas/free-games/pg-email" = {
sopsFile = defaultSops;
};
"jallen-nas/free-games/pg-pass" = {
sopsFile = defaultSops;
};
"jallen-nas/free-games/gog-email" = {
sopsFile = defaultSops;
};
"jallen-nas/free-games/gog-pass" = {
sopsFile = defaultSops;
};
};
# ------------------------------
# Templates
# ------------------------------
templates = {
"fgc.env" = {
content = ''
EG_EMAIL = ${config.sops.placeholder."jallen-nas/free-games/eg-email"}
EG_PASSWORD = ${config.sops.placeholder."jallen-nas/free-games/eg-pass"}
EG_OTPKEY = ${config.sops.placeholder."jallen-nas/free-games/eg-otp"}
PG_EMAIL = ${config.sops.placeholder."jallen-nas/free-games/pg-email"}
PG_PASSWORD = ${config.sops.placeholder."jallen-nas/free-games/pg-pass"}
GOG_EMAIL = ${config.sops.placeholder."jallen-nas/free-games/gog-email"}
GOG_PASSWORD = ${config.sops.placeholder."jallen-nas/free-games/gog-pass"}
'';
mode = "0650";
owner = config.users.users."${user}".name;
group = config.users.users."${user}".group;
restartUnits = [ "podman-free-games-claimer.service" ];
};
"paperless.env" = {
content = ''
PAPERLESS_URL = "https://paperless.jallen.dev"
PAPERLESS_SECRET = ${config.sops.placeholder."jallen-nas/paperless/secret"}
PAPERLESS_ENABLE_ALLAUTH = true
PAPERLESS_APPS = "allauth.socialaccount.providers.openid_connect"
PAPERLESS_SOCIALACCOUNT_PROVIDERS = {"openid_connect":{"OAUTH_PKCE_ENABLED":true,"APPS":[{"provider_id":"authentik","name":"authentik","client_id":"${
config.sops.placeholder."jallen-nas/paperless/authentik-client-id"
}","secret":"${
config.sops.placeholder."jallen-nas/paperless/authentik-client-secret"
}","settings":{"server_url":"https://authentik.mjallen.dev/application/o/paperless/.well-known/openid-configuration"}}]}}
'';
mode = "0650";
owner = config.users.users."${user}".name;
group = config.users.users."${user}".group;
restartUnits = [ "container@paperless.service" ];
};
};
};
}
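Review bot: `mode = "0777"` on `jallen-nas/ups_password` makes the UPS password world-readable (and executable) under /run/secrets; ups.nix consumes it via `passwordFile`, so `mode = "0440"` with `group = "nut"` (the group declared for the UPS user in users.nix, assuming that is what upsd/upsmon run as) is the right shape, matching the `0440`/`group = "keys"` pattern already used for the gitea and immich secrets here. The `mode = "0650"` entries (nextcloud, onlyoffice and both templates) grant the group execute-but-not-read, which is almost certainly meant to be `"0640"`. The permission legend at the top explains octal digits in general; one added line noting that `owner`/`group` fall back to sops-nix's root defaults when omitted would explain why most entries set neither.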


@@ -0,0 +1,52 @@
{ config, ... }:
let
enableUps = true;
upsName = "nas-ups";
upsUser = "nas-admin";
in
{
power.ups = {
enable = enableUps;
openFirewall = enableUps;
mode = "netserver";
ups = {
"${upsName}" = {
description = "NAS UPS";
driver = "usbhid-ups";
port = "auto";
};
};
users."${upsUser}" = {
passwordFile = config.sops.secrets."jallen-nas/ups_password".path;
actions = [ "ALL" ];
instcmds = [ "ALL" ];
upsmon = "primary";
};
upsmon = {
enable = enableUps;
monitor."${upsName}" = {
passwordFile = config.sops.secrets."jallen-nas/ups_password".path;
user = upsUser;
};
};
upsd = {
enable = enableUps;
listen = [
{
address = "0.0.0.0";
port = 3493;
}
];
};
};
services = {
apcupsd = {
enable = true;
};
};
}
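Review bot: `services.apcupsd.enable = true` alongside `power.ups` with the `usbhid-ups` driver starts two daemons that both want to claim the USB UPS, which typically leaves one failing to open the device; unless apcupsd is deliberately kept, it should be dropped or a comment should explain why both are present. `upsd.listen` binds `0.0.0.0:3493` with `openFirewall = enableUps`, and the `nas-admin` user receives `actions = [ "ALL" ]` and `instcmds = [ "ALL" ]`, which includes power-off commands; listening on the host's LAN address (given elsewhere in this commit as `10.0.1.3`) or localhost, and granting only what upsmon needs, would narrow what a LAN client holding the password can do. That password file is the same secret sops.nix installs with mode 0777 in this commit.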


@@ -0,0 +1,101 @@
{
pkgs,
config,
lib,
...
}:
let
user = "admin";
passwordFile = config.sops.secrets."jallen-nas/admin_password".path;
in
{
# Define a user account. Don't forget to set a password with passwd.
users = {
# See https://search.nixos.org/options?channel=unstable&show=users.mutableUsers&from=0&size=50&sort=relevance&type=packages&query=users.users
mutableUsers = false;
groups.jallen-nas.gid = 1000; # create nas group cause truenas perms
# Admin account
users."${user}" = {
isNormalUser = true;
linger = true;
extraGroups = [
"wheel"
"networkmanager"
"docker"
"podman"
"libvirtd"
"nix-apps"
"jallen-nas"
"media"
"nscd"
"grafana"
"traefik"
"avahi"
"62900"
"1001"
];
hashedPasswordFile = lib.mkForce passwordFile;
shell = pkgs.zsh;
packages = with pkgs; [
cachix
fastfetch
git
parted
aspell
aspellDicts.en
aspellDicts.en-computers
aspellDicts.en-science
aha
papirus-icon-theme
firefox
swtpm
tigervnc
];
openssh.authorizedKeys.keys = [
# macBook
"ssh-rsa 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 mattjallen@MacBook-Pro.local"
# desktop windows
"ssh-rsa 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 mattl@Jallen-PC"
# desktop nixos
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPTBMydhOc6SnOdB5WrEd7X07DrboAtagCUgXiOJjLov matt@matt-nixos"
];
};
# Nix app account
users.nix-apps = {
isSystemUser = true;
uid = 911;
group = "jallen-nas";
extraGroups = [
"jallen-nas"
"docker"
"podman"
];
hashedPasswordFile = passwordFile;
};
groups.nut.name = "nut";
users.upsuser = {
group = "nut";
isNormalUser = false;
isSystemUser = true;
createHome = true;
home = "/var/lib/nut";
homeMode = "750";
hashedPasswordFile = passwordFile;
};
users.nextcloud = {
isNormalUser = true;
extraGroups = [
"jallen-nas"
"nix-apps"
];
hashedPasswordFile = passwordFile;
};
users.root.shell = pkgs.zsh;
};
}
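Review bot: The single `passwordFile` (the admin login hash) is assigned as `hashedPasswordFile` to `admin`, `nix-apps`, `upsuser` and `nextcloud`, so one credential unlocks the interactive admin account and three service accounts; system users such as `nix-apps` and `upsuser` normally need no password at all, so those two lines (and likely `nextcloud`'s) should be removed rather than shared. `extraGroups` for admin lists `"62900"` and `"1001"` as bare numeric names, which only resolve if groups with those literal names exist, so a comment naming the intended groups would make the dependency checkable. The header comment `# Define a user account. Don't forget to set a password with passwd.` no longer applies with `mutableUsers = false` and should say the password comes from the sops secret. `isNormalUser = false; isSystemUser = true;` on upsuser is redundant — the two options are mutually exclusive and one suffices.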