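{ config, lib, pkgs, namespace, ... }:
let
  inherit (lib.${namespace}) enabled disabled;

  # The bcachefs pool is a single filesystem that is mounted many times, each
  # mount exposing a different subdirectory. Keep its UUID in one place so the
  # mounts below cannot drift apart.
  nasPoolUuid = "adf7b4e1-dfed-4c10-a9ab-2741c1055552";

  # Build one mount of `subdir` from the pool. The 180s device timeout is
  # carried over from the original entries — presumably because the
  # multi-device pool takes time to appear after the LUKS volumes are
  # unlocked (see the crypttab below); confirm before shortening it.
  bcachefsSubdir = subdir: {
    device = "UUID=${nasPoolUuid}";
    fsType = "bcachefs";
    options = [
      "X-mount.subdir=${subdir}"
      "x-systemd.device-timeout=180s"
    ];
  };
in
{
  imports = [
    ./boot.nix
    ./apps.nix
    # ./nas-pool.nix
    ./users.nix
    ./services.nix
    ./sops.nix
  ];

  services.kmscon = disabled;
  powerManagement.cpuFreqGovernor = "powersave";

  ${namespace} = {
    # ###################################################
    # #  Boot                                           #
    # ###################################################
    bootloader.lanzaboote = enabled;

    # ###################################################
    # #  Desktop                                        #
    # ###################################################
    desktop.cosmic = enabled;

    # ###################################################
    # #  Development                                    #
    # ###################################################
    development = {
      enable = true;
      includeLanguages = [ "python" "c" ];
      includeContainers = true;
    };

    gaming.enable = true;

    # ###################################################
    # #  Hardware                                       #
    # ###################################################
    hardware = {
      disko = {
        enable = true;
        enableSwap = false;
        enableLuks = true;
      };
      amd = {
        enable = true;
      };
    };

    # NOTE(review): headless is enabled while desktop.cosmic is also enabled;
    # whether these are meant to coexist depends on the project modules — confirm.
    headless.enable = true;

    # ###################################################
    # #  Impermanence                                   #
    # ###################################################
    impermanence = {
      enable = true;
      extraDirectories = [
        # {
        #   directory = "/var/lib/private/authentik/media";
        #   user = "authentik";
        #   group = "authentik";
        #   mode = "u=rwx,g=,o=";
        # }
        # NOTE(review): o=rx on these state directories lets any local account
        # list and traverse them; the files inside keep their own modes, so this
        # only matters if something within is itself world-readable — worth
        # checking for the nextcloud state (config/secret material lives there).
        {
          directory = "/var/lib/crowdsec";
          user = "crowdsec";
          group = "crowdsec";
          mode = "u=rwx,g=rwx,o=rx";
        }
        {
          directory = "/var/lib/nextcloud";
          user = "nextcloud";
          group = "nextcloud";
          mode = "u=rwx,g=rwx,o=rx";
        }
        {
          directory = "/plugins-storage";
          user = "traefik";
          group = "traefik";
          mode = "u=rwx,g=rwx,o=rx";
        }
      ];
    };

    # ###################################################
    # #  Monitoring                                     #
    # ###################################################
    monitoring = enabled;

    # ###################################################
    # #  Network                                        #
    # ###################################################
    network = {
      hostName = "jallen-nas";
      ipv4 = {
        address = "10.0.1.3";
        method = "manual";
        gateway = "10.0.1.1";
        interface = "enp197s0";
      };
      hostId = "4b501480";
      nat = {
        enable = true;
        internalInterfaces = [ "ve-+" ];
        externalInterface = "enp197s0";
        enableIPv6 = true;
      };
      firewall = {
        enable = true;
        allowPing = true;
        # Everything arriving over tailscale bypasses the port allow-list below.
        trustedInterfaces = [ "tailscale0" ];
        # Ports reachable from the LAN interface. 3000 and 2222 were previously
        # listed twice; the duplicates are removed here. Unlabelled ports were
        # left as found — label them when their owner is known.
        allowedTCPPorts = [
          8008 # restic
          9000 # authentik
          2342 # grafana
          51820 # wireguard
          1025
          1143
          10200
          10300
          8127
          8280
          9943 # onlyoffice
          4000 # netbootxyz
          4080 # netbootxyz
          3000 # gitea
          2222 # gitea ssh
          3300
          9898
          6754 # lubelogger
          2283 # immich
          4444 # code-server
          9012
          9988
          8192
          8181
          # NOTE(review): 5432 is the usual PostgreSQL port; if that is what is
          # behind it, confirm the database's own host-based access rules, since
          # the firewall alone admits the whole LAN.
          5432
          3001
          3333
          5201 # iperf
          8400
          9200
          9233
          9980
          47984
          47989
          47990
          47998
          47999
          48000
          48010
          3493 # nut
        ];
        # Every TCP port above is also opened for UDP. Most of these services
        # are TCP-only; narrowing this to the actual UDP users (e.g. 51820
        # wireguard) would reduce the exposed surface.
        allowedUDPPorts = config.${namespace}.network.firewall.allowedTCPPorts;
      };
    };

    # ###################################################
    # #  Power                                          #
    # ###################################################
    power.ups = enabled;

    # ###################################################
    # #  Samba                                          #
    # ###################################################
    samba = {
      enable = true;
      # Only the local /24 may connect; `public = true` shares below are then
      # guest-accessible to every host in it.
      hostsAllow = "10.0.1.";
      enableTimeMachine = true;
      timeMachinePath = "/media/nas/main/timemachine";
      shares = {
        "3d_printer" = {
          public = true;
          sharePath = "/media/nas/main/3d_printer";
        };
        Backup = {
          public = true;
          sharePath = "/media/nas/main/backup";
        };
        Documents = {
          public = true;
          sharePath = "/media/nas/main/documents";
        };
        isos = {
          public = true;
          sharePath = "/media/nas/main/isos";
        };
        TimeMachine = {
          public = false;
          sharePath = "/media/nas/main/timemachine";
          enableTimeMachine = true;
          timeMachineMaxSize = "1T";
        };
        app_data = {
          public = true;
          sharePath = "/media/nas/main/ssd_app_data";
        };
        # NOTE(review): this exposes the system's own configuration repository
        # as a guest share. Anything checked in (encrypted sops material
        # included, even if only as ciphertext) is readable by every LAN host;
        # consider `public = false` here.
        nix-config = {
          public = true;
          sharePath = "/home/matt/nix-config";
        };
      };
    };

    # ###################################################
    # #  Security                                       #
    # ###################################################
    security.tpm = enabled;

    # ###################################################
    # #  Services                                       #
    # ###################################################
    services = {
      grafana = {
        enable = true;
        # NOTE(review): the firewall entry labelled "grafana" is 2342, not 9999;
        # one of the two is probably stale, or a proxy sits in between — confirm.
        port = 9999;
      };
    };

    # ###################################################
    # #  User                                           #
    # ###################################################
    user = {
      name = "admin";
      hashedPasswordFile = config.sops.secrets."jallen-nas/admin_password".path;
      linger = true;
      # NOTE(review): "62900" and "1001" are group *names* here, not GIDs; they
      # only take effect if groups with those literal names exist — confirm.
      extraGroups = [
        "nix-apps"
        "jallen-nas"
        "grafana"
        "traefik"
        "62900"
        "1001"
      ];
    };
  };

  # ###################################################
  # #  Mounts                                         #
  # ###################################################
  # fileSystems."/media/nas/main" = {
  #   label = "nas_pool";
  #   # device = "/dev/sde:/dev/sdf:/dev/sdh:/dev/sdi:/dev/sdj:/dev/nmve0n1:/dev/nvme1n1";
  #   fsType = "bcachefs";
  #   mountPoint = "/media/nas/main";
  #   options = [
  #     # "noauto"
  #     "nofail"
  #     # "x-systemd.mount-timeout=0"
  #     # "x-systemd.device-timeout=0"
  #   ];
  # };

  # Each entry mounts one subdirectory of the pool (see `bcachefsSubdir`).
  fileSystems = {
    "/media/nas/main/appdata" = bcachefsSubdir "appdata";
    "/media/nas/main/backup" = bcachefsSubdir "backup";
    "/media/nas/main/databases" = bcachefsSubdir "databases";
    "/media/nas/main/documents" = bcachefsSubdir "documents";
    "/media/nas/games/heroic" = bcachefsSubdir "heroic";
    "/media/nas/main/movies" = bcachefsSubdir "movies";
    "/media/nas/main/photos" = bcachefsSubdir "photos";
    "/media/nas/games/steam" = bcachefsSubdir "steam";
    "/media/nas/main/tv" = bcachefsSubdir "tv";
    "/persist" = bcachefsSubdir "persist";
    # The whole pool, without a subdirectory and without the device timeout.
    "/subvolumes" = {
      device = "UUID=${nasPoolUuid}";
      fsType = "bcachefs";
    };
  };

  # LUKS volumes backing the pool, unlocked automatically via the TPM.
  # NOTE(review): `tpm2-device=auto` with no PIN means the volumes unlock for
  # whoever boots this machine whenever the TPM policy is satisfied; the
  # protection rests on Secure Boot (lanzaboote above) and on which PCRs the
  # keys were enrolled against — confirm the enrollment policy.
  environment.etc = {
    "crypttab".text = ''
      hdd1-cryptroot UUID="295d4c78-41f0-4792-bd97-ac88b2455cdc" none tpm2-device=auto
      hdd2-cryptroot UUID="7c9c2179-351c-40a5-9257-e9ee2a1e794a" none tpm2-device=auto
      ssd1-cryptroot UUID="d78fa862-212c-4d4f-ad86-bfeead5cc054" none tpm2-device=auto,allow-discards,perf-no_read_workqueue,perf-no_write_workqueue
      ssd2-cryptroot UUID="1661c173-3809-4517-9ab8-ad94c229048d" none tpm2-device=auto,allow-discards,perf-no_read_workqueue,perf-no_write_workqueue
      ssd3-cryptroot UUID="cfea125e-90b1-4248-834d-16dcaf310783" none tpm2-device=auto,allow-discards,perf-no_read_workqueue,perf-no_write_workqueue
      ssd4-cryptroot UUID="96055401-6d1a-4308-9e4e-2211e1e23635" none tpm2-device=auto,allow-discards,perf-no_read_workqueue,perf-no_write_workqueue
      ssd5-cryptroot UUID="055e27e0-c96a-4899-8ee7-cb1cd5f21476" none tpm2-device=auto,allow-discards,perf-no_read_workqueue,perf-no_write_workqueue
      ssd6-cryptroot UUID="6e830abd-2555-4558-81a3-4a990507b5a7" none tpm2-device=auto,allow-discards,perf-no_read_workqueue,perf-no_write_workqueue
    '';
  };

  # boot.initrd.luks.devices.cryptroot.device = "/dev/disk/by-partlabel/disk-main-jallen-nas-cryptroot";

  # Configure environment
  environment = {
    systemPackages = with pkgs; [
      attic-client
      bcachefs-tools
      cryptsetup
      clevis
      deconz
      duperemove
      efibootmgr
      ffmpeg
      ipset
      keyutils
      nut
      packagekit
      pass
      protonmail-bridge
      protonvpn-gui
      qrencode
      rcon
      sbctl
      tigervnc
      tpm2-tools
      tpm2-tss
    ];
    persistence."/media/nas/main/persist" = {
      hideMounts = true;
      directories = [
        # {
        #   directory = "/var/lib/redis-ccache";
        #   user = "redis-ccache";
        #   group = "redis-ccache";
        #   mode = "u=rwx,g=,o=";
        # }
      ];
    };
  };

  # Reverse-path filtering is off for the whole host. This is presumably
  # needed for the NAT'd container interfaces (ve-+) or tailscale routing —
  # confirm, since it also drops a spoofing check on the LAN interface.
  networking.firewall.checkReversePath = false;

  # Configure programs
  programs = {
    kdeconnect.enable = lib.mkForce false;
    virt-manager.enable = true;
  };
}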