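# NAS host configuration for the `${namespace}` flake module set.
#
# Fix in this revision: 5432 (PostgreSQL) was still present in
# network.firewall.allowedTCPPorts even though the trailing comment in that
# list said it had been removed ("internal only"). The port is now actually
# dropped from the list so the comment and the firewall agree.
{ config, lib, pkgs, namespace, ... }:
let
  inherit (lib.${namespace}) enabled disabled;
  net = lib.${namespace}.network;
in
{
  imports = [
    ./boot.nix
    ./nas-defaults.nix
    ./apps.nix
    ./disabled.nix
    # ./nas-pool.nix
    ./users.nix
    ./services.nix
    ./sops.nix
    ./vpn.nix
  ];

  services.kmscon = disabled;
  powerManagement.cpuFreqGovernor = "powersave";

  ${namespace} = {
    sops.enable = true;

    # ###################################################
    # #
    # # Boot
    # #
    # ###################################################
    bootloader.lanzaboote = enabled;

    # ###################################################
    # #
    # # Desktop
    # #
    # ###################################################
    # Plasma is enabled for occasional local display access.
    # headless.enable only disables watchdog/emergency mode, not the display server.
    desktop.plasma = {
      enable = true;
      wallpaper.enable = true;
    };

    # ###################################################
    # #
    # # Development
    # #
    # ###################################################
    development = {
      enable = true;
      includeLanguages = [ "python" "c" ];
      includeContainers = true;
    };

    gaming.enable = true;

    # ###################################################
    # #
    # # Hardware
    # #
    # ###################################################
    hardware = {
      disko = {
        enable = true;
        enableSwap = false;
        enableLuks = true;
      };
      amd = {
        enable = true;
      };
      npu = {
        enable = false;
        fastflowlm.enable = true;
      };
    };

    headless.enable = false;

    # ###################################################
    # #
    # # Impermanence
    # #
    # ###################################################
    impermanence = {
      enable = true;
      extraDirectories = [
        # {
        #   directory = "/var/lib/private/authentik/media";
        #   user = "authentik";
        #   group = "authentik";
        #   mode = "u=rwx,g=,o=";
        # }
        {
          directory = "/var/lib/crowdsec";
          user = "crowdsec";
          group = "crowdsec";
          mode = "u=rwx,g=rwx,o=rx";
        }
        {
          # NOTE(review): o=rx makes this state directory world-traversable;
          # /var/lib/nextcloud is where the NixOS module keeps config/ — confirm
          # the file-level permissions below it still protect credentials, or
          # tighten to "u=rwx,g=rx,o=".
          directory = "/var/lib/nextcloud";
          user = "nextcloud";
          group = "nextcloud";
          mode = "u=rwx,g=rwx,o=rx";
        }
      ];
    };

    # ###################################################
    # #
    # # Monitoring
    # #
    # ###################################################
    monitoring = enabled;

    # ###################################################
    # #
    # # Network
    # #
    # ###################################################
    network = {
      hostName = net.hosts.nas.hostname;
      ipv4 = {
        address = net.hosts.nas.lan;
        method = "manual";
        inherit (net.hosts.nas) gateway;
        dns = "1.1.1.1";
        interface = "enp197s0";
      };
      hostId = "4b501480";
      nat = {
        enable = true;
        internalInterfaces = [ "ve-+" ];
        externalInterface = "enp197s0";
        enableIPv6 = true;
      };
      firewall = {
        enable = true;
        allowPing = true;
        # Traffic arriving on tailscale0 bypasses the port lists entirely.
        trustedInterfaces = [ "tailscale0" ];
        # NOTE(review): these ports are opened on every interface that is NOT
        # trusted — including enp197s0, which is also the NAT externalInterface.
        # Several entries are admin UIs or cleartext protocols (8080 traefik
        # dashboard, 9000 authentik, 9200 elasticsearch, 1025/1143 protonmail
        # bridge, 4444 code-server). If enp197s0 is not itself behind another
        # firewall, consider reaching them only over tailscale0 / Traefik.
        allowedTCPPorts = [
          80 # http
          443 # https
          8080 # traefik dashboard
          8008 # restic
          9000 # authentik
          # NOTE(review): this file sets services.grafana.port = 9999 below;
          # confirm whether 2342 is stale or a second listener.
          2342 # grafana
          51820 # wireguard
          1025 # smtp (protonmail bridge)
          1143 # imap (protonmail bridge)
          10200 # nebula
          10300
          8127 # llama.cpp server
          8280
          9943 # onlyoffice
          4000 # netbootxyz tftp/http
          4080 # netbootxyz web
          3000 # gitea
          2222 # gitea ssh
          3300
          9898
          6754 # lubelogger
          2283 # immich
          4444 # code-server
          9012
          9988
          8192
          8181 # crowdsec
          3001
          3333
          5201 # iperf
          8400
          9200 # elasticsearch / attic
          9233
          9980
          47984 # sunshine (tcp: control)
          47989 # sunshine (tcp: https)
          47990 # sunshine (tcp: web)
          47998 # sunshine (tcp: video)
          47999 # sunshine (tcp: control)
          48000 # sunshine (tcp: video)
          48010 # sunshine (tcp: rtsp)
          3493 # nut upsd
          # removed: 5432 (postgres — internal only, not for external UDP/TCP)
        ];
        allowedUDPPorts = [
          51820 # wireguard
          5201 # iperf
          47998 # sunshine (udp: video)
          47999 # sunshine (udp: control)
          48000 # sunshine (udp: video)
        ];
      };
    };

    # ###################################################
    # #
    # # Power
    # #
    # ###################################################
    power.ups = {
      enable = true;
      ntfy = {
        enable = true;
        # Rendered by sops-nix at activation; never commit the plaintext env file.
        envFile = config.sops.templates."ntfy.env".path;
      };
    };

    # ###################################################
    # #
    # # Samba
    # #
    # ###################################################
    samba = {
      enable = true;
      # Allow the LAN /24 subnet (strip the last octet from the NAS LAN IP for the prefix).
      # NOTE(review): the prefix is hard-coded while the address comes from
      # net.hosts.nas.lan; keep the two in sync (or derive the prefix from
      # net.hosts.nas.lan) so a renumbering cannot silently widen or break access.
      hostsAllow = "10.0.1. 127.0.0.1 localhost";
      forceGroup = "jallen-nas";
      forceUser = "nix-apps";
      enableTimeMachine = true;
      timeMachinePath = "/media/nas/main/timemachine";
      shares = {
        "3d_printer".sharePath = "/media/nas/main/documents/3d-models";
        Backup.sharePath = "/media/nas/main/backup";
        Books.sharePath = "/media/nas/main/books";
        Documents.sharePath = "/media/nas/main/documents";
        isos.sharePath = "/media/nas/main/documents/isos";
        app_data.sharePath = "/media/nas/main/appdata";
        TimeMachine = {
          sharePath = "/media/nas/main/timemachine";
          guestOk = false;
          enableTimeMachine = true;
          timeMachineMaxSize = "1T";
        };
      };
    };

    # ###################################################
    # #
    # # Security
    # #
    # ###################################################
    security.tpm = enabled;

    # ###################################################
    # #
    # # Services
    # #
    # ###################################################
    services = {
      grafana = {
        enable = true;
        port = 9999;
      };
    };

    # ###################################################
    # #
    # # User
    # #
    # ###################################################
    user = {
      name = "admin";
      hashedPasswordFile = config.sops.secrets."jallen-nas/admin_password".path;
      linger = true;
      # NOTE(review): NixOS extraGroups takes group *names*; "62900" and "1001"
      # are honoured only if groups with those literal names exist — confirm.
      extraGroups = [ "nix-apps" "jallen-nas" "grafana" "62900" "1001" ];
    };

    wallpaper.enable = true;
  };

  # ###################################################
  # #
  # # Mounts
  # #
  # ###################################################
  fileSystems = {
    "/media/nas/main" = {
      device = "/dev/disk/by-uuid/d179ff8d-151d-4e62-9890-e13b5e006fdc";
      fsType = "bcachefs";
      neededForBoot = true;
      options = [
        "version_upgrade=incompatible"
        # NOTE(review): with nofail the system boots even if this pool is absent;
        # environment.persistence below points into it, so confirm what those
        # services do against an empty mountpoint.
        "nofail"
        # Allow bcachefs to self-heal journal errors (e.g. duplicate entries from unclean shutdown)
        # instead of refusing to mount with fsck_errors_not_fixed.
        "errors=fix_safe"
      ];
    };
  };

  # Ensure Samba share root directories are owned by nix-apps:jallen-nas
  # so that force user = nix-apps can write to them.
  systemd.tmpfiles.rules = [ "d /media/nas/main 0775 nix-apps jallen-nas - -" ];

  boot.initrd = {
    supportedFilesystems = {
      bcachefs = true;
    };
    clevis = {
      enable = lib.mkForce true;
      devices = {
        # disk.jwe is Clevis ciphertext; it is copied into the (world-readable)
        # initrd/Nix store, which is acceptable only because it is encrypted.
        # Never point secretFile at a plaintext key.
        "/dev/disk/by-uuid/d179ff8d-151d-4e62-9890-e13b5e006fdc".secretFile =
          ../../../secrets/disk.jwe; # config.sops.secrets."disk-key".path;
      };
    };
  };

  # Configure environment
  environment = {
    systemPackages = with pkgs; [
      attic-client
      bcachefs-tools
      cryptsetup
      clevis
      deconz
      duperemove
      efibootmgr
      ffmpeg
      ipset
      keyutils
      nut
      packagekit
      pass
      protonmail-bridge
      proton-vpn
      qrencode
      sbctl
      systemctl-tui
      tigervnc
      tpm2-tools
      tpm2-tss
    ] ++ (with pkgs.${namespace}; [
      nebula-sign-cert
    ]);

    persistence."/media/nas/main/persist" = {
      hideMounts = true;
      directories = [
        {
          directory = "/var/lib/sabnzbd";
          user = "sabnzbd";
          group = "sabnzbd";
          mode = "u=rwx,g=rx,o=rx";
        }
      ];
    };
  };

  # NOTE(review): this disables the rpfilter anti-spoofing check completely.
  # NixOS also accepts "loose", which is normally enough for WireGuard/Tailscale
  # and multi-homed NAT hosts while still rejecting clearly spoofed sources —
  # confirm before tightening.
  networking.firewall.checkReversePath = false;

  # Configure programs
  programs = {
    kdeconnect.enable = lib.mkForce false;
    virt-manager.enable = config.virtualisation.libvirtd.enable;
    steam.gamescopeSession.enable = lib.mkForce false;
  };
}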