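# Edit this configuration file to define what should be installed on
# your system. Help is available in the configuration.nix(5) man page, on
# https://search.nixos.org/options and in the NixOS manual (`nixos-help`).
#
# Host module for the "jallen-nas" NAS: Samba shares, self-hosted apps
# (nas-apps), monitoring, Tailscale access and TPM2-unlocked data disks.
#
# Secrets policy: nothing in this file is secret.  Every file under
# `secretsDir` is created out-of-band (root:root, mode 0600) and is never
# committed.  The Nix store is world-readable and this repository is itself
# exported as a Samba share, so any credential inlined here would be visible
# to every local user and every LAN client.  The values that used to be
# inlined (admin password hash, Tailscale auth key, Wi-Fi PSK, Cachix agent
# token, NUT password) must be treated as compromised and rotated/revoked.
{ inputs, outputs, config, lib, pkgs, ... }:

let
  user = "admin";
  hostname = "jallen-nas";

  # Out-of-store location for secrets.  Expected contents (mode 0600, root):
  #   admin.hash         - password hash for `user` (`mkpasswd -m yescrypt`);
  #                        must exist before `nixos-rebuild switch`, otherwise
  #                        the account ends up without a usable password
  #                        because users.mutableUsers = false.
  #   tailscale.authkey  - a freshly generated Tailscale auth key
  #   wireless.env       - `PSK_HOME=<wifi passphrase>` (wpa_supplicant env file)
  #   upsuser.pw         - NUT password shared by upsd and upsmon
  secretsDir = "/var/lib/secrets";

  # TCP ports reachable from the LAN interface.  Every entry is a plain
  # TCP/HTTP service, so only TCP is opened below; Tailscale and Samba open
  # their own ports through their modules.
  allowedPorts = [
    2342  # grafana
    61208 # glances web UI (unauthenticated; see systemd.services.glances-server)
    9090  # cockpit (TLS)
  ] ++ lib.optional enableUps 3493; # NUT upsd, only while the UPS stack is on
  # config.services.tailscale.port
  # 22

  # Single switch for the X11/Plasma/RDP stack, because those options only
  # work when toggled together.
  enableDisplayManager = false;
  enableUps = false;
in
{
  imports = [
    # Include the results of the hardware scan.
    ./hardware-configuration.nix
    ../default.nix
  ];

  # Cockpit: served over its own TLS listener (self-signed certificate by
  # default).  `AllowUnencrypted = true` was removed: together with 9090 in
  # the firewall it exposed the root-capable admin login in plaintext on the
  # LAN.  If swag is meant to front Cockpit, proxy to it over TLS (or bind
  # the socket to localhost and set WebService.Origins) rather than
  # re-enabling unencrypted access on a LAN-facing port.
  services.cockpit = {
    enable = true;
    port = 9090;
    settings.WebService.AllowUnencrypted = false;
  };

  # trusted-users can hand the daemon arbitrary store paths and settings,
  # which is effectively root; acceptable here only because wheel is the
  # single admin account.
  nix.settings.trusted-users = [ "@wheel" ];

  powerManagement.cpuFreqGovernor = "powersave";

  # Self-hosted application bundle provided by ../default.nix.
  nas-apps = {
    collabora.enable = true;
    deluge.enable = true;
    homarr.enable = true;
    homepage.enable = false;
    jackett.enable = true;
    jellyfin.enable = true;
    jellyseerr.enable = true;
    mariadb.enable = true;
    mealie = {
      enable = true;
      baseUrl = "https://mealie.mjallen.dev";
      maxConcurrency = "4";
      maxWorkers = "4";
      allowSignup = "false";
    };
    nextcloud = {
      enable = true;
      httpPort = "9981";
      httpsPort = "9443";
    };
    ollama.enable = true;
    onlyoffice.enable = false;
    open-webui.enable = true;
    orca-slicer.enable = true;
    radarr.enable = true;
    sabnzbd.enable = true;
    sonarr.enable = true;
    swag.enable = true;
    tdarr.enable = true;
    vscode.enable = true;
  };

  # Samba.  `public = true` grants guest (credential-less) access to anything
  # hostsAllow admits, i.e. the whole 10.0.1.0/24.  Only media that is meant
  # to be freely readable stays public; backups, documents, application state
  # (databases, API keys, sessions of every nas-app) and this config repo now
  # require a Samba user.
  nas-samba = {
    enable = true;
    hostsAllow = "10.0.1.";
    enableTimeMachine = true;
    timeMachinePath = "/media/nas/main/timemachine";
    shares = {
      "3d_printer" = {
        public = true;
        sharePath = "/media/nas/main/3d_printer";
      };
      isos = {
        public = true;
        sharePath = "/media/nas/main/isos";
      };
      Backup = {
        public = false;
        sharePath = "/media/nas/main/backup";
      };
      Documents = {
        public = false;
        sharePath = "/media/nas/main/documents";
      };
      TimeMachine = {
        public = false;
        sharePath = "/media/nas/main/timemachine";
        enableTimeMachine = true;
        timeMachineMaxSize = "1T";
      };
      app_data = {
        public = false;
        sharePath = "/media/nas/ssd/ssd_app_data";
      };
      nix-config = {
        public = false;
        sharePath = "/home/matt/nix-config";
      };
    };
  };

  share.hardware.nvidia = {
    enable = true;
    enableBeta = false;
    nvidiaSettings = true;
    enableNvidiaDocker = true;
  };

  # Boot: systemd-boot with a systemd initrd that unlocks the data disks from
  # the TPM2 (see environment.etc.crypttab).
  # NOTE(review): the previous comment claimed "lanzaboote and secureboot",
  # but neither is configured here - sbctl is merely installed.  Without
  # Secure Boot, a TPM2 enrollment bound to PCR 7 (the systemd-cryptenroll
  # default) releases the LUKS keys to any boot chain run on this machine, so
  # the disks are protected against removal but not against a tampered boot
  # medium.  Enable lanzaboote, or re-enroll with a PCR policy that covers
  # the kernel/initrd, to close that gap.
  boot = {
    loader = {
      systemd-boot = {
        enable = true;
        configurationLimit = 5;
      };
      efi = {
        canTouchEfiVariables = true;
        efiSysMountPoint = "/boot";
      };
    };
    # Override kernel to latest
    kernelPackages = pkgs.linuxPackages_latest;
    kernelParams = [ "nohibernate" "amd_pstate=active" ];
    consoleLogLevel = 3;
    bootspec.enable = true;
    initrd = {
      kernelModules = [ "tpm" "tpm_tis" "tpm_crb" "tpm_infineon" ];
      systemd = {
        enable = true;
        enableTpm2 = true;
      };
    };
  };

  security.tpm2.enable = true;

  # Services configs
  services = {
    udisks2.enable = true;

    # X11 + Plasma 5 desktop (Plasma 6 would live under
    # services.desktopManager.plasma6), all gated by enableDisplayManager.
    xserver = {
      enable = enableDisplayManager;
      desktopManager.plasma5.enable = enableDisplayManager;
    };
    displayManager = {
      sddm.enable = enableDisplayManager;
      #defaultSession = "plasma";
    };

    # Set to enable Flatpak
    flatpak.enable = false;

    # RDP, only together with the desktop.
    xrdp = {
      enable = enableDisplayManager;
      defaultWindowManager = "startplasma-x11";
      openFirewall = enableDisplayManager;
    };

    # mDNS.  Note that hinfo/workstation/userServices advertise OS and
    # service details to the whole LAN; harmless on a trusted home network.
    avahi = {
      enable = true;
      nssmdns4 = true;
      publish = {
        enable = true;
        addresses = true;
        domain = true;
        hinfo = true;
        userServices = true;
        workstation = true;
      };
      extraServiceFiles = {
        # TODO is this needed?
        smb = ''
          %h _smb._tcp 445
        '';
      };
    };

    apcupsd.enable = true;

    # Grafana.  http_addr = "" binds every interface; 2342 is in allowedPorts,
    # so the login page is reachable from the LAN and the tailnet.  Make sure
    # the default admin credentials have been changed.
    grafana = {
      enable = true;
      settings.server = {
        http_port = 2342;
        domain = hostname;
        serve_from_sub_path = true;
        http_addr = "";
      };
      dataDir = "/media/nas/ssd/nix-app-data/grafana";
    };

    # Prometheus scrapes only the local node and smartctl exporters; none of
    # these ports are in allowedPorts, so they are reachable only locally and
    # via tailscale0 (a trusted interface).
    prometheus = {
      enable = true;
      port = 9001;
      exporters = {
        node = {
          enable = true;
          enabledCollectors = [ "diskstats" "systemd" ];
          port = 9002;
        };
        smartctl = {
          enable = true;
          group = "disk";
          devices = [
            "/dev/sda" "/dev/sdb" "/dev/sdc" "/dev/sdd" "/dev/sde" "/dev/sdf"
            "/dev/sdg" "/dev/sdh" "/dev/sdi" "/dev/nvme0n1" "/dev/nvme1n1"
          ];
        };
      };
      scrapeConfigs = [
        {
          job_name = hostname;
          static_configs = [
            {
              targets = [
                "127.0.0.1:${toString config.services.prometheus.exporters.node.port}"
                "127.0.0.1:${toString config.services.prometheus.exporters.smartctl.port}"
              ];
            }
          ];
        }
      ];
    };

    tailscale = {
      enable = true;
      openFirewall = true;
      # "server" is what enables IP forwarding for --advertise-exit-node;
      # "client" alone only relaxes rp_filter for *using* exit nodes, so the
      # previous setting advertised an exit node that could not forward.
      # "both" keeps the client behaviour as well.
      useRoutingFeatures = "both";
      extraUpFlags = [ "--advertise-exit-node" ];
      # The module runs `tailscale up --auth-key ... ${extraUpFlags}` itself
      # when this is set, replacing the old hand-written oneshot that had the
      # key inlined.  Revoke that key in the Tailscale admin console.
      authKeyFile = "${secretsDir}/tailscale.authkey";
    };

    btrfs = {
      autoScrub.enable = true;
      autoScrub.fileSystems = [
        "/nix"
        "/root"
        "/etc"
        "/var/log"
        "/home"
        "/media/nas/ssd/nix-app-data"
        "/media/nas/ssd/ssd_app_data"
        "/media/nas/ssd/mariadb"
        "/media/nas/main/3d_printer"
        "/media/nas/main/backup"
        "/media/nas/main/documents"
        "/media/nas/main/nextcloud"
        "/media/nas/main/movies"
        "/media/nas/main/tv"
        "/media/nas/main/isos"
      ];
    };
  };

  # Glances web UI.
  # NOTE(review): `glances -w` has no authentication and 61208 is open to the
  # LAN, so any LAN host can read the full process list and system details.
  # Either bind it to localhost (`glances -w -B 127.0.0.1`) and reach it over
  # Tailscale/swag, or drop 61208 from allowedPorts.
  systemd.services.glances-server = {
    description = "Glances web server";
    path = [ pkgs.bash pkgs.glances ];
    script = ''
      glances -w
    '';
    wantedBy = [ "multi-user.target" ];
  };

  # Networking: static address on the Wi-Fi interface wlp6s0 (enp7s0 is not
  # configured here).
  networking = {
    hostName = hostname;
    hostId = "4b501480";
    networkmanager.enable = false;
    interfaces.wlp6s0.ipv4.addresses = [
      { address = "10.0.1.18"; prefixLength = 24; }
    ];
    defaultGateway.address = "10.0.1.1";
    nameservers = [ "10.0.1.1" ];
    wireless = {
      enable = true;
      # The passphrase is substituted from the environment file at service
      # start so it does not land in the world-readable store copy of
      # wpa_supplicant.conf.  (On NixOS >= 24.11 use `secretsFile` with
      # `pskRaw = "ext:PSK_HOME"` instead.)
      environmentFile = "${secretsDir}/wireless.env";
      networks."Joey’s Jungle".psk = "@PSK_HOME@";
    };
    firewall = {
      enable = true;
      allowPing = true;
      # Conntrack helper so NetBIOS name-service replies to our own queries
      # are accepted (browse lists / nmblookup).  TODO is this needed?
      extraCommands = "iptables -t raw -A OUTPUT -p udp -m udp --dport 137 -j CT --helper netbios-ns";
      allowedTCPPorts = allowedPorts;
      # The same list used to be opened on UDP too; none of these services
      # speak UDP.
      allowedUDPPorts = [ ];
      # Every tailnet peer bypasses the host firewall entirely (grafana,
      # prometheus, glances, cockpit...); access control for those peers is
      # the Tailscale ACL, so keep it tight.
      trustedInterfaces = [ "tailscale0" ];
    };
  };

  # Configure environment
  environment = {
    # etc."nut/upsd.conf".source = /home/matt/upsd.conf;
    # etc."nut/upsd.users".source = /home/matt/upsd.users;
    # etc."nut/upsmon.conf".source = /home/matt/upsmon.conf;
    etc.crypttab.text = ''
      ssd1 UUID=eff4b19c-aba7-41ab-b452-a8c6654d8754 none tpm2-device=auto
      ssd2 UUID=c8640e19-6cd9-49d0-a355-bac09d17ea0d none tpm2-device=auto
      hdd1 UUID=8d7dd657-d9b0-47ed-97e1-a9d1eba12b56 none tpm2-device=auto
      hdd2 UUID=11ee92b0-6334-4be7-bb2d-d85f5a3f51a6 none tpm2-device=auto
      hdd3 UUID=4463ea6f-3fcf-4e49-80c8-ba7f424471f0 none tpm2-device=auto
      hdd4 UUID=13fe7737-b72b-4d5f-a79d-1ca0d438f8f0 none tpm2-device=auto
      hdd5 UUID=2b4be219-613d-4512-8277-0260989d5377 none tpm2-device=auto
    '';

    # CACHIX_AGENT_TOKEN used to be exported from sessionVariables.  Those
    # end up in /etc/set-environment for every login session, so any local
    # user could read the token.  Hand it to the agent through
    # services.cachix-agent.credentialsFile instead, and rotate the old one.

    # List packages installed in system profile. To search, run:
    # $ nix search wget
    systemPackages = with pkgs; [
      vim wget nano efibootmgr sbctl pciutils vulkan-tools clinfo glances
      python3 nix-ld binutils gcc cmake ffmpeg ninja nodejs-18_x nut nmon
      protonvpn-cli protonmail-bridge pass cockpit packagekit
      gnome.gnome-packagekit unstable.nix-inspect unstable.gpt4all lm_sensors
      htop tailscale tpm2-tools tpm2-tss cryptsetup duperemove
    ];
  };

  # Configure programs
  programs = {
    fish.enable = false;
    virt-manager.enable = true;
    nix-ld.enable = true;
    screen.enable = true;
  };

  # NUT (Network UPS Tools), gated by enableUps.  Rewritten against the
  # structured power.ups schema: the previous block nested `enable`/`mode`
  # under `ups`, used a plain-string `upsmon.monitor` with the password
  # inlined, and had an unparseable listen address (`0.0 0.0 0.0`).
  # NOTE(review): written for the 23.11+ NUT module; verify option names
  # against `nixos-option power.ups` on the deployed release.
  power.ups = {
    enable = enableUps;
    mode = "netserver";
    ups.nasups = {
      driver = "usbhid-ups";
      port = "auto";
      description = "NAS UPS";
    };
    # upsd listens on all interfaces because other hosts run upsmon against
    # it (mode = netserver); 3493 is opened only while enableUps is set.
    upsd.listen = [
      { address = "0.0.0.0"; port = 3493; }
    ];
    # upsd-internal user (NOT a Unix account); password shared with upsmon.
    users.upsuser = {
      passwordFile = "${secretsDir}/upsuser.pw";
      upsmon = "primary";
    };
    upsmon = {
      monitor.nasups = {
        system = "nasups@localhost";
        powerValue = 1;
        user = "upsuser";
        passwordFile = "${secretsDir}/upsuser.pw";
        type = "primary";
      };
      settings = {
        # NOTIFYCMD = "/path/to/notify-script.sh";
        POLLFREQ = 5;
        POLLFREQALERT = 5;
        HOSTSYNC = "on";
        DEADTIME = 15;
        FINALDELAY = 5;
      };
    };
  };

  # Configure nixpkgs
  nixpkgs = {
    overlays = [ outputs.overlays.nixpkgs-unstable ];
    config = {
      # Enable non free
      allowUnfree = true;
      permittedInsecurePackages = [
        # ...
      ];
    };
  };

  # Accounts.  mutableUsers = false means everything below is authoritative:
  # passwords can only come from this config (via hashedPasswordFile).
  users = {
    # See https://search.nixos.org/options?channel=unstable&show=users.mutableUsers&from=0&size=50&sort=relevance&type=packages&query=users.users
    mutableUsers = false;
    groups.jallen-nas.gid = 1000; # create nas group cause truenas perms

    # Admin account (wheel => sudo; docker/libvirtd are root-equivalent too).
    users."${user}" = {
      isNormalUser = true;
      extraGroups = [ "wheel" "networkmanager" "docker" "podman" "libvirtd" "nix-apps" "jallen-nas" ];
      # Hash kept outside the repo and the store (see secretsDir).
      hashedPasswordFile = "${secretsDir}/admin.hash";
      shell = pkgs.zsh;
      openssh.authorizedKeys.keys = [
        # macBook
        "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCw9zq8DLGByI5v2gAn95hKNyOsm3g61a2buxu2BBMFysQJgmZPCCLUqRJKhSM5Vm/JOgsAmdpRBRZQoHD+6S844CJHb4v4VIbjkyQgYCuM7Rst2IOZ5QybvsA2/D0nwytZ+HXQqDj2AagUYDbz0gyyIHkDQ5YGBMkvkWz/h1Vci6aoBM7VihEDM4KlWoTVuPeASGM8r5IZ2FS83Djbqo4ov6AYvLMrKB9Z7hmFgH6R3LE0gxOkzbGVXtSuvJyrjvgytoT22UhATjjxSQ9D+YJXXkQoB3lUdg8OoIquUPjMZpl4mR8ffvseWPfcvD1XlD5t+TOHFqKpESO547tlOBYhdpew+NSgAXpamCU6oyV8tDCywLQu2ucxHRn78u6WXzWHkDtffdhzmk6TZaPhWqVHuTGjR4higBgGqUfSaKOMszt+FDRZAr3HtuQ2+zJ8bowK9fW5OqilTtK2HtQqroD9ApegDNbqOz6kGy5IycSXvqPURy/M4lxZxbtBPuemcJs= mattjallen@MacBook-Pro.local"
        # desktop windows
        "ssh-rsa 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 mattl@Jallen-PC"
        # desktop nixos
        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPTBMydhOc6SnOdB5WrEd7X07DrboAtagCUgXiOJjLov matt@matt-nixos"
      ];
      packages = with pkgs; [
        fastfetch git parted aspell aspellDicts.en aspellDicts.en-computers
        aspellDicts.en-science aha papirus-icon-theme firefox
      ];
    };

    # Service account the nas-apps run as.  It previously carried the admin
    # password hash; a service account gets no password at all.
    # NOTE(review): docker/podman group membership is root-equivalent for
    # anything running as this user - keep only if the apps really need the
    # socket.
    users.nix-apps = {
      isSystemUser = true;
      uid = 911;
      group = "jallen-nas";
      extraGroups = [ "jallen-nas" "docker" "podman" ];
    };

    # The NUT "upsuser" is an upsd user (power.ups.users above), not a Unix
    # account; the old system user that shared the admin hash was removed.
  };

  # Virtualisation
  virtualisation = {
    docker = {
      enable = true;
      enableOnBoot = true;
    };
    libvirtd.enable = true;
  };

  # Btrfs subvolume mounts: one SSD pool for application state and VMs, one
  # HDD pool for bulk data.  All mounted with zstd compression.
  fileSystems =
    let
      subvol = device: name: {
        inherit device;
        fsType = "btrfs";
        options = [ "subvol=${name}" "compress=zstd" ];
      };
      ssd = subvol "/dev/disk/by-uuid/09ac8b6b-e553-4cd8-ae62-8d8c17fe8b0c";
      main = subvol "/dev/disk/by-uuid/76e7cd98-3145-4cff-b78d-bab0206aae28";
    in
    {
      "/media/nas/ssd/nix-app-data" = ssd "nix-app-data";
      "/media/nas/ssd/ssd_app_data" = ssd "ssd_app_data";
      "/media/nas/ssd/mariadb" = ssd "mariadb";
      "/media/nas/ssd/VMs" = ssd "VMs";
      "/media/nas/main/3d_printer" = main "3d_printer";
      "/media/nas/main/backup" = main "backup";
      "/media/nas/main/books" = main "books";
      "/media/nas/main/documents" = main "documents";
      "/media/nas/main/homeassistant" = main "homeassistant";
      "/media/nas/main/isos" = main "isos";
      "/media/nas/main/movies" = main "movies";
      "/media/nas/main/nextcloud" = main "nextcloud";
      "/media/nas/main/photos" = main "photos";
      "/media/nas/main/switch" = main "switch";
      "/media/nas/main/tv" = main "tv";
      "/media/nas/main/timemachine" = main "timemachine";
      # "/media/nas/main/vms" = main "vms";
    };

  # This option defines the first version of NixOS you have installed on this particular machine,
  # and is used to maintain compatibility with application data (e.g. databases) created on older NixOS versions.
  #
  # Most users should NEVER change this value after the initial install, for any reason,
  # even if you've upgraded your system to a new NixOS release.
  #
  # This value does NOT affect the Nixpkgs version your packages and OS are pulled from,
  # so changing it will NOT upgrade your system.
  #
  # This value being lower than the current NixOS release does NOT mean your system is
  # out of date, out of support, or vulnerable.
  #
  # Do NOT change this value unless you have manually inspected all the changes it would make to your configuration,
  # and migrated your data accordingly.
  #
  # For more information, see `man configuration.nix` or https://nixos.org/manual/nixos/stable/options#opt-system.stateVersion .
  system.stateVersion = "23.11"; # Did you read the comment?
}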