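# Edit this configuration file to define what should be installed on
# your system. Help is available in the configuration.nix(5) man page, on
# https://search.nixos.org/options and in the NixOS manual (`nixos-help`).
#
# Host "jallen-nas": ZFS NAS with a Samba/Docker app stack, Cockpit, Grafana,
# Prometheus, NUT and a TPM-unlocked encrypted pool.
#
# Everything in this file is copied into the world-readable /nix/store on
# every rebuild (and, per nas-samba below, the containing repo is shared on
# the LAN), so the file must not hold secrets. Secrets live in root-only files
# outside the store and are referenced by path.
{ inputs, outputs, config, lib, pkgs, ... }:

let
  user = "admin";

  # yescrypt hash for the admin account. A hash in the config still ends up in
  # the store, where anyone on the box can copy it for offline cracking, and
  # this one has been committed, so: rotate the password, and prefer
  # users.users.<name>.hashedPasswordFile pointing at a root-only file.
  password = "$y$j9T$EkPXmsmIMFFZ.WRrBYCxS1$P0kwo6e4.WM5DsqUcEqWC3MrZp5KfCjxffraMFZWu06";

  hostname = "jallen-nas";

  # TCP services reachable from the LAN: Grafana (2342), NUT upsd (3493),
  # Glances web (61208), Cockpit (9090).
  allowedPorts = [ 2342 3493 61208 9090 ];

  # Root-only file (mode 0600) with lines of the form VAR=value; the wireless
  # module substitutes @VAR@ in the network definitions below at runtime.
  # Create it by hand, e.g.  PSK_JOEYS_JUNGLE=<the wifi passphrase>
  wirelessEnvFile = "/etc/nixos/secrets/wireless.env";

  # Root-only file holding the NUT password for the "upsuser" NUT account.
  upsPasswordFile = "/home/matt/ups.conf";

  # The desktop stack is off: NixOS could not work it out on this box and
  # enabling it broke things that could not be repaired.
  enableDisplayManager = false;
  enableUps = true;
in
{
  imports = [
    # Include the results of the hardware scan.
    ./hardware-configuration.nix
    ../default.nix
  ];

  # Cockpit web console. It is reachable from the LAN on 9090 (allowedPorts),
  # so it keeps its default TLS listener. The previous AllowUnencrypted = true
  # let admin credentials travel over plain HTTP across the LAN and was
  # dropped; cockpit.conf(5) exempts localhost connections from the redirect,
  # so a same-host reverse proxy is unaffected.
  services.cockpit = {
    enable = true;
    port = 9090;
  };

  # Members of wheel can push arbitrary store paths and substituters through
  # the daemon, which is root-equivalent. Acceptable here only because wheel
  # already has sudo.
  nix.settings.trusted-users = [ "@wheel" ];

  powerManagement.cpuFreqGovernor = "powersave";

  # Custom module from ../default.nix; each flag enables one containerised app.
  nas-apps = {
    collabora.enable = true;
    deluge.enable = true;
    homarr.enable = true;
    homepage.enable = false;
    jackett.enable = true;
    jellyfin.enable = true;
    jellyseerr.enable = true;
    mariadb.enable = true;
    nextcloud = {
      enable = true;
      httpPort = "9980";
      httpsPort = "9443";
    };
    ollama.enable = true;
    open-webui.enable = true;
    orca-slicer.enable = true;
    radarr.enable = true;
    sabnzbd.enable = true;
    sonarr.enable = true;
    swag.enable = true;
    vscode.enable = true;
  };

  # Custom Samba module. hostsAllow is a source-address prefix match, which is
  # a convenience filter, not authentication. NOTE(review): `public` looks like
  # Samba's guest-access flag; if so, Backup and Documents are open to every
  # device on 10.0.1.0/24 — confirm against the module and tighten if unwanted.
  nas-samba = {
    enable = true;
    hostsAllow = "10.0.1.";
    enableTimeMachine = true;
    timeMachinePath = "/home/admin/mainpool/TimeMachine";
    shares = {
      "3d_printer" = { public = true; sharePath = "/home/admin/mainpool/3d_printer"; };
      Backup = { public = true; sharePath = "/home/admin/mainpool/Backup"; };
      Documents = { public = true; sharePath = "/home/admin/mainpool/Documents"; };
      isos = { public = true; sharePath = "/home/admin/mainpool/isos"; };
      TimeMachine = {
        public = false;
        sharePath = "/home/admin/mainpool/TimeMachine";
        enableTimeMachine = true;
        timeMachineMaxSize = "1T";
      };
      app_data = { public = true; sharePath = "/home/admin/ssd/ssd_app_data"; };
      # The host's own NixOS config repo is no longer a guest share: it
      # contains host details, authorized keys and (historically) secrets.
      nix-config = { public = false; sharePath = "/home/matt/nix-config"; };
    };
  };

  share.hardware.nvidia = {
    enable = true;
    enableBeta = true;
    nvidiaSettings = true;
    enableNvidiaDocker = true;
  };

  # Bootloader: systemd-boot with bootspec. Despite the old comment, lanzaboote
  # / Secure Boot is NOT enabled here; sbctl is merely installed below for
  # enrolling keys later.
  boot = {
    loader = {
      systemd-boot = {
        enable = true;
        configurationLimit = 5;
      };
      efi = {
        canTouchEfiVariables = true;
        efiSysMountPoint = "/boot";
      };
    };
    # Newest kernel the ZFS module supports.
    kernelPackages = config.boot.zfs.package.latestCompatibleLinuxPackages;
    kernelParams = [ "nohibernate" "amd_pstate=active" ];
    consoleLogLevel = 3;
    bootspec.enable = true;
    supportedFilesystems = [ "zfs" ];
    zfs.extraPools = [ "junk" "MainPool" "SSD" ];
    # Keys for the encrypted pools are loaded by nas-mounts (below), not at boot.
    zfs.requestEncryptionCredentials = false;
  };

  security.tpm2 = {
    enable = true;
  };

  # Services configs
  services = {
    udisks2.enable = true;

    # X11 / desktop stack, all gated on enableDisplayManager.
    xserver = {
      enable = enableDisplayManager;
      # This enables Plasma 5 (Plasma 6 would be services.desktopManager.plasma6).
      desktopManager.plasma5.enable = enableDisplayManager;
    };
    displayManager = {
      sddm.enable = enableDisplayManager;
      #defaultSession = "plasma";
    };

    # Set to enable Flatpak
    flatpak.enable = false;

    # RDP, only with the desktop stack.
    xrdp = {
      enable = enableDisplayManager;
      defaultWindowManager = "startplasma-x11";
      openFirewall = enableDisplayManager;
    };

    # mDNS. publish.* advertises the host, its addresses, hinfo (OS/CPU) and
    # user services to the whole LAN, which is a fair amount of reconnaissance
    # handed out for free; fine for a home LAN, revisit if this ever sees a
    # shared network.
    avahi = {
      enable = true;
      nssmdns4 = true;
      publish = {
        enable = true;
        addresses = true;
        domain = true;
        hinfo = true;
        userServices = true;
        workstation = true;
      };
      extraServiceFiles = {
        # TODO is this needed? NOTE(review): extraServiceFiles expects the
        # avahi.service(5) XML format; this line is not that, so it is
        # probably ignored or logged as a parse error.
        smb = ''
          %h _smb._tcp 445
        '';
      };
    };

    apcupsd = {
      enable = true;
    };

    # Grafana. http_addr = "" binds every interface; 2342 is opened to the LAN
    # in the firewall, so the Grafana login is the only gate.
    grafana = {
      enable = true;
      settings.server = {
        http_port = 2342;
        domain = hostname;
        serve_from_sub_path = true;
        http_addr = "";
      };
      dataDir = "/home/admin/ssd/nix-app-data/grafana";
    };

    # Prometheus scraping the local node and smartctl exporters. None of these
    # ports are in allowedPorts, so they are host-local unless the firewall
    # is changed.
    prometheus = {
      enable = true;
      port = 9001;
      exporters = {
        node = {
          enable = true;
          enabledCollectors = [ "diskstats" "systemd" ];
          port = 9002;
        };
        smartctl = {
          enable = true;
          group = "disk";
          devices = [
            "/dev/sda" "/dev/sdb" "/dev/sdc" "/dev/sdd" "/dev/sde" "/dev/sdf"
            "/dev/sdg" "/dev/sdh" "/dev/sdi" "/dev/nvme0n1" "/dev/nvme1n1"
          ];
        };
      };
      scrapeConfigs = [
        {
          job_name = hostname;
          static_configs = [
            {
              targets = [
                "127.0.0.1:${toString config.services.prometheus.exporters.node.port}"
                "127.0.0.1:${toString config.services.prometheus.exporters.smartctl.port}"
              ];
            }
          ];
        }
      ];
    };
  };

  systemd.services = {
    # Unlock the encrypted pools with keys kept in fTPM NV indices (owner
    # hierarchy, no auth policy: anyone with root on this host can read them,
    # which is the accepted threat model — the keys protect the disks, not
    # the running system).
    nas-mounts = {
      description = "Unlock ZFS pool using fTPM";
      path = [ pkgs.zfs pkgs.bash pkgs.tpm2-tools ];
      wantedBy = [ "multi-user.target" ];
      requires = [ "zfs-import-MainPool.service" "zfs-import-SSD.service" ];
      after = [ "zfs-import-MainPool.service" "zfs-import-SSD.service" ];
      before = [ "zfs-mount.service" ];
      serviceConfig = {
        Type = "oneshot";
        RemainAfterExit = true;
        # Nothing below should touch /tmp any more; keep it private anyway.
        PrivateTmp = true;
      };
      # Key bytes go straight from the TPM into `zfs load-key` over a pipe.
      # The old script wrote them to /tmp/mainpool and /tmp/ssd, which were
      # world-readable (default service umask 022) for the duration, and —
      # because NixOS scripts run with `set -e` — were left on disk whenever
      # load-key failed.
      # NOTE(review): -s 65 reads 64 hex chars plus a newline, i.e.
      # keyformat=hex (or a passphrase); `-L prompt` reads exactly that from
      # stdin. Confirm the pools are not keyformat=raw before relying on this.
      script = ''
        set -euo pipefail
        unlock() {
          # $1 = TPM NV index holding the key, $2 = pool name
          tpm2_nvread "$1" -C o -s 65 | zfs load-key -L prompt "$2"
        }
        unlock 0x1500016 MainPool
        unlock 0x1600016 SSD
      '';
    };

    # Glances web UI on 61208 (opened to the LAN). Glances serves process
    # lists and host details with no authentication unless started with
    # --password, and this unit runs as root; consider a password or binding
    # to 127.0.0.1 if the LAN is not fully trusted.
    glances-server = {
      path = [ pkgs.bash pkgs.glances ];
      script = ''
        glances -w
      '';
      wantedBy = [ "multi-user.target" ];
    };
  };

  # Networking: static address on the wireless interface wlp6s0 (the previous
  # comment named enp7s0, which is not configured here).
  networking = {
    hostName = hostname;
    hostId = "4b501480";
    networkmanager.enable = false;
    interfaces = {
      wlp6s0.ipv4.addresses = [
        { address = "10.0.1.18"; prefixLength = 24; }
      ];
    };
    defaultGateway.address = "10.0.1.1";
    nameservers = [ "10.0.1.1" ];

    wireless = {
      enable = true;
      # The PSK comes from a root-only file at runtime instead of being written
      # into the world-readable store as it was before. The previous passphrase
      # was committed in clear text and should be changed on the access point.
      environmentFile = wirelessEnvFile;
      networks = {
        "Joey’s Jungle" = { psk = "@PSK_JOEYS_JUNGLE@"; };
      };
    };

    firewall = {
      enable = true;
      allowPing = true;
      # Conntrack helper so NetBIOS name-service replies are let back in. TODO is this needed?
      extraCommands = "iptables -t raw -A OUTPUT -p udp -m udp --dport 137 -j CT --helper netbios-ns";
      allowedTCPPorts = allowedPorts;
      # Every service in allowedPorts is TCP; the same numbers used to be
      # opened on UDP as well, for nothing.
      allowedUDPPorts = [ ];
    };
  };

  # Configure environment
  environment = {
    # NUT's upsd.conf, upsd.users and upsmon.conf are generated by the
    # power.ups module from the options below. The former environment.etc
    # overrides used path literals (/home/matt/*.conf), which copied those
    # files — passwords included — into the nix store, and would have
    # collided with the module's own /etc/nut entries.

    # The Cachix agent token that used to be exported via sessionVariables
    # (and therefore written into /etc/profile for every user and the store)
    # has been removed. Revoke it in Cachix and put the replacement in the
    # root-only file read by services.cachix-agent.credentialsFile if the
    # agent is wanted.

    # List packages installed in system profile. To search, run:
    # $ nix search wget
    systemPackages = with pkgs; [
      vim
      wget
      nano
      efibootmgr
      sbctl
      pciutils
      vulkan-tools
      clinfo
      glances
      python3
      nix-ld
      binutils
      gcc
      cmake
      ffmpeg
      ninja
      nodejs-18_x # NOTE(review): Node 18 is end-of-life upstream; move to a supported major.
      nut
      protonvpn-cli
      protonmail-bridge
      pass
      cockpit
      packagekit
      gnome.gnome-packagekit
      unstable.nix-inspect
      unstable.gpt4all
      lm_sensors
      htop
    ];
  };

  # Configure programs
  programs = {
    fish.enable = true;
    virt-manager.enable = true;
    nix-ld.enable = true;
  };

  # UPS via NUT, this host being the netserver other machines follow.
  # The old block nested enable/mode/upsd/users under power.ups.ups (where only
  # UPS definitions belong), wrote the listen address as the bare tokens
  # `0.0 0.0 0.0`, and put the NUT password in clear text on the monitor line.
  # NOTE(review): option names follow the 24.05 power.ups module
  # (upsd.listen as a list, users.<name>, upsmon.monitor.<name>); check them
  # against `nixos-help` for the channel actually in use.
  power.ups = {
    enable = enableUps;
    mode = "netserver";
    ups.nasups = {
      driver = "usbhid-ups";
      port = "auto";
      description = "NAS UPS";
    };
    upsd = {
      enable = true;
      # Listen on this host's LAN address only, not on every interface.
      listen = [ { address = "10.0.1.18"; port = 3493; } ];
    };
    users.upsuser = {
      passwordFile = upsPasswordFile;
      actions = [ "SET" ];
      instcmds = [ "ALL" ];
      upsmon = "primary";
    };
    upsmon = {
      enable = true;
      monitor.nasups = {
        system = "nasups@localhost";
        powerValue = 1;
        user = "upsuser";
        passwordFile = upsPasswordFile;
        type = "primary";
      };
      # upsmon.conf directives. HOSTSYNC was previously set to "on", which is
      # not a value it accepts (it is a number of seconds, default 15); it is
      # left at the default.
      settings = {
        POLLFREQ = 5;
        POLLFREQALERT = 5;
        DEADTIME = 15;
        FINALDELAY = 5;
      };
    };
  };

  # Configure nixpkgs
  nixpkgs = {
    overlays = [
      outputs.overlays.nixpkgs-unstable
    ];
    config = {
      # Enable non free
      allowUnfree = true;
      permittedInsecurePackages = [
        # ...
      ];
    };
  };

  # User accounts. mutableUsers = false means the declared state here is the
  # whole truth: nothing set with `passwd` survives a rebuild.
  users = {
    # See https://search.nixos.org/options?channel=unstable&show=users.mutableUsers&from=0&size=50&sort=relevance&type=packages&query=users.users
    mutableUsers = false;
    groups.jallen-nas.gid = 1000; # NAS group; matches the TrueNAS-era ownership on the pools

    # Admin account. wheel gives sudo; docker, podman and libvirtd membership
    # are each root-equivalent on their own.
    users."${user}" = {
      isNormalUser = true;
      extraGroups = [ "wheel" "networkmanager" "docker" "podman" "libvirtd" "nas-apps" "jallen-nas" ];
      initialHashedPassword = password;
      shell = pkgs.fish;
      openssh.authorizedKeys.keys = [
        # macBook
        "ssh-rsa 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 mattjallen@MacBook-Pro.local"
        # desktop windows
        "ssh-rsa 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 mattl@Jallen-PC"
        # desktop nixos
        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPTBMydhOc6SnOdB5WrEd7X07DrboAtagCUgXiOJjLov matt@matt-nixos"
      ];
      packages = with pkgs; [
        neofetch
        git
        parted
        aspell
        aspellDicts.en
        aspellDicts.en-computers
        aspellDicts.en-science
        aha
        papirus-icon-theme
        firefox
        tpm2-tools
        tpm2-tss
      ];
    };

    # Service account the NAS apps run as. It deliberately has no password:
    # nothing logs in as it interactively, and it is in the docker group,
    # which is root-equivalent — the old config gave it the admin password hash.
    users.nix-apps = {
      isSystemUser = true;
      uid = 911;
      group = "jallen-nas";
      extraGroups = [ "jallen-nas" "docker" "podman" ];
    };

    # The former Unix account "upsuser" (with the admin password hash) and the
    # manual "nut" group are gone: NUT's upsuser is a NUT-internal account
    # defined under power.ups.users, and the module creates its own nut
    # user/group with /var/lib/nut as home.
  };

  # Virtualisation
  virtualisation = {
    docker = {
      enable = true;
      enableOnBoot = true;
    };
    libvirtd.enable = true;
  };

  # This option defines the first version of NixOS you have installed on this particular machine,
  # and is used to maintain compatibility with application data (e.g. databases) created on older NixOS versions.
  #
  # Most users should NEVER change this value after the initial install, for any reason,
  # even if you've upgraded your system to a new NixOS release.
  #
  # This value does NOT affect the Nixpkgs version your packages and OS are pulled from,
  # so changing it will NOT upgrade your system.
  #
  # This value being lower than the current NixOS release does NOT mean your system is
  # out of date, out of support, or vulnerable.
  #
  # Do NOT change this value unless you have manually inspected all the changes it would make to your configuration,
  # and migrated your data accordingly.
  #
  # For more information, see `man configuration.nix` or https://nixos.org/manual/nixos/stable/options#opt-system.stateVersion .
  system.stateVersion = "23.11"; # Did you read the comment?
}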