# Host configuration for jallen-nas. Help is available in the configuration.nix(5)
# man page, on https://search.nixos.org/options and in the NixOS manual (`nixos-help`).
#
# Attributes under `${namespace}` are consumed by this repository's own modules
# (imported below); everything else is a plain NixOS option.
{ config, pkgs, namespace, ... }:
let
  # Final, merged TCP allow-list. It is read back through `config` (not a local
  # list) so that ports contributed by other modules are mirrored into UDP as well.
  tcpAllowList = config.${namespace}.network.firewall.allowedTCPPorts;

  # A directory that impermanence should keep, owned by the service account
  # (user and group carry the same name in every entry here).
  persistedDir = user: mode: directory: {
    inherit directory user mode;
    group = user;
  };

  # A guest-accessible Samba share rooted at `path`.
  publicShare = path: {
    public = true;
    sharePath = path;
  };
in
{
  imports = [
    ./boot.nix
    ./apps.nix
    ./users.nix
    ./services.nix
    ./sops.nix
  ];

  services.kmscon.enable = true;
  powerManagement.cpuFreqGovernor = "powersave";

  ${namespace} = {
    ## Boot ----------------------------------------------------------------
    bootloader.lanzaboote.enable = true;

    ## Desktop -------------------------------------------------------------
    desktop.cosmic.enable = false;

    ## Development ---------------------------------------------------------
    development = {
      enable = true;
      includeLanguages = [ "python" "c" ];
      includeContainers = true;
    };

    ## Hardware ------------------------------------------------------------
    hardware = {
      disko = {
        enable = true;
        enableSwap = true;
      };
      nvidia = {
        enable = true;
        enableBeta = true;
        enableOpen = true;
        nvidiaSettings = true;
        enableNvidiaDocker = true;
      };
    };

    ## Impermanence --------------------------------------------------------
    # State that must survive a root wipe. Note the modes differ: authentik's
    # media is private to its account, the other two are group-writable and
    # world-readable — presumably intentional, verify against the services.
    impermanence = {
      enable = true;
      extraDirectories = [
        (persistedDir "authentik" "u=rwx,g=,o=" "/var/lib/private/authentik/media")
        (persistedDir "crowdsec" "u=rwx,g=rwx,o=rx" "/var/lib/crowdsec")
        (persistedDir "traefik" "u=rwx,g=rwx,o=rx" "/plugins-storage")
      ];
    };

    ## Monitoring ----------------------------------------------------------
    monitoring.enable = true;

    ## Network -------------------------------------------------------------
    network = {
      hostName = "jallen-nas";
      hostId = "4b501480";

      ipv4 = {
        method = "manual";
        interface = "wlp6s0";
        address = "10.0.1.3/24";
        gateway = "10.0.1.1";
      };

      nat = {
        enable = true;
        enableIPv6 = true;
        externalInterface = "wlp6s0";
        internalInterfaces = [ "ve-+" ];
      };

      firewall = {
        enable = true;
        allowPing = true;
        # Traffic arriving on tailscale0 bypasses the port filter entirely.
        trustedInterfaces = [ "tailscale0" ];
        allowedTCPPorts = [
          8008 # restic
          9000 # authentik
          2342 # grafana
          51820 # wireguard
          1025 1143 10200 10300 8127 9943 # onlyoffice
          4000 # netbootxyz
          4080 # netbootxyz
          3000 # gitea
          2222 # gitea ssh
          3300 9898 6754 # lubelogger
          2283 # immich
          4444 # code-server
          9012 8192
        ];
        # NOTE(review): every TCP port above is also opened for UDP. Of the
        # labelled services only wireguard (51820) obviously needs UDP; the
        # rest are HTTP/SSH-style TCP services, so an explicit UDP list would
        # be tighter — confirm which services actually listen on UDP.
        allowedUDPPorts = tcpAllowList;
      };
    };

    ## Power ---------------------------------------------------------------
    power.ups.enable = true;

    ## Samba ---------------------------------------------------------------
    # NOTE(review): all shares except TimeMachine are `public` (guest access),
    # and `nix-config` exports a checkout from a home directory. Access is
    # narrowed to the 10.0.1.* prefix by `hostsAllow`, so the exposure is the
    # LAN; confirm the exported repository contains no plaintext secrets.
    samba = {
      enable = true;
      hostsAllow = "10.0.1.";
      enableTimeMachine = true;
      timeMachinePath = "/media/nas/main/timemachine";
      shares = {
        "3d_printer" = publicShare "/media/nas/main/3d_printer";
        Backup = publicShare "/media/nas/main/backup";
        Documents = publicShare "/media/nas/main/documents";
        isos = publicShare "/media/nas/main/isos";
        app_data = publicShare "/media/nas/main/ssd_app_data";
        nix-config = publicShare "/home/matt/nix-config";
        TimeMachine = {
          public = false;
          sharePath = "/media/nas/main/timemachine";
          enableTimeMachine = true;
          timeMachineMaxSize = "1T";
        };
      };
    };

    ## Security ------------------------------------------------------------
    security.tpm.enable = true;

    ## Services ------------------------------------------------------------
    services = {
      grafana.enable = true;
    };

    ## User ----------------------------------------------------------------
    user = {
      name = "admin";
      # Password hash is delivered through sops, never stored in this file.
      hashedPasswordFile = config.sops.secrets."jallen-nas/admin_password".path;
      linger = true;
      # NOTE(review): "62900" and "1001" are group *names* here, not GIDs;
      # presumably groups with those literal names exist elsewhere — verify,
      # otherwise the membership is silently missing.
      extraGroups = [
        "nix-apps"
        "jallen-nas"
        "grafana"
        "traefik"
        "62900"
        "1001"
      ];
    };
  };

  ## Mounts ----------------------------------------------------------------
  # Mounted by filesystem label; the explicit device list below is kept only
  # for reference.
  # device = "/dev/sde:/dev/sdf:/dev/sdh:/dev/sdi:/dev/sdj:/dev/nmve0n1:/dev/nvme1n1";
  fileSystems."/media/nas/main" = {
    label = "nas_pool";
    fsType = "bcachefs";
    mountPoint = "/media/nas/main";
  };

  ## Environment -----------------------------------------------------------
  environment.systemPackages = [
    pkgs.attic-client
    pkgs.bcachefs-tools
    pkgs.cryptsetup
    pkgs.clevis
    pkgs.deconz
    pkgs.duperemove
    pkgs.efibootmgr
    pkgs.ffmpeg
    pkgs.ipset
    pkgs.keyutils
    pkgs.llama-cpp
    pkgs.networkmanagerapplet
    pkgs.nut
    pkgs.packagekit
    pkgs.pass
    pkgs.protonmail-bridge
    pkgs.protonvpn-cli
    pkgs.python3Packages.llama-cpp-python
    pkgs.qrencode
    pkgs.rcon
    pkgs.sbctl
    pkgs.tigervnc
    pkgs.tpm2-tools
    pkgs.tpm2-tss
  ];

  ## Programs --------------------------------------------------------------
  programs = {
    virt-manager.enable = true;
    coolercontrol = {
      enable = true;
      nvidiaSupport = true;
    };
  };
}