nix-config/systems/x86_64-linux/nas/default.nix

# Edit this configuration file to define what should be installed on
# your system. Help is available in the configuration.nix(5) man page, on
# https://search.nixos.org/options and in the NixOS manual (`nixos-help`).

{
  config,
  pkgs,
  namespace,
  ...
}:
{
  imports = [
    # Include the results of the hardware scan.
    ./hardware-configuration.nix
    ./filesystems.nix
    ./boot.nix
    ./apps.nix
    ./grafana.nix
    # ./networking.nix - moved to modules/nixos/network
    ./ups.nix
    ./users.nix
    ./samba.nix
    ./services.nix
    ./sops.nix
  ];

  services.kmscon.enable = true;

  powerManagement.cpuFreqGovernor = "powersave";

  ${namespace} = {
    bootloader.lanzaboote.enable = true;
    desktop.cosmic.enable = false;
    development = {
      enable = true;
      includeLanguages = [
        "python"
        "c"
      ];
      includeContainers = true;
    };
    monitoring.enable = true;
    hardware.nvidia = {
      enable = true;
      enableBeta = true;
      enableOpen = true;
      nvidiaSettings = true;
      enableNvidiaDocker = true;
    };
    network = {
      hostName = "jallen-nas";
      ipv4 = {
        address = "10.0.1.3/24";
        method = "manual";
        gateway = "10.0.1.1";
        interface = "wlp6s0";
      };
      useNetworkd = true;
      hostId = "4b501480";
      nat = {
        enable = true;
        internalInterfaces = [ "ve-+" ];
        externalInterface = "wlp6s0";
        enableIPv6 = true;
      };
      firewall = {
        enable = true;
        allowPing = true;
        allowedTCPPorts = [
          8008 # restic
          9000 # authentik
          2342 # grafana
          51820 # wireguard
          1025
          1143
          10200
          10300
          8127
          9980 # onlyoffice
          4000 # netbootxyz
          4080 # netbootxyz
          3000 # gitea
          2222 # gitea ssh
          3300
          9898
          6754 # lubelogger
          2283 # immich
          4444 # code-server
          9012
          8192
        ];
        allowedUDPPorts = [
          8008 # restic
          9000 # authentik
          2342 # grafana
          51820 # wireguard
          1025
          1143
          10200
          10300
          8127
          9980 # onlyoffice
          4000 # netbootxyz
          4080 # netbootxyz
          3000 # gitea
          2222 # gitea ssh
          3300
          9898
          6754 # lubelogger
          2283 # immich
          4444 # code-server
          9012
          8192
        ];
        trustedInterfaces = [ "tailscale0" ];
      };
    };
    user = {
      name = "admin";
      linger = true;
    };
  };

  security.tpm2 = {
    enable = true;
  };

  # Configure environment
  environment = {
    etc.machine-id.text = ''
      57cdf5fc27f3469f80d0a339f1238aeb
    '';

    systemPackages = with pkgs; [
      attic-client
      bcachefs-tools
      cryptsetup
      clevis
      deconz
      duperemove
      efibootmgr
      ffmpeg
      ipset
      llama-cpp
      # inputs.nas-nixai.packages.x86_64-linux.nixai
      networkmanagerapplet
      nut
      packagekit
      pass
      protonmail-bridge
      protonvpn-cli
      python3Packages.llama-cpp-python
      qrencode
      rcon
      sbctl
      tigervnc
      tpm2-tools
      tpm2-tss
    ];
  };

  # Configure programs
  programs = {
    virt-manager.enable = true;
    coolercontrol = {
      enable = true;
      nvidiaSupport = true;
    };

    msmtp = {
      enable = false;
      accounts = {
        default = {
          auth = true;
          tls_starttls = false;
          host = "smtp.gmail.com";
          user = "matt.l.jallen";
          from = "matt.l.jallen@gmail.com";
          passwordeval = "cat ${config.sops.secrets."jallen-nas/gitea/mail-key".path}";
        };
      };
      defaults = {
        port = 465;
        tls = true;
      };
    };
  };

  hardware.fancontrol = {
    enable = false;
    config = ''
      # Configuration file generated by pwmconfig, changes will be lost
      # hwmon6/temp9_input -- chipset temp?
      # hwmon2/temp1_input -- cpu temp?
      # hwmon6/pwm5 -- chipset fan?
      # hwmon6/pwm2, hwmon6/pwm3 -- cpu fans?
      # hwmon6/pwm4 -- case fans?

      INTERVAL=10
      DEVPATH=hwmon2=devices/pci0000:00/0000:00:18.3 hwmon6=devices/platform/nct6775.656
      DEVNAME=hwmon2=k10temp hwmon6=nct6798
      FCTEMPS=hwmon6/pwm5=hwmon6/temp9_input hwmon6/pwm2=hwmon2/temp1_input hwmon6/pwm3=hwmon2/temp1_input hwmon6/pwm4=hwmon2/temp1_input
      FCFANS=hwmon6/pwm5=hwmon6/fan5_input hwmon6/pwm2=hwmon6/fan2_input hwmon6/pwm3=hwmon6/fan3_input hwmon6/pwm4=hwmon6/fan4_input
      MINTEMP=hwmon6/pwm5=20 hwmon6/pwm2=20 hwmon6/pwm3=20 hwmon6/pwm4=20
      MAXTEMP=hwmon6/pwm5=60 hwmon6/pwm2=90 hwmon6/pwm3=90 hwmon6/pwm4=90
      MINSTART=hwmon6/pwm5=16 hwmon6/pwm2=90 hwmon6/pwm3=45 hwmon6/pwm4=60
      MINSTOP=hwmon6/pwm5=14 hwmon6/pwm2=0 hwmon6/pwm3=30 hwmon6/pwm4=45
      MINPWM=hwmon6/pwm5=14 hwmon6/pwm2=0 hwmon6/pwm3=0 hwmon6/pwm4=0
      MAXPWM=hwmon6/pwm5=255 hwmon6/pwm2=255 hwmon6/pwm3=255 hwmon6/pwm4=255
    '';
  };

  # Additional virtualization beyond what's in development module
  virtualisation.libvirtd.enable = true;
}