nix-config/systems/x86_64-linux/jallen-nas/default.nix
mjallen18 1767debfd8 upd
2026-04-16 12:38:07 -05:00


# NixOS host module for the jallen-nas system (x86_64-linux). Only host-specific
# values live here; shared behaviour comes from the imported ./*.nix files and
# from the flake's own option namespace (lib.${namespace} / ${namespace}.*).
{
  config,
  lib,
  pkgs,
  namespace,
  ...
}:
let
  # Project helpers. `enabled`/`disabled` are used below as whole attribute
  # values (e.g. `monitoring = enabled;`), presumably `{ enable = …; }`-style
  # shorthands — confirm in lib.${namespace}. `net` carries the per-host
  # network facts referenced as net.hosts.nas.*.
  inherit (lib.${namespace}) enabled disabled;
  net = lib.${namespace}.network;
in
{
# Sibling modules that make up this host; option values set further down
# override or extend what these define.
imports = [
  ./boot.nix
  ./nas-defaults.nix
  ./apps.nix
  ./disabled.nix
  # ./nas-pool.nix   # currently not imported — remove or restore rather than keeping it dead
  ./users.nix
  ./services.nix
  ./sops.nix
  ./vpn.nix
];
# kmscon (userspace console) off; `disabled` comes from lib.${namespace} (let-block above).
services.kmscon = disabled;
# Power-saving CPU frequency governor.
powerManagement.cpuFreqGovernor = "powersave";
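${namespace} = {
  # Project (flake-namespace) options; their semantics live in the imported modules.
  sops.enable = true;

  # ###################################################
  # # Boot # #
  # ###################################################
  # Secure Boot with a lanzaboote-signed boot chain (pairs with security.tpm below).
  bootloader.lanzaboote = enabled;

  # ###################################################
  # # Desktop # #
  # ###################################################
  # Plasma is enabled for occasional local display access.
  # headless.enable only disables watchdog/emergency mode, not the display server.
  desktop.plasma = {
    enable = true;
    wallpaper.enable = true;
  };

  # ###################################################
  # # Development # #
  # ###################################################
  development = {
    enable = true;
    includeLanguages = [
      "python"
      "c"
    ];
    # Container tooling on the NAS host (the NAT rules below masquerade the "ve-+" veths).
    includeContainers = true;
  };
  # Gaming stack on a NAS host: extra packages/services to keep patched. The separate
  # programs.steam.gamescopeSession override further down forces the gamescope session off.
  gaming.enable = true;

  # ###################################################
  # # Hardware # #
  # ###################################################
  hardware = {
    disko = {
      enable = true;
      enableSwap = false;
      # Full-disk encryption; unlocked at boot via clevis (see boot.initrd below).
      enableLuks = true;
    };
    amd = {
      enable = true;
    };
    npu = {
      # NPU support is off while fastflowlm stays on — NOTE(review): confirm this combination is intended.
      enable = false;
      fastflowlm.enable = true;
    };
  };
  # Not headless: keeps watchdog/emergency-mode behaviour (see the Desktop note above).
  headless.enable = false;

  # ###################################################
  # # Impermanence # #
  # ###################################################
  impermanence = {
    enable = true;
    # State that must survive a root wipe. The mode is applied to the persisted directory;
    # o=rx makes the crowdsec and nextcloud state dirs world-listable —
    # NOTE(review): tighten to o= unless something outside those groups needs read access.
    extraDirectories = [
      # {
      # directory = "/var/lib/private/authentik/media";
      # user = "authentik";
      # group = "authentik";
      # mode = "u=rwx,g=,o=";
      # }
      {
        directory = "/var/lib/crowdsec";
        user = "crowdsec";
        group = "crowdsec";
        mode = "u=rwx,g=rwx,o=rx";
      }
      {
        directory = "/var/lib/nextcloud";
        user = "nextcloud";
        group = "nextcloud";
        mode = "u=rwx,g=rwx,o=rx";
      }
    ];
  };

  # ###################################################
  # # Monitoring # #
  # ###################################################
  monitoring = enabled;

  # ###################################################
  # # Network # #
  # ###################################################
  network = {
    hostName = net.hosts.nas.hostname;
    ipv4 = {
      address = net.hosts.nas.lan;
      method = "manual";
      inherit (net.hosts.nas) gateway;
      # Plain (unencrypted) upstream resolver.
      dns = "1.1.1.1";
      interface = "enp197s0";
    };
    # 8-hex-digit host id (networking.hostId); used by ZFS, harmless for bcachefs.
    hostId = "4b501480";
    nat = {
      enable = true;
      # Masquerade container veths ("ve-*") out of the LAN interface.
      internalInterfaces = [ "ve-+" ];
      externalInterface = "enp197s0";
      enableIPv6 = true;
    };
    firewall = {
      enable = true;
      allowPing = true;
      # Everything arriving on the tailnet interface bypasses the port filter below,
      # so tailnet membership is the only control on that path.
      trustedInterfaces = [ "tailscale0" ];
      # Ports opened on every non-trusted interface (LAN side included).
      # Unlabelled entries have no recorded owner — TODO identify each or drop it;
      # an unlabelled open port cannot be audited.
      allowedTCPPorts = [
        80 # http
        443 # https
        8080 # traefik dashboard
        8008 # restic
        9000 # authentik
        2342 # grafana — NOTE(review): services.grafana.port below is 9999; confirm which is right
        51820 # wireguard
        1025 # smtp (protonmail bridge)
        1143 # imap (protonmail bridge)
        10200 # nebula
        10300
        8127 # llama.cpp server
        8280
        9943 # onlyoffice
        4000 # netbootxyz tftp/http
        4080 # netbootxyz web
        3000 # gitea
        2222 # gitea ssh
        3300
        9898
        6754 # lubelogger
        2283 # immich
        4444 # code-server
        9012
        9988
        8192
        8181 # crowdsec
        3001
        3333
        5201 # iperf
        # 5432 (postgresql) is deliberately NOT opened: internal only. It was still listed
        # here despite the "removed" note, which is what exposed the database to the LAN.
        8400
        9200 # elasticsearch / attic
        9233
        9980
        47984 # sunshine (tcp: control)
        47989 # sunshine (tcp: https)
        47990 # sunshine (tcp: web)
        47998 # sunshine (tcp: video)
        47999 # sunshine (tcp: control)
        48000 # sunshine (tcp: video)
        48010 # sunshine (tcp: rtsp)
        3493 # nut upsd
      ];
      allowedUDPPorts = [
        51820 # wireguard
        5201 # iperf
        47998 # sunshine (udp: video)
        47999 # sunshine (udp: control)
        48000 # sunshine (udp: video)
      ];
    };
  };

  # ###################################################
  # # Power # #
  # ###################################################
  power.ups = {
    enable = true;
    ntfy = {
      enable = true;
      # ntfy credentials are rendered by sops-nix at activation, never inlined here.
      envFile = config.sops.templates."ntfy.env".path;
    };
  };

  # ###################################################
  # # Samba # #
  # ###################################################
  samba = {
    enable = true;
    # Allow only the LAN /24 plus loopback. The prefix is hard-coded, so it must be kept
    # in step with net.hosts.nas.lan — TODO confirm (or derive it from that value).
    hostsAllow = "10.0.1. 127.0.0.1 localhost";
    # Every SMB session is mapped to one local identity, so per-user ownership on the
    # shares is not possible; access control reduces to who can authenticate plus hostsAllow.
    forceGroup = "jallen-nas";
    forceUser = "nix-apps";
    enableTimeMachine = true;
    timeMachinePath = "/media/nas/main/timemachine";
    shares = {
      "3d_printer".sharePath = "/media/nas/main/documents/3d-models";
      Backup.sharePath = "/media/nas/main/backup";
      Books.sharePath = "/media/nas/main/books";
      Documents.sharePath = "/media/nas/main/documents";
      isos.sharePath = "/media/nas/main/documents/isos";
      app_data.sharePath = "/media/nas/main/appdata";
      TimeMachine = {
        sharePath = "/media/nas/main/timemachine";
        # guestOk is set only on this share; the others rely on the module default —
        # NOTE(review): confirm that default is "no guest access".
        guestOk = false;
        enableTimeMachine = true;
        timeMachineMaxSize = "1T";
      };
    };
  };

  # ###################################################
  # # Security # #
  # ###################################################
  security.tpm = enabled;

  # ###################################################
  # # Services # #
  # ###################################################
  services = {
    grafana = {
      enable = true;
      # Not in allowedTCPPorts (2342 is the port labelled grafana there) — see the note in the firewall list.
      port = 9999;
    };
  };

  # ###################################################
  # # User # #
  # ###################################################
  user = {
    name = "admin";
    # Password hash is read from a sops secret, not from the world-readable Nix store.
    hashedPasswordFile = config.sops.secrets."jallen-nas/admin_password".path;
    # Keep this user's systemd --user services running without a login session.
    linger = true;
    extraGroups = [
      "nix-apps"
      "jallen-nas"
      "grafana"
      # NOTE(review): if this is passed through to users.users.<name>.extraGroups, NixOS
      # expects group *names*; "62900" and "1001" only work if groups literally named that
      # exist — confirm, or replace them with the group names.
      "62900"
      "1001"
    ];
  };
  wallpaper.enable = true;
};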
# ###################################################
# # Mounts # #
# ###################################################
fileSystems = {
  # Data pool; it also hosts the impermanence persist directory
  # (environment.persistence."/media/nas/main/persist"), hence neededForBoot.
  "/media/nas/main" = {
    device = "/dev/disk/by-uuid/d179ff8d-151d-4e62-9890-e13b5e006fdc";
    fsType = "bcachefs";
    neededForBoot = true;
    options = [
      "version_upgrade=incompatible"
      # NOTE(review): nofail + neededForBoot means a failed mount does not stop boot;
      # anything persisted under /media/nas/main/persist would then be written to the
      # ephemeral root instead — confirm that is the intended failure mode.
      "nofail"
      # Allow bcachefs to self-heal journal errors (e.g. duplicate entries from unclean shutdown)
      # instead of refusing to mount with fsck_errors_not_fixed.
      "errors=fix_safe"
    ];
  };
};
# Ensure Samba share root directories are owned by nix-apps:jallen-nas
# so that force user = nix-apps can write to them.
# 0775: group jallen-nas (the admin user is a member) may also write; others read/traverse only.
# Only the pool root is covered here; the per-share subdirectories (documents, backup, …)
# are neither created nor re-owned by this rule.
systemd.tmpfiles.rules = [
  "d /media/nas/main 0775 nix-apps jallen-nas - -"
];
boot.initrd = {
  supportedFilesystems = {
    bcachefs = true;
  };
  clevis = {
    # mkForce: overrides a lower-priority definition elsewhere (probably one of the imported modules).
    enable = lib.mkForce true;
    devices = {
      # Clevis-bound unlock secret. A relative path literal is copied into the Nix store
      # (world-readable) and into the initrd; that is acceptable only because the .jwe is
      # ciphertext bound to its clevis pin policy — never point this at a plaintext key.
      # NOTE(review): this is the same UUID as the bcachefs fileSystems entry above; confirm
      # it is the device clevis should unlock. The sops alternative is left in the trailing comment.
      "/dev/disk/by-uuid/d179ff8d-151d-4e62-9890-e13b5e006fdc".secretFile = ../../../secrets/disk.jwe; # config.sops.secrets."disk-key".path;
    };
  };
};
# Host-wide packages and persisted application state.
environment = {
  # Explicit pkgs.* references instead of `with pkgs;`, so every name's origin is
  # unambiguous and nothing can be shadowed silently.
  systemPackages = [
    pkgs.attic-client
    pkgs.bcachefs-tools
    pkgs.cryptsetup
    pkgs.clevis
    pkgs.deconz
    pkgs.duperemove
    pkgs.efibootmgr
    pkgs.ffmpeg
    pkgs.ipset
    pkgs.keyutils
    pkgs.nut
    pkgs.packagekit
    pkgs.pass
    pkgs.protonmail-bridge
    pkgs.proton-vpn
    pkgs.qrencode
    pkgs.sbctl
    pkgs.systemctl-tui
    pkgs.tigervnc
    pkgs.tpm2-tools
    pkgs.tpm2-tss
    # From the flake's own package set.
    pkgs.${namespace}.nebula-sign-cert
  ];
  # Impermanence: sabnzbd state is kept on the data pool and mounted back over the
  # ephemeral root. Mode u=rwx,g=rx,o=rx leaves the directory world-listable.
  persistence."/media/nas/main/persist".hideMounts = true;
  persistence."/media/nas/main/persist".directories = [
    {
      directory = "/var/lib/sabnzbd";
      user = "sabnzbd";
      group = "sabnzbd";
      mode = "u=rwx,g=rx,o=rx";
    }
  ];
};
# Disables the firewall's reverse-path (rp_filter) check. Usually required for the
# WireGuard / NAT / container-veth setup above, but it also means packets with a
# spoofed source address are no longer dropped at this layer — keep the port list tight.
networking.firewall.checkReversePath = false;
# Configure programs
programs = {
  # mkForce: overrides an enabling definition elsewhere (likely pulled in by the desktop module).
  kdeconnect.enable = lib.mkForce false;
  # virt-manager follows libvirtd: present only when the hypervisor is enabled.
  virt-manager.enable = config.virtualisation.libvirtd.enable;
  # Plasma stays (see desktop.plasma); only the gamescope compositor session is forced off.
  steam.gamescopeSession.enable = lib.mkForce false;
};
}