407 lines
11 KiB
Nix
Executable File
407 lines
11 KiB
Nix
Executable File
{
|
|
config,
|
|
lib,
|
|
pkgs,
|
|
namespace,
|
|
...
|
|
}:
|
|
let
|
|
inherit (lib.${namespace}) enabled disabled;
|
|
in
|
|
{
|
|
imports = [
|
|
./boot.nix
|
|
./apps.nix
|
|
./disabled.nix
|
|
# ./nas-pool.nix
|
|
./users.nix
|
|
./services.nix
|
|
./sops.nix
|
|
];
|
|
|
|
services.kmscon = disabled;
|
|
|
|
powerManagement.cpuFreqGovernor = "powersave";
|
|
|
|
${namespace} = {
|
|
# ###################################################
|
|
# # Boot # #
|
|
# ###################################################
|
|
|
|
bootloader.lanzaboote = enabled;
|
|
|
|
# ###################################################
|
|
# # Desktop # #
|
|
# ###################################################
|
|
|
|
desktop.cosmic = enabled;
|
|
|
|
# ###################################################
|
|
# # Development # #
|
|
# ###################################################
|
|
|
|
development = {
|
|
enable = true;
|
|
includeLanguages = [
|
|
"python"
|
|
"c"
|
|
];
|
|
includeContainers = true;
|
|
};
|
|
|
|
gaming.enable = true;
|
|
|
|
# ###################################################
|
|
# # Hardware # #
|
|
# ###################################################
|
|
|
|
hardware = {
|
|
disko = {
|
|
enable = true;
|
|
enableSwap = false;
|
|
enableLuks = true;
|
|
};
|
|
|
|
amd = {
|
|
enable = true;
|
|
};
|
|
};
|
|
|
|
headless.enable = true;
|
|
|
|
# ###################################################
|
|
# # Impermanence # #
|
|
# ###################################################
|
|
|
|
impermanence = {
|
|
enable = true;
|
|
extraDirectories = [
|
|
# {
|
|
# directory = "/var/lib/private/authentik/media";
|
|
# user = "authentik";
|
|
# group = "authentik";
|
|
# mode = "u=rwx,g=,o=";
|
|
# }
|
|
{
|
|
directory = "/var/lib/crowdsec";
|
|
user = "crowdsec";
|
|
group = "crowdsec";
|
|
mode = "u=rwx,g=rwx,o=rx";
|
|
}
|
|
{
|
|
directory = "/var/lib/nextcloud";
|
|
user = "nextcloud";
|
|
group = "nextcloud";
|
|
mode = "u=rwx,g=rwx,o=rx";
|
|
}
|
|
{
|
|
directory = "/plugins-storage";
|
|
user = "traefik";
|
|
group = "traefik";
|
|
mode = "u=rwx,g=rwx,o=rx";
|
|
}
|
|
];
|
|
};
|
|
|
|
# ###################################################
|
|
# # Monitoring # #
|
|
# ###################################################
|
|
|
|
monitoring = enabled;
|
|
|
|
# ###################################################
|
|
# # Network # #
|
|
# ###################################################
|
|
|
|
network = {
|
|
hostName = "jallen-nas";
|
|
ipv4 = {
|
|
address = "10.0.1.3";
|
|
method = "manual";
|
|
gateway = "10.0.1.1";
|
|
interface = "enp197s0";
|
|
};
|
|
hostId = "4b501480";
|
|
nat = {
|
|
enable = true;
|
|
internalInterfaces = [ "ve-+" ];
|
|
externalInterface = "enp197s0";
|
|
enableIPv6 = true;
|
|
};
|
|
firewall = {
|
|
enable = true;
|
|
allowPing = true;
|
|
trustedInterfaces = [ "tailscale0" ];
|
|
allowedTCPPorts = [
|
|
8008 # restic
|
|
9000 # authentik
|
|
2342 # grafana
|
|
51820 # wireguard
|
|
1025
|
|
1143
|
|
10200
|
|
10300
|
|
8127
|
|
8280
|
|
9943 # onlyoffice
|
|
4000 # netbootxyz
|
|
4080 # netbootxyz
|
|
3000 # gitea
|
|
2222 # gitea ssh
|
|
3300
|
|
9898
|
|
6754 # lubelogger
|
|
2283 # immich
|
|
4444 # code-server
|
|
9012
|
|
9988
|
|
8192
|
|
3000
|
|
2222
|
|
8181
|
|
5432
|
|
3001
|
|
3333
|
|
5201 # iperf
|
|
8400
|
|
9200
|
|
9233
|
|
9980
|
|
47984
|
|
47989
|
|
47990
|
|
47998
|
|
47999
|
|
48000
|
|
48010
|
|
3493 # nut
|
|
];
|
|
allowedUDPPorts = config.${namespace}.network.firewall.allowedTCPPorts;
|
|
};
|
|
};
|
|
|
|
# ###################################################
|
|
# # Power # #
|
|
# ###################################################
|
|
|
|
power.ups = enabled;
|
|
|
|
# ###################################################
|
|
# # Samba # #
|
|
# ###################################################
|
|
|
|
samba = {
|
|
enable = true;
|
|
hostsAllow = "10.0.1.";
|
|
enableTimeMachine = true;
|
|
timeMachinePath = "/media/nas/main/timemachine";
|
|
|
|
shares = {
|
|
"3d_printer" = {
|
|
public = true;
|
|
sharePath = "/media/nas/main/3d_printer";
|
|
};
|
|
Backup = {
|
|
public = true;
|
|
sharePath = "/media/nas/main/backup";
|
|
};
|
|
Documents = {
|
|
public = true;
|
|
sharePath = "/media/nas/main/documents";
|
|
};
|
|
isos = {
|
|
public = true;
|
|
sharePath = "/media/nas/main/isos";
|
|
};
|
|
TimeMachine = {
|
|
public = false;
|
|
sharePath = "/media/nas/main/timemachine";
|
|
enableTimeMachine = true;
|
|
timeMachineMaxSize = "1T";
|
|
};
|
|
app_data = {
|
|
public = true;
|
|
sharePath = "/media/nas/main/ssd_app_data";
|
|
};
|
|
nix-config = {
|
|
public = true;
|
|
sharePath = "/home/matt/nix-config";
|
|
};
|
|
};
|
|
};
|
|
|
|
# ###################################################
|
|
# # Security # #
|
|
# ###################################################
|
|
|
|
security.tpm = enabled;
|
|
|
|
# ###################################################
|
|
# # Services # #
|
|
# ###################################################
|
|
|
|
services = {
|
|
grafana = {
|
|
enable = false;
|
|
port = 9999;
|
|
};
|
|
};
|
|
|
|
# ###################################################
|
|
# # User # #
|
|
# ###################################################
|
|
|
|
user = {
|
|
name = "admin";
|
|
hashedPasswordFile = config.sops.secrets."jallen-nas/admin_password".path;
|
|
linger = true;
|
|
extraGroups = [
|
|
"nix-apps"
|
|
"jallen-nas"
|
|
"grafana"
|
|
"traefik"
|
|
"62900"
|
|
"1001"
|
|
];
|
|
};
|
|
};
|
|
|
|
# ###################################################
|
|
# # Mounts # #
|
|
# ###################################################
|
|
# fileSystems."/media/nas/main" = {
|
|
# label = "nas_pool";
|
|
# # device = "/dev/sde:/dev/sdf:/dev/sdh:/dev/sdi:/dev/sdj:/dev/nmve0n1:/dev/nvme1n1";
|
|
# fsType = "bcachefs";
|
|
# mountPoint = "/media/nas/main";
|
|
# options = [
|
|
# # "noauto"
|
|
# "nofail"
|
|
# # "x-systemd.mount-timeout=0"
|
|
# # "x-systemd.device-timeout=0"
|
|
# ];
|
|
# };
|
|
fileSystems = {
|
|
"/media/nas/main" = {
|
|
device = "UUID=adf7b4e1-dfed-4c10-a9ab-2741c1055552";
|
|
fsType = "bcachefs";
|
|
};
|
|
# "/media/nas/test" = {
|
|
# device = "UUID=621706d6-e3a8-48d6-9560-58b01129a846";
|
|
# fsType = "bcachefs";
|
|
# };
|
|
};
|
|
fileSystems."/etc".neededForBoot = true;
|
|
|
|
environment.etc = {
|
|
"crypttab".text = ''
|
|
hdd1-cryptroot UUID="295d4c78-41f0-4792-bd97-ac88b2455cdc" none tpm2-device=auto
|
|
hdd2-cryptroot UUID="7c9c2179-351c-40a5-9257-e9ee2a1e794a" none tpm2-device=auto
|
|
ssd1-cryptroot UUID="d78fa862-212c-4d4f-ad86-bfeead5cc054" none tpm2-device=auto,allow-discards,perf-no_read_workqueue,perf-no_write_workqueue
|
|
ssd2-cryptroot UUID="1661c173-3809-4517-9ab8-ad94c229048d" none tpm2-device=auto,allow-discards,perf-no_read_workqueue,perf-no_write_workqueue
|
|
ssd3-cryptroot UUID="cfea125e-90b1-4248-834d-16dcaf310783" none tpm2-device=auto,allow-discards,perf-no_read_workqueue,perf-no_write_workqueue
|
|
ssd4-cryptroot UUID="96055401-6d1a-4308-9e4e-2211e1e23635" none tpm2-device=auto,allow-discards,perf-no_read_workqueue,perf-no_write_workqueue
|
|
ssd5-cryptroot UUID="055e27e0-c96a-4899-8ee7-cb1cd5f21476" none tpm2-device=auto,allow-discards,perf-no_read_workqueue,perf-no_write_workqueue
|
|
ssd6-cryptroot UUID="6e830abd-2555-4558-81a3-4a990507b5a7" none tpm2-device=auto,allow-discards,perf-no_read_workqueue,perf-no_write_workqueue
|
|
'';
|
|
};
|
|
|
|
boot.initrd = {
|
|
luks.devices = {
|
|
# "621706d6-e3a8-48d6-9560-58b01129a846" = {
|
|
# device = "/dev/disk/by-uuid/621706d6-e3a8-48d6-9560-58b01129a846";
|
|
# };
|
|
hdd1-cryptroot = {
|
|
device = "/dev/disk/by-uuid/295d4c78-41f0-4792-bd97-ac88b2455cdc";
|
|
};
|
|
hdd2-cryptroot = {
|
|
device = "/dev/disk/by-uuid/7c9c2179-351c-40a5-9257-e9ee2a1e794a";
|
|
};
|
|
ssd1-cryptroot = {
|
|
device = "/dev/disk/by-uuid/d78fa862-212c-4d4f-ad86-bfeead5cc054";
|
|
allowDiscards = true;
|
|
bypassWorkqueues = true;
|
|
};
|
|
ssd2-cryptroot = {
|
|
device = "/dev/disk/by-uuid/1661c173-3809-4517-9ab8-ad94c229048d";
|
|
allowDiscards = true;
|
|
bypassWorkqueues = true;
|
|
};
|
|
ssd3-cryptroot = {
|
|
device = "/dev/disk/by-uuid/cfea125e-90b1-4248-834d-16dcaf310783";
|
|
allowDiscards = true;
|
|
bypassWorkqueues = true;
|
|
};
|
|
ssd4-cryptroot = {
|
|
device = "/dev/disk/by-uuid/96055401-6d1a-4308-9e4e-2211e1e23635";
|
|
allowDiscards = true;
|
|
bypassWorkqueues = true;
|
|
};
|
|
ssd5-cryptroot = {
|
|
device = "/dev/disk/by-uuid/055e27e0-c96a-4899-8ee7-cb1cd5f21476";
|
|
allowDiscards = true;
|
|
bypassWorkqueues = true;
|
|
};
|
|
ssd6-cryptroot = {
|
|
device = "/dev/disk/by-uuid/6e830abd-2555-4558-81a3-4a990507b5a7";
|
|
allowDiscards = true;
|
|
bypassWorkqueues = true;
|
|
};
|
|
};
|
|
|
|
# clevis = {
|
|
# enable = true;
|
|
# devices = {
|
|
# "621706d6-e3a8-48d6-9560-58b01129a846".secretFile = ../../../test.jwe;
|
|
# };
|
|
# };
|
|
};
|
|
|
|
# boot.initrd.luks.devices.cryptroot.device = "/dev/disk/by-partlabel/disk-main-jallen-nas-cryptroot";
|
|
|
|
# Configure environment
|
|
environment = {
|
|
systemPackages = with pkgs; [
|
|
attic-client
|
|
bcachefs-tools
|
|
cryptsetup
|
|
clevis
|
|
deconz
|
|
duperemove
|
|
efibootmgr
|
|
ffmpeg
|
|
ipset
|
|
keyutils
|
|
nut
|
|
packagekit
|
|
pass
|
|
protonmail-bridge
|
|
protonvpn-gui
|
|
qrencode
|
|
sbctl
|
|
tigervnc
|
|
tpm2-tools
|
|
tpm2-tss
|
|
];
|
|
persistence."/media/nas/main/persist" = {
|
|
hideMounts = true;
|
|
directories = [
|
|
# {
|
|
# directory = "/var/lib/redis-ccache";
|
|
# user = "redis-ccache";
|
|
# group = "redis-ccache";
|
|
# mode = "u=rwx,g=,o=";
|
|
# }
|
|
];
|
|
};
|
|
};
|
|
|
|
networking.firewall.checkReversePath = false;
|
|
|
|
# Configure programs
|
|
programs = {
|
|
kdeconnect.enable = lib.mkForce false;
|
|
virt-manager.enable = true;
|
|
};
|
|
}
|