bluh

2026-04-01 22:30:48 +01:00 · 2026-04-01 22:30:48 +01:00 · 22c2fbf629
commit 22c2fbf629
parent bf9ed72841
4 changed files with 474 additions and 375 deletions
--- a/config/common.nix
+++ b/config/common.nix
@ -102,4 +102,5 @@
    tree
  ];

+  powerManagement.powertop.enable = true;
 }
--- a/home/podman.nix
+++ b/home/podman.nix
--- a/hosts/server/hardware.nix
+++ b/hosts/server/hardware.nix
@ -5,21 +5,27 @@

 {
  imports =
-    [ (modulesPath + "/profiles/qemu-guest.nix")
+    [ (modulesPath + "/installer/scan/not-detected.nix")
    ];

-  boot.initrd.availableKernelModules = [ "uhci_hcd" "ehci_pci" "ahci" "virtio_pci" "mpt3sas" "xhci_pci" "sd_mod" "sr_mod" "virtio_blk" ];
+  boot.initrd.availableKernelModules = [ "mpt3sas" "xhci_pci" "ahci" "usb_storage" "usbhid" "sd_mod" ];
  boot.initrd.kernelModules = [ ];
-  boot.kernelModules = [ "kvm-intel" ];
+  boot.kernelModules = [ "kvm-amd" ];
  boot.extraModulePackages = [ ];

  fileSystems."/" =
-    { device = "/dev/disk/by-uuid/54d867b3-a9cf-42cd-bc1a-56fbd758ecc4";
+    { device = "/dev/disk/by-uuid/b9cc7972-36ae-4cb4-a6f4-e342eaca679e";
      fsType = "ext4";
    };

+  fileSystems."/boot" =
+    { device = "/dev/disk/by-uuid/542D-865C";
+      fsType = "vfat";
+      options = [ "fmask=0077" "dmask=0077" ];
+    };
+
  swapDevices =
-    [ { device = "/dev/disk/by-uuid/b5e77330-ad8c-4c5b-99fc-aedfb6e0b145"; }
+    [ { device = "/dev/disk/by-uuid/1032bbd9-0124-419f-a696-a977755aaf17"; }
    ];

  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
@ -27,7 +33,8 @@
  # still possible to use this option, but it's recommended to use it in conjunction
  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
  networking.useDHCP = lib.mkDefault true;
-  # networking.interfaces.enp6s18.useDHCP = lib.mkDefault true;
+  # networking.interfaces.enp6s0.useDHCP = lib.mkDefault true;

  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+  hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
 }
--- a/hosts/server/settings.nix
+++ b/hosts/server/settings.nix
@ -11,10 +11,8 @@

  age.identityPaths = [ "${config.users.users.admin.home}/.ssh/id_ed25519" ];

-  boot.loader.grub.enable = true;
-  boot.loader.grub.device = "/dev/vda";
-  boot.loader.grub.useOSProber = true;
-
+  boot.loader.systemd-boot.enable = true;
+  boot.loader.efi.canTouchEfiVariables = true;
  #boot.loader.limine.biosDevice = "/dev/vda";
  #boot.loader.efi.efiSysMountPoint = "/boot";

@ -43,7 +41,7 @@ systemd.services.podman-network-vlan50 = {
    vlans = {
      vlan50 = {
        id = 50;
-        interface = "ens18";
+        interface = "enp7s0";
      };
    };
    hostName = "nixos-server";
@ -57,7 +55,7 @@ systemd.services.podman-network-vlan50 = {
        }
      ];
    };
-    interfaces.ens18 = {
+    interfaces.enp7s0 = {
      ipv4.addresses = [
        {
          address = "192.168.0.30";
@ -85,6 +83,16 @@ systemd.services.podman-network-vlan50 = {
  #   nvidia-container-toolkit.enable = true;
  # };

+  hardware.graphics = {
+    enable = true;
+    enable32Bit = true;  # only needed if you run 32-bit apps
+    extraPackages = with pkgs; [
+      mesa.drivers
+      libva
+      libva-utils  # provides vainfo
+    ];
+  };
+
  boot.kernel.sysctl = {
    "net.ipv4.ip_unprivileged_port_start" = 0;
    "net.ipv4.conf.all.src_valid_mark" = 1;
@ -105,28 +113,28 @@ systemd.services.podman-network-vlan50 = {
    };
  };

- # services.restic.backups.backup = {
- #   initialize = true;
- #   environmentFile = config.age.secrets."restic/environmentFile".path;
- #   repositoryFile = config.age.secrets."restic/repositoryFile".path;
- #   passwordFile = config.age.secrets."restic/passwordFile".path;
-#
- #   paths = [
-   #   "/pool/services"
-  #    "/pool/data"
- #   ];
-#
- #   exclude = [
- #     "/pool/services/cctv"
- #   ];
-#
- #   pruneOpts = [
- #     "--keep-daily 7"
- #     "--keep-weekly 5"
- #     "--keep-monthly 12"
-  #  ];
-#
- # };
+  services.restic.backups.backup = {
+    initialize = true;
+    environmentFile = "/pool/services/secrets/restic/environmentFile";
+    repositoryFile = "/pool/services/secrets/restic/repositoryFile";
+    passwordFile = "/pool/services/secrets/restic/passwordFile";
+
+    paths = [
+      "/pool/services"
+      "/pool/data"
+    ];
+
+    exclude = [
+      "/pool/services/cctv"
+    ];
+
+    pruneOpts = [
+      "--keep-daily 7"
+      "--keep-weekly 5"
+      "--keep-monthly 12"
+    ];
+
+  };

  # systemd.timers."prune-podman" = {
  #   wantedBy = [ "timers.target" ];
@ -158,10 +166,8 @@ systemd.services.podman-network-vlan50 = {
  
  services.zfs.autoScrub = {
    enable = true;
-    interval = "weekly";
  };
  services.zfs.autoSnapshot.enable = true;
-  services.zfs.trim.enable = true;

  services.smartd = {
    enable = true;
@ -172,16 +178,53 @@ systemd.services.podman-network-vlan50 = {
    #devices = [ "DEVICESCAN -a" ]; # autodetect all drives
  };

+
+  programs.msmtp = {
+    enable = true;
+    accounts.default = {
+      auth = true;
+      tls = true;
+      host = "smtp.protonmail.ch";
+      port = 587;
+      from = "faris@mektem.com";
+      user = "faris@mektem.com";
+      passwordeval = "cat /pool/services/secrets/mail.txt";
+    };
+  };
+  environment.etc."zfs/zed-notify.sh" = {
+    mode = "0755";
+    text = ''
+      #!/bin/sh
+      # ZED calls: ZED_EMAIL_PROG "subject" "recipient"
+      SUBJECT="$1"
+      TO="$2"
+      (echo "Subject: $SUBJECT"; echo "To: $TO"; echo ""; cat) | \
+        ${pkgs.msmtp}/bin/msmtp "$TO"
+    '';
+  };
+
+  services.zfs.zed = {
+    enableMail = true;
+    settings = {
+      ZED_EMAIL_ADDR = [ "faris@mektem.com" ];
+      ZED_EMAIL_PROG = "/etc/zfs/zed-notify.sh"; # Or ssmtp
+	  ZED_EMAIL_OPTS = "";
+      ZED_NOTIFY_INTERVAL_SECS = 3600;
+      ZED_NOTIFY_VERBOSE = true; # Set to false to only get alerts on degradation
+    };
+  };
+
  services.samba = {
    enable = true;
    openFirewall = true;
    settings = {
      global = {
+      "server min protocol" = "SMB2_10";
      "workgroup" = "WORKGROUP";
      "server string" = "smbnix";
      "netbios name" = "smbnix";
      "security" = "user";
-      "hosts allow" = "192.168.0. 127.0.0.1 localhost";
+      "hosts allow" = "192.168.0. 192.168.30. 192.168.40.10 127.0.0.1 localhost";
      "hosts deny" = "0.0.0.0/0";
      "guest account" = "nobody";
      "map to guest" = "never";
@ -368,28 +411,6 @@ systemd.services.podman-network-vlan50 = {
      # };
    };

-    vaultwarden = {
-      image = "docker.io/vaultwarden/server:latest";
-      autoStart = true;
-      #autoUpdate = "registry";
-      networks = [ "vlan50" ];
-      environmentFiles = [
-        "/pool/services/secrets/default"
-        "/pool/services/secrets/vaultwarden"
-      ];
-      volumes = [
-        "/pool/services/podman/vaultwarden:/data/"
-      ];
-      extraOptions = [
-        "--ip=192.168.50.37"
-      ];
-      # extraConfig = {
-      #   Service = {
-      #     TimeoutStartSec = 900;
-      #   };
-      # };
-    };
-
  };

  system.stateVersion = "24.11";