From f71e9df93f42dc0506840d202ea2b378f3282ff9 Mon Sep 17 00:00:00 2001 From: Faris Date: Wed, 16 Jul 2025 12:10:32 +0100 Subject: [PATCH] creds --- config/common.nix | 39 +++-- config/desktop.nix | 144 ++++++++++++++---- flake.lock | 24 +-- home/desktop.nix | 8 +- home/podman.nix | 299 +++++++++++++++++-------------------- hosts/desktop/settings.nix | 42 ++++-- hosts/laptop/settings.nix | 40 +++++ hosts/server/settings.nix | 177 ++++++++++++++-------- secrets/secrets.nix | 2 + 9 files changed, 483 insertions(+), 292 deletions(-) create mode 100644 hosts/laptop/settings.nix diff --git a/config/common.nix b/config/common.nix index d59517f..2bcd47a 100644 --- a/config/common.nix +++ b/config/common.nix @@ -10,6 +10,10 @@ }: { + # Bootloader + boot.loader.limine.enable = true; + #boot.loader.limine.secureBoot.enable = true; + # Enable networking networking.networkmanager.enable = true; @@ -69,22 +73,31 @@ zsh.enable = true; }; - fileSystems."/mnt/media" = { - device = "192.168.0.20:/mnt/pool/media"; - fsType = "nfs"; - }; - fileSystems."/mnt/services" = { - device = "192.168.0.20:/mnt/pool/services"; - fsType = "nfs"; - }; - fileSystems."/mnt/data" = { - device = "192.168.0.20:/mnt/pool/data"; - fsType = "nfs"; - }; - nix = { + extraOptions = '' + keep-outputs = true + keep-derivations = true + ''; gc.automatic = true; optimise.automatic = true; }; + # unfree + nixpkgs.config.allowUnfree = true; + + environment.systemPackages = with pkgs; [ + zsh + htop + fastfetch + restic + nixpkgs-fmt + nixfmt-rfc-style + rsync + lm_sensors + pciutils # lspci + usbutils # lsusb + nmap + tree + ]; + } diff --git a/config/desktop.nix b/config/desktop.nix index 32f9aac..dffba19 100644 --- a/config/desktop.nix +++ b/config/desktop.nix @@ -2,7 +2,7 @@ { - powerManagement.powertop.enable = true; + #system.includeBuildDependencies = true; # THIS CAN'T BE INCLUDED IN COMMON YET BECAUSE SERVER DOES NOT HAVE ENOUGH STORAGE hardware.graphics = { enable = true; 
@@ -14,6 +14,7 @@ # Enable the GNOME Desktop Environment. services.xserver.displayManager.gdm.enable = true; services.xserver.desktopManager.gnome.enable = true; + services.gnome.gnome-keyring.enable = true; # Configure keymap in X11 services.xserver.xkb = { @@ -26,6 +27,26 @@ # Enable CUPS to print documents. services.printing.enable = true; + services.avahi = { + enable = true; + nssmdns4 = true; + openFirewall = true; + }; + # services.printing.drivers = [ pkgs.brgenml1lpr pkgs.brgenml1cupswrapper ]; + # hardware.printers = { + # ensurePrinters = [ + # { + # name = "DCP-L8410CDWW"; + # location = "Home"; + # deviceUri = "http://192.168.0.177:631/ipp/print"; + # model = "drv:///cupsfilters.drv/pwgrast.ppd"; + # ppdOptions = { + # PageSize = "A4"; + # }; + # } + # ]; + # ensureDefaultPrinter = "DCP-L8410CDWW"; + # }; # Enable sound with pipewire. hardware.pulseaudio.enable = false; @@ -45,8 +66,16 @@ systemd.services."getty@tty1".enable = false; systemd.services."autovt@tty1".enable = false; - # Allow unfree packages - nixpkgs.config.allowUnfree = true; + services.ollama = { + enable = true; + acceleration = "cuda"; + openFirewall = true; + host = "0.0.0.0"; + # Optional: preload models, see https://ollama.com/library + loadModels = [ "deepseek-r1" ]; + }; + + hardware.keyboard.qmk.enable = true; boot = { # Graphical boot @@ -55,9 +84,12 @@ kernel.sysctl."vm.max_map_count" = 2147483642; }; + #services.udev.packages = [ pkgs.via ]; + environment.gnome.excludePackages = with pkgs; [ epiphany # web browser geary # email + decibels #audio player gnome-calendar gnome-music gnome-software 
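Review bot: In the `services.ollama` block, `host = "0.0.0.0"` combined with `openFirewall = true` exposes the Ollama HTTP API, which carries no authentication of its own, to every host that can reach this machine; the loopback default already serves local clients, so unless remote access is intended I would drop both lines, or keep `host = "0.0.0.0"` and restrict the port to trusted sources instead of opening it to all. A second point: `loadModels = [ "deepseek-r1" ]` here and `services.ollama.loadModels = [ "deepseek-r1:14b" ]` in hosts/desktop/settings.nix are both list values, which the module system merges rather than overrides, so both models will be pulled on the desktop; use `lib.mkForce` in the host file or remove the entry from this shared file if only one is wanted.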
@@ -77,48 +109,59 @@ gnomeExtensions.caffeine gnomeExtensions.dash-to-dock inkscape - joplin-desktop kiwix libreoffice obs-studio - ollama protonmail-desktop prismlauncher - ungoogled-chromium signal-desktop tor-browser wireshark monero-gui vscodium - zsh - brave dconf-editor - localsend + via + kdePackages.kdenlive - #gaymig? + # games heroic lutris cataclysm-dda + runelite + zeroad + unciv + endless-sky + wesnoth + mindustry + openrct2 + openttd + xonotic + + # game utils + mangohud + umu-launcher - #TUI - fastfetch - nixfmt-rfc-style + # emu + ryubing + xemu + retroarch-full + rpcs3 + cemu + + # media yt-dlp exiftool - #tree? - #ntfs-3g? - ffmpeg-full - htop - lm_sensors - mangohud mediainfo - pciutils # lspci - usbutils # lsusb + ffmpeg-full - nmap - umu-launcher + # barcodes qrencode - smartmontools + zbar + barcode + ghostscript + + # backup + keepassxc ]; fonts.packages = with pkgs; [ @@ -130,8 +173,20 @@ fantasque-sans-mono ]; + services.sunshine = { + enable = true; + autoStart = true; + capSysAdmin = true; + openFirewall = true; + }; + programs = { adb.enable = true; + + localsend = { + enable = true; + openFirewall = true; + }; coolercontrol = { enable = true; @@ -202,11 +257,12 @@ default-folder-viewer = "list-view"; }; "org/gnome/shell/extensions/dash-to-dock" = { - click-action = "focus-minimize-or-previews"; + click-action = "minimize-or-previews"; dock-fixed = true; multi-monitor = true; show-mounts = false; - show-show-apps-button = false; + show-show-apps-button = true; + apply-custom-theme = true; }; "org/gnome/shell/keybindings" = { show-screenshot-ui = ["s"]; 
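Review bot: In the `services.sunshine` block, `capSysAdmin = true` together with `openFirewall = true` grants the streaming daemon CAP_SYS_ADMIN and makes it reachable from the whole network, and because this is the shared desktop config the same applies to the laptop once it imports it; as I understand the option, the capability is needed only for KMS capture, so confirm it is actually required here and record why with a comment such as `# CAP_SYS_ADMIN needed for KMS screen capture; pairing PIN still gates clients`. `programs.localsend.openFirewall = true` in the same hunk likewise opens ports for every host using this file, so it is worth stating in a comment that LAN exposure is intended. The `programs` attribute set continues outside this hunk.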
@@ -216,4 +272,40 @@ }; }; + fileSystems."/mnt/media" = { + device = "//192.168.0.30/media"; + fsType = "cifs"; + options = let + # this line prevents hanging on network split + automount_opts = "x-systemd.automount,noauto,x-systemd.idle-timeout=60,x-systemd.device-timeout=5s,x-systemd.mount-timeout=5s"; + + in ["${automount_opts},username=admin,password=Ch19blizz9,uid=1000,gid=1000"]; + }; + fileSystems."/mnt/services" = { + device = "//192.168.0.30/services"; + fsType = "cifs"; + options = let + # this line prevents hanging on network split + automount_opts = "x-systemd.automount,noauto,x-systemd.idle-timeout=60,x-systemd.device-timeout=5s,x-systemd.mount-timeout=5s"; + + in ["${automount_opts},username=admin,password=Ch19blizz9,uid=1000,gid=1000"]; + }; + fileSystems."/mnt/data" = { + device = "//192.168.0.30/data"; + fsType = "cifs"; + options = let + # this line prevents hanging on network split + automount_opts = "x-systemd.automount,noauto,x-systemd.idle-timeout=60,x-systemd.device-timeout=5s,x-systemd.mount-timeout=5s"; + + in ["${automount_opts},username=admin,password=Ch19blizz9,uid=1000,gid=1000"]; + }; + + programs.virt-manager.enable = true; + users.groups.libvirtd.members = ["admin"]; + virtualisation.libvirtd = { + enable = true; + qemu.swtpm.enable = true; + }; + virtualisation.spiceUSBRedirection.enable = true; + } diff --git a/flake.lock b/flake.lock index 1645f36..54ce92b 100644 --- a/flake.lock +++ b/flake.lock @@ -8,11 +8,11 @@ "systems": "systems" }, "locked": { - "lastModified": 1747575206, - "narHash": "sha256-NwmAFuDUO/PFcgaGGr4j3ozG9Pe5hZ/ogitWhY+D81k=", + "lastModified": 1750173260, + "narHash": "sha256-9P1FziAwl5+3edkfFcr5HeGtQUtrSdk/MksX39GieoA=", "owner": "ryantm", "repo": "agenix", - "rev": "4835b1dc898959d8547a871ef484930675cb47f1", + "rev": "531beac616433bac6f9e2a19feb8e99a22a66baf", "type": "github" }, "original": { 
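Review bot: The three `fileSystems."/mnt/*"` option strings embed the SMB username and plaintext password in the Nix expression, so the password is now in git history (this commit) and lands in the world-readable Nix store of every machine that evaluates this file. mount.cifs accepts `credentials=<file>` in place of `username=`/`password=`, and the repository already manages secrets with agenix (`age.secrets` in hosts/server/settings.nix), so the fix is an age secret containing the `username=`/`password=` lines and `in ["${automount_opts},credentials=${config.age.secrets."smb-credentials".path},uid=1000,gid=1000"]` in all three mounts (secret name constructed; this assumes `config` is among the file's arguments, which are outside the hunk). The password should also be rotated since it is already published in history. The three mounts repeat the same `let` binding of `automount_opts`; lifting it and the credential suffix to a single binding at file level would keep the three from drifting apart.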
@@ -71,11 +71,11 @@ ] }, "locked": { - "lastModified": 1747556831, - "narHash": "sha256-Qb84nbYFFk0DzFeqVoHltS2RodAYY5/HZQKE8WnBDsc=", + "lastModified": 1752208517, + "narHash": "sha256-aRY1cYOdVdXdNjcL/Twpa27CknO7pVHxooPsBizDraE=", "owner": "nix-community", "repo": "home-manager", - "rev": "d0bbd221482c2713cccb80220f3c9d16a6e20a33", + "rev": "c6a01e54af81b381695db796a43360bf6db5702f", "type": "github" }, "original": { @@ -87,11 +87,11 @@ }, "nixos-hardware": { "locked": { - "lastModified": 1747129300, - "narHash": "sha256-L3clA5YGeYCF47ghsI7Tcex+DnaaN/BbQ4dR2wzoiKg=", + "lastModified": 1752048960, + "narHash": "sha256-gATnkOe37eeVwKKYCsL+OnS2gU4MmLuZFzzWCtaKLI8=", "owner": "nixos", "repo": "nixos-hardware", - "rev": "e81fd167b33121269149c57806599045fd33eeed", + "rev": "7ced9122cff2163c6a0212b8d1ec8c33a1660806", "type": "github" }, "original": { @@ -119,11 +119,11 @@ }, "nixpkgs_2": { "locked": { - "lastModified": 1747825515, - "narHash": "sha256-BWpMQymVI73QoKZdcVCxUCCK3GNvr/xa2Dc4DM1o2BE=", + "lastModified": 1751943650, + "narHash": "sha256-7orTnNqkGGru8Je6Un6mq1T8YVVU/O5kyW4+f9C1mZQ=", "owner": "nixos", "repo": "nixpkgs", - "rev": "cd2812de55cf87df88a9e09bf3be1ce63d50c1a6", + "rev": "88983d4b665fb491861005137ce2b11a9f89f203", "type": "github" }, "original": { diff --git a/home/desktop.nix b/home/desktop.nix index 9c64bc9..b6b4603 100644 --- a/home/desktop.nix +++ b/home/desktop.nix @@ -2,6 +2,13 @@ { programs = { + chromium = { + enable = true; + package = pkgs.brave; + commandLineArgs = [ + #"--sync-url='http://192.168.0.30:8295/v2'" + ]; + }; mpv = { enable = true; @@ -9,7 +16,6 @@ package = ( pkgs.mpv-unwrapped.wrapper { scripts = with pkgs.mpvScripts; [ - #uosc sponsorblock ]; diff --git a/home/podman.nix b/home/podman.nix index b3353e2..32b8105 100644 --- a/home/podman.nix +++ b/home/podman.nix 
@@ -17,10 +17,10 @@ autoUpdate = "registry"; network = "bridge"; environmentFile = [ - "/mnt/services/secrets/default" + "/pool/services/secrets/default" ]; volumes = [ - "/mnt/services/podman/actual:/data" + "/pool/services/podman/actual:/data" ]; ports = [ "5006:5006" @@ -38,11 +38,11 @@ autoUpdate = "registry"; network = "bridge"; environmentFile = [ - "/mnt/services/secrets/default" - "/mnt/services/secrets/archivebox" + "/pool/services/secrets/default" + "/pool/services/secrets/archivebox" ]; volumes = [ - "/mnt/services/podman/archivebox:/data" + "/pool/services/podman/archivebox:/data" ]; ports = [ "8002:8000" @@ -60,12 +60,12 @@ autoUpdate = "registry"; network = "bridge"; environmentFile = [ - "/mnt/services/secrets/default" + "/pool/services/secrets/default" ]; volumes = [ - "/mnt/services/podman/bazarr:/config" - "/mnt/media/video/movies:/movies" - "/mnt/media/video/tv:/tv" + "/pool/services/podman/bazarr:/config" + "/pool/media/video/movies:/movies" + "/pool/media/video/tv:/tv" ]; ports = [ "6767:6767" @@ -83,10 +83,10 @@ autoUpdate = "registry"; network = "bridge"; environmentFile = [ - "/mnt/services/secrets/default" + "/pool/services/secrets/default" ]; volumes = [ - "/mnt/services/podman/ddclient:/config" + "/pool/services/podman/ddclient:/config" ]; extraConfig = { Service = { @@ -101,10 +101,10 @@ autoUpdate = "registry"; network = "bridge"; environmentFile = [ - "/mnt/services/secrets/default" + "/pool/services/secrets/default" ]; volumes = [ - "/mnt/services/podman/eclipse-mosquitto:/mosquitto" + "/pool/services/podman/eclipse-mosquitto:/mosquitto" ]; ports = [ "1883:1883" @@ -123,10 +123,10 @@ autoUpdate = "registry"; network = "bridge"; environmentFile = [ - "/mnt/services/secrets/default" + "/pool/services/secrets/default" ]; volumes = [ - "/home/admin/podman/freshrss:/config" + "/pool/services/podman/freshrss:/config" ]; ports = [ "8555:80" 
@@ -145,13 +145,13 @@ network = "bridge"; devices = [ "nvidia.com/gpu=all" ]; environmentFile = [ - "/mnt/services/secrets/default" - "/mnt/services/secrets/frigate" + "/pool/services/secrets/default" + "/pool/services/secrets/frigate" ]; volumes = [ "/etc/localtime:/etc/localtime:ro" - "/mnt/services/podman/frigate:/config" - "/mnt/services/cctv:/media/frigate" + "/pool/services/podman/frigate:/config" + "/pool/services/cctv:/media/frigate" ]; ports = [ "5005:5000" @@ -172,11 +172,11 @@ autoUpdate = "registry"; network = "bridge"; environmentFile = [ - "/mnt/services/secrets/default" - "/mnt/services/secrets/gitea" + "/pool/services/secrets/default" + "/pool/services/secrets/gitea" ]; volumes = [ - "/mnt/services/podman/gitea:/data" + "/pool/services/podman/gitea:/data" ]; ports = [ "3001:3000" @@ -195,11 +195,11 @@ autoUpdate = "registry"; network = "bridge"; environmentFile = [ - "/mnt/services/secrets/default" + "/pool/services/secrets/default" ]; volumes = [ "/etc/localtime:/etc/localtime:ro" - "/mnt/services/podman/homeassistant:/config" + "/pool/services/podman/homeassistant:/config" ]; ports = [ "8123:8123" @@ -217,11 +217,11 @@ autoUpdate = "registry"; network = "bridge"; environmentFile = [ - "/mnt/services/secrets/default" - "/mnt/services/secrets/immich" + "/pool/services/secrets/default" + "/pool/services/secrets/immich" ]; volumes = [ - "/mnt/services/podman/immich/db:/var/lib/postgresql/data:z" + "/pool/services/podman/immich/db:/var/lib/postgresql/data:z" ]; ports = [ "5433:5432" @@ -240,11 +240,11 @@ autoUpdate = "registry"; network = "bridge"; environmentFile = [ - "/mnt/services/secrets/default" - "/mnt/services/secrets/immich" + "/pool/services/secrets/default" + "/pool/services/secrets/immich" ]; volumes = [ - "/mnt/services/podman/immich/cache:/cache" + "/pool/services/podman/immich/cache:/cache" ]; ports = [ "3003:3003" 
@@ -262,8 +262,8 @@ autoUpdate = "registry"; network = "bridge"; environmentFile = [ - "/mnt/services/secrets/default" - "/mnt/services/secrets/immich" + "/pool/services/secrets/default" + "/pool/services/secrets/immich" ]; ports = [ "6379:6379" @@ -281,11 +281,11 @@ autoUpdate = "registry"; network = "bridge"; environmentFile = [ - "/mnt/services/secrets/default" - "/mnt/services/secrets/immich" + "/pool/services/secrets/default" + "/pool/services/secrets/immich" ]; volumes = [ - "/mnt/services/immich:/usr/src/app/upload" + "/pool/services/immich:/usr/src/app/upload" "/etc/localtime:/etc/localtime:ro" ]; ports = [ @@ -304,15 +304,15 @@ network = "bridge"; devices = [ "nvidia.com/gpu=all" ]; environmentFile = [ - "/mnt/services/secrets/default" + "/pool/services/secrets/default" ]; volumes = [ - "/mnt/services/podman/jellyfin:/config" - "/mnt/media/video/movies:/movies" - "/mnt/media/video/tv:/tv" - "/mnt/media/audio/music/flac:/music" - "/mnt/media/video/family:/family" - "/mnt/media/video/livetv:/livetv" + "/pool/services/podman/jellyfin:/config" + "/pool/media/video/movies:/movies" + "/pool/media/video/tv:/tv" + "/pool/media/audio/music/flac:/music" + "/pool/media/video/family:/family" + "/pool/media/video/livetv:/livetv" ]; ports = [ "8096:8096" @@ -330,10 +330,10 @@ autoUpdate = "registry"; network = "bridge"; environmentFile = [ - "/mnt/services/secrets/default" + "/pool/services/secrets/default" ]; volumes = [ - "/mnt/services/podman/jellyseerr:/app/config" + "/pool/services/podman/jellyseerr:/app/config" ]; ports = [ "5055:5055" @@ -351,8 +351,8 @@ autoUpdate = "registry"; network = "bridge"; environmentFile = [ - "/mnt/services/secrets/default" - "/mnt/services/secrets/joplin" + "/pool/services/secrets/default" + "/pool/services/secrets/joplin" ]; ports = [ "22300:22300" 
@@ -370,11 +370,11 @@ autoUpdate = "registry"; network = "bridge"; environmentFile = [ - "/mnt/services/secrets/default" - "/mnt/services/secrets/joplin" + "/pool/services/secrets/default" + "/pool/services/secrets/joplin" ]; volumes = [ - "/home/admin/podman/joplin-db:/var/lib/postgresql/data" + "/pool/services/podman/joplin-db:/var/lib/postgresql/data" ]; ports = [ "5432:5432" @@ -393,10 +393,10 @@ network = "bridge"; exec = "*.zim"; environmentFile = [ - "/mnt/services/secrets/default" + "/pool/services/secrets/default" ]; volumes = [ - "/mnt/media/kiwix:/data" + "/pool/media/kiwix:/data" ]; ports = [ "8088:8080" @@ -414,12 +414,12 @@ autoUpdate = "registry"; network = "bridge"; environmentFile = [ - "/mnt/services/secrets/default" + "/pool/services/secrets/default" ]; volumes = [ - "/mnt/services/podman/lidarr:/config" - "/mnt/media/audio/music/flac:/music" - "/mnt/media/torrents:/downloads" + "/pool/services/podman/lidarr:/config" + "/pool/media/audio/music/flac:/music" + "/pool/media/torrents:/downloads" ]; ports = [ "8686:8686" @@ -437,11 +437,11 @@ autoUpdate = "registry"; network = "bridge"; environmentFile = [ - "/mnt/services/secrets/default" + "/pool/services/secrets/default" ]; volumes = [ - "/mnt/media/youtube-dl:/downloads" - "/mnt/media/audio/music/flac:/music" + "/pool/media/youtube-dl:/downloads" + "/pool/media/audio/music/flac:/music" ]; ports = [ "8081:8081" @@ -459,12 +459,12 @@ autoUpdate = "registry"; network = "bridge"; environmentFile = [ - "/mnt/services/secrets/default" - "/mnt/services/secrets/nginx" + "/pool/services/secrets/default" + "/pool/services/secrets/nginx" ]; volumes = [ - "/mnt/services/podman/nginx/nginx.conf:/etc/nginx/nginx.conf:ro" - "/mnt/services/podman/nginx/html:/usr/share/nginx/html" + "/pool/services/podman/nginx/nginx.conf:/etc/nginx/nginx.conf:ro" + "/pool/services/podman/nginx/html:/usr/share/nginx/html" ]; ports = [ "888:80" 
@@ -482,11 +482,11 @@ autoUpdate = "registry"; network = "bridge"; environmentFile = [ - "/mnt/services/secrets/default" + "/pool/services/secrets/default" ]; volumes = [ - "/mnt/services/podman/nginx-proxy-manager:/data" - "/mnt/services/podman/letsencrypt:/etc/letsencrypt" + "/pool/services/podman/nginx-proxy-manager:/data" + "/pool/services/podman/letsencrypt:/etc/letsencrypt" ]; ports = [ "80:80" @@ -500,6 +500,24 @@ }; }; + ntp = { + image = "docker.io/cturra/ntp"; + autoStart = true; + autoUpdate = "registry"; + network = "bridge"; + environmentFile = [ + "/pool/services/secrets/default" + ]; + ports = [ + "123:123/udp" + ]; + extraConfig = { + Service = { + TimeoutStartSec = 900; + }; + }; + }; + ollama = { image = "docker.io/ollama/ollama:latest"; autoStart = true; @@ -507,11 +525,11 @@ network = "bridge"; devices = [ "nvidia.com/gpu=all" ]; environmentFile = [ - "/mnt/services/secrets/default" - "/mnt/services/secrets/ollama" + "/pool/services/secrets/default" + "/pool/services/secrets/ollama" ]; volumes = [ - "/mnt/services/podman/ollama:/root/.ollama" + "/pool/services/podman/ollama:/root/.ollama" ]; ports = [ "11434:11434" @@ -529,11 +547,11 @@ autoUpdate = "registry"; network = "bridge"; environmentFile = [ - "/mnt/services/secrets/default" - "/mnt/services/secrets/open-webui" + "/pool/services/secrets/default" + "/pool/services/secrets/open-webui" ]; volumes = [ - "/mnt/services/podman/open-webui:/app/backend/data" + "/pool/services/podman/open-webui:/app/backend/data" ]; ports = [ "3000:8080" 
@@ -551,14 +569,14 @@ autoUpdate = "registry"; network = "bridge"; environmentFile = [ - "/mnt/services/secrets/default" - "/mnt/services/secrets/paperless-ngx" + "/pool/services/secrets/default" + "/pool/services/secrets/paperless-ngx" ]; volumes = [ - "/mnt/services/podman/paperless-ngx/data:/usr/src/paperless/data" - "/mnt/services/podman/paperless-ngx/media:/usr/src/paperless/media" - "/mnt/services/podman/paperless-ngx/export:/usr/src/paperless/export" - "/mnt/data/scans:/usr/src/paperless/consume" + "/pool/services/podman/paperless-ngx/data:/usr/src/paperless/data" + "/pool/services/podman/paperless-ngx/media:/usr/src/paperless/media" + "/pool/services/podman/paperless-ngx/export:/usr/src/paperless/export" + "/pool/data/scans:/usr/src/paperless/consume" ]; ports = [ "8010:8000" @@ -576,7 +594,7 @@ autoUpdate = "registry"; network = "bridge"; environmentFile = [ - "/mnt/services/secrets/default" + "/pool/services/secrets/default" ]; ports = [ "6380:6379" @@ -594,10 +612,10 @@ autoUpdate = "registry"; network = "bridge"; environmentFile = [ - "/mnt/services/secrets/default" + "/pool/services/secrets/default" ]; volumes = [ - "/mnt/services/podman/prowlarr:/config" + "/pool/services/podman/prowlarr:/config" ]; ports = [ "9696:9696" @@ -615,12 +633,12 @@ autoUpdate = "registry"; network = "bridge"; environmentFile = [ - "/mnt/services/secrets/default" + "/pool/services/secrets/default" ]; volumes = [ - "/mnt/services/podman/radarr:/config" - "/mnt/media/video/movies:/movies" - "/mnt/media/torrents:/downloads" + "/pool/services/podman/radarr:/config" + "/pool/media/video/movies:/movies" + "/pool/media/torrents:/downloads" ]; ports = [ "7878:7878" 
@@ -638,12 +656,12 @@ autoUpdate = "registry"; network = "bridge"; environmentFile = [ - "/mnt/services/secrets/default" + "/pool/services/secrets/default" ]; volumes = [ - "/mnt/services/podman/readarr:/config" - "/mnt/media/books:/books" - "/mnt/media/torrents:/downloads" + "/pool/services/podman/readarr:/config" + "/pool/media/books:/books" + "/pool/media/torrents:/downloads" ]; ports = [ "8787:8787" @@ -661,12 +679,12 @@ autoUpdate = "registry"; network = "bridge"; environmentFile = [ - "/mnt/services/secrets/default" + "/pool/services/secrets/default" ]; volumes = [ - "/home/admin/podman/rutorrent/passwd:/passwd" - "/home/admin/podman/rutorrent/data:/data" - "/mnt/media/torrents:/downloads" + "/pool/services/podman/rutorrent/passwd:/passwd" + "/pool/services/podman/rutorrent/data:/data" + "/pool/media/torrents:/downloads" ]; ports = [ "8888:8080" @@ -686,10 +704,10 @@ autoUpdate = "registry"; network = "bridge"; environmentFile = [ - "/mnt/services/secrets/default" + "/pool/services/secrets/default" ]; volumes = [ - "/mnt/services/podman/searxng:/etc/searxng" + "/pool/services/podman/searxng:/etc/searxng" ]; ports = [ "8880:8080" @@ -707,12 +725,12 @@ autoUpdate = "registry"; network = "bridge"; environmentFile = [ - "/mnt/services/secrets/default" + "/pool/services/secrets/default" ]; volumes = [ - "/mnt/services/podman/sonarr:/config" - "/mnt/media/video/tv:/tv" - "/mnt/media/torrents:/downloads" + "/pool/services/podman/sonarr:/config" + "/pool/media/video/tv:/tv" + "/pool/media/torrents:/downloads" ]; ports = [ "8989:8989" 
@@ -730,12 +748,12 @@ autoUpdate = "registry"; network = "bridge"; environmentFile = [ - "/mnt/services/secrets/default" - "/mnt/services/secrets/tandoor" + "/pool/services/secrets/default" + "/pool/services/secrets/tandoor" ]; volumes = [ - "/mnt/services/podman/tandoor/staticfiles:/opt/recipes/staticfiles" - "/mnt/services/podman/tandoor/mediafiles:/opt/recipes/mediafiles" + "/pool/services/podman/tandoor/staticfiles:/opt/recipes/staticfiles" + "/pool/services/podman/tandoor/mediafiles:/opt/recipes/mediafiles" ]; ports = [ "9092:8080" @@ -753,11 +771,11 @@ autoUpdate = "registry"; network = "bridge"; environmentFile = [ - "/mnt/services/secrets/default" - "/mnt/services/secrets/tandoor" + "/pool/services/secrets/default" + "/pool/services/secrets/tandoor" ]; volumes = [ - "/home/admin/podman/tandoor/db:/var/lib/postgresql/data" + "/pool/services/podman/tandoor/db:/var/lib/postgresql/data" ]; ports = [ "5434:5432" @@ -775,10 +793,10 @@ autoUpdate = "registry"; network = "bridge"; environmentFile = [ - "/mnt/services/secrets/default" + "/pool/services/secrets/default" ]; volumes = [ - "/mnt/services/podman/thelounge:/config" + "/pool/services/podman/thelounge:/config" ]; ports = [ "9000:9000" 
@@ -790,62 +808,17 @@ }; }; - unifi-network-application = { - image = "lscr.io/linuxserver/unifi-network-application:latest"; - autoStart = true; - autoUpdate = "registry"; - network = "bridge"; - environmentFile = [ - "/mnt/services/secrets/default" - "/mnt/services/secrets/unifi-network-application" - ]; - volumes = [ - "/mnt/services/podman/unifi-network-application:/config" - ]; - ports = [ - "8443:8443" - "10001:10001/udp" - ]; - extraConfig = { - Service = { - TimeoutStartSec = 900; - }; - }; - }; - - unifi-network-application-db = { - image = "docker.io/mongo:7.0"; - autoStart = true; - autoUpdate = "registry"; - network = "bridge"; - environmentFile = [ - "/mnt/services/secrets/default" - "/mnt/services/secrets/unifi-network-application" - ]; - volumes = [ - "/mnt/services/podman/unifi-network-application-db" - ]; - ports = [ - "27017:27017" - ]; - extraConfig = { - Service = { - TimeoutStartSec = 900; - }; - }; - }; - vaultwarden = { image = "docker.io/vaultwarden/server:latest"; autoStart = true; autoUpdate = "registry"; network = "bridge"; environmentFile = [ - "/mnt/services/secrets/default" - "/mnt/services/secrets/vaultwarden" + "/pool/services/secrets/default" + "/pool/services/secrets/vaultwarden" ]; volumes = [ - "/mnt/services/podman/vaultwarden:/data/" + "/pool/services/podman/vaultwarden:/data/" ]; ports = [ "8000:80" @@ -864,11 +837,11 @@ autoUpdate = "registry"; network = "bridge"; environmentFile = [ - "/mnt/services/secrets/default" - "/mnt/services/secrets/webdav" + "/pool/services/secrets/default" + "/pool/services/secrets/webdav" ]; volumes = [ - "/mnt/services/webdav:/var/lib/dav" + "/pool/services/webdav:/var/lib/dav" ]; ports = [ "8009:80" 
@@ -891,11 +864,11 @@ "SYS_MODULE" ]; environmentFile = [ - "/mnt/services/secrets/default" - "/mnt/services/secrets/wireguard" + "/pool/services/secrets/default" + "/pool/services/secrets/wireguard" ]; volumes = [ - "/mnt/services/podman/wireguard:/config" + "/pool/services/podman/wireguard:/config" #"/lib/modules:/lib/modules" ]; ports = [ @@ -915,10 +888,10 @@ network = "bridge"; devices = [ "/dev/ttyACM0:/dev/ttyACM0" ]; environmentFile = [ - "/mnt/services/secrets/default" + "/pool/services/secrets/default" ]; volumes = [ - "/mnt/services/podman/zigbee2mqtt:/app/data" + "/pool/services/podman/zigbee2mqtt:/app/data" ]; ports = [ "8808:8080" diff --git a/hosts/desktop/settings.nix b/hosts/desktop/settings.nix index 80cb1d4..fef378b 100644 --- a/hosts/desktop/settings.nix +++ b/hosts/desktop/settings.nix 
@@ -1,21 +1,37 @@ { config, ... }: { - boot.kernelParams = [ - "nvidia_drm.modeset=1" - "nvidia_drm.fbdev=1" - "nvidia.NVreg_PreserveVideoMemoryAllocations=1" - "module_blacklist=amdgpu" - ]; - networking.hostName = "nixos-desktop"; - # Bootloader. - boot.loader.systemd-boot.enable = true; - boot.loader.efi.canTouchEfiVariables = true; - boot.initrd.luks.devices."luks-d6ea38c1-693a-4aa1-b844-24f005b321ab".device = - "/dev/disk/by-uuid/d6ea38c1-693a-4aa1-b844-24f005b321ab"; + boot = { + initrd.luks.devices."luks-d6ea38c1-693a-4aa1-b844-24f005b321ab".device = + "/dev/disk/by-uuid/d6ea38c1-693a-4aa1-b844-24f005b321ab"; + kernelParams = [ + "nvidia_drm.modeset=1" + "nvidia_drm.fbdev=1" + "nvidia.NVreg_PreserveVideoMemoryAllocations=1" + "module_blacklist=amdgpu" + ]; + }; - services.xserver.videoDrivers = [ "nvidia" ]; + networking = { + hostName = "nixos-desktop"; + interfaces.enp7s0 = { + wakeOnLan.enable = true; + ipv4.addresses = [ + { + address = "192.168.0.40"; + prefixLength = 24; + } + ]; + }; + defaultGateway = "192.168.0.1"; + nameservers = [ "192.168.0.1" "1.1.1.1" ]; + }; + + services = { + ollama.loadModels = [ "deepseek-r1:14b" ]; + xserver.videoDrivers = [ "nvidia" ]; + }; hardware.nvidia = { modesetting.enable = true; diff --git a/hosts/laptop/settings.nix b/hosts/laptop/settings.nix new file mode 100644 index 0000000..d221ce8 --- /dev/null +++ b/hosts/laptop/settings.nix 
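Review bot: `interfaces.enp7s0.ipv4.addresses` gives the desktop `192.168.0.40/24`, and the same commit changes the server's `interfaces.ens18` address in hosts/server/settings.nix from `192.168.0.30` to `192.168.0.40`, so the two hosts will collide on the LAN as soon as both are up. The CIFS mounts added to config/desktop.nix still point at `//192.168.0.30/...`, which suggests the server renumbering is the unintended part; either restore `address = "192.168.0.30";` there or give the desktop a different address and update the mount sources to match. The `hardware.nvidia` block at the end of this hunk continues outside it.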
@@ -0,0 +1,40 @@ +{ + + networking = { + hostName = "nixos-laptop"; + interfaces.enp7s0 = { + ipv4.addresses = [ + { + address = "192.168.0.41"; + prefixLength = 24; + } + ]; + }; + defaultGateway = "192.168.0.1"; + nameservers = [ "192.168.0.1" "1.1.1.1" ]; + networkmanager.wifi.powersave = true; + }; + + services = { + auto-cpufreq = { + enable = true; + settings = { + battery = { + governor = "powersave"; + turbo = "never"; + }; + charger = { + governor = "performance"; + turbo = "auto"; + }; + }; + }; + # fwupdmgr update (bios updates) + fwupd.enable = true; + thermald.enable = true; + }; + + powerManagement.powertop.enable = true; + + system.stateVersion = "24.11"; +} \ No newline at end of file diff --git a/hosts/server/settings.nix b/hosts/server/settings.nix index d7a811f..128b6bc 100644 --- a/hosts/server/settings.nix +++ b/hosts/server/settings.nix 
@@ -1,50 +1,48 @@ { config, pkgs, ... }: { + + networking = { + hostName = "nixos-server"; + hostId = "bbe3b289"; + firewall.enable = false; + interfaces.ens18 = { + ipv4.addresses = [ + { + address = "192.168.0.40"; + prefixLength = 24; + } + ]; + }; + defaultGateway = "192.168.0.1"; + nameservers = [ "192.168.0.1" "1.1.1.1" ]; + }; + + age.secrets = { + "restic/environmentFile".file = ../../secrets/restic/environmentFile.age; + "restic/repositoryFile".file = ../../secrets/restic/repositoryFile.age; + "restic/passwordFile".file = ../../secrets/restic/passwordFile.age; + "zfs/pool.key".file = ../../secrets/zfs/pool.key.age + }; + users.users.admin.linger = true; age.identityPaths = [ "${config.users.users.admin.home}/.ssh/id_ed25519" ]; - nixpkgs.config.allowUnfree = true; - hardware.nvidia-container-toolkit.enable = true; - services.xserver.videoDrivers = [ "nvidia" ]; - hardware.graphics.enable = true; - - hardware.nvidia = { - modesetting.enable = true; - powerManagement.enable = true; - powerManagement.finegrained = false; - open = false; - nvidiaSettings = false; - package = config.boot.kernelPackages.nvidiaPackages.stable; + hardware = { + graphics.enable = true; + nvidia = { + modesetting.enable = true; + powerManagement.enable = true; + powerManagement.finegrained = false; + open = false; + nvidiaSettings = false; + package = config.boot.kernelPackages.nvidiaPackages.stable; + }; + nvidia-container-toolkit.enable = true; }; - networking.hostName = "nixos-server"; - - boot.loader.grub.enable = true; - boot.loader.grub.device = "/dev/vda"; - boot.loader.grub.useOSProber = true; - - environment.systemPackages = with pkgs; [ - zsh - htop - fastfetch - restic - nixpkgs-fmt - nixfmt-rfc-style - ]; - - networking.firewall.enable = false; - networking.interfaces.ens18.ipv4.addresses = [ - { - address = "192.168.0.30"; - prefixLength = 24; - } - ]; - networking.defaultGateway = "192.168.0.1"; - networking.nameservers = [ "1.1.1.1" ]; - boot.kernel.sysctl = { 
"net.ipv4.ip_unprivileged_port_start" = 80; "net.ipv4.conf.all.src_valid_mark" = 1; @@ -64,12 +62,6 @@ }; }; - age.secrets = { - "restic/environmentFile".file = ../../secrets/restic/environmentFile.age; - "restic/repositoryFile".file = ../../secrets/restic/repositoryFile.age; - "restic/passwordFile".file = ../../secrets/restic/passwordFile.age; - }; - services.restic.backups.backup = { initialize = true; environmentFile = config.age.secrets."restic/environmentFile".path; @@ -77,12 +69,12 @@ passwordFile = config.age.secrets."restic/passwordFile".path; paths = [ - "/mnt/services" - "/mnt/data" + "/pool/services" + "/pool/data" ]; exclude = [ - "/mnt/services/cctv" + "/pool/services/cctv" ]; pruneOpts = [ 
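Review bot: The new `age.secrets` block does not parse: `"zfs/pool.key".file = ../../secrets/zfs/pool.key.age` is missing the terminating semicolon before `};`, so evaluation of the whole server configuration fails; the line should read `"zfs/pool.key".file = ../../secrets/zfs/pool.key.age;`. The `boot.kernel.sysctl` block at the end of this hunk continues outside it.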
@@ -93,29 +85,86 @@ }; - systemd.timers."prune-podman" = { - wantedBy = [ "timers.target" ]; - timerConfig = { - OnCalendar = "weekly"; - Persistent = true; - Unit = "podman-prune.service"; + # systemd.timers."prune-podman" = { + # wantedBy = [ "timers.target" ]; + # timerConfig = { + # OnCalendar = "weekly"; + # Persistent = true; + # Unit = "podman-prune.service"; + # }; + # }; + + # systemd.services."prune-podman" = { + # script = '' + # set -eu + # ${pkgs.podman}/bin/podman system prune -af + # ''; + # serviceConfig = { + # Type = "oneshot"; + # User = "admin"; + # }; + # }; + + # give permissions for zigbee USB transceiver + system.activationScripts.script.text = ''chmod o+rw /dev/ttyACM0''; + + boot.supportedFilesystems = [ "zfs" ]; + boot.zfs.forceImportRoot = false; + boot.zfs.extraPools = [ "pool" ]; + environment.etc."zfs/keys/pool.key".source = config.age.secrets."zfs/pool.key".path; + + services.zfs.autoScrub = { + enable = true; + interval = "weekly"; + }; + services.zfs.autoSnapshot.enable = true; + services.zfs.trim.enable = true; + + services.smartd = { + enable = true; + notifications = { + mail.enable = true; + mail.recipient = "accelarion@protonmail.com"; }; + devices = [ "DEVICESCAN -a" ]; # autodetect all drives }; - systemd.services."prune-podman" = { - script = '' - set -eu - ${pkgs.coreutils}/bin/echo "heeeeelpppppp" - ${pkgs.podman}/bin/podman system prune -af - ''; - serviceConfig = { - Type = "oneshot"; - User = "admin"; + services.samba = { + enable = true; + openFirewall = true; + settings = { + global = { + "workgroup" = "WORKGROUP"; + "server string" = "smbnix"; + "netbios name" = "smbnix"; + "security" = "user"; + "hosts allow" = "192.168.0. 
127.0.0.1 localhost"; + "hosts deny" = "0.0.0.0/0"; + "guest account" = "nobody"; + "map to guest" = "never"; + }; + "data" = { + "path" = "/pool/data"; + "browseable" = "yes"; + "read only" = "no"; + "guest ok" = "no"; + }; + + "media" = { + "path" = "/pool/media"; + "browseable" = "yes"; + "read only" = "no"; + "guest ok" = "no"; + }; + + "services" = { + "path" = "/pool/services"; + "browseable" = "yes"; + "read only" = "no"; + "guest ok" = "no"; + }; }; }; system.stateVersion = "24.11"; - - # give permissions for zigbee USB transceiver - system.activationScripts.script.text = ''chmod o+rw /dev/ttyACM0''; } diff --git a/secrets/secrets.nix b/secrets/secrets.nix index 1e3de5d..78bf398 100644 --- a/secrets/secrets.nix +++ b/secrets/secrets.nix @@ -19,4 +19,6 @@ in "restic/environmentFile.age".publicKeys = [ agenix ]; "restic/passwordFile.age".publicKeys = [ agenix ]; "restic/repositoryFile.age".publicKeys = [ agenix ]; + + "zfs/pool.key.age".publicKeys = [ agenix ]; }
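Review bot: The old `systemd.timers."prune-podman"` and `systemd.services."prune-podman"` definitions survive as a roughly twenty-line commented-out block; if the job is retired, delete it (git history keeps it), and if it is only paused, a one-line `# prune-podman disabled: <reason>` says more than the dead code. On the ZFS key, `environment.etc."zfs/keys/pool.key".source = config.age.secrets."zfs/pool.key".path;` links /etc to the agenix-decrypted file, so unlocking `pool` depends on agenix having run with the identity at `${config.users.users.admin.home}/.ssh/id_ed25519` before the datasets are needed; worth confirming on a cold boot that `/pool` unlocks, since the restic paths and the Samba shares added here all assume it. `services.samba.openFirewall = true` has no effect while `networking.firewall.enable = false` is set earlier in the same file, so one of the two should go or a comment should say the firewall is intentionally off.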