# NixOS host module for "nixos-server": ZFS-backed storage pool, Samba shares,
# restic backups, mail notifications (smartd/ZED via msmtp) and a set of podman
# containers attached to a macvlan network on VLAN 50.
{ config, pkgs, ... }: {
  # NOTE(review): the agenix-managed secrets are commented out, so the restic
  # and msmtp credentials below are read from plaintext files under
  # /pool/services/secrets instead. Those files live inside the "services" Samba
  # share and inside the restic backup path — confirm their mode/ownership
  # restrict them to root.
  # age.secrets = {
  #   "restic/environmentFile".file = ../../secrets/restic/environmentFile.age;
  #   "restic/repositoryFile".file = ../../secrets/restic/repositoryFile.age;
  #   "restic/passwordFile".file = ../../secrets/restic/passwordFile.age;
  #   "zfs/pool.key".file = ../../secrets/zfs/pool.key.age;
  # };
  # The admin user's SSH private key doubles as the age identity for decrypting secrets.
  age.identityPaths = [ "${config.users.users.admin.home}/.ssh/id_ed25519" ];

  boot.loader.systemd-boot.enable = true;
  boot.loader.efi.canTouchEfiVariables = true;
  #boot.loader.limine.biosDevice = "/dev/vda";
  #boot.loader.efi.efiSysMountPoint = "/boot";

  # Oneshot unit that creates the "vlan50" macvlan podman network once
  # (skipped when `podman network exists vlan50` succeeds).
  # NOTE(review): only podman-nginx.service is ordered after this unit, while
  # every container below joins vlan50 — unless the oci-containers module adds
  # that ordering itself (verify), the other containers may race it at boot.
  systemd.services.podman-network-vlan50 = {
    description = "Create podman vlan50 network";
    after = [ "network.target" ];
    before = [ "podman-nginx.service" ];
    wantedBy = [ "multi-user.target" ];
    serviceConfig = {
      Type = "oneshot";
      RemainAfterExit = true;
    };
    script = ''
      if ! ${pkgs.podman}/bin/podman network exists vlan50; then
        ${pkgs.podman}/bin/podman network create \
          --driver macvlan \
          --opt parent=vlan50 \
          --subnet 192.168.50.0/24 \
          --gateway 192.168.50.1 \
          vlan50
      fi
    '';
  };

  networking = {
    # VLAN 50 is carried on the same NIC as the untagged LAN; the containers
    # get addresses in 192.168.50.0/24, the host itself takes .30.
    vlans = {
      vlan50 = {
        id = 50;
        interface = "enp7s0";
      };
    };
    hostName = "nixos-server";
    hostId = "bbe3b289";
    # NOTE(review): with the host firewall off, every listening service (Samba,
    # msmtp-less daemons, anything a container publishes) is reachable from any
    # attached network; Samba relies solely on "hosts allow" below. Consider
    # enabling it with an explicit allowedTCPPorts list instead.
    firewall.enable = false;
    interfaces.vlan50 = {
      ipv4.addresses = [ { address = "192.168.50.30"; prefixLength = 24; } ];
    };
    interfaces.enp7s0 = {
      ipv4.addresses = [ { address = "192.168.0.30"; prefixLength = 24; } ];
    };
    defaultGateway = "192.168.0.1";
    nameservers = [ "192.168.0.1" "1.1.1.1" ];
  };

  # Keep admin's user session (and thus rootless podman units) alive without a login.
  users.users.admin.linger = true;

  #services.xserver.videoDrivers = [ "nvidia" ];
  # hardware = {
  #   graphics.enable = true;
  #   nvidia = {
  #     modesetting.enable = true;
  #     powerManagement.enable = true;
  #     powerManagement.finegrained = false;
  #     open = false;
  #     nvidiaSettings = false;
  #     package = config.boot.kernelPackages.nvidiaPackages.stable;
  #   };
  #   nvidia-container-toolkit.enable = true;
  # };
  hardware.graphics = {
    enable = true;
    enable32Bit = true; # only needed if you run 32-bit apps
    extraPackages = with pkgs; [
      mesa.drivers
      libva
      libva-utils # provides vainfo
    ];
  };

  boot.kernel.sysctl = {
    # NOTE(review): 0 lets any unprivileged user or rootless container bind
    # ports below 1024 host-wide; if this only exists so rootless podman can
    # expose 80/443, a floor of 80 narrows what other users can squat on.
    "net.ipv4.ip_unprivileged_port_start" = 0;
    "net.ipv4.conf.all.src_valid_mark" = 1;
    # presumably needed for the macvlan container network / VPN path — confirm.
    # ip_forward and conf.all.forwarding set the same kernel knob; one suffices.
    "net.ipv4.conf.all.forwarding" = 1;
    "net.ipv4.ip_forward" = 1;
  };

  virtualisation = {
    containers.enable = true;
    podman = {
      enable = true;
      # Prune unused images/containers periodically; "--all" also drops unused images.
      autoPrune.enable = true;
      autoPrune.flags = [ "--all" ];
      # Create a `docker` alias for podman, to use it as a drop-in replacement
      dockerCompat = true;
      # Required for containers under podman-compose to be able to talk to each other.
      defaultNetwork.settings.dns_enabled = true;
    };
  };

  # Daily (module default timer) restic backup of the services and data datasets.
  # NOTE(review): /pool/services/secrets (including the restic credentials and
  # the msmtp password) is inside the backed-up path; exclude it if the
  # repository should not contain the keys that unlock it.
  services.restic.backups.backup = {
    initialize = true;
    environmentFile = "/pool/services/secrets/restic/environmentFile";
    repositoryFile = "/pool/services/secrets/restic/repositoryFile";
    passwordFile = "/pool/services/secrets/restic/passwordFile";
    paths = [ "/pool/services" "/pool/data" ];
    exclude = [ "/pool/services/cctv" ];
    pruneOpts = [ "--keep-daily 7" "--keep-weekly 5" "--keep-monthly 12" ];
  };

  # systemd.timers."prune-podman" = {
  #   wantedBy = [ "timers.target" ];
  #   timerConfig = {
  #     OnCalendar = "weekly";
  #     Persistent = true;
  #     Unit = "podman-prune.service";
  #   };
  # };
  # systemd.services."prune-podman" = {
  #   script = ''
  #     set -eu
  #     ${pkgs.podman}/bin/podman system prune -af
  #   '';
  #   serviceConfig = {
  #     Type = "oneshot";
  #     User = "admin";
  #   };
  # };

  # give permissions for zigbee USB transceiver
  # NOTE(review): this makes the serial device world-writable at every
  # activation and presumably is not re-applied when the dongle is re-plugged
  # (new device node, default mode). A udev rule granting a dedicated group
  # (services.udev.extraRules) scopes access to the one service that needs it.
  system.activationScripts.script.text = ''chmod o+rw /dev/ttyACM0'';

  boot.supportedFilesystems = [ "zfs" ];
  # Root is not on ZFS; "pool" is imported as an extra pool after boot.
  boot.zfs.forceImportRoot = false;
  boot.zfs.extraPools = [ "pool" ];
  #environment.etc."zfs/keys/pool.key".source = config.age.secrets."zfs/pool.key".path;
  services.zfs.autoScrub = { enable = true; };
  services.zfs.autoSnapshot.enable = true;

  # SMART monitoring with e-mail alerts (delivered through msmtp below).
  services.smartd = {
    enable = true;
    notifications = {
      mail.enable = true;
      mail.recipient = "accelarion@protonmail.com";
    };
    #devices = [ "DEVICESCAN -a" ]; # autodetect all drives
  };

  # System-wide sendmail replacement used by smartd and the ZED hook.
  # NOTE(review): the SMTP password is read from a plaintext file; make sure
  # /pool/services/secrets/mail.txt is root-only (it is also within the
  # "services" Samba share and the restic backup set).
  programs.msmtp = {
    enable = true;
    accounts.default = {
      auth = true;
      tls = true;
      host = "smtp.protonmail.ch";
      port = 587;
      from = "faris@mektem.com";
      user = "faris@mektem.com";
      passwordeval = "cat /pool/services/secrets/mail.txt";
    };
  };

  # Mail hook invoked by ZED: builds a minimal RFC 822 message from the
  # subject/recipient arguments plus the body on stdin and hands it to msmtp.
  environment.etc."zfs/zed-notify.sh" = {
    mode = "0755";
    text = ''
      #!/bin/sh
      # ZED calls: ZED_EMAIL_PROG "subject" "recipient"
      SUBJECT="$1"
      TO="$2"
      (echo "Subject: $SUBJECT"; echo "To: $TO"; echo ""; cat) | \
        ${pkgs.msmtp}/bin/msmtp "$TO"
    '';
  };

  services.zfs.zed = {
    enableMail = true;
    settings = {
      ZED_EMAIL_ADDR = [ "faris@mektem.com" ];
      ZED_EMAIL_PROG = "/etc/zfs/zed-notify.sh"; # Or ssmtp
      ZED_EMAIL_OPTS = "";
      ZED_NOTIFY_INTERVAL_SECS = 3600;
      ZED_NOTIFY_VERBOSE = true; # Set to false to only get alerts on degradation
    };
  };

  # Samba: authenticated users only (no guest mapping), SMB1 refused via the
  # SMB2_10 floor, and a source-address allow-list that deliberately omits the
  # container VLAN (192.168.50.0/24).
  # NOTE(review): openFirewall has no effect while networking.firewall.enable
  # is false; the "hosts allow" list is the only network-level control.
  services.samba = {
    enable = true;
    openFirewall = true;
    settings = {
      global = {
        "server min protocol" = "SMB2_10";
        "workgroup" = "WORKGROUP";
        "server string" = "smbnix";
        "netbios name" = "smbnix";
        "security" = "user";
        "hosts allow" = "192.168.0. 192.168.30. 192.168.40.10 127.0.0.1 localhost";
        "hosts deny" = "0.0.0.0/0";
        "guest account" = "nobody";
        "map to guest" = "never";
      };
      "data" = {
        "path" = "/pool/data";
        "browseable" = "yes";
        "read only" = "no";
        "guest ok" = "no";
      };
      # NOTE(review): /pool/media also holds the privatebin data volume
      # (mounted read-write into that container below).
      "media" = {
        "path" = "/pool/media";
        "browseable" = "yes";
        "read only" = "no";
        "guest ok" = "no";
      };
      # NOTE(review): this share exports the container configs, volumes and the
      # secrets directory read-write to any Samba-authenticated user; access is
      # then bounded only by POSIX permissions on those files — verify.
      "services" = {
        "path" = "/pool/services";
        "browseable" = "yes";
        "read only" = "no";
        "guest ok" = "no";
      };
    };
  };

  # Podman containers, each with a static address on the vlan50 macvlan network.
  # NOTE(review): every container sources /pool/services/secrets/default, so
  # each receives all variables in that file, not just its own.
  # NOTE(review): only gitea is pinned to a version; caddy, synapse, ntfy,
  # nginx:latest, privatebin:latest and headscale:stable are floating tags, so a
  # re-pull changes what runs without a config change. Pinning by tag (or
  # digest) keeps the deployment reproducible and reviewable.
  virtualisation.oci-containers.containers = {
    caddy = {
      image = "docker.io/caddy";
      autoStart = true;
      #autoUpdate = "registry";
      networks = [ "vlan50" ];
      environmentFiles = [ "/pool/services/secrets/default" ];
      volumes = [
        "/pool/services/podman/caddy/conf:/etc/caddy"
        "/pool/services/podman/caddy/site:/srv"
        "/pool/services/podman/caddy/data:/data"
        "/pool/services/podman/caddy/config:/config"
      ];
      extraOptions = [ "--ip=192.168.50.31" ];
      # extraConfig = {
      #   Service = {
      #     TimeoutStartSec = 900;
      #   };
      # };
    };
    gitea = {
      image = "docker.gitea.com/gitea:1.23.7";
      autoStart = true;
      #autoUpdate = "registry";
      networks = [ "vlan50" ];
      environmentFiles = [
        "/pool/services/secrets/default"
        "/pool/services/secrets/gitea"
      ];
      volumes = [ "/pool/services/podman/gitea:/data" ];
      extraOptions = [ "--ip=192.168.50.32" ];
      # extraConfig = {
      #   Service = {
      #     TimeoutStartSec = 900;
      #   };
      # };
    };
    headscale = {
      image = "docker.io/headscale/headscale:stable";
      autoStart = true;
      #autoUpdate = "registry";
      networks = [ "vlan50" ];
      cmd = [ "serve" ];
      environmentFiles = [ "/pool/services/secrets/default" ];
      # Config is mounted read-only; only the state directory is writable.
      volumes = [
        "/pool/services/podman/headscale/config:/etc/headscale:ro"
        "/pool/services/podman/headscale/lib:/var/lib/headscale"
      ];
      extraOptions = [ "--ip=192.168.50.38" ];
      # extraConfig = {
      #   Service = {
      #     TimeoutStartSec = 900;
      #   };
      # };
    };
    matrix = {
      image = "ghcr.io/element-hq/synapse";
      autoStart = true;
      #autoUpdate = "registry";
      networks = [ "vlan50" ];
      environmentFiles = [
        "/pool/services/secrets/default"
        "/pool/services/secrets/synapse"
      ];
      volumes = [ "/pool/services/podman/synapse:/data" ];
      extraOptions = [ "--ip=192.168.50.33" ];
      # extraConfig = {
      #   Service = {
      #     TimeoutStartSec = 900;
      #   };
      # };
    };
    nginx = {
      image = "docker.io/nginx:latest";
      autoStart = true;
      #autoUpdate = "registry";
      networks = [ "vlan50" ];
      environmentFiles = [
        "/pool/services/secrets/default"
        "/pool/services/secrets/nginx"
      ];
      # nginx.conf is read-only; the hugo output directory is mounted writable —
      # ":ro" would be appropriate there too if the container never writes to it.
      volumes = [
        "/pool/services/podman/nginx/nginx.conf:/etc/nginx/nginx.conf:ro"
        "/pool/services/podman/hugo/src/mektem.com/public:/usr/share/nginx/html"
      ];
      extraOptions = [ "--ip=192.168.50.34" ];
      # extraConfig = {
      #   Service = {
      #     TimeoutStartSec = 900;
      #   };
      # };
    };
    ntfy = {
      image = "docker.io/binwiederhier/ntfy";
      autoStart = true;
      #autoUpdate = "registry";
      networks = [ "vlan50" ];
      cmd = [ "serve" ];
      environmentFiles = [
        "/pool/services/secrets/default"
        "/pool/services/secrets/ntfy"
      ];
      volumes = [ "/pool/services/podman/ntfy:/var/lib/ntfy" ];
      extraOptions = [ "--ip=192.168.50.35" ];
      # extraConfig = {
      #   Service = {
      #     TimeoutStartSec = 900;
      #   };
      # };
    };
    privatebin = {
      image = "docker.io/privatebin/nginx-fpm-alpine:latest";
      autoStart = true;
      #autoUpdate = "registry";
      networks = [ "vlan50" ];
      environmentFiles = [ "/pool/services/secrets/default" ];
      volumes = [ "/pool/media/privatebin:/srv/data" ];
      extraOptions = [ "--ip=192.168.50.36" ];
      # extraConfig = {
      #   Service = {
      #     TimeoutStartSec = 900;
      #   };
      # };
    };
  };

  system.stateVersion = "24.11";
}