{ config, pkgs, ... }:
{
# agenix: this host can decrypt secrets with the admin user's SSH key.
# No `age.secrets` are declared in this file (the restic/zfs entries below are
# commented out), so the identity is only used if another module declares some.
# age.secrets = {
#   "restic/environmentFile".file = ../../secrets/restic/environmentFile.age;
#   "restic/repositoryFile".file = ../../secrets/restic/repositoryFile.age;
#   "restic/passwordFile".file = ../../secrets/restic/passwordFile.age;
#   "zfs/pool.key".file = ../../secrets/zfs/pool.key.age;
# };
age = {
  identityPaths = [ "${config.users.users.admin.home}/.ssh/id_ed25519" ];
};
# UEFI boot with systemd-boot; the limine/efiSysMountPoint lines are left
# commented out and are not active.
boot.loader = {
  systemd-boot.enable = true;
  # Allow the bootloader installer to write entries to EFI NVRAM.
  efi.canTouchEfiVariables = true;
  # efi.efiSysMountPoint = "/boot";
  # limine.biosDevice = "/dev/vda";
};
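# One-shot unit that creates the `vlan50` macvlan podman network before any
# container that joins it starts. The `podman network exists` guard makes it
# idempotent across activations.
systemd.services.podman-network-vlan50 = {
  description = "Create podman vlan50 network";
  # NOTE(review): network.target does not guarantee the host's vlan50
  # interface (the macvlan parent) is up yet — confirm whether podman needs
  # the parent to exist at `network create` time.
  after = [ "network.target" ];
  # Every oci-container in this file joins vlan50, so order this unit before
  # all of their generated services instead of only podman-nginx.service.
  before = map (name: "podman-${name}.service")
    (builtins.attrNames config.virtualisation.oci-containers.containers);
  wantedBy = [ "multi-user.target" ];
  serviceConfig = {
    Type = "oneshot";
    # Keep the unit "active" after the script exits so ordering holds.
    RemainAfterExit = true;
  };
  script = ''
    if ! ${pkgs.podman}/bin/podman network exists vlan50; then
      ${pkgs.podman}/bin/podman network create \
        --driver macvlan \
        --opt parent=vlan50 \
        --subnet 192.168.50.0/24 \
        --gateway 192.168.50.1 \
        vlan50
    fi
  '';
};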
# Static addressing: enp7s0 carries the untagged management LAN address and
# the tagged VLAN 50 sub-interface used by the podman macvlan network.
networking = {
  hostName = "nixos-server";
  hostId = "bbe3b289"; # 8 hex digits, required by ZFS
  # NOTE(review): the host firewall is off, so nothing on this host limits
  # which networks reach samba or the containers; `services.samba.openFirewall`
  # is a no-op while this stays false.
  firewall.enable = false;
  vlans.vlan50 = {
    id = 50;
    interface = "enp7s0";
  };
  interfaces = {
    enp7s0.ipv4.addresses = [
      { address = "192.168.0.30"; prefixLength = 24; }
    ];
    vlan50.ipv4.addresses = [
      { address = "192.168.50.30"; prefixLength = 24; }
    ];
  };
  defaultGateway = "192.168.0.1";
  nameservers = [ "192.168.0.1" "1.1.1.1" ];
};
users.users.admin.linger = true;
# The NVIDIA stack below is disabled; only the generic Mesa/VA-API userspace
# is installed.
#services.xserver.videoDrivers = [ "nvidia" ];
# hardware = {
#   graphics.enable = true;
#   nvidia = {
#     modesetting.enable = true;
#     powerManagement.enable = true;
#     powerManagement.finegrained = false;
#     open = false;
#     nvidiaSettings = false;
#     package = config.boot.kernelPackages.nvidiaPackages.stable;
#   };
#   nvidia-container-toolkit.enable = true;
# };
hardware.graphics = {
  enable = true;
  # 32-bit driver userspace; only needed if 32-bit applications run here.
  enable32Bit = true;
  # `enable = true` already installs Mesa, so `mesa.drivers` is presumably
  # redundant here (and on newer nixpkgs the `drivers` output may no longer
  # exist — TODO confirm against the pinned nixpkgs). libva/libva-utils add
  # VA-API and the `vainfo` tool.
  extraPackages = [
    pkgs.mesa.drivers
    pkgs.libva
    pkgs.libva-utils
  ];
};
boot.kernel.sysctl = {
  # IPv4 forwarding between interfaces (presumably for the podman networks —
  # confirm what relies on it).
  "net.ipv4.ip_forward" = 1;
  "net.ipv4.conf.all.forwarding" = 1;
  # Commonly needed for policy-routed VPN traffic (e.g. WireGuard-style
  # setups); confirm which service on this host depends on it.
  "net.ipv4.conf.all.src_valid_mark" = 1;
  # NOTE(review): 0 lets *any* unprivileged process bind ports below 1024
  # (handy for rootless containers on 80/443) but removes that protection for
  # every other local user and service as well.
  "net.ipv4.ip_unprivileged_port_start" = 0;
};
virtualisation.containers.enable = true;
virtualisation.podman = {
  enable = true;
  # Periodic `podman system prune --all`; this supersedes the hand-rolled
  # prune-podman timer/service that is commented out further down.
  autoPrune = {
    enable = true;
    flags = [ "--all" ];
  };
  # Provide a `docker` command that is an alias for podman.
  dockerCompat = true;
  # DNS between containers on the default network (podman-compose needs it).
  defaultNetwork.settings.dns_enabled = true;
};
# restic backup of the service and data datasets, on the module's default
# timer (no timerConfig is set here).
services.restic.backups.backup = {
  # Create the repository on first run if it does not exist yet.
  initialize = true;
  # Repository URL, password and backend credentials come from plain files on
  # the pool rather than from agenix (the age.secrets wiring above is
  # commented out); those files are also inside the backed-up path.
  environmentFile = "/pool/services/secrets/restic/environmentFile";
  repositoryFile = "/pool/services/secrets/restic/repositoryFile";
  passwordFile = "/pool/services/secrets/restic/passwordFile";
  paths = [
    "/pool/services"
    "/pool/data"
  ];
  # CCTV recordings are left out (presumably large and constantly churning).
  exclude = [ "/pool/services/cctv" ];
  pruneOpts = [
    "--keep-daily 7"
    "--keep-weekly 5"
    "--keep-monthly 12"
  ];
};
# systemd.timers."prune-podman" = {
# wantedBy = [ "timers.target" ];
# timerConfig = {
# OnCalendar = "weekly";
# Persistent = true;
# Unit = "podman-prune.service";
# };
# };
# systemd.services."prune-podman" = {
# script = ''
# set -eu
# ${pkgs.podman}/bin/podman system prune -af
# '';
# serviceConfig = {
# Type = "oneshot";
# User = "admin";
# };
# };
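# Make the zigbee USB transceiver writable for the process that talks to it.
# Guarded on the device node existing: it is only present while the stick is
# plugged in, and an unconditional chmod makes the activation snippet fail on
# every rebuild without it.
# NOTE(review): o+rw makes the serial device world-writable, and the change is
# lost whenever udev re-creates the node (replug). A rule in
# `services.udev.extraRules` granting a group (e.g. dialout) MODE="0660" is
# the persistent, least-privilege form of this.
system.activationScripts.script.text = ''
  if [ -c /dev/ttyACM0 ]; then
    chmod o+rw /dev/ttyACM0
  fi
'';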
boot.supportedFilesystems = [ "zfs" ];
boot.zfs = {
  # Never force-import the root pool; import the data pool `pool` at boot.
  forceImportRoot = false;
  extraPools = [ "pool" ];
};
# Encryption key for the pool is not wired through agenix (see commented
# age.secrets above).
#environment.etc."zfs/keys/pool.key".source = config.age.secrets."zfs/pool.key".path;
# Periodic scrubs and automatic snapshots with the module defaults.
services.zfs = {
  autoScrub.enable = true;
  autoSnapshot.enable = true;
};
# SMART monitoring with mail on warnings (presumably delivered through the
# msmtp sendmail wrapper configured below — confirm).
services.smartd = {
  enable = true;
  notifications.mail = {
    enable = true;
    recipient = "accelarion@protonmail.com";
  };
  # Module default device list (autodetect) is used.
  #devices = [ "DEVICESCAN -a" ];
};
# Outbound mail via Proton SMTP (submission port, TLS, authenticated).
programs.msmtp = {
  enable = true;
  accounts.default = {
    host = "smtp.protonmail.ch";
    port = 587;
    tls = true;
    auth = true;
    from = "faris@mektem.com";
    user = "faris@mektem.com";
    # Password is read at send time from a plain file on the pool.
    # NOTE(review): that file's permissions are the only protection for the
    # credential, and /pool/services is exported read/write by the samba
    # "services" share below.
    passwordeval = "cat /pool/services/secrets/mail.txt";
  };
};
# Mail hook for ZED (the ZFS event daemon). ZED runs ZED_EMAIL_PROG with the
# words from ZED_EMAIL_OPTS as its arguments and the event report on stdin,
# so $1/$2 below are only filled in if ZED_EMAIL_OPTS (in services.zfs.zed
# below) supplies a subject and a recipient; with an empty ZED_EMAIL_OPTS the
# script runs with no arguments. The report is wrapped in minimal headers and
# handed to msmtp for delivery.
environment.etc."zfs/zed-notify.sh" = {
# World-executable, root-writable /etc/zfs/zed-notify.sh.
mode = "0755";
text = ''
#!/bin/sh
# ZED calls: ZED_EMAIL_PROG "subject" "recipient"
SUBJECT="$1"
TO="$2"
(echo "Subject: $SUBJECT"; echo "To: $TO"; echo ""; cat) | \
${pkgs.msmtp}/bin/msmtp "$TO"
'';
};
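# ZFS event daemon: mail events through the /etc/zfs/zed-notify.sh wrapper.
services.zfs.zed = {
  enableMail = true;
  settings = {
    ZED_EMAIL_ADDR = [ "faris@mektem.com" ];
    ZED_EMAIL_PROG = "/etc/zfs/zed-notify.sh";
    # ZED substitutes @SUBJECT@ and @ADDRESS@ into these words and passes them
    # to ZED_EMAIL_PROG as its arguments. The wrapper reads the subject as $1
    # and the recipient as $2, so both placeholders must be present; the
    # previous empty value invoked the script with no arguments at all.
    ZED_EMAIL_OPTS = "'@SUBJECT@' @ADDRESS@";
    # Rate-limit repeat notifications of the same kind to one per hour.
    ZED_NOTIFY_INTERVAL_SECS = 3600;
    ZED_NOTIFY_VERBOSE = true; # false = only alert on degradation
  };
};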
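# Samba: authenticated, read/write shares for the pool datasets, restricted to
# the listed source networks.
services.samba = {
  enable = true;
  # No effect while networking.firewall.enable = false above; kept so the
  # ports open automatically if the firewall is ever turned on.
  openFirewall = true;
  # The old `extraConfig` (removed here) set "server min protocol = SMB2",
  # contradicting the SMB2_10 in `settings`; `settings` is the current option
  # and the stricter value is kept.
  settings =
    let
      # Writable share for authenticated users only (no guest access).
      rwShare = path: {
        "path" = path;
        "browseable" = "yes";
        "read only" = "no";
        "guest ok" = "no";
      };
    in
    {
      global = {
        "server min protocol" = "SMB2_10";
        "workgroup" = "WORKGROUP";
        "server string" = "smbnix";
        "netbios name" = "smbnix";
        "security" = "user";
        # Only the LAN, VLAN 30 and a single VLAN 40 host may connect;
        # everything else is denied.
        "hosts allow" = "192.168.0. 192.168.30. 192.168.40.10 127.0.0.1 localhost";
        "hosts deny" = "0.0.0.0/0";
        "guest account" = "nobody";
        "map to guest" = "never";
      };
      "data" = rwShare "/pool/data";
      "media" = rwShare "/pool/media";
      # NOTE(review): /pool/services also contains /pool/services/secrets
      # (restic, msmtp and container env files), so every samba user can read
      # and rewrite them over this share. Consider `"veto files" = "/secrets/";`
      # on this share or exporting a narrower path.
      "services" = rwShare "/pool/services";
    };
};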
# System-level podman containers on the vlan50 macvlan network, each with a
# fixed address. All of them read the shared env file
# /pool/services/secrets/default (plus a service-specific one where present),
# and keep state under /pool/services/podman.
# NOTE(review): only gitea is pinned to a version; the other images resolve a
# mutable tag (latest/stable/untagged) at pull time, so a rebuild can silently
# change what runs. `autoUpdate` and the per-container extraConfig
# (TimeoutStartSec = 900) are deliberately not set.
virtualisation.oci-containers.containers =
  let
    secrets = "/pool/services/secrets";
    state = "/pool/services/podman";
    # Common shape of every service here: started at boot, attached to vlan50
    # with a fixed IP, reading the shared env file plus any extra ones.
    onVlan50 = ip: extraEnvFiles: spec: {
      autoStart = true;
      networks = [ "vlan50" ];
      environmentFiles = [ "${secrets}/default" ] ++ extraEnvFiles;
      extraOptions = [ "--ip=${ip}" ];
    } // spec;
  in
  {
    caddy = onVlan50 "192.168.50.31" [ ] {
      image = "docker.io/caddy";
      volumes = [
        "${state}/caddy/conf:/etc/caddy"
        "${state}/caddy/site:/srv"
        "${state}/caddy/data:/data"
        "${state}/caddy/config:/config"
      ];
    };
    gitea = onVlan50 "192.168.50.32" [ "${secrets}/gitea" ] {
      image = "docker.gitea.com/gitea:1.23.7";
      volumes = [ "${state}/gitea:/data" ];
    };
    headscale = onVlan50 "192.168.50.38" [ ] {
      image = "docker.io/headscale/headscale:stable";
      cmd = [ "serve" ];
      volumes = [
        "${state}/headscale/config:/etc/headscale:ro"
        "${state}/headscale/lib:/var/lib/headscale"
      ];
    };
    matrix = onVlan50 "192.168.50.33" [ "${secrets}/synapse" ] {
      image = "ghcr.io/element-hq/synapse";
      volumes = [ "${state}/synapse:/data" ];
    };
    nginx = onVlan50 "192.168.50.34" [ "${secrets}/nginx" ] {
      image = "docker.io/nginx:latest";
      volumes = [
        "${state}/nginx/nginx.conf:/etc/nginx/nginx.conf:ro"
        "${state}/hugo/src/mektem.com/public:/usr/share/nginx/html"
      ];
    };
    ntfy = onVlan50 "192.168.50.35" [ "${secrets}/ntfy" ] {
      image = "docker.io/binwiederhier/ntfy";
      cmd = [ "serve" ];
      volumes = [ "${state}/ntfy:/var/lib/ntfy" ];
    };
    privatebin = onVlan50 "192.168.50.36" [ ] {
      image = "docker.io/privatebin/nginx-fpm-alpine:latest";
      volumes = [ "/pool/media/privatebin:/srv/data" ];
    };
  };
system.stateVersion = "24.11";
}