nixos/hosts/server/settings.nix

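# Host configuration for "nixos-server": agenix-managed secrets, static LAN
# addressing, NVIDIA + rootless podman, restic backups, ZFS, smartd, Samba
# shares and the Anki sync server.
{ config, pkgs, ... }:
{
  # Secrets decrypted by agenix at activation. They are all unlocked with the
  # admin user's SSH private key (age.identityPaths below), so the security of
  # every secret here is bounded by the protection of that one key file.
  age.secrets = {
    "restic/environmentFile".file = ../../secrets/restic/environmentFile.age;
    "restic/repositoryFile".file = ../../secrets/restic/repositoryFile.age;
    "restic/passwordFile".file = ../../secrets/restic/passwordFile.age;
    "zfs/pool.key".file = ../../secrets/zfs/pool.key.age;
  };
  age.identityPaths = [ "${config.users.users.admin.home}/.ssh/id_ed25519" ];

  boot.loader.limine.biosDevice = "/dev/vda";
  #boot.loader.efi.efiSysMountPoint = "/boot";

  networking = {
    hostName = "nixos-server";
    hostId = "bbe3b289";
    # The host firewall is disabled. Consequently every `openFirewall = true`
    # further down is a no-op, and each listening service is reachable from
    # anything that can route to 192.168.0.30; per-service access control
    # (Samba "hosts allow", loopback binds) is the only filtering left.
    firewall.enable = false;
    interfaces.ens18 = {
      ipv4.addresses = [
        {
          address = "192.168.0.30";
          prefixLength = 24;
        }
      ];
    };
    defaultGateway = "192.168.0.1";
    nameservers = [ "192.168.0.1" "1.1.1.1" ];
  };

  # Keep the admin user's systemd user session alive without an interactive
  # login (needed for rootless containers that must outlive logins).
  users.users.admin.linger = true;

  services.xserver.videoDrivers = [ "nvidia" ];
  hardware = {
    graphics.enable = true;
    nvidia = {
      modesetting.enable = true;
      powerManagement.enable = true;
      powerManagement.finegrained = false;
      open = false;
      nvidiaSettings = false;
      package = config.boot.kernelPackages.nvidiaPackages.stable;
    };
    # Expose the GPU to containers (CDI) managed by podman below.
    nvidia-container-toolkit.enable = true;
  };

  boot.kernel.sysctl = {
    # Lets unprivileged processes (e.g. rootless podman) bind ports below 1024.
    # This removes the host-wide "only root listens on low ports" guarantee,
    # so any local user can impersonate privileged services on free low ports.
    "net.ipv4.ip_unprivileged_port_start" = 0;
    "net.ipv4.conf.all.src_valid_mark" = 1;
    # IPv4 forwarding is required for container networking; the host acts as
    # a router for its containers.
    "net.ipv4.conf.all.forwarding" = 1;
    "net.ipv4.ip_forward" = 1;
  };

  virtualisation = {
    containers.enable = true;
    podman = {
      enable = true;
      autoPrune.enable = true;
      autoPrune.flags = [ "--all" ];
      # Create a `docker` alias for podman, to use it as a drop-in replacement
      dockerCompat = true;
      # Required for containers under podman-compose to be able to talk to each other.
      defaultNetwork.settings.dns_enabled = true;
    };
  };

  # Nightly restic backup of the service and data datasets; repository,
  # credentials and password are all supplied through the agenix secrets above.
  services.restic.backups.backup = {
    initialize = true;
    environmentFile = config.age.secrets."restic/environmentFile".path;
    repositoryFile = config.age.secrets."restic/repositoryFile".path;
    passwordFile = config.age.secrets."restic/passwordFile".path;
    paths = [
      "/pool/services"
      "/pool/data"
    ];
    # CCTV footage is excluded (large, low value for restore).
    exclude = [
      "/pool/services/cctv"
    ];
    pruneOpts = [
      "--keep-daily 7"
      "--keep-weekly 5"
      "--keep-monthly 12"
    ];
  };

  # Former manual weekly prune; superseded by podman.autoPrune above.
  # systemd.timers."prune-podman" = {
  #   wantedBy = [ "timers.target" ];
  #   timerConfig = {
  #     OnCalendar = "weekly";
  #     Persistent = true;
  #     Unit = "podman-prune.service";
  #   };
  # };
  # systemd.services."prune-podman" = {
  #   script = ''
  #     set -eu
  #     ${pkgs.podman}/bin/podman system prune -af
  #   '';
  #   serviceConfig = {
  #     Type = "oneshot";
  #     User = "admin";
  #   };
  # };

  # Give permissions for the zigbee USB transceiver.
  # Done as a udev rule rather than an activation-script `chmod`: udev
  # reapplies its own ownership/mode to the node on every boot and replug, so
  # an activation-time chmod does not stick (and fails activation when the
  # device is absent). MODE="0666" reproduces the previous `o+rw`; the
  # least-privilege variant would be MODE="0660", GROUP="dialout" plus adding
  # the consuming user to that group.
  services.udev.extraRules = ''
    KERNEL=="ttyACM0", MODE="0666"
  '';

  boot.supportedFilesystems = [ "zfs" ];
  boot.zfs.forceImportRoot = false;
  boot.zfs.extraPools = [ "pool" ];
  # Publishes the decrypted pool encryption key at /etc/zfs/keys/pool.key.
  # NOTE(review): presumably the pool's `keylocation` points at this path —
  # verify with `zfs get keylocation pool`; the /etc entry is a link to the
  # agenix-managed file, so its permissions follow the secret's.
  environment.etc."zfs/keys/pool.key".source = config.age.secrets."zfs/pool.key".path;
  services.zfs.autoScrub = {
    enable = true;
    interval = "weekly";
  };
  services.zfs.autoSnapshot.enable = true;
  services.zfs.trim.enable = true;

  services.smartd = {
    enable = true;
    notifications = {
      mail.enable = true;
      mail.recipient = "accelarion@protonmail.com";
    };
    #devices = [ "DEVICESCAN -a" ]; # autodetect all drives
  };

  # Authenticated-only shares. "hosts allow"/"hosts deny" restrict by source
  # IP to the local /24 and loopback before authentication happens; guests
  # are never mapped, so every share needs a Samba user.
  services.samba = {
    enable = true;
    openFirewall = true;
    settings = {
      global = {
        "workgroup" = "WORKGROUP";
        "server string" = "smbnix";
        "netbios name" = "smbnix";
        "security" = "user";
        "hosts allow" = "192.168.0. 127.0.0.1 localhost";
        "hosts deny" = "0.0.0.0/0";
        "guest account" = "nobody";
        "map to guest" = "never";
      };
      "data" = {
        "path" = "/pool/data";
        "browseable" = "yes";
        "read only" = "no";
        "guest ok" = "no";
      };
      "media" = {
        "path" = "/pool/media";
        "browseable" = "yes";
        "read only" = "no";
        "guest ok" = "no";
      };
      "services" = {
        "path" = "/pool/services";
        "browseable" = "yes";
        "read only" = "no";
        "guest ok" = "no";
      };
    };
  };

  # The sync server binds loopback only, so it is reachable solely through a
  # local reverse proxy; `openFirewall` therefore has no effect here (and the
  # host firewall is off anyway). The user password is a plain file on the
  # pool rather than an agenix secret — keep its mode restricted.
  services.anki-sync-server = {
    enable = true;
    address = "127.0.0.1";
    #baseDirectory = "/pool/services/podman/anki-sync-server";
    openFirewall = true;
    users = [
      {
        username = "faris";
        passwordFile = "/pool/services/secrets/anki";
      }
    ];
  };

  system.stateVersion = "24.11";
}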