nixos/hosts/server/settings.nix

{ config, pkgs, ... }:

{

  age.secrets = {
    "restic/environmentFile".file = ../../secrets/restic/environmentFile.age;
    "restic/repositoryFile".file = ../../secrets/restic/repositoryFile.age;
    "restic/passwordFile".file = ../../secrets/restic/passwordFile.age;
    "zfs/pool.key".file = ../../secrets/zfs/pool.key.age;
  };

  age.identityPaths = [ "${config.users.users.admin.home}/.ssh/id_ed25519" ];

  boot.loader.grub.enable = true;
  boot.loader.grub.device = "/dev/vda";
  boot.loader.grub.useOSProber = true;

  #boot.loader.limine.biosDevice = "/dev/vda";
  #boot.loader.efi.efiSysMountPoint = "/boot";

systemd.services.podman-network-vlan50 = {
  description = "Create podman vlan50 network";
  after = [ "network.target" ];
  before = [ "podman-nginx.service" ];
  wantedBy = [ "multi-user.target" ];
  serviceConfig = {
    Type = "oneshot";
    RemainAfterExit = true;
  };
  script = ''
    if ! ${pkgs.podman}/bin/podman network exists vlan50; then
      ${pkgs.podman}/bin/podman network create \
        --driver macvlan \
        --opt parent=vlan50 \
        --subnet 192.168.50.0/24 \
        --gateway 192.168.50.1 \
        vlan50
    fi
  '';
};

  networking = {
    vlans = {
      vlan50 = {
        id = 50;
        interface = "ens18";
      };
    };
    hostName = "nixos-server";
    hostId = "bbe3b289";
    firewall.enable = false;
    interfaces.vlan50 = {
      ipv4.addresses = [
        {
          address = "192.168.50.30";
          prefixLength = 24;
        }
      ];
    };
    interfaces.ens18 = {
      ipv4.addresses = [
        {
          address = "192.168.0.30";
          prefixLength = 24;
        }
      ];
    };
    defaultGateway = "192.168.0.1";
    nameservers = [ "192.168.0.1" "1.1.1.1" ];
  };
  users.users.admin.linger = true;

  services.xserver.videoDrivers = [ "nvidia" ];

  hardware = {
    graphics.enable = true;
    nvidia = {
      modesetting.enable = true;
      powerManagement.enable = true;
      powerManagement.finegrained = false;
      open = false;
      nvidiaSettings = false;
      package = config.boot.kernelPackages.nvidiaPackages.stable;
    };
    nvidia-container-toolkit.enable = true;
  };

  boot.kernel.sysctl = {
    "net.ipv4.ip_unprivileged_port_start" = 0;
    "net.ipv4.conf.all.src_valid_mark" = 1;
    "net.ipv4.conf.all.forwarding" = 1;
    "net.ipv4.ip_forward" = 1;
  };

  virtualisation = {
    containers.enable = true;
    podman = {
      enable = true;
      autoPrune.enable = true;
      autoPrune.flags = [ "--all" ];
      # Create a `docker` alias for podman, to use it as a drop-in replacement
      dockerCompat = true;
      # Required for containers under podman-compose to be able to talk to each other.
      defaultNetwork.settings.dns_enabled = true;
    };
  };

  services.restic.backups.backup = {
    initialize = true;
    environmentFile = config.age.secrets."restic/environmentFile".path;
    repositoryFile = config.age.secrets."restic/repositoryFile".path;
    passwordFile = config.age.secrets."restic/passwordFile".path;

    paths = [
      "/pool/services"
      "/pool/data"
    ];

    exclude = [
      "/pool/services/cctv"
    ];

    pruneOpts = [
      "--keep-daily 7"
      "--keep-weekly 5"
      "--keep-monthly 12"
    ];

  };

  # systemd.timers."prune-podman" = {
  #   wantedBy = [ "timers.target" ];
  #   timerConfig = {
  #     OnCalendar = "weekly";
  #     Persistent = true;
  #     Unit = "podman-prune.service";
  #   };
  # };

  # systemd.services."prune-podman" = {
  #   script = ''
  #     set -eu
  #     ${pkgs.podman}/bin/podman system prune -af
  #   '';
  #   serviceConfig = {
  #     Type = "oneshot";
  #     User = "admin";
  #   };
  # };

  # give permissions for zigbee USB transceiver
  system.activationScripts.script.text = ''chmod o+rw /dev/ttyACM0'';

  boot.supportedFilesystems = [ "zfs" ];
  boot.zfs.forceImportRoot = false;
  boot.zfs.extraPools = [ "pool" ];
  #environment.etc."zfs/keys/pool.key".source = config.age.secrets."zfs/pool.key".path;
  
  services.zfs.autoScrub = {
    enable = true;
    interval = "weekly";
  };
  services.zfs.autoSnapshot.enable = true;
  services.zfs.trim.enable = true;

  services.smartd = {
    enable = true;
    notifications = {
      mail.enable = true;
      mail.recipient = "accelarion@protonmail.com";
    };
    #devices = [ "DEVICESCAN -a" ]; # autodetect all drives
  };

  services.samba = {
    enable = true;
    openFirewall = true;
    settings = {
      global = {
      "workgroup" = "WORKGROUP";
      "server string" = "smbnix";
      "netbios name" = "smbnix";
      "security" = "user";
      "hosts allow" = "192.168.0. 127.0.0.1 localhost";
      "hosts deny" = "0.0.0.0/0";
      "guest account" = "nobody";
      "map to guest" = "never";
    };
      "data" = {
        "path" = "/pool/data";
        "browseable" = "yes";
        "read only" = "no";
        "guest ok" = "no";
      };

      "media" = {
        "path" = "/pool/media";
        "browseable" = "yes";
        "read only" = "no";
        "guest ok" = "no";
      };

      "services" = {
        "path" = "/pool/services";
        "browseable" = "yes";
        "read only" = "no";
        "guest ok" = "no";
      };
    };
  };

  virtualisation.oci-containers.containers = {
    caddy = {
      image = "docker.io/caddy";
      autoStart = true;
      #autoUpdate = "registry";
      network = [ "vlan50" ];
      environmentFile = [
        "/pool/services/secrets/default"
      ];
      volumes = [
        "/pool/services/podman/caddy/conf:/etc/caddy"
        "/pool/services/podman/caddy/site:/srv"
        "/pool/services/podman/caddy/data:/data"
        "/pool/services/podman/caddy/config:/config"
      ];
      extraOptions = [
        "--ip=192.168.50.31"
      ];
      # extraConfig = {
      #   Service = {
      #     TimeoutStartSec = 900;
      #   };
      # };
    };

    gitea = {
      image = "docker.gitea.com/gitea:1.23.7";
      autoStart = true;
      #autoUpdate = "registry";
      networks = [ "vlan50" ];
      environmentFiles = [
        "/pool/services/secrets/default"
        "/pool/services/secrets/gitea"
      ];
      volumes = [
        "/pool/services/podman/gitea:/data"
      ];
      extraOptions = [
        "--ip=192.168.50.32"
      ];
      # extraConfig = {
      #   Service = {
      #     TimeoutStartSec = 900;
      #   };
      # };
    };


    matrix = {
      image = "ghcr.io/element-hq/synapse";
      autoStart = true;
      #autoUpdate = "registry";
      networks = [ "vlan50" ];
      environmentFiles = [
        "/pool/services/secrets/default"
        "/pool/services/secrets/synapse"
      ];
      volumes = [
        "/pool/services/podman/synapse:/data"
      ];
      extraOptions = [
        "--ip=192.168.50.33"
      ];
      # extraConfig = {
      #   Service = {
      #     TimeoutStartSec = 900;
      #   };
      # };
    };

    nginx = {
      image = "docker.io/nginx:latest";
      autoStart = true;
      #autoUpdate = "registry";
      networks = [ "vlan50" ];
      environmentFiles = [
        "/pool/services/secrets/default"
        "/pool/services/secrets/nginx"
      ];
      volumes = [
        "/pool/services/podman/nginx/nginx.conf:/etc/nginx/nginx.conf:ro"
        "/pool/services/podman/hugo/src/mektem.com/public:/usr/share/nginx/html"
      ];
      extraOptions = [
        "--ip=192.168.50.34"
      ];
      # extraConfig = {
      #   Service = {
      #     TimeoutStartSec = 900;
      #   };
      # };
    };

    ntfy = {
      image = "docker.io/binwiederhier/ntfy";
      autoStart = true;
      #autoUpdate = "registry";
      networks = [ "vlan50" ];
      exec = "serve";
      environmentFiles = [
        "/pool/services/secrets/default"
        "/pool/services/secrets/ntfy"
      ];
      volumes = [
        "/pool/services/podman/ntfy:/var/lib/ntfy"
      ];
      extraOptions = [
        "--ip=192.168.50.35"
      ];
      # extraConfig = {
      #   Service = {
      #     TimeoutStartSec = 900;
      #   };
      # };
    };

    privatebin = {
      image = "docker.io/privatebin/nginx-fpm-alpine:latest";
      autoStart = true;
      #autoUpdate = "registry";
      networks = [ "vlan50" ];
      environmentFile = [
        "/pool/services/secrets/default"
      ];
      volumes = [
        "/pool/media/privatebin:/srv/data"
      ];
      extraOptions = [
        "--ip=192.168.50.36"
      ];
      # extraConfig = {
      #   Service = {
      #     TimeoutStartSec = 900;
      #   };
      # };
    };

    vaultwarden = {
      image = "docker.io/vaultwarden/server:latest";
      autoStart = true;
      #autoUpdate = "registry";
      networks = [ "vlan50" ];
      environmentFile = [
        "/pool/services/secrets/default"
        "/pool/services/secrets/vaultwarden"
      ];
      volumes = [
        "/pool/services/podman/vaultwarden:/data/"
      ];
      extraOptions = [
        "--ip=192.168.50.37"
      ];
      # extraConfig = {
      #   Service = {
      #     TimeoutStartSec = 900;
      #   };
      # };
    };

  };

  system.stateVersion = "24.11";
}