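# NixOS host configuration for "faunus-ater": a ZFS-backed home server that runs its
# services as Podman containers, takes daily restic backups of the "dirty" dataset,
# decrypts runtime secrets with sops and exposes service ports only on the VPN interface.
{
  pkgs,
  lib,
  config,
  inputs,
  ...
}: let
  # Path of a sops-managed secret once it has been decrypted on the host.
  # `key` must be declared under `sops.secrets` below, otherwise evaluation fails.
  sopsPath = key: config.sops.secrets.${key}.path;
in {
  imports = [
    inputs.nixos-hardware.nixosModules.common-cpu-intel #-cpu-only
    ../../modules/nginx-reverse-proxy.nix
    ../../hardware/asrock-z370-i3-black-box.nix
    ./modules/forgejo.nix
    ./modules/home-assistant.nix
    ./modules/hydra.nix
    ./modules/komga.nix
    ./modules/mealie.nix
    ./modules/nix-serve.nix
    ./modules/paperless.nix
    ./modules/photoprism.nix
    ./modules/restic.nix
    ./modules/seaweedfs.nix
    ./modules/timetagger.nix
    ./modules/trilium.nix
  ];

  config = {
    networking.hostName = "faunus-ater";
    # ZFS refuses to import a pool without a stable host id; keep it fixed.
    networking.hostId = "a4d7bec4";
    networking.interfaces.eno1.useDHCP = true;

    # === Make sure ZFS works ===
    # Source: https://nixos.wiki/wiki/ZFS
    # NOTE(review): `latestCompatibleLinuxPackages` is deprecated in newer NixOS
    # releases; expect to pin an explicit kernel series when upgrading.
    boot.kernelPackages = config.boot.zfs.package.latestCompatibleLinuxPackages;

    # === Can't handle this ===
    # No emergency shell on boot failure (presumably nobody sits at the console).
    # Keep in mind this also removes the on-host rescue path when a unit fails early.
    systemd.enableEmergencyMode = false;

    # === Settings ===
    # Project-local option (defined outside this file): SSH is reachable from
    # outside the VPN. Whatever sshd hardening that implies lives in that module.
    settings.ssh.openOutsideVPN = true;

    # === ZFS services ===
    services.zfs.trim.enable = true;
    services.zfs.autoScrub.enable = true;
    services.zfs.autoScrub.pools = ["rpool"];

    # Firmware updates via fwupd (LVFS).
    services.fwupd.enable = true;

    powerManagement = {
      enable = true;
      powertop.enable = true;
      cpuFreqGovernor = "powersave";
    };

    # === PODMAN ===
    virtualisation.oci-containers.backend = "podman";
    virtualisation.podman = {
      enable = true;
      dockerCompat = true;
      # The zfs storage driver below needs the zfs tools on podman's PATH.
      extraPackages = with pkgs; [zfs];
    };

    # Override storage driver
    # Container layers live as ZFS datasets under graphroot instead of overlayfs.
    virtualisation.containers.storage.settings = {
      storage = {
        driver = "zfs";
        graphroot = "/var/lib/containers/storage";
        runroot = "/run/containers/storage";
      };
    };

    hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;

    # === BACKUPS ===
    services.restic.backups = {
      # Make sure my 'active IO' disk get's saved once a day
      # NOTE(review): the repository is a local path on the same host; it protects
      # against accidental deletion, not against loss of the machine itself.
      zdirty = {
        initialize = true;
        repository = "/data/archive/dirty.bak";
        timerConfig.OnCalendar = "daily";
        paths = ["/data/dirty"];
        pruneOpts = [
          "--keep-daily 1"
          "--keep-weekly 1"
          "--keep-monthly 1"
          "--keep-yearly 5"
        ];
        # Repository password never lands in the Nix store: read from the sops secret.
        passwordFile = sopsPath "internal-restic-password";
      };
    };

    # === RUNTIME SECRETS ===
    sops.defaultSopsFile = ../../secrets/hosts/faunus-ater/secrets.yaml;
    # Secrets are decrypted with the host's SSH key (converted to an age key),
    # so the secrets file must be encrypted for this host's ed25519 key.
    sops.age.sshKeyPaths = ["/etc/ssh/ssh_host_ed25519_key"];
    sops.secrets = {
      # Defaults (root-owned, mode 0400) are fine: restic runs as root.
      "internal-restic-password" = {};
    };

    # === SERVICE EXPOSURE ===
    # All services that run here, that should be exposed need to be exposed on the VPN
    # Ports are opened on the Tailscale interface only, never on eno1: a service is
    # reachable iff it is hosted on this machine and opted in with `external = true`.
    networking.firewall.interfaces.${config.services.tailscale.interfaceName}.allowedTCPPorts = let
      # Named `svc` on purpose: the previous parameter name shadowed the module
      # argument `config` inside the lambda.
      selectPort = _: svc: svc.port;
      runsHereAndExposed = _: svc:
        svc.host == config.networking.hostName && (svc.external or false);
    in
      lib.mapAttrsToList selectPort (lib.filterAttrs runsHereAndExposed config.state.services);

    # This value determines the NixOS release from which the default
    # settings for stateful data, like file locations and database versions
    # on your system were taken. It‘s perfectly fine and recommended to leave
    # this value at the release version of the first install of this system.
    # Before changing this value read the documentation for this option
    # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
    system.stateVersion = "22.05"; # Did you read the comment?
  };
}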