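{ config, lib, pkgs, ... }:
let
  # Port list opened in the host firewall; networking.firewall below uses the
  # SAME list for both TCP and UDP.
  # NOTE(review): 2377 and 7946 carry no comment — presumably Docker Swarm
  # management / node gossip, given the swarm remarks further down; confirm.
  ports = [
    22 # SSH
    22000 # syncthing
    2222 # Gitea SSH
    2377
    25565 # Minecraft
    3001 # Gitea(->3000)
    443 # HTTPS
    445
    7359 # jellyfin (dlna?)
    7946
    80 # HTTP
    8080 # qbittorrent
    8089 # traefik (->8080)
    8096 # Jellyfin
    8191 # flaresolverr
    8420 # Website (->4321)
    8842 # Crowdsec (-> 8842)
    8888 # Kodi
    9000 # Portainer (-> 9443)
    2049 # NFS
    4001 # Lockd
    4002 # Mountd
  ];
in
{
  imports = [
    # Include the results of the hardware scan.
    # ./hardware-configuration.nix
    # NOTE(review): the hardware scan import is commented out here; if the
    # flake does not import it elsewhere this host has no fileSystems/boot
    # definitions — confirm.
  ];

  nixpkgs = {
    config = {
      kodi.enableAdvancedLauncher = true;
      pulseaudio = true;
    };
  };

  networking = {
    # hostName = "auxin"; # Define your hostname.
    nameservers = [ "192.168.1.207" ];
    firewall = {
      enable = true;
      # NOTE(review): opening the identical list for UDP means every TCP-only
      # service above (SSH, HTTP/S, SMB, the web UIs) also gets a UDP hole it
      # never listens on. Splitting `ports` into a TCP set and a UDP set
      # (NFS/syncthing/jellyfin discovery) tightens this without breaking
      # anything that works today.
      allowedUDPPorts = ports;
      allowedTCPPorts = ports;
    };
    # Single bridge so containers/VMs share the two physical NICs.
    bridges = {
      "br0" = {
        interfaces = [ "enp9s0" "enp0s20f0u4" ];
      };
    };
    interfaces.br0.ipv4.addresses = [
      {
        address = "192.168.1.153";
        prefixLength = 24;
      }
    ];
    defaultGateway = {
      address = "192.168.1.1";
    };
  };

  environment.systemPackages = with pkgs; [
    alacritty
    czkawka
    gcc
    go
    hyperfine
    sof-firmware
    jellyfin-media-player
    lazydocker
    gamescope
    lazygit
    nil
    nodePackages.nodejs
    nodePackages.pnpm
  ];

  # Define a user account. Don't forget to set a password with ‘passwd’.
  users = {
    users = {
      # Remap target for Docker's --userns-remap=default (see
      # virtualisation.docker below): container root maps into this range.
      dockremap = {
        isSystemUser = true;
        uid = 100000;
        group = "dockremap";
        subUidRanges = [
          {
            startUid = 100000;
            count = 65536;
          }
        ];
        subGidRanges = [
          {
            startGid = 100000;
            count = 65536;
          }
        ];
      };
    };
  };

  programs = {
    steam = {
      gamescopeSession.enable = true;
      enable = true;
      # Each of these opens additional firewall ports beyond `ports`.
      remotePlay.openFirewall = true;
      dedicatedServer.openFirewall = true;
      localNetworkGameTransfers.openFirewall = true;
    };
    nh = {
      enable = true;
      clean.enable = true;
      clean.extraArgs = "--keep-since 4d --keep 3";
      flake = "/etc/nixos/";
    };
    gnupg.agent = {
      enable = true;
      enableSSHSupport = true;
    };
    zsh.enable = true;
    neovim = {
      enable = true;
      configure = {
        customRC = ''
          set number relativenumber
        '';
      };
      defaultEditor = true;
    };
  };

  services = {
    nfs.server = {
      enable = true;
      # Pinned so the firewall entries 4001/4002 in `ports` stay valid.
      mountdPort = 4002;
      lockdPort = 4001;
      # NOTE(review): read-write to the entire LAN. exportfs applies
      # root_squash by default, so client root is mapped to the anonymous
      # user unless no_root_squash is added — keep it that way.
      exports = ''
        /raid/swarm 192.168.1.0/24(rw)
      '';
    };
    gvfs.enable = true;
    # NOTE(review): RDP reachable from the LAN; see the fail2ban remark below
    # about why LAN-side brute force is not banned.
    xrdp = {
      enable = true;
      openFirewall = true;
    };
    x2goserver.enable = true;
    k3s = {
      enable = false;
      role = "server";
      # NOTE(review): a cluster join secret in the module text ends up in the
      # world-readable Nix store. Prefer services.k3s.tokenFile pointing at a
      # root-only file when this is enabled.
      token = "uwubernetes"; # TODO: change this
      extraFlags = toString [
        "--write-kubeconfig-mode \"0644\""
        "--cluster-init"
        # "--disable localstorage"
      ];
    };

    # Enable the X11 windowing system.
    xserver = {
      enable = true;
      desktopManager.xfce.enable = false;
      # Kodi
      desktopManager.kodi = {
        enable = true;
        package = pkgs.kodi.withPackages (pkgs: with pkgs; [
          jellyfin
          jellycon
          sendtokodi
          sponsorblock
          steam-library
          youtube
          libretro
          libretro-mgba
          steam-controller
          steam-launcher
          visualization-matrix
          visualization-spectrum
          visualization-waveform
          inputstream-adaptive
        ]);
      };
    };
    # Unattended autologin into the Kodi session; anyone with console access
    # lands in this user's session without a password.
    displayManager.sddm = {
      enable = true;
      settings = {
        Autologin = {
          Session = "kodi.desktop";
          User = "mira";
        };
      };
    };
    btrbk = {}; # TODO:
    caddy = {}; # TODO:
    ceph = {}; # TODO:
    fail2ban = {
      enable = true;
      # NOTE(review): this whitelist covers every RFC1918 range, including this
      # host's own 192.168.1.0/24, so failed logins from LAN clients (sshd,
      # xrdp) are never banned; only non-private sources are affected.
      ignoreIP = [
        "10.0.0.0/8"
        "172.16.0.0/12"
        "192.168.0.0/16"
      ];
      bantime-increment.enable = true;
    };
    samba-wsdd = {
      enable = true;
      openFirewall = true;
    };
    # TODO: check security settings
    # NOTE(review): this share exports the whole root filesystem ("/") with
    # guest access, i.e. unauthenticated read of everything the smbd process
    # can read. Restrict `path` to the directory actually meant to be shared
    # and consider `"guest ok" = "no"`.
    samba = {
      enable = true;
      shares = {
        public = {
          path = "/";
          browseable = "yes";
          "guest ok" = "yes";
        };
      };
    };
    pipewire = {
      enable = false;
      alsa.enable = true;
      alsa.support32Bit = true;
      pulse.enable = true;
      audio.enable = true;
      # If you want to use JACK applications, uncomment this
      #jack.enable = true;
    };
  };

  virtualisation.docker = {
    storageDriver = "overlay2";
    enableOnBoot = true;
    enable = true;
    autoPrune.enable = true;
    # User-namespace remap: container root runs as the `dockremap` subordinate
    # range defined in users.users above.
    extraOptions = "--userns-remap=default";
    liveRestore = false; # NOTE: Incompatible with swarm
  };

  # NOTE(review): in the source this assignment was run together with the
  # "TODO:" comment, so whether it was active or commented out is ambiguous;
  # reconstructed as commented out — confirm the intended state.
  # TODO: powerManagement.enable = lib.mkForce false;

  systemd = {
    # Headless media/server box: never sleep or suspend.
    targets = {
      sleep.enable = false;
      suspend.enable = false;
    };
    timers."qbittorrent-healthcheck" = {
      wantedBy = [ "timers.target" ];
      timerConfig = {
        # systemd.time(7) calendar syntax, not cron: "*/5 * * * *" is rejected
        # by systemd's calendar parser and the timer would never fire.
        # "*:0/5" = every 5 minutes.
        OnCalendar = "*:0/5";
        # Redundant (a timer triggers its same-named .service by default) but
        # harmless; systemd appends the .service suffix.
        Unit = "qbittorrent-healthcheck";
      };
    };
    services = {
      # Restart the qbittorrent container if its VPN interface cannot reach
      # the internet (kill-switch watchdog).
      "qbittorrent-healthcheck" = {
        script = ''
          ${pkgs.docker}/bin/docker exec qbittorrent ping -c 1 -w 5 -I protonwire0 8.8.8.8 || ${pkgs.docker}/bin/docker restart qbittorrent
        '';
        serviceConfig = {
          Type = "oneshot";
          User = "root";
        };
      };
      docker = {
        # Don't start the daemon before the RAID holding the volumes is mounted.
        unitConfig = {
          RequiresMountsFor = "/raid";
        };
        wantedBy = [ "graphical.target" ];
      };
      # Posts a Discord notification once sshd is up.
      sshdAlert = {
        enable = true;
        unitConfig = {
          Requires = "sshd.service";
          # Requires= alone gives no ordering; without After= the "running"
          # message could be sent before sshd has actually started.
          After = "sshd.service";
        };
        serviceConfig = {
          # NOTE(review): the webhook URL is a bearer credential — anyone who
          # holds it can post to the channel. As an inline string it is copied
          # into the world-readable Nix store and the generated unit file.
          # Move it to a root-only file and supply it via
          # serviceConfig.EnvironmentFile or LoadCredential instead.
          ExecStart = ''
            ${pkgs.curl}/bin/curl --request POST --url https://discord.com/api/webhooks/1235751608046846012/CU7tz271Z3Rbq9mPV0_rB5RBCRDhLKhGH14ebBm-TePpWFqKKJaCRYVMHYTJsIaSq2H- --header 'Content-Type: application/json' --data '{"username": "Auxin SSH status","avatar_url": "https://pbs.twimg.com/media/GMPtuovaQAAQ7Qr?format=png&name=large","content": "SSHD is Running!"}'
          '';
        };
        wantedBy = [ "multi-user.target" ];
      };
    };
  };

  # Copy the NixOS configuration file and link it from the resulting system
  # (/run/current-system/configuration.nix). This is useful in case you
  # accidentally delete configuration.nix.
  system = {
    # copySystemConfiguration = true; # NOTE: Doesn't work with flakes
    stateVersion = "23.11"; # NOTE: Don't fuck with this
  };
}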