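# NixOS host module for "auxin": a LAN media/storage/container box.
#
# Security posture notes (review):
#  * Every port in `ports` is opened for BOTH tcp and udp on EVERY interface.
#    This host is only safe behind a NAT router; do not put it on a public
#    address without scoping `networking.firewall.interfaces.<if>`.
#  * Secrets (Discord webhook, k3s token) are loaded from root-only files at
#    runtime instead of being written into the world-readable nix store.
#  * The `public` Samba share is guest read/write on the ROOT filesystem --
#    see the comment there before exposing 445 beyond the LAN.
{ config, lib, pkgs, ... }:
let
  # Ports opened in the firewall (tcp AND udp, all interfaces).
  # Where a comment says (->N) the service listens on N and is reached via a
  # reverse proxy / port mapping on the listed port.
  ports = [
    111 # RPC (portmapper, presumably for NFS)
    2049 # NFS
    22 # SSH
    22000 # syncthing
    2222 # Gitea SSH
    2377 # (presumably) Docker Swarm cluster management -- see the Swarm note on liveRestore
    25565 # Minecraft
    3001 # Gitea (->3000)
    4001 # Lockd
    4002 # Mountd
    443 # HTTPS
    445 # SMB -- guest-writable share, see services.samba below
    7359 # jellyfin (dlna?)
    7946 # (presumably) Docker Swarm node communication
    80 # HTTP
    8080 # qbittorrent
    8089 # traefik (->8080)
    8096 # Jellyfin
    8191 # flaresolverr
    8420 # Website (->4321)
    8842 # Crowdsec (-> 8842)
    8888 # Kodi
    9000 # Portainer (-> 9443)
    3300 # Ceph monitors
    6789 # Ceph monitors
    6800 # Ceph OSD
  ];
in
{
  imports = [
    # Include the results of the hardware scan.
    # ./hardware-configuration.nix
  ];

  nixpkgs.config = {
    kodi.enableAdvancedLauncher = true;
    pulseaudio = true;
  };

  networking = {
    # hostName = "auxin"; # Define your hostname.
    nameservers = [ "192.168.1.1" ];
    firewall = {
      enable = true;
      # NOTE: the same list is used for udp and tcp; most of these services are
      # tcp-only, so the udp half is needless exposure. Trim once confirmed.
      allowedUDPPorts = ports;
      allowedTCPPorts = ports;
    };
    defaultGateway.address = "192.168.1.1";
  };

  environment.systemPackages = with pkgs; [
    alacritty
    czkawka
    gcc
    go
    hyperfine
    sof-firmware
    jellyfin-media-player
    lazydocker
    gamescope
    lazygit
    nil
    dig
    nmap
    seaweedfs
    nodePackages.nodejs
    nodePackages.pnpm
  ];

  # Define a user account. Don't forget to set a password with ‘passwd’.
  users = {
    groups = {
      ceph = { };
      # Primary group of the `dockremap` user below. The user references it by
      # name; defining it here keeps the user/subgid setup self-contained
      # (attrsets merge, so this is harmless if another module defines it too).
      dockremap = { };
    };
    users = {
      # mesh = {
      #   isNormalUser = true;
      #   extraGroups = [ "wheel" "docker" ];
      # };
      # NOTE(review): this is also the account ceph-mon drops to (--setuser
      # ceph). A daemon account in `wheel` means a compromised monitor can
      # sudo; consider a separate login user if interactive access is needed.
      ceph = {
        isNormalUser = true;
        extraGroups = [ "wheel" "ceph" ];
      };
      # Unprivileged identity that docker's --userns-remap and the NFS/SMB
      # anonymous-user squashing all map to (uid/gid 100000).
      dockremap = {
        isSystemUser = true;
        uid = 100000;
        group = "dockremap";
        subUidRanges = [ { startUid = 100000; count = 65536; } ];
        subGidRanges = [ { startGid = 100000; count = 65536; } ];
      };
    };
  };

  programs = {
    # Lets non-root users expose FUSE mounts to other users (allow_other).
    fuse.userAllowOther = true;
    steam = {
      enable = true;
      gamescopeSession.enable = true;
      remotePlay.openFirewall = true;
      dedicatedServer.openFirewall = true;
      localNetworkGameTransfers.openFirewall = true;
    };
    nh = {
      enable = true;
      clean.enable = true;
      clean.extraArgs = "--keep-since 4d --keep 3";
      flake = "/etc/nixos/";
    };
    gnupg.agent = {
      enable = true;
      enableSSHSupport = true;
    };
    zsh.enable = true;
    neovim = {
      enable = true;
      defaultEditor = true;
      configure.customRC = ''
        set number relativenumber
      '';
    };
  };

  services = {
    # ceph = {
    #   global.fsid = "7c57bbc5-fdbf-4023-bc45-2e708ebc8e3e";
    #   osd = {
    #     enable = true;
    #     daemons = [ "0" ];
    #   };
    #   mon = {
    #     enable = false;
    #     extraConfig = {
    #       "mon initial members" = "auxin";
    #       "mon host" = "192.168.1.153";
    #     };
    #   };
    # };

    nfs = {
      # Map unknown NFSv4 identities onto the same unprivileged uid the export
      # squashes to, so nothing ever lands as the real `nobody`.
      idmapd.settings.Mapping = {
        "Nobody-User" = lib.mkForce "dockremap";
        "Nobody-Group" = lib.mkForce "dockremap";
      };
      server = {
        enable = true;
        mountdPort = 4002;
        lockdPort = 4001;
        # Trusts the whole home /24 with rw; all clients are squashed to
        # uid/gid 100000 (dockremap), so root on a client gets no more.
        exports = ''
          /raid/swarm 192.168.1.0/24(rw,sync,all_squash,anonuid=100000,anongid=100000)
        '';
      };
    };

    gvfs.enable = true;

    # Remote desktops. Both are reachable from every interface (xrdp via
    # openFirewall, x2go over the already-open SSH port).
    xrdp = {
      enable = true;
      openFirewall = true;
    };
    x2goserver.enable = true;

    k3s = {
      enable = false;
      role = "server";
      # The join token is a cluster-wide secret; it was previously inlined as
      # `token = "..."` (and therefore copied into the world-readable nix store).
      # Read it from a root-only (0600) file instead. TODO: create that file.
      tokenFile = "/var/lib/secrets/k3s-token";
      extraFlags = toString [
        # NOTE: 0644 makes the admin kubeconfig readable by every local user.
        "--write-kubeconfig-mode \"0644\""
        "--cluster-init"
        # "--disable localstorage"
      ];
    };

    # Enable the X11 windowing system.
    xserver = {
      enable = true;
      desktopManager.xfce.enable = false;
      # Kodi
      desktopManager.kodi = {
        enable = true;
        package = pkgs.kodi.withPackages (pkgs: with pkgs; [
          jellyfin
          jellycon
          sendtokodi
          sponsorblock
          steam-library
          youtube
          libretro
          libretro-mgba
          steam-controller
          steam-launcher
          visualization-matrix
          visualization-spectrum
          visualization-waveform
          inputstream-adaptive
        ]);
      };
    };

    displayManager.sddm = {
      enable = true;
      settings.Autologin = {
        Session = "kodi.desktop";
        # NOTE(review): no `mira` account is defined in this file; it must come
        # from another module, otherwise autologin silently does nothing.
        User = "mira";
      };
    };

    btrbk = { }; # TODO:
    caddy = { }; # TODO:
    ceph = { }; # TODO:

    fail2ban = {
      enable = true;
      # All RFC1918 space is exempt from banning. Fine for a NAT'd home box;
      # revisit if any of the open ports become reachable from elsewhere.
      ignoreIP = [ "10.0.0.0/8" "172.16.0.0/12" "192.168.0.0/16" ];
      bantime-increment.enable = true;
    };

    samba-wsdd = {
      enable = true;
      openFirewall = true;
    };

    # TODO: check security settings
    samba = {
      enable = true;
      settings = {
        public = {
          # WARNING: this exports the ROOT filesystem, read/write, to
          # unauthenticated guests. Writes are forced to `dockremap`, but reads
          # are limited only by what uid 100000 can open. Narrow `path` (the
          # shared data lives under /raid, cf. the NFS export and the docker
          # RequiresMountsFor) and/or require authentication.
          path = "/";
          browseable = "yes";
          "guest ok" = "yes";
          "read only" = "no";
          # Port 445 is open on every interface; at least pin the share to the
          # same home subnet the NFS export trusts. Add the docker bridge
          # range here if containers are expected to reach the share.
          "hosts allow" = "127.0.0.1 192.168.1.0/24";
          "create mask" = "0644";
          "directory mask" = "0755";
          "force user" = "dockremap";
          "force group" = "dockremap";
        };
      };
    };

    pipewire = {
      enable = false;
      alsa.enable = true;
      alsa.support32Bit = true;
      pulse.enable = true;
      audio.enable = true;
      # If you want to use JACK applications, uncomment this
      #jack.enable = true;
    };
  };

  virtualisation.docker = {
    enable = true;
    enableOnBoot = true;
    storageDriver = "overlay2";
    autoPrune.enable = true;
    # Containers run in a user namespace mapped onto the dockremap subuid range
    # above, so root inside a container is uid 100000 on the host.
    extraOptions = "--userns-remap=default";
    liveRestore = false; # NOTE: Incompatible with swarm
  };

  # TODO: powerManagement.enable = lib.mkForce false;
  systemd = {
    targets = {
      sleep.enable = false;
      suspend.enable = false;
    };

    timers."qbittorrent-healthcheck" = {
      wantedBy = [ "timers.target" ];
      # systemd calendar syntax, not cron: "*/5 * * * *" does not parse and
      # the timer never fires. "*:0/5" = every five minutes.
      # The activated unit defaults to the service of the same name.
      timerConfig.OnCalendar = "*:0/5";
    };

    services = {
      # Restarts the qbittorrent container when its VPN interface cannot
      # reach the internet.
      "qbittorrent-healthcheck" = {
        script = ''
          ${pkgs.docker}/bin/docker exec qbittorrent ping -c 1 -w 5 -I protonwire0 8.8.8.8 || ${pkgs.docker}/bin/docker restart qbittorrent
        '';
        serviceConfig = {
          Type = "oneshot";
          User = "root";
        };
      };

      docker = {
        unitConfig.RequiresMountsFor = "/raid";
        wantedBy = [ "graphical.target" ];
      };

      # Posts a "sshd is up" notice to a Discord channel at boot.
      sshdAlert = {
        enable = true;
        requires = [ "sshd.service" ];
        after = [ "sshd.service" ]; # Requires= alone does not order the start
        serviceConfig = {
          User = "dockremap";
          # The webhook URL is a bearer secret: anyone holding it can post to
          # the channel. It used to be inlined in ExecStart, which copies it
          # into the world-readable nix store and the flake repo -- regenerate
          # the old webhook in Discord. Keep the URL in a root-only (0600) file;
          # systemd hands it to the unit under $CREDENTIALS_DIRECTORY.
          # TODO: create the file at this path.
          LoadCredential = "discord-webhook:/var/lib/secrets/discord-webhook";
        };
        script = ''
          ${pkgs.curl}/bin/curl --request POST \
            --url "$(<"$CREDENTIALS_DIRECTORY/discord-webhook")" \
            --header 'Content-Type: application/json' \
            --data '{"username": "Auxin SSH status","avatar_url": "https://pbs.twimg.com/media/GMPtuovaQAAQ7Qr?format=png&name=large","content": "SSHD is Running!"}'
        '';
        wantedBy = [ "multi-user.target" ];
      };

      ceph-mon = {
        enable = true;
        description = "Ceph cluster monitor daemon";
        # These were previously lowercase keys inside unitConfig (partOf=,
        # after=, ...), which systemd does not recognise (keys are
        # case-sensitive), so none of the ordering applied. They are NixOS
        # service options, which emit the proper [Unit] directives.
        # According to:
        # http://www.freedesktop.org/wiki/Software/systemd/NetworkTarget
        # these can be removed once ceph-mon will dynamically change network
        # configuration.
        partOf = [ "ceph-mon.target" ];
        after = [ "network-online.target" "local-fs.target" "time-sync.target" ];
        before = [ "remote-fs-pre.target" "ceph-mon.target" ];
        wants = [ "network-online.target" "local-fs.target" "time-sync.target" "remote-fs-pre.target" "ceph-mon.target" ];
        serviceConfig = {
          # Environment=CLUSTER=ceph
          # EnvironmentFile=-/etc/default/ceph
          # ExecReload=/bin/kill -HUP $MAINPID
          # Path was "/run/current/system/..." -- a typo; the system profile
          # lives at /run/current-system (cf. the ceph-mesh unit below).
          # NOTE(review): ceph is not in environment.systemPackages in this
          # file; it must be added elsewhere or this binary will not exist.
          ExecStart = "/run/current-system/sw/bin/ceph-mon -f --cluster ceph --id auxin --setuser ceph --setgroup ceph";
          # LimitNOFILE=1048576
          # LimitNPROC=1048576
          # LockPersonality=true
          # MemoryDenyWriteExecute=true
          # Need NewPrivileges via `sudo smartctl`
          NoNewPrivileges = false;
          # We need access to block devices to check the health of the disk
          # backing the monitor DB store. It can be set to `true` if you're not
          # interested in that feature.
          PrivateDevices = false;
          # Remaining upstream hardening, worth enabling once the unit works:
          # PrivateTmp=true
          # ProtectControlGroups=true
          # ProtectHome=true
          # ProtectHostname=true
          # ProtectKernelLogs=true
          # ProtectKernelModules=true
          # ProtectKernelTunables=true
          # ProtectSystem=full
          # Restart=on-failure
          # RestartSec=10
          # RestrictSUIDSGID=true
          # StartLimitBurst=5
          # StartLimitInterval=30min
          # TasksMax=infinity
        };
        # NOTE: no ceph-mon.target is defined in this file, so this unit only
        # starts if that target is provided by another module.
        wantedBy = [ "ceph-mon.target" ];
      };

      # ceph-mesh = {
      #   enable = true;
      #   description = "Ceph OSD Bindings";
      #   unitConfig = {
      #     After = "local-fs.target";
      #     Wants = "local-fs.target";
      #   };
      #   serviceConfig = {
      #     Type = "oneshot";
      #     KillMode = "none";
      #     Environment = "CEPH_VOLUME_TIMEOUT=10000 PATH=$PATH:/run/current-system/sw/bin/";
      #     ExecStart = "/bin/sh -c 'timeout $CEPH_VOLUME_TIMEOUT /run/current-system/sw/bin/ceph-volume lvm activate --all --no-systemd'";
      #     TimeoutSec = 0;
      #   };
      #   wantedBy = [ "multi-user.target" ];
      # };
    };
  };

  # Copy the NixOS configuration file and link it from the resulting system
  # (/run/current-system/configuration.nix). This is useful in case you
  # accidentally delete configuration.nix.
  system = {
    # copySystemConfiguration = true; # NOTE: Doesn't work with flakes
    # NOTE: pins stateful defaults to the release this host was installed
    # with; do not bump it after install.
    stateVersion = "23.11";
  };
}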