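{ config, lib, pkgs, ... }:

let
  # Every port below is opened for BOTH TCP and UDP (see networking.firewall).
  # Most of the annotated services are TCP-only; the UDP side is an
  # unnecessary exposure for them. The list is kept as-is here because this
  # file does not show which entries really need UDP — split it into
  # separate TCP/UDP lists once that is confirmed.
  ports = [
    111 # RPC? (rpcbind, needed by NFS)
    2049 # NFS
    22 # SSH
    22000 # syncthing
    2222 # Gitea SSH
    2377 # presumably Docker Swarm manager (see liveRestore note) — confirm
    25565 # Minecraft
    3001 # Gitea(->3000)
    4001 # Lockd
    4002 # Mountd
    443 # HTTPS
    445 # SMB
    7359 # jellyfin (dlna?)
    7946 # presumably Docker Swarm gossip — confirm
    80 # HTTP
    8080 # qbittorrent
    8089 # traefik (->8080)
    8096 # Jellyfin
    8191 # flaresolverr
    8420 # Website (->4321)
    8842 # Crowdsec (-> 8842)
    8888 # Kodi
    9000 # Portainer (-> 9443)
  ];
  # // lib.lists.range 6800 7568 ;
in
{
  imports = [
    # Include the results of the hardware scan.
    # ./hardware-configuration.nix
  ];

  nixpkgs = {
    config = {
      kodi.enableAdvancedLauncher = true;
      pulseaudio = true;
    };
  };

  networking = {
    interfaces.enp5s0f0u1c2.ipv4.addresses = [
      {
        address = "192.168.2.153";
        prefixLength = 24;
      }
    ];
    # hostName = "auxin"; # Define your hostname.
    nameservers = [ "192.168.1.1" ];
    firewall = {
      enable = true;
      # NOTE(review): the same list is used for UDP and TCP; see the comment on
      # `ports` above. Steam/xrdp/samba-wsdd additionally open their own ports
      # via the `openFirewall` options below.
      allowedUDPPorts = ports;
      allowedTCPPorts = ports;
    };
    # NOTE(review): 192.168.1.1 is not inside the 192.168.2.153/24 prefix
    # configured on enp5s0f0u1c2 above, and the NFS export below is for
    # 192.168.1.0/24. Either another interface (not shown here) provides the
    # 192.168.1.0/24 route, or one of these addresses is a typo — confirm.
    defaultGateway = {
      address = "192.168.1.1";
    };
  };

  environment.systemPackages = with pkgs; [
    alacritty
    czkawka
    gcc
    go
    hyperfine
    sof-firmware
    jellyfin-media-player
    lazydocker
    gamescope
    lazygit
    nil
    dig
    nmap
    upower
    nodePackages.nodejs
    nodePackages.pnpm
  ];

  # Define a user account. Don't forget to set a password with ‘passwd’.
  users = {
    users = {
      # mesh = {
      #   isNormalUser = true;
      #   extraGroups = [ "wheel" "docker" ];
      # };
      # Unprivileged identity that the NFS export squashes to and that the
      # sshdAlert service runs as. The subuid/subgid ranges only matter for
      # Docker's `--userns-remap`, which is currently commented out below.
      dockremap = {
        isSystemUser = true;
        uid = 100000;
        group = "dockremap";
        subUidRanges = [
          {
            startUid = 100000;
            count = 65536;
          }
        ];
        subGidRanges = [
          {
            startGid = 100000;
            count = 65536;
          }
        ];
      };
    };
  };

  i18n.defaultLocale = "en_US.UTF-8";

  programs = {
    virt-manager.enable = true;
    fuse.userAllowOther = true;
    steam = {
      gamescopeSession.enable = true;
      enable = true;
      remotePlay.openFirewall = true;
      dedicatedServer.openFirewall = true;
      localNetworkGameTransfers.openFirewall = true;
    };
    nh = {
      enable = true;
      clean.enable = true;
      clean.extraArgs = "--keep-since 4d --keep 3";
      flake = "/etc/nixos/";
    };
    gnupg.agent = {
      enable = true;
      enableSSHSupport = true;
    };
    zsh.enable = true;
    neovim = {
      enable = true;
      configure = {
        customRC = ''
          set number relativenumber
        '';
      };
      defaultEditor = true;
    };
  };

  services = {
    nfs = {
      idmapd.settings = {
        Mapping = {
          "Nobody-User" = lib.mkForce "dockremap";
          "Nobody-Group" = lib.mkForce "dockremap";
        };
      };
      server = {
        enable = true;
        mountdPort = 4002;
        lockdPort = 4001;
        # all_squash maps every client uid/gid to dockremap (100000), so any
        # host on the exported subnet gets read-write access as that user —
        # there is no per-client authentication beyond the source address.
        exports = ''
          /raid/swarm 192.168.1.0/24(rw,sync,all_squash,anonuid=100000,anongid=100000)
        '';
      };
    };
    gvfs.enable = true;
    # Opens 3389 on the firewall; fail2ban below is the only brute-force
    # protection shown for it.
    xrdp = {
      enable = true;
      openFirewall = true;
    };
    x2goserver.enable = true;

    # Enable the X11 windowing system.
    xserver = {
      enable = true;
      # videoDrivers = ["modesetting"];
      # desktopManager.xfce.enable = true;
      # Kodi
      desktopManager.kodi = {
        enable = true;
        package = pkgs.kodi.withPackages (
          pkgs: with pkgs; [
            jellyfin
            jellycon
            sendtokodi
            sponsorblock
            steam-library
            youtube
            libretro
            libretro-mgba
            steam-controller
            steam-launcher
            visualization-matrix
            visualization-spectrum
            visualization-waveform
            inputstream-adaptive
          ]
        );
      };
      displayManager.lightdm.greeter.enable = false;
    };
    # NOTE(review): user "mira" is not declared in this file (users.users
    # above only defines dockremap); presumably it comes from another module.
    displayManager.autoLogin = {
      enable = true;
      user = "mira";
    };
    btrbk = { }; # TODO:
    caddy = { }; # TODO:
    fail2ban = {
      enable = true;
      ignoreIP = [
        "10.0.0.0/8"
        "172.16.0.0/12"
        "192.168.0.0/16"
      ];
      bantime-increment.enable = true;
    };
    samba-wsdd = {
      enable = true;
      openFirewall = true;
    };
    # WARNING: the commented-out share below exports the whole root
    # filesystem ("/") read-write to unauthenticated guests. Do not re-enable
    # it in this form; restrict `path` to a dedicated directory first.
    # samba = {
    #   enable = true;
    #   settings = {
    #     global = {
    #       "min protocol" = "SMB2";
    #       "max protocol" = "SMB3";
    #       "client min protocol" = "SMB2";
    #       "client max protocol" = "SMB3";
    #       "client ipc min protocol" = "SMB2";
    #       "client ipc max protocol" = "SMB3";
    #       "server min protocol" = "SMB2";
    #       "server max protocol" = "SMB3";
    #     };
    #     public = {
    #       path = "/";
    #       browseable = "yes";
    #       "guest ok" = "yes";
    #       "read only" = "no";
    #       "create mask" = "0644";
    #       "directory mask" = "0755";
    #       "force user" = "dockremap";
    #       "force group" = "dockremap";
    #     };
    #   };
    # };
    pipewire = {
      enable = true;
      alsa.enable = true;
      alsa.support32Bit = true;
      pulse.enable = true;
      audio.enable = true;
      # If you want to use JACK applications, uncomment this
      #jack.enable = true;
    };
  };

  virtualisation.docker = {
    storageDriver = "overlay2";
    enableOnBoot = true;
    enable = true;
    autoPrune.enable = true;
    # TODO: you're gonna need to disable this eventually
    # extraOptions = "--userns-remap=default";
    liveRestore = false; # NOTE: Incompatible with swarm
  };
  virtualisation.libvirtd.enable = true;

  # TODO:
  powerManagement.enable = lib.mkForce false;

  systemd = {
    targets = {
      sleep.enable = false;
      suspend.enable = false;
    };

    timers."qbittorrent-healthcheck" = {
      wantedBy = [ "timers.target" ];
      timerConfig = {
        # systemd calendar syntax, not cron: "*:0/5" fires every five minutes.
        # The previous value "*/5 * * * *" is a cron expression that systemd
        # cannot parse, so the timer never fired.
        OnCalendar = "*:0/5";
        Unit = "qbittorrent-healthcheck.service";
      };
    };

    services = {
      # If the qbittorrent container can no longer reach the internet through
      # its VPN interface (protonwire0), restart it. Runs as root because it
      # talks to the Docker socket.
      "qbittorrent-healthcheck" = {
        script = ''
          ${pkgs.docker}/bin/docker exec qbittorrent ping -c 1 -w 5 -I protonwire0 8.8.8.8 || ${pkgs.docker}/bin/docker restart qbittorrent
        '';
        serviceConfig = {
          Type = "oneshot";
          User = "root";
        };
      };

      docker = {
        unitConfig = {
          RequiresMountsFor = "/raid";
        };
        wantedBy = [ "graphical.target" ];
      };

      # TODO: switch to ntfy?
      # Posts a Discord message once sshd is up.
      #
      # SECURITY: the webhook URL is a secret — whoever holds it can post to
      # the channel as this bot. It used to be written inline here, which
      # puts it into the world-readable Nix store and into git history; the
      # old URL should be regenerated in Discord. It is now read at runtime
      # from a root-only file via systemd's LoadCredential, which exposes it
      # only to this unit (even though it runs as the unprivileged
      # dockremap user).
      #
      # Create /etc/nixos/secrets/discord-webhook (mode 0400, owned by root)
      # containing just the webhook URL.
      sshdAlert = {
        enable = true;
        description = "Discord notification that sshd is running";
        # `Requires=` alone does not order the two units; `After=` is needed
        # so the message is not sent while sshd is still starting.
        # NOTE(review): sshd itself is not enabled in this file — presumably
        # services.openssh is set in another module; otherwise this unit
        # will fail its dependency.
        requires = [ "sshd.service" ];
        after = [ "sshd.service" "network-online.target" ];
        wants = [ "network-online.target" ];
        wantedBy = [ "multi-user.target" ];
        path = [ pkgs.curl ];
        serviceConfig = {
          Type = "oneshot";
          User = "dockremap";
          LoadCredential = [ "discord-webhook:/etc/nixos/secrets/discord-webhook" ];
        };
        script = ''
          webhook="$(cat "$CREDENTIALS_DIRECTORY/discord-webhook")"
          # --fail makes a 4xx/5xx reply fail the unit instead of passing silently.
          curl --fail --silent --show-error --request POST --url "$webhook" \
            --header 'Content-Type: application/json' \
            --data '{"username": "Auxin SSH status","avatar_url": "https://pbs.twimg.com/media/GMPtuovaQAAQ7Qr?format=png&name=large","content": "SSHD is Running!"}'
        '';
      };
    };
  };

  system = {
    stateVersion = "23.11"; # NOTE: Don't fuck with this
  };
}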