304 lines
6.6 KiB
Nix
304 lines
6.6 KiB
Nix
{
|
||
config,
|
||
lib,
|
||
pkgs,
|
||
...
|
||
}: let
|
||
ports = [
|
||
22 # SSH
|
||
22000 # syncthing
|
||
2222 # Gitea SSH
|
||
2377
|
||
25565 # Minecraft
|
||
3001 # Gitea(->3000)
|
||
443 # HTTPS
|
||
445
|
||
7359 # jellyfin (dlna?)
|
||
7946
|
||
80 # HTTP
|
||
8080 # qbittorrent
|
||
8089 # traefik (->8080)
|
||
8096 # Jellyfin
|
||
8191 # flaresolverr
|
||
8420 # Website (->4321)
|
||
8842 # Crowdsec (-> 8842)
|
||
8888 # Kodi
|
||
9000 # Portainer (-> 9443)
|
||
2049 # NFS
|
||
4001 # Lockd
|
||
4002 # Mountd
|
||
];
|
||
in {
|
||
imports = [
|
||
# Include the results of the hardware scan.
|
||
# ./hardware-configuration.nix
|
||
];
|
||
nixpkgs = {
|
||
config = {
|
||
kodi.enableAdvancedLauncher = true;
|
||
pulseaudio = true;
|
||
};
|
||
};
|
||
|
||
networking = {
|
||
# hostName = "auxin"; # Define your hostname.
|
||
nameservers = ["192.168.1.207"];
|
||
firewall = {
|
||
enable = true;
|
||
allowedUDPPorts = ports;
|
||
allowedTCPPorts = ports;
|
||
};
|
||
bridges = {
|
||
"br0" = {
|
||
interfaces = [
|
||
"enp9s0"
|
||
|
||
"enp0s20f0u4"
|
||
];
|
||
};
|
||
};
|
||
interfaces.br0.ipv4.addresses = [
|
||
{
|
||
address = "192.168.1.153";
|
||
prefixLength = 24;
|
||
}
|
||
];
|
||
defaultGateway = {
|
||
address = "192.168.1.1";
|
||
};
|
||
};
|
||
|
||
environment.systemPackages = with pkgs; [
|
||
alacritty
|
||
czkawka
|
||
gcc
|
||
go
|
||
hyperfine
|
||
sof-firmware
|
||
jellyfin-media-player
|
||
lazydocker
|
||
gamescope
|
||
lazygit
|
||
nil
|
||
nodePackages.nodejs
|
||
nodePackages.pnpm
|
||
];
|
||
# Define a user account. Don't forget to set a password with ‘passwd’.
|
||
users = {
|
||
users = {
|
||
dockremap = {
|
||
isSystemUser = true;
|
||
uid = 100000;
|
||
group = "dockremap";
|
||
subUidRanges = [
|
||
{
|
||
startUid = 100000;
|
||
count = 65536;
|
||
}
|
||
];
|
||
subGidRanges = [
|
||
{
|
||
startGid = 100000;
|
||
count = 65536;
|
||
}
|
||
];
|
||
};
|
||
};
|
||
};
|
||
programs = {
|
||
steam = {
|
||
gamescopeSession.enable = true;
|
||
enable = true;
|
||
remotePlay.openFirewall = true;
|
||
dedicatedServer.openFirewall = true;
|
||
localNetworkGameTransfers.openFirewall = true;
|
||
};
|
||
|
||
nh = {
|
||
enable = true;
|
||
clean.enable = true;
|
||
clean.extraArgs = "--keep-since 4d --keep 3";
|
||
flake = "/etc/nixos/";
|
||
};
|
||
gnupg.agent = {
|
||
enable = true;
|
||
enableSSHSupport = true;
|
||
};
|
||
|
||
zsh.enable = true;
|
||
|
||
neovim = {
|
||
enable = true;
|
||
configure = {
|
||
customRC = ''
|
||
set number relativenumber
|
||
'';
|
||
};
|
||
|
||
defaultEditor = true;
|
||
};
|
||
};
|
||
|
||
services = {
|
||
nfs.server = {
|
||
enable = true;
|
||
mountdPort = 4002;
|
||
lockdPort = 4001;
|
||
exports = ''
|
||
/raid/swarm 192.168.1.0/24(rw)
|
||
'';
|
||
};
|
||
gvfs.enable = true;
|
||
xrdp = {
|
||
enable = true;
|
||
openFirewall = true;
|
||
};
|
||
x2goserver.enable = true;
|
||
|
||
k3s = {
|
||
enable = false;
|
||
role = "server";
|
||
token = "uwubernetes"; # TODO: change this
|
||
extraFlags = toString [
|
||
"--write-kubeconfig-mode \"0644\""
|
||
"--cluster-init"
|
||
# "--disable localstorage"
|
||
];
|
||
};
|
||
# Enable the X11 windowing system.
|
||
xserver = {
|
||
enable = true;
|
||
|
||
desktopManager.xfce.enable = false;
|
||
|
||
# Kodi
|
||
desktopManager.kodi = {
|
||
enable = true;
|
||
package = pkgs.kodi.withPackages (pkgs:
|
||
with pkgs; [
|
||
jellyfin
|
||
jellycon
|
||
sendtokodi
|
||
sponsorblock
|
||
steam-library
|
||
youtube
|
||
libretro
|
||
libretro-mgba
|
||
steam-controller
|
||
steam-launcher
|
||
visualization-matrix
|
||
visualization-spectrum
|
||
visualization-waveform
|
||
inputstream-adaptive
|
||
]);
|
||
};
|
||
};
|
||
displayManager.sddm = {
|
||
enable = true;
|
||
settings = {
|
||
Autologin = {
|
||
Session = "kodi.desktop";
|
||
User = "mira";
|
||
};
|
||
};
|
||
};
|
||
btrbk = {}; # TODO:
|
||
caddy = {}; # TODO:
|
||
ceph = {}; # TODO:
|
||
fail2ban = {
|
||
enable = true;
|
||
ignoreIP = [
|
||
"10.0.0.0/8"
|
||
"172.16.0.0/12"
|
||
"192.168.0.0/16"
|
||
];
|
||
bantime-increment.enable = true;
|
||
};
|
||
samba-wsdd = {
|
||
enable = true;
|
||
openFirewall = true;
|
||
};
|
||
# TODO: check security settings
|
||
samba = {
|
||
enable = true;
|
||
shares = {
|
||
public = {
|
||
path = "/";
|
||
browseable = "yes";
|
||
"guest ok" = "yes";
|
||
};
|
||
};
|
||
};
|
||
pipewire = {
|
||
enable = false;
|
||
alsa.enable = true;
|
||
alsa.support32Bit = true;
|
||
pulse.enable = true;
|
||
audio.enable = true;
|
||
# If you want to use JACK applications, uncomment this
|
||
#jack.enable = true;
|
||
};
|
||
};
|
||
virtualisation.docker = {
|
||
storageDriver = "overlay2";
|
||
enableOnBoot = true;
|
||
enable = true;
|
||
autoPrune.enable = true;
|
||
extraOptions = "--userns-remap=default";
|
||
liveRestore = false; # NOTE: Incompatible with swarm
|
||
};
|
||
|
||
# TODO:
|
||
powerManagement.enable = lib.mkForce false;
|
||
systemd = {
|
||
targets = {
|
||
sleep.enable = false;
|
||
suspend.enable = false;
|
||
};
|
||
timers."qbittorrent-healthcheck" = {
|
||
wantedBy = ["timers.target"];
|
||
timerConfig = {
|
||
OnCalendar = "*/5 * * * *";
|
||
Unit = "qbittorrent-healthcheck";
|
||
};
|
||
};
|
||
services = {
|
||
"qbittorrent-healthcheck" = {
|
||
script = ''
|
||
${pkgs.docker}/bin/docker exec qbittorrent ping -c 1 -w 5 -I protonwire0 8.8.8.8 || ${pkgs.docker}/bin/docker restart qbittorrent
|
||
'';
|
||
serviceConfig = {
|
||
Type = "oneshot";
|
||
User = "root";
|
||
};
|
||
};
|
||
|
||
docker = {
|
||
unitConfig = {
|
||
RequiresMountsFor = "/raid";
|
||
};
|
||
wantedBy = ["graphical.target"];
|
||
};
|
||
sshdAlert = {
|
||
enable = true;
|
||
unitConfig = {
|
||
Requires = "sshd.service";
|
||
};
|
||
serviceConfig = {
|
||
ExecStart = ''
|
||
${pkgs.curl}/bin/curl --request POST --url https://discord.com/api/webhooks/1235751608046846012/CU7tz271Z3Rbq9mPV0_rB5RBCRDhLKhGH14ebBm-TePpWFqKKJaCRYVMHYTJsIaSq2H- --header 'Content-Type: application/json' --data '{"username": "Auxin SSH status","avatar_url": "https://pbs.twimg.com/media/GMPtuovaQAAQ7Qr?format=png&name=large","content": "SSHD is Running!"}'
|
||
'';
|
||
};
|
||
wantedBy = ["multi-user.target"];
|
||
};
|
||
};
|
||
};
|
||
# Copy the NixOS configuration file and link it from the resulting system
|
||
# (/run/current-system/configuration.nix). This is useful in case you
|
||
# accidentally delete configuration.nix.
|
||
system = {
|
||
# copySystemConfiguration = true; # NOTE: Doesn't work with flakes
|
||
|
||
stateVersion = "23.11"; # NOTE: Don't fuck with this
|
||
};
|
||
}
|