
{
config,
lib,
pkgs,
...
}:
let
tailnet = "tail530c7.ts.net"; # Tailscale MagicDNS suffix; only used below to build the soft-serve public_url
in
{
# Host-local modules first (hardware scan, this host's CoreDNS and promtail),
# then the modules shared across hosts under ../../modules. The "frequent" /
# "production" sanoid templates referenced further down presumably come from
# ../../modules/sanoid.nix — confirm there if they change.
imports = [
./hardware-configuration.nix
./modules/coredns.nix
./modules/promtail/promtail.nix
../../modules/base.nix
../../modules/dnscrypt.nix
../../modules/sanoid.nix
../../modules/zram.nix
];
# Secrets are decrypted by sops-nix at activation. The age identity is derived
# from the host's SSH ed25519 key, so no separate age key file is kept on disk
# and none is ever generated (generateKey = false).
sops.defaultSopsFile = ./secrets.yaml;
sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
sops.age.generateKey = false;
sops.secrets = {
  # Both secrets are declared but not referenced anywhere else in this file:
  # the hashedPasswordFile and nix.settings.netrc-file consumers are commented out.
  rootPassphrase.owner = "root";
  "attic/netrc".owner = "root";
};
# nix.settings.netrc-file = config.sops.secrets."attic/netrc".path;
# Evaluate this host for aarch64 (the board ships raspberrypifw below). The
# buildPlatform override to x86_64 that used to live here is intentionally not set.
nixpkgs.hostPlatform.system = "aarch64-linux";
# Boot chain: systemd-boot on UEFI, ZFS root pool, tmpfs /tmp.
boot.kernelPackages = pkgs.linuxPackages_6_17; # 6.12 and linuxPackages_latest were tried before this pin
boot.kernelParams = [
  "cma=256M" # contiguous memory allocator pool size
  "console=tty0" # the serial consoles (ttyS0 / ttyAMA0) are deliberately not enabled
  "consoleblank=600"
  "nohibernate" # hibernation onto a ZFS root is not supported by OpenZFS
];
boot.loader = {
  timeout = 7;
  grub.enable = false;
  generic-extlinux-compatible.enable = false;
  systemd-boot = {
    enable = true;
    configurationLimit = 75; # maximum number of latest NixOS generations to show
  };
  efi.canTouchEfiVariables = true;
};
boot.supportedFilesystems = [ "zfs" ];
# NOTE(review): forceImportRoot bypasses the ZFS import safeguards (equivalent to
# `zpool import -f` on every boot); NixOS recommends disabling it once the pool
# imports cleanly without it — TODO confirm it is still required.
boot.zfs.forceImportRoot = true;
boot.initrd = {
  kernelModules = [ "zfs" ];
  # USB root/boot media: host controller, HID and mass storage.
  availableKernelModules = [
    "xhci_pci"
    "usbhid"
    "usb_storage"
  ];
};
boot.tmp = {
  useTmpfs = true;
  cleanOnBoot = true;
};
#powerManagement.cpuFreqGovernor = "ondemand";
# Root dataset on the zroot pool; `zfsutil` makes mount(8) honour the dataset's
# own mount properties. The former /boot/firmware vfat mount stays disabled.
fileSystems."/" = {
  device = "zroot/root";
  fsType = "zfs";
  options = [ "zfsutil" ];
};
# Don't use lix here: base.nix presumably selects it, so mkForce is needed to
# override that with upstream Nix.
nix = {
  package = lib.mkForce pkgs.nixVersions.latest;
};
console = {
  keyMap = "uk";
};
networking = {
  hostName = "umberto-nix";
  hostId = "ba7e9011"; # used by ZFS to tag the pool; must stay stable or the pool refuses to import
  nftables.enable = true;

  # Local resolver: stop dhcpcd from rewriting resolv.conf and point glibc at
  # loopback, where the imported CoreDNS / dnscrypt modules presumably listen.
  dhcpcd.extraConfig = "nohook resolv.conf";
  nameservers = [
    "127.0.0.1"
    "::1"
  ];
  resolvconf = {
    dnsSingleRequest = true;
    extraOptions = [
      "single-request-reopen"
      "attempts:7"
      "timeout:3"
      "rotate"
      "ndots:1"
      # Sets RES_NOCHECKNAME in _res.options, which disables the modern BIND
      # checking of incoming hostnames and mail names for invalid characters such
      # as underscore (_), non-ASCII, or control characters.
      "no-check-names"
      # glibc passes the AD bit through to callers; only reasonable because the
      # only nameservers are the local ones above.
      "trust-ad"
    ];
  };

  firewall = {
    allowPing = true;
    # FIXME: fix the root issue instead. With reverse-path filtering off, packets
    # whose source address is not routable back over the arriving interface are
    # no longer dropped on ingress.
    checkReversePath = lib.mkForce false;
    logReversePathDrops = true;
    logRefusedConnections = true;
    # Traffic from these interfaces bypasses the firewall entirely (libvirt bridge
    # and the tailnet); everything else only gets the ports listed below.
    trustedInterfaces = [
      "virbr0"
      "tailscale0"
    ];
    allowedTCPPorts = [
      9418 # soft-serve git
      23231 # soft-serve ssh
    ];
  };

  # StevenBlack hosts file: the base ads/malware list plus these extensions.
  stevenblack = {
    enable = true;
    block = [
      "fakenews"
      "gambling"
    ];
  };

  wireless.enable = false;
};
documentation.nixos.enable = false; # skip building the NixOS manual for this host

environment.variables = {
  EDITOR = "vim";
  VISUAL = "vim";
  NIXPKGS_ALLOW_UNFREE = "0"; # ad-hoc nix-shell / nix-build on the box also refuse unfree packages
};
environment.systemPackages = with pkgs; [
  vim
  zsh
  raspberrypifw
  neofetch # fastfetch deliberately left out: long compile times
  wol
  starship
  fzf
  zoxide
  sdcv # console version of StarDict
];
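services = {
  fstrim.enable = true;
  openssh.enable = true;

  # soft-serve: self-hosted git over SSH (23231) and the git daemon (9418), both
  # opened in the firewall above. The stats endpoint (23233) is not opened, so it
  # is reachable only locally and from trusted interfaces.
  soft-serve = {
    enable = true;
    settings =
      let
        # Keys granted soft-serve admin; they mirror the first two root
        # authorized keys. Keep the exact case: the blob is base64, so a
        # lowercased copy decodes to a different, unparseable key and never
        # matches the real one.
        adminKeys = [
          "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBtG6NCgdLHX4ztpfvYNRaslKWZcl6KdTc1DehVH4kAL"
          "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILPLzZkzWM+iiwRqbLX4+iyXSUqewojm74L7Zn2nSrAU"
        ];
      in
      {
        name = "wanderllama's repos";
        log_format = "text";
        ssh = {
          listen_addr = ":23231";
          public_url = "ssh://umberto-nix.${tailnet}:23231";
          max_timeout = 30;
          idle_timeout = 120;
        };
        stats.listen_addr = ":23233";
        initial_admin_keys = adminKeys;
        # NOTE(review): a `users` list with `public-keys` looks like the older
        # file-based soft-serve config layout; confirm the packaged version still
        # reads it rather than only its database.
        users = [
          {
            name = "admin";
            admin = true;
            public-keys = adminKeys;
          }
        ];
      };
  };

  # sanoid: ZFS snapshots every five minutes; the templates presumably come from
  # the imported ../../modules/sanoid.nix.
  sanoid = {
    enable = true;
    interval = "*:0/5";
    datasets = {
      "zroot/userdata" = {
        useTemplate = [ "frequent" ];
        recursive = true; # boolean form; the "zfs" (native recursive snapshot) mode was tried before
      };
      "zroot/root" = {
        useTemplate = [ "production" ];
        recursive = true;
      };
    };
  };
};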
programs.zsh = {
  enable = true;
  # NOTE(review): every interactive shell evals whatever `zinit load` prints, and
  # zinit presumably fetches sindresorhus/pure from the network on first use;
  # zinit itself is not in systemPackages here, so it must be provided elsewhere.
  promptInit = "eval \"`zinit load sindresorhus/pure`\"";
};
users.users.root = {
  shell = pkgs.zsh;
  autoSubUidGidRange = true;
  # NOTE(review): an inline hash ends up in the world-readable Nix store and in
  # git, and this one is bcrypt at cost 05 (2^5 rounds), far below the usual
  # 10-12. The rootPassphrase sops secret is already declared above; prefer
  # `hashedPasswordFile = config.sops.secrets.rootPassphrase.path;` once that
  # secret holds a crypt(3) hash generated at a higher cost.
  hashedPassword = "$2b$05$jKQ3UaA39JFRqRKGvXrXEOB7kRzFrR1dklflRZIOMkr3pQva3g/oe";
  openssh.authorizedKeys.keys = [
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBtG6NCgdLHX4ztpfvYNRaslKWZcl6KdTc1DehVH4kAL"
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILPLzZkzWM+iiwRqbLX4+iyXSUqewojm74L7Zn2nSrAU"
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJaXmXbNegxiXLldy/sMYX8kCsghY1SGqn2FZ5Jk7QJw"
    # The two "nixbldr" keys are presumably remote-builder access from other
    # hosts; they get a full root login here, so consider prefixing them with
    # authorized_keys restrictions if only `nix-store --serve` is needed.
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBZbkw9vjCfbMPEH7ZAFq20XE9oIJ4w/HRIMu2ivNcej caelum's nixbldr key"
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGKzPC0ZK4zrOEBUdu1KNThEleVb1T5Pl3+n3KB3o0b8 surtur's nixbldr key"
  ];
};
# systemd.watchdog.runtimeTime = "30s";
# systemd.watchdog.runtimeTime = "3m";
# NOTE(review): `services` is also defined earlier in this file (soft-serve,
# sanoid); folding this into that block would avoid the duplicate attribute.
services.prometheus = {
  # Only the server is off. The exporters are independent options and still
  # run; neither port is in allowedTCPPorts, so they answer only locally and on
  # trusted interfaces.
  enable = false;
  exporters.node = {
    enable = true;
    port = 9100;
    enabledCollectors = [
      "logind"
      "systemd"
      "sysctl"
      "network_route"
      "zfs"
    ];
    disabledCollectors = [
      "arp"
      "tapestats"
    ];
  };
  exporters.smartctl = {
    enable = true;
    listenAddress = "0.0.0.0";
    devices = [ "/dev/sda" ];
  };
};
hardware = {
  bluetooth.enable = true;
  enableRedistributableFirmware = true; # presumably needed for the board's wifi/bluetooth blobs
};
# Pins stateful defaults from the release this host was installed with; do not
# bump it without reading the release notes.
system.stateVersion = "25.11";
}