diff --git a/systems/zeus/configuration.nix b/systems/zeus/configuration.nix new file mode 100644 index 0000000..dc4e1b4 --- /dev/null +++ b/systems/zeus/configuration.nix 
@@ -0,0 +1,422 @@ +# Edit this configuration file to define what should be installed on +# your system. Help is available in the configuration.nix(5) man page, on +# https://search.nixos.org/options and in the NixOS manual (`nixos-help`). + +{ config, lib, pkgs, ... }: + +{ + imports = + [ # Include the results of the hardware scan. + ./hardware-configuration.nix + ]; + + # Use the GRUB 2 boot loader. + boot.loader.grub.enable = true; + boot.loader.grub.zfsSupport = true; + boot.loader.grub.extraEntries = '' + menuentry 'Debian GNU/Linux' --class debian --class gnu-linux --class gnu --class os $menuentry_id_option 'gnulinux-simple-/dev/sda4_/dev/sdb4_/dev/sdc4_/dev/sdd4' { + load_video + insmod gzio + if [ x$grub_platform = xxen ]; then insmod xzio; insmod lzopio; fi + insmod part_gpt + insmod part_gpt + insmod part_gpt + insmod part_gpt + insmod zfs + set root='hd3,gpt3' + if [ x$feature_platform_search_hint = xy ]; then + search --no-floppy --fs-uuid --set=root --hint-bios=hd3,gpt3 --hint-efi=hd3,gpt3 --hint-baremetal=ahci3,gpt3 --hint-bios=hd1,gpt3 --hint-efi=hd1,gpt3 --hint-baremetal=ahci1,gpt3 --hint-bios=hd2,gpt3 --hint-efi=hd2,gpt3 --hint-baremetal=ahci2,gpt3 --hint-bios=hd0,gpt3 --hint-efi=hd0,gpt3 --hint-baremetal=ahci0,gpt3 f8ecb74936118c7a + else + search --no-floppy --fs-uuid --set=root f8ecb74936118c7a + fi + echo 'Loading Linux 6.1.0-20-amd64 ...' + linux /BOOT/debian@/vmlinuz-6.1.0-20-amd64 root=ZFS=/ROOT/debian ro root=ZFS=rpool/ROOT/debian quiet splash + echo 'Loading initial ramdisk ...' + initrd /BOOT/debian@/initrd.img-6.1.0-20-amd64 + } + ''; + boot.kernelPackages = config.boot.zfs.package.latestCompatibleLinuxPackages; + # boot.loader.grub.efiSupport = true; + # boot.loader.grub.efiInstallAsRemovable = true; + # boot.loader.efi.efiSysMountPoint = "/boot/efi"; + # Define on which hard drive you want to install Grub. 
+ # boot.loader.grub.device = "/dev/sda"; # or "nodev" for efi only + boot.loader.grub.devices = [ "/dev/sda" "/dev/sdb" "/dev/sdc" "/dev/sdd" "/dev/sde" "/dev/sdf" ]; + + networking.hostName = "zeus"; # Define your hostname. + networking.hostId = (builtins.substring 0 8 (builtins.readFile "/etc/machine-id")); + boot.binfmt.emulatedSystems = [ "aarch64-linux" ]; + # Pick only one of the below networking options. + # networking.wireless.enable = true; # Enables wireless support via wpa_supplicant. + # networking.networkmanager.enable = true; # Easiest to use and most distros use this by default. + networking.useNetworkd = true; + systemd.network.enable = true; + services.resolved.enable = true; + services.resolved.fallbackDns = [ "8.8.8.8" ]; + systemd.network.netdevs = { + bond0 = { + netdevConfig = { + Name = "bond0"; + Kind = "bond"; + }; + bondConfig = { + Mode = "active-backup"; + }; + }; + lan-shim = { + netdevConfig = { + Name = "lan-shim"; + Kind = "macvlan"; + MACAddress = "3e:53:37:25:08:ef"; + }; + macvlanConfig = { + Mode = "bridge"; + }; + }; + wg0 = { + netdevConfig = { + Name = "wg0"; + Kind = "wireguard"; + }; + wireguardConfig = { + PrivateKeyFile = /etc/nixos/wireguard.priv; + ListenPort = 51821; + }; + wireguardPeers = [{ + wireguardPeerConfig = { + PublicKey = "ZT+n0XONAZ6dkiIJR+2bmTT9y7WTxDNdnZo5S7b8vxE="; + AllowedIPs = [ "10.98.0.0/31" ]; + PresharedKeyFile = /etc/nixos/wireguard.psk; + PersistentKeepalive = 25; + Endpoint = "remote.kow.is:51821"; + }; + }]; + }; + }; + systemd.network.networks = { + "00-bondage" = { + name = "en*"; + networkConfig.Bond = "bond0"; + }; + bond0 = { + name = "bond0"; + networkConfig.MACVLAN = "lan-shim"; + }; + lan-shim = { + name = "lan-shim"; + address = [ "10.42.69.100/24" "fd72:3dd5:21ae:3c97:101b:87ff:fe86:5f01/64" ]; + dns = [ "10.42.69.2" ]; + domains = [ "icanttype.org" ]; + gateway = [ "10.42.69.1" ]; + }; + wg0 = { + name = "wg0"; + address = [ "10.98.0.0/31" "fd72:3dd5:21ae:ff1a::1/64" ]; + }; + }; + 
+ # Set your time zone. + time.timeZone = "America/New_York"; + + # Configure network proxy if necessary + # networking.proxy.default = "http://user:password@proxy:port/"; + # networking.proxy.noProxy = "127.0.0.1,localhost,internal.domain"; + + # Select internationalisation properties. + i18n.defaultLocale = "en_US.UTF-8"; + # console = { + # font = "Lat2-Terminus16"; + # keyMap = "us"; + # useXkbConfig = true; # use xkb.options in tty. + # }; + + # Enable the X11 windowing system. + # services.xserver.enable = true; + + + + + # Configure keymap in X11 + # services.xserver.xkb.layout = "us"; + # services.xserver.xkb.options = "eurosign:e,caps:escape"; + + # Enable CUPS to print documents. + # services.printing.enable = true; + + # Enable sound. + # sound.enable = true; + # hardware.pulseaudio.enable = true; + + # Enable touchpad support (enabled default in most desktopManager). + # services.xserver.libinput.enable = true; + + # Define a user account. Don't forget to set a password with ‘passwd’. + # users.users.alice = { + # isNormalUser = true; + # extraGroups = [ "wheel" ]; # Enable ‘sudo’ for the user. 
+ # packages = with pkgs; [ + # firefox + # tree + # ]; + # }; + virtualisation = { + containers.enable = true; + podman = { + enable = true; + dockerCompat = true; + defaultNetwork.settings.dns_enabled = true; + }; + oci-containers.containers = { + dockerproxy = { + image = "ghcr.io/tecnativa/docker-socket-proxy:latest"; + volumes = [ "/var/run/podman/podman.sock:/var/run/docker.sock:ro" ]; + environment = { + CONTAINERS="1"; + POST="0"; + }; + extraOptions = [ "--pull=newer" "--network=www"]; + }; + swag = { + image = "lscr.io/linuxserver/swag:2.9.0-ls292"; + volumes = [ "swag-config:/config" ]; + environment = { + TZ="America/New_York"; + URL="icanttype.org"; + VALIDATION="dns"; + SUBDOMAINS="wildcard"; + DNSPLUGIN="cloudflare"; + DOCKER_HOST="dockerproxy"; + DOCKER_MODS="linuxserver/mods:swag-dashboard|linuxserver/mods:swag-auto-proxy|linuxserver/mods:universal-docker|linuxserver/mods:universal-cloudflared"; + CF_ZONE_ID="4e68852334290a922718696a0986e75a"; + CF_ACCOUNT_ID="5c1c252b9d9a9af6ea3a5de8590f36fa"; + CF_API_TOKEN="mRfY8ubtFUxzVuehI6WFipSQFIcstCNds7RF5FTQ"; + CF_TUNNEL_NAME="icanttype.org"; + CF_TUNNEL_PASSWORD="iZh4UYxVSo3S2H3XwwboM2z@mJEqYJkQ5yMTfd5p"; + FILE__CF_TUNNEL_CONFIG="/config/tunnelconfig.yml"; + EMAIL="cdombroski@gmail.com"; + }; + ports = [ "80:80" "443:443" ]; + extraOptions = [ "--pull=newer" "--network=www" "--cap-add" "NET_ADMIN" "--network-alias=icanttype.org" ]; + }; + jellyfin = { + image = "lscr.io/linuxserver/jellyfin:latest"; + volumes = [ "jellyfin-config:/config" "/video-data/media:/data/media" ]; + environment.TZ="America/New_York"; + labels.swag = "enable"; + ports = [ "1900:1900/udp" "7359:7359/udp" ]; + extraOptions = [ "--pull=newer" "--network=www" ]; + }; + zwave-js-ui = { + image = "docker.io/zwavejs/zwave-js-ui:latest"; + volumes = [ "zwave-config:/usr/src/app/store" ]; + environment.TZ = "America/New_York"; + labels = { swag = "enable"; swag_url = "zwave.icanttype.org"; }; + extraOptions = [ "--pull=newer" 
"--network=www" "--device=/dev/ttyACM0:/dev/zwave" ]; + }; + homeassistant = { + image = "lscr.io/linuxserver/homeassistant:latest"; + volumes = [ "homeassistant-config:/config" ]; + environment.TZ = "America/New_York"; + labels.swag = "enable"; + extraOptions = [ "--pull=newer" "--network=www" "--network=lan" ]; + }; + postgres = { + image = "docker.io/library/postgres:15"; + volumes = [ "postgres-15:/var/lib/postgresql/data" ]; + extraOptions = [ "--pull=newer" "--network=www" ]; + }; +# gogs = { +# image = "docker.io/gogs/gogs:latest"; +# volumes = [ "gogs-data:/data" ]; +# labels = { +# swag = "enable"; +# swag_url = "git.icanttype.org"; +# swag_port = "3000"; +# }; +# ports = [ "10022:22" ]; +# extraOptions = [ "--pull=newer" "--network=www" ]; +# }; + calibre = { + image = "lscr.io/linuxserver/calibre:latest"; + volumes = [ "calibre-config:/config" "/video-data:/data" ]; + environment.TZ = "America/New_York"; + labels.swag = "enable"; + extraOptions = [ "--pull=newer" "--network=www" ]; + }; + calibre-web = { + image = "lscr.io/linuxserver/calibre-web:latest"; + volumes = [ "calibre-web-config:/config" "/video-data:/data" ]; + environment.TZ = "America/New_York"; + labels.swag = "enable"; + extraOptions = [ "--pull=newer" "--network=www" ]; + }; + flaresolverr = { + image = "ghcr.io/flaresolverr/flaresolverr:latest"; + environment.LOG_LEVEL = "info"; + extraOptions = [ "--pull=newer" "--network=www" ]; + }; + qbittorrent = { + image = "lscr.io/linuxserver/qbittorrent:latest"; + volumes = [ "qbittorrent-config:/config" "/video-data/torrent:/data/torrent" ]; + environment = { + TZ = "America/New_York"; + UMASK_SET = "000"; + DELUGE_LOGLEVEL = "error"; + }; + labels.swag = "enable"; + ports = [ "34996:34996" "34996:34996/udp" ]; + extraOptions = [ "--pull=newer" "--network=www" ]; + }; + prowlarr = { + image = "lscr.io/linuxserver/prowlarr:latest"; + volumes = [ "prowlarr-config:/config" ]; + environment.TZ = "America/New_York"; + labels.swag = "enable"; + 
extraOptions = [ "--pull=newer" "--network=www" ]; + }; + readarr = { + image = "lscr.io/linuxserver/readarr:develop"; + volumes = [ "readarr-config:/config" "/video-data:/data" ]; + environment.TZ = "America/New_York"; + labels.swag = "enable"; + extraOptions = [ "--pull=newer" "--network=www" ]; + }; + radarr = { + image = "lscr.io/linuxserver/radarr:latest"; + volumes = [ "radarr-config:/config" "/video-data:/data" ]; + environment.TZ = "America/New_York"; + labels.swag = "enable"; + extraOptions = [ "--pull=newer" "--network=www" ]; + }; + sonarr = { + image = "lscr.io/linuxserver/sonarr:latest"; + volumes = [ "sonarr-config:/config" "/video-data:/data" ]; + environment.TZ = "America/New_York"; + labels.swag = "enable"; + extraOptions = [ "--pull=newer" "--network=www" ]; + }; + static = { + image = "docker.io/library/nginx:alpine"; + volumes = [ "/srv/docker/nginx/static:/usr/share/nginx/html:ro" "/srv/docker/nginx/config/static/default.conf:/etc/nginx/config.d/default.conf:ro" ]; + labels = { + swag = "enable"; + swag_url = "www.icanttype.org"; + }; + extraOptions = [ "--pull=newer" "--network=www" ]; + }; + forgejo = { + image = "codeberg.org/forgejo/forgejo:7"; + volumes = [ "forgejo-data:/data" "/etc/localtime:/etc/localtime:ro" ]; + labels = { + swag = "enable"; + swag_url = "git.icanttype.org"; + swag_port = "3000"; + }; + ports = [ "10022:22" ]; + extraOptions = [ "--pull=newer" "--network=www" ]; + }; + docker_dind = { + image = "docker.io/library/docker:dind"; + cmd = [ "dockerd" "-H" "tcp://0.0.0.0:2375" "--tls=false" ]; + extraOptions = [ "--pull=newer" "--privileged" "--network=www" ]; + }; + runner = { + image = "code.forgejo.org/forgejo/runner:3.4.1"; + dependsOn = [ "docker_dind" ]; + environment.DOCKER_HOST = "tcp://docker_dind:2375"; + volumes = [ "forgejo-runner:/data" ]; + cmd = [ "forgejo-runner" "daemon" ]; + extraOptions = [ "--pull=newer" "--network=www" ]; + }; + }; + }; + networking.firewall.interfaces."podman+" = { + allowedUDPPorts = 
[ 53 ]; + allowedTCPPorts = [ 53 ]; + }; + + users.users.root.openssh.authorizedKeys.keys = [ + "ssh-rsa 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" + ]; + + users.users.nixremote = { + description = "User for remote builds"; + isNormalUser = true; + uid = 1100; + openssh.authorizedKeys.keys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIH7rvqA2VG9kOPHBNgfna0YA+jEjIR6ZAKrdgWVWQjCV root@orangepihole" ]; + }; + # List packages installed in system profile. To search, run: + # $ nix search wget + environment.systemPackages = with pkgs; [ + vim # Do not forget to add an editor to edit configuration.nix! The Nano editor is also installed by default. + dive + podman-tui + docker-compose + wireguard-tools + nix-output-monitor + ]; + + # Some programs need SUID wrappers, can be configured further or are + # started in user sessions. + # programs.mtr.enable = true; + # programs.gnupg.agent = { + # enable = true; + # enableSSHSupport = true; + # }; +# programs.msmtp.enable = true; + programs.vim.defaultEditor = true; + nix = { + settings.experimental-features = [ "nix-command" "flakes" ]; + settings.trusted-users = [ "nixremote" ]; + gc = { + automatic = true; + options = "--delete-older-than 30d"; + dates = "weekly"; + }; + optimise.automatic = true; + }; + # List services that you want to enable: + + # Enable the OpenSSH daemon. + services.openssh.enable = true; + services.zfs.autoScrub.enable = true; +# services.zfs.zed.settings = { +# ZED_EMAIL_ADDR = [ "cdombroski@gmail.com" ]; +# ZED_EMAIL_PROG = "${pkgs.msmtp}/bin/msmtp"; +# ZED_EMAIL_OPTS = "@ADDRESS@"; +# ZED_USE_ENCLOSURE_LEDS = true; +# ZED_SCRUB_AFTER_RESILVER = true; +# }; +# services.zfs.zed.enableMail = false; + + # Open ports in the firewall. + # networking.firewall.allowedTCPPorts = [ ... ]; + # networking.firewall.allowedUDPPorts = [ ... ]; + # Or disable the firewall altogether. 
+ # networking.firewall.enable = false; + + # Copy the NixOS configuration file and link it from the resulting system + # (/run/current-system/configuration.nix). This is useful in case you + # accidentally delete configuration.nix. + # system.copySystemConfiguration = true; + + # This option defines the first version of NixOS you have installed on this particular machine, + # and is used to maintain compatibility with application data (e.g. databases) created on older NixOS versions. + # + # Most users should NEVER change this value after the initial install, for any reason, + # even if you've upgraded your system to a new NixOS release. + # + # This value does NOT affect the Nixpkgs version your packages and OS are pulled from, + # so changing it will NOT upgrade your system. + # + # This value being lower than the current NixOS release does NOT mean your system is + # out of date, out of support, or vulnerable. + # + # Do NOT change this value unless you have manually inspected all the changes it would make to your configuration, + # and migrated your data accordingly. + # + # For more information, see `man configuration.nix` or https://nixos.org/manual/nixos/stable/options#opt-system.stateVersion . + system.stateVersion = "23.11"; # Did you read the comment? + zramSwap.enable = true; +} + diff --git a/systems/zeus/hardware-configuration.nix b/systems/zeus/hardware-configuration.nix new file mode 100644 index 0000000..19c8a45 --- /dev/null +++ b/systems/zeus/hardware-configuration.nix 
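Review bot: The swag container's environment in the oci-containers block embeds the Cloudflare API token and tunnel password as plain string literals, so they sit in git history and end up in the world-readable Nix store on every evaluation; those values should be treated as exposed and rotated. Move them to a root-only file loaded with `environmentFiles = [ "<root-only env file, path not on the page>" ];` and keep only the non-secret CF_ZONE_ID/CF_ACCOUNT_ID inline. The same store-copy concern likely applies to `PrivateKeyFile = /etc/nixos/wireguard.priv;` and the `PresharedKeyFile` line if those unquoted path literals are string-interpolated when the networkd unit is rendered; writing them as quoted strings avoids the copy, worth confirming against the module. Separately, `docker_dind` runs `--privileged` with `dockerd -H tcp://0.0.0.0:2375 --tls=false` on the shared `www` network, so every container on that network, including the internet-facing swag proxy, has unauthenticated root-equivalent access to the host; placing dind and the runner on a dedicated network would contain that.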
@@ -0,0 +1,59 @@ +# Do not modify this file! It was generated by ‘nixos-generate-config’ +# and may be overwritten by future invocations. Please make changes +# to /etc/nixos/configuration.nix instead. +{ config, lib, pkgs, modulesPath, ... }: + +{ + imports = + [ (modulesPath + "/installer/scan/not-detected.nix") + ]; + + boot.initrd.availableKernelModules = [ "ohci_pci" "ehci_pci" "sata_nv" "sd_mod" ]; + boot.initrd.kernelModules = [ ]; + boot.kernelModules = [ "kvm-amd" ]; + boot.extraModulePackages = [ ]; + + fileSystems."/" = + { device = "zroot/root"; + fsType = "zfs"; + }; + + fileSystems."/boot" = + { device = "zboot/boot"; + fsType = "zfs"; + }; + + fileSystems."/home" = + { device = "zroot/home"; + fsType = "zfs"; + }; + + fileSystems."/nix" = + { device = "zroot/nix"; + fsType = "zfs"; + }; + + fileSystems."/var" = + { device = "zroot/var"; + fsType = "zfs"; + }; + + fileSystems."/video-data" = + { device = "rpool/video-data"; + fsType = "zfs"; + }; + + swapDevices = + [ { device = "/dev/disk/by-uuid/aecf6400-9c9f-43f9-8c57-08f3c8a633e7"; } + { device = "/dev/disk/by-uuid/3fca7d18-441c-4f39-adad-ffd882b1f210"; } + ]; + + # Enables DHCP on each ethernet and wireless interface. In case of scripted networking + # (the default) this is the recommended approach. When using systemd-networkd it's + # still possible to use this option, but it's recommended to use it in conjunction + # with explicit per-interface declarations with `networking.interfaces..useDHCP`. + networking.useDHCP = lib.mkDefault false; + + nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; + hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware; +}