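{ config, lib, pkgs, ... }:

# NixOS host configuration for "zeus": GRUB on a six-disk ZFS root, bonded
# NICs behind a macvlan "shim", a WireGuard uplink, a podman container fleet
# fronted by the swag reverse proxy, and a Samba export of /video-data.
#
# Secrets are handled by sops-nix (see sops.secrets). Nothing credential-like
# belongs inline in this file.
{
  imports =
    [ # Include the results of the hardware scan.
      ./hardware-configuration.nix
      ../../modules/common.nix
      ../../modules/aarch64-emu.nix
      ../../modules/networkd-base.nix
      ../../modules/smartd.nix
    ];

  # Bootloader: GRUB with ZFS support, installed to every pool member so the
  # host still boots after losing any single disk.
  boot.loader.grub.enable = true;
  boot.loader.grub.zfsSupport = true;
  # Newest kernel the configured ZFS package is known to build against.
  boot.kernelPackages = config.boot.zfs.package.latestCompatibleLinuxPackages;
  boot.loader.grub.devices = [ "/dev/sda" "/dev/sdb" "/dev/sdc" "/dev/sdd" "/dev/sde" "/dev/sdf" ];

  networking.hostName = "zeus"; # Define your hostname.
  # ZFS ties pool ownership to this id; keep it stable or imports will fail.
  networking.hostId = "9e95b576";

  sops.secrets = {
    # WireGuard keys, readable only by systemd-networkd which loads them.
    private_key = {
      sopsFile = ../../secrets/zeus/wireguard.yaml;
      owner = "systemd-network";
    };
    preshared_key = {
      sopsFile = ../../secrets/zeus/wireguard.yaml;
      owner = "systemd-network";
    };
    # Env file for the swag container, one KEY=value per line:
    #   CF_API_TOKEN=...
    #   CF_TUNNEL_PASSWORD=...
    # These used to be inline plaintext in this file; treat the committed
    # values as exposed and rotate them in Cloudflare.
    # PLACEHOLDER path: point sopsFile at the real sops-encrypted env file.
    swag_env = {
      sopsFile = ../../secrets/zeus/TODO-swag-env.yaml;
      format = "binary";
    };
  };

  systemd.network.netdevs = {
    # All en* ports are slaved into bond0 (active-backup, see networks below).
    bond0 = {
      netdevConfig = {
        Name = "bond0";
        Kind = "bond";
      };
      bondConfig = {
        Mode = "active-backup";
      };
    };
    # macvlan on top of the bond so the host keeps LAN reachability alongside
    # containers attached to the same parent interface.
    lan-shim = {
      netdevConfig = {
        Name = "lan-shim";
        Kind = "macvlan";
        MACAddress = "3e:53:37:25:08:ef";
      };
      macvlanConfig = {
        Mode = "bridge";
      };
    };
    # Site-to-site WireGuard link; keys come from sops, never from this file.
    wg0 = {
      netdevConfig = {
        Name = "wg0";
        Kind = "wireguard";
      };
      wireguardConfig = {
        PrivateKeyFile = config.sops.secrets.private_key.path;
        ListenPort = 51821;
      };
      wireguardPeers = [{
        wireguardPeerConfig = {
          PublicKey = "ZT+n0XONAZ6dkiIJR+2bmTT9y7WTxDNdnZo5S7b8vxE=";
          # Only the /31 transit net is routed over the tunnel.
          AllowedIPs = [ "10.98.0.0/31" ];
          PresharedKeyFile = config.sops.secrets.preshared_key.path;
          PersistentKeepalive = 25;
          Endpoint = "remote.kow.is:51821";
        };
      }];
    };
  };

  systemd.network.networks = {
    # Enslave every en* interface to bond0.
    "00-bondage" = {
      name = "en*";
      networkConfig.Bond = "bond0";
    };
    # bond0 itself carries no address; lan-shim does.
    bond0 = {
      name = "bond0";
      networkConfig.MACVLAN = "lan-shim";
    };
    lan-shim = {
      name = "lan-shim";
      address = [ "10.42.69.100/24" "fd72:3dd5:21ae:3c97:101b:87ff:fe86:5f01/64" ];
      dns = [ "10.42.69.2" ];
      domains = [ "icanttype.org" ];
      gateway = [ "10.42.69.1" ];
    };
    wg0 = {
      name = "wg0";
      address = [ "10.98.0.0/31" "fd72:3dd5:21ae:ff1a::1/64" ];
    };
  };

  virtualisation = {
    containers.enable = true;
    podman = {
      enable = true;
      dockerCompat = true;
      defaultNetwork.settings.dns_enabled = true;
    };
    # Most images below are ":latest" and re-pulled with --pull=newer, so a
    # rebuild can silently pick up a different image. Pinning tags (as swag
    # and forgejo do) is the supply-chain-safer default.
    oci-containers.containers = {
      # Filters access to the podman socket for swag's auto-proxy mod:
      # read-only container listing, no POST. Nothing else should ever be
      # handed the raw socket.
      dockerproxy = {
        image = "ghcr.io/tecnativa/docker-socket-proxy:latest";
        volumes = [ "/var/run/podman/podman.sock:/var/run/docker.sock:ro" ];
        environment = {
          CONTAINERS="1";
          POST="0";
        };
        extraOptions = [ "--pull=newer" "--network=www"];
      };
      # Internet-facing reverse proxy + ACME (DNS validation via Cloudflare)
      # + cloudflared tunnel.
      swag = {
        image = "lscr.io/linuxserver/swag:2.9.0-ls292";
        volumes = [ "swag-config:/config" ];
        environment = {
          TZ="America/New_York";
          URL="icanttype.org";
          VALIDATION="dns";
          SUBDOMAINS="wildcard";
          DNSPLUGIN="cloudflare";
          DOCKER_HOST="dockerproxy";
          DOCKER_MODS="linuxserver/mods:swag-dashboard|linuxserver/mods:swag-auto-proxy|linuxserver/mods:universal-docker|linuxserver/mods:universal-cloudflared";
          # Zone/account ids are identifiers, not credentials; they may stay here.
          CF_ZONE_ID="4e68852334290a922718696a0986e75a";
          CF_ACCOUNT_ID="5c1c252b9d9a9af6ea3a5de8590f36fa";
          CF_TUNNEL_NAME="icanttype.org";
          FILE__CF_TUNNEL_CONFIG="/config/tunnelconfig.yml";
          EMAIL="cdombroski@gmail.com";
        };
        # CF_API_TOKEN and CF_TUNNEL_PASSWORD are injected from the
        # sops-managed env file rather than committed here.
        environmentFiles = [ config.sops.secrets.swag_env.path ];
        ports = [ "80:80" "443:443" ];
        extraOptions = [ "--pull=newer" "--network=www" "--cap-add" "NET_ADMIN" "--network-alias=icanttype.org" ];
      };
      jellyfin = {
        image = "lscr.io/linuxserver/jellyfin:latest";
        volumes = [ "jellyfin-config:/config" "/video-data/media:/data/media" ];
        environment.TZ="America/New_York";
        labels.swag = "enable";
        # DLNA/discovery; the HTTP UI is only reachable through swag.
        ports = [ "1900:1900/udp" "7359:7359/udp" ];
        extraOptions = [ "--pull=newer" "--network=www" ];
      };
      zwave-js-ui = {
        image = "docker.io/zwavejs/zwave-js-ui:latest";
        volumes = [ "zwave-config:/usr/src/app/store" ];
        environment.TZ = "America/New_York";
        labels = { swag = "enable"; swag_url = "zwave.icanttype.org"; };
        extraOptions = [ "--pull=newer" "--network=www" "--device=/dev/ttyACM0:/dev/zwave" ];
      };
      # Also on the "lan" network so it can discover devices on the LAN.
      homeassistant = {
        image = "lscr.io/linuxserver/homeassistant:latest";
        volumes = [ "homeassistant-config:/config" ];
        environment.TZ = "America/New_York";
        labels.swag = "enable";
        extraOptions = [ "--pull=newer" "--network=www" "--network=lan" ];
      };
      postgres = {
        image = "docker.io/library/postgres:15";
        volumes = [ "postgres-15:/var/lib/postgresql/data" ];
        extraOptions = [ "--pull=newer" "--network=www" ];
      };
      calibre = {
        image = "lscr.io/linuxserver/calibre:latest";
        volumes = [ "calibre-config:/config" "/video-data:/data" ];
        environment.TZ = "America/New_York";
        labels.swag = "enable";
        extraOptions = [ "--pull=newer" "--network=www" ];
      };
      calibre-web = {
        image = "lscr.io/linuxserver/calibre-web:latest";
        volumes = [ "calibre-web-config:/config" "/video-data:/data" ];
        environment.TZ = "America/New_York";
        labels.swag = "enable";
        extraOptions = [ "--pull=newer" "--network=www" ];
      };
      flaresolverr = {
        image = "ghcr.io/flaresolverr/flaresolverr:latest";
        environment.LOG_LEVEL = "info";
        extraOptions = [ "--pull=newer" "--network=www" ];
      };
      qbittorrent = {
        image = "lscr.io/linuxserver/qbittorrent:latest";
        volumes = [ "qbittorrent-config:/config" "/video-data/torrent:/data/torrent" ];
        environment = {
          TZ = "America/New_York";
          # UMASK 000 makes every download world-writable on /video-data,
          # which is also exported via Samba below. "002" is usually enough
          # for the shared-group workflow.
          UMASK_SET = "000";
          # Probably a leftover from a deluge setup; qbittorrent ignores it.
          DELUGE_LOGLEVEL = "error";
        };
        labels.swag = "enable";
        ports = [ "34996:34996" "34996:34996/udp" ];
        extraOptions = [ "--pull=newer" "--network=www" ];
      };
      prowlarr = {
        image = "lscr.io/linuxserver/prowlarr:latest";
        volumes = [ "prowlarr-config:/config" ];
        environment.TZ = "America/New_York";
        labels.swag = "enable";
        extraOptions = [ "--pull=newer" "--network=www" ];
      };
      readarr = {
        image = "lscr.io/linuxserver/readarr:develop";
        volumes = [ "readarr-config:/config" "/video-data:/data" ];
        environment.TZ = "America/New_York";
        labels.swag = "enable";
        extraOptions = [ "--pull=newer" "--network=www" ];
      };
      radarr = {
        image = "lscr.io/linuxserver/radarr:latest";
        volumes = [ "radarr-config:/config" "/video-data:/data" ];
        environment.TZ = "America/New_York";
        labels.swag = "enable";
        extraOptions = [ "--pull=newer" "--network=www" ];
      };
      sonarr = {
        image = "lscr.io/linuxserver/sonarr:latest";
        volumes = [ "sonarr-config:/config" "/video-data:/data" ];
        environment.TZ = "America/New_York";
        labels.swag = "enable";
        extraOptions = [ "--pull=newer" "--network=www" ];
      };
      # Static site served by stock nginx.
      static = {
        image = "docker.io/library/nginx:alpine";
        # The nginx image loads vhosts from /etc/nginx/conf.d/; the previous
        # mount target "config.d" was never read, so the container served
        # the image's default vhost instead of the custom one.
        volumes = [ "/srv/docker/nginx/static:/usr/share/nginx/html:ro" "/srv/docker/nginx/config/static/default.conf:/etc/nginx/conf.d/default.conf:ro" ];
        labels = {
          swag = "enable";
          swag_url = "www.icanttype.org";
        };
        extraOptions = [ "--pull=newer" "--network=www" ];
      };
      forgejo = {
        image = "codeberg.org/forgejo/forgejo:7";
        volumes = [ "forgejo-data:/data" "/etc/localtime:/etc/localtime:ro" ];
        labels = {
          swag = "enable";
          swag_url = "git.icanttype.org";
          swag_port = "3000";
        };
        # Git-over-SSH on the host's 10022.
        ports = [ "10022:22" ];
        extraOptions = [ "--pull=newer" "--network=www" ];
      };
      # Docker-in-Docker backing the CI runner. It is --privileged and its
      # daemon listens on 0.0.0.0:2375 with TLS off, so every container on
      # the shared "www" network (including the internet-facing swag proxy)
      # can drive a root-equivalent daemon. A dedicated network holding only
      # docker_dind and runner would confine that blast radius.
      docker_dind = {
        image = "docker.io/library/docker:dind";
        cmd = [ "dockerd" "-H" "tcp://0.0.0.0:2375" "--tls=false" ];
        extraOptions = [ "--pull=newer" "--privileged" "--network=www" ];
      };
      runner = {
        image = "code.forgejo.org/forgejo/runner:3.4.1";
        dependsOn = [ "docker_dind" ];
        environment.DOCKER_HOST = "tcp://docker_dind:2375";
        volumes = [ "forgejo-runner:/data" ];
        cmd = [ "forgejo-runner" "daemon" ];
        extraOptions = [ "--pull=newer" "--network=www" ];
      };
    };
  };

  networking.firewall = {
    # Let containers resolve names through the host-side DNS stub.
    interfaces."podman+" = {
      allowedUDPPorts = [ 53 ];
      allowedTCPPorts = [ 53 ];
    };
    # NetBIOS/SMB. These are opened on every interface, wg0 included; if the
    # share is only meant for the LAN, scope them under interfaces.lan-shim.
    allowedUDPPorts = [ 137 138 ];
    allowedTCPPorts = [ 139 445 ];
  };

  # Unprivileged account used as a remote build target.
  users.users.nixremote = {
    description = "User for remote builds";
    isNormalUser = true;
    uid = 1100;
    openssh.authorizedKeys.keys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIH7rvqA2VG9kOPHBNgfna0YA+jEjIR6ZAKrdgWVWQjCV root@orangepihole" ];
  };

  environment.systemPackages = with pkgs; [
    vim # Do not forget to add an editor to edit configuration.nix! The Nano editor is also installed by default.
    dive
    podman-tui
    docker-compose
    wireguard-tools
  ];

  services.samba.enable = true;
  services.samba.shares = {
    # Anonymous, writable export of the media pool. Anyone who can reach
    # 445 (see firewall above) can modify /video-data without credentials.
    media = {
      path = "/video-data";
      browseable = "yes";
      "read only" = "no";
      "guest ok" = "yes";
    };
  };

  services.zfs.autoScrub.enable = true;
  # ZED notifications go out through msmtp directly; enableMail stays false
  # so the module does not override ZED_EMAIL_PROG/OPTS with its own values.
  services.zfs.zed.settings = {
    ZED_EMAIL_ADDR = [ "root" ];
    ZED_EMAIL_PROG = "${pkgs.msmtp}/bin/msmtp";
    ZED_EMAIL_OPTS = "@ADDRESS@";
    ZED_NOTIFY_INTERVAL_SECS = 3600;
    ZED_NOTIFY_VERBOSE = true;
    ZED_USE_ENCLOSURE_LEDS = true;
    ZED_SCRUB_AFTER_RESILVER = true;
  };
  services.zfs.zed.enableMail = false;

  system.stateVersion = "23.11"; # Did you read the comment?

  zramSwap.enable = true;
}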