nix-configs/nixos-configurations/orangepihole.nix

{
  config,
  pkgs,
  modulesPath,
  ezModules,
  lib,
  inputs,
  ...
}:

{
  imports = [
    # Include the results of the hardware scan.
    "${modulesPath}/installer/scan/not-detected.nix"
    inputs.impermanence.nixosModules.impermanence
    ezModules.dhcp
    ezModules.networkd-base
    ezModules.unbound
  ];

  boot = {
    loader = {
      grub.enable = false;
      generic-extlinux-compatible.enable = true;
      timeout = 1;
    };
    tmp.cleanOnBoot = true;
  };

  fileSystems = {
    "/" = {
      device = "none";
      fsType = "tmpfs";
      options = [
        "defaults"
        "mode=755"
      ];
    };
    "/persist" = {
      device = "/dev/disk/by-uuid/6df53c4f-42b6-478b-8be4-f7887ad18b5b";
      fsType = "btrfs";
      neededForBoot = true;
      options = [
        "compress=lzo"
        "autodefrag"
        "defaults"
        "subvol=@nixos/root"
      ];
    };
    "/boot" = {
      device = "/dev/disk/by-uuid/a4d76da9-b8eb-4615-9d64-a36e1383da80";
      fsType = "ext4";
      options = [ "defaults" ];
    };
    "/nix" = {
      device = "/dev/disk/by-uuid/6df53c4f-42b6-478b-8be4-f7887ad18b5b";
      fsType = "btrfs";
      options = [
        "compress=lzo"
        "autodefrag"
        "defaults"
        "subvol=@nixos/nix"
      ];
    };
  };
  mainInterface = "end0";
  mainInterfaceConfig = "40-end0";

  networking = {
    hostName = "orangepihole"; # Define your hostname.
    useDHCP = lib.mkDefault true;
  };
  systemd.network.networks."40-end0" = {
    matchConfig.Name = "end0";
    address = [
      "10.42.69.2/24"
      "fd72:3dd5:21ae:3c97::2/64"
    ];
    dns = [
      "10.42.69.2"
      "10.42.69.100"
    ];
    domains = [ "icanttype.org" ];
    gateway = [ "10.42.69.1" ];
    dhcpServerConfig = {
      PoolOffset = 150;
    };
  };
  zramSwap.enable = true;
  swapDevices = [
    {
      device = "/persist/swapfile";
      size = 4096;
    }
  ];
  services = {
    unbound = {
      enable = true;
      localControlSocketPath = "/var/lib/unbound/control.sock";
      settings = {
        server = {
          do-ip6 = "no";
          qname-minimisation = "yes";
          interface = [ "end0" ];
          access-control = [
            "10.0.0.0/8 allow"
            "fc::/7 allow"
          ];
        };
        include = [
          "/etc/unbound/ads.conf"
          "${../configs/unbound-local.conf}"
        ];
      };
    };
    journald.storage = "volatile";
  };

  environment = {
    systemPackages = [
      pkgs.vim
      pkgs.wget
    ];
    persistence."/persist" = {
      hideMounts = true;
      directories = [
        "/var/lib/nixos"
        "/var/lib/systemd"
        "/tmp"
      ];
      files = [
        "/etc/machine-id"
        "/etc/adjtime"
        "/etc/ssh/ssh_host_rsa_key"
        "/etc/ssh/ssh_host_rsa_key.pub"
        "/etc/ssh/ssh_host_ed25519_key"
        "/etc/ssh/ssh_host_ed25519_key.pub"
        "/etc/unbound/ads.conf"
      ];
    };
  };

  system.stateVersion = "23.11"; # Did you read the comment?
  sops.secrets."nixremote/sshkey" = { };
  nix = {
    distributedBuilds = true;
    #    settings.max-jobs = 0;
    buildMachines = [
      {
        hostName = "zeus";
        systems = [
          "x86_64-linux"
          "aarch64-linux"
        ];
        protocol = "ssh-ng";
        sshKey = config.sops.secrets."nixremote/sshkey".path;
        sshUser = "nixremote";
        supportedFeatures = [
          "nixos-test"
          "benchmark"
          "big-parallel"
          "kvm"
        ];
      }
    ];
  };
  programs.ssh.extraConfig = ''
    Host zeus
    User nixremote
    StrictHostKeyChecking accept-new
    IdentitiesOnly yes
    IdentityFile ${config.sops.secrets."nixremote/sshkey".path}
  '';
  nixpkgs.hostPlatform = lib.mkDefault "aarch64-linux";
}