my nix configs for my servers and desktop
nekomimi.pet
1# hosts/valefar/configuration.nix (or default.nix)
2{ config, lib, pkgs, modulesPath, microvm, inputs, ... }:
3{
4 # =============================================================================
5 # IMPORTS
6 # =============================================================================
7 imports = [
8 # Host-specific hardware
9 ./hardware.nix
10 ./secrets.nix
11 ../../common/nvidia.nix
12
13 # Common secrets
14 ../../host-secrets.nix
15
16 # Common modules shared across hosts
17 ../../common/system.nix
18 ../../common/users.nix
19 ../../common/services.nix
20 ../../common/efi.nix
21
22 # Hardware-specific (commented out)
23 # ../../common/nvidia.nix
24 ];
25
26 # =============================================================================
27 # SYSTEM CONFIGURATION
28 # =============================================================================
29 system.stateVersion = "24.11";
30 nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
31
32 # Intel microcode updates
33 hardware.cpu.intel.updateMicrocode = lib.mkDefault
34 config.hardware.enableRedistributableFirmware;
35
36 # =============================================================================
37 # CUSTOM MODULES
38 # =============================================================================
39 modules.garage.enable = true;
40 modules.forgejo.enable = true;
41 modules.immich.enable = true;
42 modules.github-runners.enable = true;
43
44 # =============================================================================
45 # NETWORKING
46 # =============================================================================
47 /*networking = {
48 hostName = "valefar";
49 hostId = "2a07da90";
50 firewall.enable = false;
51 firewall.trustedInterfaces = [ "tailscale0" ];
52 nameservers = [ "10.0.0.210" "1.1.1.1" ];
53 useDHCP = true;
54 firewall.allowedTCPPorts = [ 22 80 443 2049 2456 2457 9000 9001 9002 ];
55 firewall.allowedUDPPorts = [ 2049 ];
56 };*/
57 networking.useNetworkd = true;
58 systemd.network.enable = true;
59 networking.hostName = "valefar";
60 networking.hostId = "2a07da90";
61 networking.firewall.enable = false;
62
63 systemd.network.networks."10-lan" = {
64 matchConfig.Name = ["enp6s0" "vm-*"];
65 networkConfig = {
66 Bridge = "br0";
67 };
68 };
69 systemd.network.netdevs."br0" = {
70 netdevConfig = {
71 Name = "br0";
72 Kind = "bridge";
73 };
74 };
75
76 systemd.network.networks."10-lan-bridge" = {
77 matchConfig.Name = "br0";
78 networkConfig = {
79 Address = ["10.0.0.30/24" "2601:5c2:8400:26c0::30/64"];
80 Gateway = "10.0.0.1";
81 DNS = ["10.0.0.210" "1.1.1.1" "1.0.0.1"];
82 IPv6AcceptRA = true;
83 };
84 linkConfig.RequiredForOnline = "routable";
85 };
86
87 # DNS resolution
88 services.resolved = {
89 enable = true;
90 dnssec = "false";
91 domains = [ "~." ];
92 fallbackDns = [ "10.0.0.210" "1.1.1.1" ];
93 dnsovertls = "false";
94 };
95
96 # =============================================================================
97 # BOOT & FILESYSTEMS
98 # =============================================================================
99 boot = {
100 supportedFilesystems = [ "zfs" ];
101 kernelModules = [ "nct6775" "coretemp" ];
102
103 zfs = {
104 extraPools = [ "garage" "storage" ];
105 devNodes = "/dev/disk/by-id";
106 forceImportAll = true;
107 };
108 };
109
110 # =============================================================================
111 # ZFS CONFIGURATION
112 # =============================================================================
113 # ZFS import services
114 systemd.services.zfs-import-cache.enable = false;
115 systemd.services.zfs-import-scan = {
116 enable = true;
117 after = [ "systemd-udev-settle.service" ];
118 wants = [ "systemd-udev-settle.service" ];
119 };
120
121 # ZFS mount points
122 systemd.mounts = [
123 {
124 what = "garage";
125 where = "/garage";
126 type = "zfs";
127 after = [ "zfs-import-scan.service" ];
128 wants = [ "zfs-import-scan.service" ];
129 }
130 {
131 what = "storage";
132 where = "/storage";
133 type = "zfs";
134 after = [ "zfs-import-scan.service" ];
135 wants = [ "zfs-import-scan.service" ];
136 }
137 ];
138
139 # ZFS maintenance
140 services.zfs = {
141 autoScrub.enable = true;
142 trim.enable = true;
143 };
144
145 # =============================================================================
146 # DIRECTORY STRUCTURE
147 # =============================================================================
148 systemd.tmpfiles.rules = [
149 "d /storage/immich 0755 immich immich -"
150 "d /storage/immich/photos 0755 immich immich -"
151 "Z /storage/immich 0755 immich immich -"
152 "d /storage/tm_share 0755 regent users"
153 ];
154
155 # =============================================================================
156 # NFS SERVER
157 # =============================================================================
158 services.nfs.server = {
159 enable = true;
160 exports = ''
161 /storage *(rw,sync,no_subtree_check,no_root_squash)
162 '';
163 };
164
165 services.samba = {
166 enable = true;
167 settings = {
168 global = {
169 "workgroup" = "WORKGROUP";
170 "server string" = "valefar";
171 "netbios name" = "valefar";
172 "security" = "user";
173
174 "hosts allow" = "100.64.0.0/10 10.0.0.0/24 127.0.0.1 localhost";
175 "hosts deny" = "0.0.0.0/0";
176 "guest account" = "nobody";
177 "map to guest" = "bad user";
178 };
179
180 "tm_share" = {
181 "path" = "/storage/tm_share";
182 "valid users" = "regent";
183 "public" = "yes";
184 "writeable" = "yes";
185 "force user" = "regent";
186 "fruit:aapl" = "yes";
187 "fruit:time machine" = "yes";
188 "vfs objects" = "catia fruit streams_xattr";
189 };
190 };
191 };
192
193 services.netatalk = {
194 enable = true;
195 settings = {
196 time-machine = {
197 path = "/storage/timemachine";
198 "valid users" = "regent";
199 "time machine" = true;
200 };
201 };
202 };
203
204 services.avahi = {
205 enable = true;
206 nssmdns = true;
207 publish = {
208 enable = true;
209 userServices = true;
210 };
211
212 extraServiceFiles = {
213 timemachine = ''
214 <?xml version="1.0" standalone='no'?>
215 <!DOCTYPE service-group SYSTEM "avahi-service.dtd">
216 <service-group>
217 <name replace-wildcards="yes">%h</name>
218 <service>
219 <type>_smb._tcp</type>
220 <port>445</port>
221 </service>
222 <service>
223 <type>_device-info._tcp</type>
224 <port>0</port>
225 <txt-record>model=TimeCapsule8,119</txt-record>
226 </service>
227 <service>
228 <type>_adisk._tcp</type>
229 <!--
230 change tm_share to share name, if you changed it.
231 -->
232 <txt-record>dk0=adVN=tm_share,adVF=0x82</txt-record>
233 <txt-record>sys=waMa=0,adVF=0x100</txt-record>
234 </service>
235 </service-group>
236 '';
237 };
238 };
239
240 # =============================================================================
241 # SERVICES
242 # =============================================================================
243 services.vscode-server = {
244 enable = true;
245 nodejsPackage = pkgs.nodejs_20;
246 };
247
248 # =============================================================================
249 # VIRTUALIZATION
250 # =============================================================================
251 virtualisation.docker = {
252 enable = true;
253 enableOnBoot = true;
254 package = pkgs.docker.override {
255 buildGoModule = pkgs.buildGo123Module;
256 };
257 };
258
259 # =============================================================================
260 # PACKAGES
261 # =============================================================================
262 environment.systemPackages = with pkgs; [
263 lm_sensors
264 code-server
265 inputs.agenix.packages.x86_64-linux.default
266 ];
267
268
269 # =============================================================================
270 # VIRTUAL MACHINES
271 # =============================================================================
272 systemd.services."microvm@".after = [ "microvm-virtiofsd@%i.service" ];
273
274 microvm.vms = {
275 gameservers = {
276 config = import ./gamevm.nix;
277 };
278 };
279
280 microvm.autostart = [
281 "gameservers"
282 ];
283}