my nix configs for my servers and desktop
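# hosts/valefar/configuration.nix (or default.nix)
#
# NixOS host module for "valefar": a ZFS-backed storage / hypervisor box that
# serves NFS, SMB and AFP (Time Machine) shares and runs a handful of
# self-hosted services (garage, forgejo, immich, ollama/open-webui, docker,
# GitHub runners).
#
# Security review — changes relative to the previous revision, details in the
# NOTE(review) comments next to each setting:
#   * the host firewall was disabled outright (`networking.firewall.enable =
#     false`), so every listener was reachable on the LAN and on the global
#     IPv6 address configured below; it is now enabled with an explicit
#     allowlist, and the NFSv3 helper ports are pinned so they can be allowed;
#   * the NFS export of /storage was granted to `*` (any client) — it is now
#     limited to the networks Samba and fail2ban already trust;
#   * Samba had an IPv4-only `hosts allow` AND an IPv4-only `hosts deny`; with
#     both lists set, Samba allows a client that matches neither, i.e. every
#     IPv6 peer.  Only the allow list is kept, which denies everything else;
#   * the Time Machine share allowed guest access (`public = yes`) and its
#     directory was world-readable on the host;
#   * ../../common/nvidia.nix was imported twice.
{ config, lib, pkgs, modulesPath, microvm, inputs, ... }:

let
  # Networks allowed to reach the file shares.  10.0.0.0/24 is the LAN this
  # host sits on (see systemd.network below); 100.64.0.0/10 is the CGNAT range
  # Tailscale hands out — the same ranges the fail2ban and Samba config below
  # already treat as trusted.
  # NOTE(review): nothing in this file enables tailscale; confirm it comes from
  # ../../common/services.nix, otherwise drop 100.64.0.0/10 and "tailscale0".
  trustedNetworks = [ "10.0.0.0/24" "100.64.0.0/10" ];

  # Export options for /storage.
  # NOTE(review): no_root_squash lets root on any allowed client act as root
  # on /storage (including the Time Machine and immich data).  Keep it only if
  # a client genuinely needs it; root_squash is the safer default.
  nfsExportOptions = "rw,sync,no_subtree_check,no_root_squash";

  # Fixed ports for the NFSv3 helper daemons (statd / lockd / mountd).  Without
  # pinning they pick random ports and cannot be allowed through the firewall;
  # 2049 alone only serves NFSv4 clients.
  nfsStatdPort = 4000;
  nfsLockdPort = 4001;
  nfsMountdPort = 4002;
in
{
  # =============================================================================
  # IMPORTS
  # =============================================================================
  imports = [
    ./hardware.nix
    ./secrets.nix

    ../../host-secrets.nix

    ../../common/system.nix
    ../../common/users.nix
    ../../common/services.nix
    ../../common/efi.nix

    # Listed once (it appeared twice before; the module system deduplicates
    # identical paths, but a single entry is clearer).
    ../../common/nvidia.nix
  ];

  # =============================================================================
  # SYSTEM CONFIGURATION
  # =============================================================================
  system.stateVersion = "24.11";
  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";

  # Load AMD microcode updates whenever redistributable firmware is allowed.
  hardware.cpu.amd.updateMicrocode = lib.mkDefault
    config.hardware.enableRedistributableFirmware;

  # =============================================================================
  # CUSTOM MODULES
  # =============================================================================
  modules.garage.enable = true;
  modules.forgejo.enable = true;
  modules.immich.enable = true;
  # NOTE(review): self-hosted runners execute workflow code from the
  # repositories they are registered to, on a host that also holds personal
  # data (NFS/SMB shares, photo library) and has docker.  Make sure they are
  # not used for repositories that run untrusted pull-request workflows.
  modules.github-runners.enable = true;

  # =============================================================================
  # NETWORKING
  # =============================================================================
  networking = {
    hostName = "valefar";
    hostId = "2a07da90";
    useNetworkd = true;

    # NOTE(review): the previous revision set `firewall.enable = false`.  That
    # exposed every listener (NFS, SMB, AFP, docker-published ports, anything
    # started from code-server, ...) on the LAN and — unless the upstream
    # router filters inbound IPv6 — on the internet via the global IPv6
    # address configured below.  fail2ban also relies on the firewall to
    # enforce its bans (NixOS warns that it cannot be used without one).
    firewall = {
      enable = true;

      # Carried over from the earlier allowlist: traffic arriving over the
      # tailscale interface is trusted wholesale.  Harmless if the interface
      # does not exist.
      trustedInterfaces = [ "tailscale0" ];

      allowedTCPPorts = [
        22            # ssh
        80 443        # HTTP/HTTPS; kept from the earlier allowlist (presumably the forgejo/immich/garage front-ends — confirm)
        111           # rpcbind, needed by NFSv3 clients
        2049          # nfsd
        nfsStatdPort nfsLockdPort nfsMountdPort
        445           # SMB (Time Machine share, advertised via avahi below)
        548           # AFP (netatalk Time Machine volume)
        # Kept from the earlier allowlist.  NOTE(review): 2456/2457 look like
        # game-server ports for the microvm that is commented out at the end
        # of this file; drop whatever is no longer in use.
        2456 2457 9000 9001 9002
      ];
      allowedUDPPorts = [
        111 2049
        nfsStatdPort nfsLockdPort nfsMountdPort
        2456 2457
      ];
      # services.avahi opens 5353/udp itself (openFirewall defaults to true).
    };
  };
  systemd.network.enable = true;

  services.proxmox-ve.bridges = [ "vmbr0" ];

  # enp6s0 is enslaved to the vmbr0 bridge; the host's own address lives on the
  # bridge (see "10-lan-bridge").
  systemd.network.networks."10-lan" = {
    matchConfig.Name = ["enp6s0"];
    networkConfig = {
      Bridge = "vmbr0";
    };
  };
  # Unit name "br0" is just the file name; the bridge itself is "vmbr0".
  systemd.network.netdevs."br0" = {
    netdevConfig = {
      Name = "vmbr0";
      Kind = "bridge";
    };
  };

  systemd.network.networks."10-lan-bridge" = {
    matchConfig.Name = "vmbr0";
    networkConfig = {
      # 2601:5c2:8400:26c0::30 is a global-unicast address (2000::/3), so this
      # host is addressable from outside the LAN as far as the upstream router
      # lets traffic in — hence the firewall above.
      Address = ["10.0.0.30/24" "2601:5c2:8400:26c0::30/64"];
      Gateway = "10.0.0.1";
      DNS = ["10.0.0.210" "1.1.1.1" "1.0.0.1"];
      IPv6AcceptRA = true;
    };
    linkConfig.RequiredForOnline = "routable";
  };

  # DNS resolution.  Plain, non-validating DNS: 10.0.0.210 is presumably the
  # LAN resolver, 1.1.1.1 the public fallback.  NOTE(review): queries to
  # 1.1.1.1 leave the network unencrypted; set dnsovertls = "opportunistic"
  # or "true" if that matters.
  services.resolved = {
    enable = true;
    dnssec = "false";
    domains = [ "~." ];
    fallbackDns = [ "10.0.0.210" "1.1.1.1" ];
    dnsovertls = "false";
  };

  # =============================================================================
  # BOOT & FILESYSTEMS
  # =============================================================================
  boot = {
    supportedFilesystems = [ "zfs" ];
    # nct6775 / coretemp: sensor drivers for lm_sensors (installed below).
    kernelModules = [ "nct6775" "coretemp" ];

    zfs = {
      extraPools = [ "garage" "storage" ];
      devNodes = "/dev/disk/by-id";
      # NOTE(review): forceImportAll imports every pool found, even one that
      # was not cleanly exported by another host.  Fine for locally attached
      # disks; do not use it with disks that can be attached to two machines.
      forceImportAll = true;
    };
  };

  # =============================================================================
  # ZFS CONFIGURATION
  # =============================================================================
  # Import by scanning /dev/disk/by-id after udev has settled instead of using
  # the zpool cache file.
  systemd.services.zfs-import-cache.enable = false;
  systemd.services.zfs-import-scan = {
    enable = true;
    after = [ "systemd-udev-settle.service" ];
    wants = [ "systemd-udev-settle.service" ];
  };

  # Mount units for the two extra pools; both wait for the scan import.
  systemd.mounts = [
    {
      what = "garage";
      where = "/garage";
      type = "zfs";
      after = [ "zfs-import-scan.service" ];
      wants = [ "zfs-import-scan.service" ];
    }
    {
      what = "storage";
      where = "/storage";
      type = "zfs";
      after = [ "zfs-import-scan.service" ];
      wants = [ "zfs-import-scan.service" ];
    }
  ];

  # ZFS maintenance
  services.zfs = {
    autoScrub.enable = true;
    trim.enable = true;
  };

  # =============================================================================
  # DIRECTORY STRUCTURE
  # =============================================================================
  systemd.tmpfiles.rules = [
    "d /storage/immich 0755 immich immich -"
    "d /storage/immich/photos 0755 immich immich -"
    # Recursively re-applies ownership/mode to the photo library on every boot.
    "Z /storage/immich 0755 immich immich -"
    # Time Machine targets: the SMB share (tm_share) and the netatalk AFP
    # volume (timemachine).  Both are only ever accessed as `regent` (see
    # `force user` / `valid users` below), so keep the backups unreadable by
    # the other service accounts on this host (0755 -> 0750).
    "d /storage/tm_share 0750 regent users -"
    "d /storage/timemachine 0750 regent users -"
    # NOTE(review): recursive chown/chmod of the whole garage pool on every
    # boot; this gets slow as the object store grows.
    "Z /garage/ 0755 garage garage -"
  ];

  # =============================================================================
  # NFS SERVER
  # =============================================================================
  services.nfs.server = {
    enable = true;
    statdPort = nfsStatdPort;
    lockdPort = nfsLockdPort;
    mountdPort = nfsMountdPort;
    # NOTE(review): previously `/storage *(...)`, i.e. exported to any client
    # that could reach port 2049.  Now limited to the trusted networks, one
    # client spec per network.
    exports = ''
      /storage ${lib.concatMapStringsSep " " (net: "${net}(${nfsExportOptions})") trustedNetworks}
    '';
  };

  services.samba = {
    enable = true;
    settings = {
      global = {
        "workgroup" = "WORKGROUP";
        "server string" = "valefar";
        "netbios name" = "valefar";
        "security" = "user";

        # Only `hosts allow` is set: Samba then denies every client not on
        # the list.  NOTE(review): the earlier config also had
        # `hosts deny = 0.0.0.0/0`.  When both lists are present Samba allows a
        # client that matches neither, and both lists were IPv4-only, so any
        # IPv6 client (this host has a global IPv6 address) got through.
        # Verify with `testparm /etc/samba/smb.conf <host> <ipv6-addr>`.
        "hosts allow" = lib.concatStringsSep " "
          (trustedNetworks ++ [ "127.0.0.1" "::1" "localhost" ]);
        "guest account" = "nobody";
        "map to guest" = "bad user";
      };

      "tm_share" = {
        "path" = "/storage/tm_share";
        "valid users" = "regent";
        # `public = yes` is a synonym for `guest ok = yes` and contradicted
        # `valid users`; backups should never be reachable as guest.
        "public" = "no";
        "writeable" = "yes";
        "force user" = "regent";
        "fruit:aapl" = "yes";
        "fruit:time machine" = "yes";
        "vfs objects" = "catia fruit streams_xattr";
      };
    };
  };

  # AFP Time Machine volume (separate directory from the SMB share above; it is
  # created by the tmpfiles rule).
  services.netatalk = {
    enable = true;
    settings = {
      time-machine = {
        path = "/storage/timemachine";
        "valid users" = "regent";
        "time machine" = true;
      };
    };
  };

  # mDNS advertisement of the SMB Time Machine share so macOS discovers it.
  services.avahi = {
    enable = true;
    nssmdns = true;
    publish = {
      enable = true;
      userServices = true;
    };

    extraServiceFiles = {
      timemachine = ''
        <?xml version="1.0" standalone='no'?>
        <!DOCTYPE service-group SYSTEM "avahi-service.dtd">
        <service-group>
          <name replace-wildcards="yes">%h</name>
          <service>
            <type>_smb._tcp</type>
            <port>445</port>
          </service>
          <service>
            <type>_device-info._tcp</type>
            <port>0</port>
            <txt-record>model=TimeCapsule8,119</txt-record>
          </service>
          <service>
            <type>_adisk._tcp</type>
            <!--
              change tm_share to share name, if you changed it.
            -->
            <txt-record>dk0=adVN=tm_share,adVF=0x82</txt-record>
            <txt-record>sys=waMa=0,adVF=0x100</txt-record>
          </service>
        </service-group>
      '';
    };
  };

  # =============================================================================
  # SERVICES
  # =============================================================================
  services.vscode-server = {
    enable = true;
    nodejsPackage = pkgs.nodejs_20;
  };

  # Neither ollama nor open-webui is in the firewall allowlist above, so they
  # are only reachable locally (or through whatever front-end proxies them).
  services.ollama = {
    enable = true;
    loadModels = ["deepseek-r1:1.5b" "gemma3:12b"];
    acceleration = "cuda";
  };

  services.open-webui.enable = true;

  # =============================================================================
  # VIRTUALIZATION
  # =============================================================================
  # NOTE(review): ports published by docker containers (`-p`) are inserted by
  # docker's own iptables rules and bypass the NixOS firewall allowlist; bind
  # them to 127.0.0.1 unless they are meant to be reachable.
  virtualisation.docker = {
    enable = true;
    enableOnBoot = true;
  };

  # fail2ban bans are enforced through the firewall enabled above.
  services.fail2ban = {
    enable = true;
    # Ban IP after 5 failures
    maxretry = 5;
    # LAN, other RFC1918 space and the Tailscale range are never banned.
    ignoreIP = [
      "10.0.0.0/8" "172.16.0.0/12" "192.168.0.0/16" "100.64.0.0/10"
    ];
    bantime = "24h"; # Ban IPs for one day on the first ban
    bantime-increment = {
      enable = true; # Enable increment of bantime after each violation
      multipliers = "1 2 4 8 16 32 64";
      maxtime = "168h"; # Do not ban for more than 1 week
      overalljails = true; # Calculate the bantime based on all the violations
    };
  };

  # =============================================================================
  # PACKAGES
  # =============================================================================
  environment.systemPackages = with pkgs; [
    lm_sensors
    code-server
    inputs.agenix.packages.x86_64-linux.default
  ];


  # =============================================================================
  # VIRTUAL MACHINES
  # =============================================================================
  /*systemd.services."microvm@".after = [ "microvm-virtiofsd@%i.service" ];

  microvm.vms = {
    gameservers = {
      config = import ./gamevm.nix;
    };
  };

  microvm.autostart = [
    "gameservers"
  ];*/
}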