nixos/hosts/architect/default.nix

{ config, pkgs, lib, ... }:

let
  macbookPubkey = (import ../pubkeys.nix).macbook;
  pubkeys = [ macbookPubkey ];
  domain = "devs.giugl.io";

  utilities = import ./utilities.nix { inherit lib config; };
  inherit (utilities) generateDeviceStrings;
in
{
  imports = [
    ./options.nix
    ./backup.nix
    ./hardware.nix
    ./firewall.nix
    ./nginx.nix
    ./gitea.nix
    ./sonarr.nix
    ./radarr.nix
    ./bazarr.nix
    ./nzbget.nix
    ./nextcloud.nix
    ./minio.nix
    ./matrix.nix
    ./fail2ban.nix
    ./dns.nix
    # ./minecraft.nix
    ./prowlarr.nix
    ./redlib.nix
    # ./invidious.nix
    ./jellyfin.nix
    # ./docker.nix
    ./tailscale.nix
    ./headscale.nix
    ./llm.nix
    # ./photoprism.nix
    ./sunshine.nix
    ./jellyseer.nix
    ./teslamate.nix
    ./postgres.nix
    ./netdata.nix
    ./homeassistant.nix
  ];

  age.identityPaths = [ "/root/.ssh/id_ed25519" ];

  architect = {
    networks.lan = {
      interface = "enp6s0";
      net = "10.0.0.0/24";
      devices = {
        architect = { address = "10.0.0.250"; hostname = "architect.${domain}"; };
        router = { address = "10.0.0.1"; hostname = "router.${domain}"; };
        dvr = { address = "10.0.0.3"; hostname = "dvr.${domain}"; };
      };
    };

    firewall = {
      openTCP = [ 22 ];
    };
  };

  time.timeZone = "Europe/London";
  users.users.giulio.openssh.authorizedKeys.keys = pubkeys;
  boot = {
    initrd = {
      availableKernelModules = [ "igc" "r8169" ];
      network = {
        enable = true;
        ssh = {
          enable = true;
          port = 22;
          hostKeys = [ /secrets/ssh_host_rsa_key ];
          authorizedKeys = pubkeys;
        };
      };
    };

    kernelParams = with config.architect.networks.lan; [
      "ip=${devices.architect.address}::${devices.router.address}:255.255.255.0::${interface}:off"
    ];

    kernel.sysctl = { "net.ipv4.ip_forward" = 1; };

    loader = {
      systemd-boot = {
        enable = true;
        memtest86.enable = true;
      };
      efi.canTouchEfiVariables = true;
    };

    supportedFilesystems = [ "zfs" ];
    zfs.requestEncryptionCredentials = true;
    tmp.tmpfsSize = "50%";
  };

  networking = with config.architect.networks.lan; {
    hostName = "architect";
    hostId = "49350853";
    useDHCP = false;
    defaultGateway = devices.router.address;
    interfaces = {
      ${interface}.ipv4.addresses = [{
        address = devices.architect.address;
        prefixLength = 24;
      }];
    };
    extraHosts = (generateDeviceStrings config.architect.networks.lan.devices) + ''

      # Blacklist
      0.0.0.0                metrics.plex.tv
      0.0.0.0                analytics.plex.tv
      0.0.0.0                cdn.luckyorange.com
      0.0.0.0                w1.luckyorange.com
      0.0.0.0                browser.sentry-cdn.com
      0.0.0.0                analytics.facebook.com
      0.0.0.0                ads.facebook.com
      0.0.0.0                extmaps-api.yandex.net
      0.0.0.0                logservice.hicloud.com
      0.0.0.0                logbak.hicloud.com
      0.0.0.0                logservice1.hicloud.com
      0.0.0.0                samsung-com.112.2o7.net
      0.0.0.0                supportmetrics.apple.com
      0.0.0.0                analytics.oneplus.cn
      0.0.0.0                click.oneplus.cn
      0.0.0.0        analytics-api.samsunghealthcn.com
    '';
  };

  hardware.opengl = {
    enable = true;
    extraPackages = with pkgs; [ vaapiVdpau ];
  };

  services = {
    fwupd.enable = true;
    das_watchdog.enable = true;
    zfs.autoScrub.enable = true;

    openssh = {
      enable = true;

      settings = {
        PasswordAuthentication = false;
        KbdInteractiveAuthentication = false;
      };

      extraConfig = ''
        MaxAuthTries 15
      '';
    };
    smartd.enable = true;
  };
}
architect: Use networking options 2023-05-12 12:48:45 +01:00			`{ config, pkgs, lib, ... }:`
using conf structure as sondr3 2021-07-01 01:02:55 +01:00
maxi update giupi 2021-07-03 23:43:52 +01:00			`let`
refactor(architect/default.nix): centralize public keys in `pubkeys.nix` 2024-12-06 21:06:17 +00:00			`macbookPubkey = (import ../pubkeys.nix).macbook;`
			`pubkeys = [ macbookPubkey ];`
architect: Use networking options 2023-05-12 12:48:45 +01:00			`domain = "devs.giugl.io";`
Initial move to 23.05 2023-05-27 23:16:46 +01:00
architect: services use new networking attrset 2023-05-12 22:05:10 +01:00			`utilities = import ./utilities.nix { inherit lib config; };`
			`inherit (utilities) generateDeviceStrings;`
Formatting 2023-02-11 02:29:48 +00:00			`in`
			`{`
			`imports = [`
architect: Refactored firewall settings. Added architect.firewall option 2023-02-14 23:19:52 +00:00			`./options.nix`
formatting 2021-11-21 23:41:17 +00:00			`./backup.nix`
			`./hardware.nix`
			`./firewall.nix`
			`./nginx.nix`
gitea: reenable gitea 2023-06-05 02:16:19 +01:00			`./gitea.nix`
formatting 2021-11-21 23:41:17 +00:00			`./sonarr.nix`
			`./radarr.nix`
			`./bazarr.nix`
			`./nzbget.nix`
			`./nextcloud.nix`
			`./minio.nix`
			`./matrix.nix`
			`./fail2ban.nix`
			`./dns.nix`
architect: disabled services, updated network interface after hw change 2024-02-21 11:30:59 +00:00			`# ./minecraft.nix`
formatting 2021-11-21 23:41:17 +00:00			`./prowlarr.nix`
feat: bump to 24.11 2024-11-18 19:58:44 +00:00			`./redlib.nix`
architect: disabled a few unused services 2023-12-02 17:41:08 +00:00			`# ./invidious.nix`
architect: disabled services, updated network interface after hw change 2024-02-21 11:30:59 +00:00			`./jellyfin.nix`
refactor(architect/default.nix): comment out docker.nix 2024-12-10 11:53:05 +00:00			`# ./docker.nix`
architect: Added initial support for Tailscale 2023-01-30 08:46:20 +00:00			`./tailscale.nix`
headscale: init 2023-05-06 14:04:25 +01:00			`./headscale.nix`
architect: enabled LLM 2023-11-16 12:26:06 +00:00			`./llm.nix`
architect: disabled services, updated network interface after hw change 2024-02-21 11:30:59 +00:00			`# ./photoprism.nix`
			`./sunshine.nix`
feat(architect): enable jellyseer 2024-09-10 15:44:04 +01:00			`./jellyseer.nix`
feat(architect/default.nix): add teslamate and postgres services 2024-11-17 20:30:11 +00:00			`./teslamate.nix`
			`./postgres.nix`
feat(architect): add netdata monitoring service 2024-12-06 23:30:35 +00:00			`./netdata.nix`
feat(architect): add Home Assistant configuration - Added `homeassistant.nix` to the list of services in `default.nix` - Configured Home Assistant with basic settings and extra components - Set up vhost for Home Assistant with specified domain and network interfaces - Included necessary Python packages for Home Assistant components 2024-12-09 10:35:38 +00:00			`./homeassistant.nix`
formatting 2021-11-21 23:41:17 +00:00			`];`

feat(secrets): add initial secrets.nix configuration 2024-12-06 20:49:18 +00:00			`age.identityPaths = [ "/root/.ssh/id_ed25519" ];`

architect: Use networking options 2023-05-12 12:48:45 +01:00			`architect = {`
			`networks.lan = {`
architect: disabled services, updated network interface after hw change 2024-02-21 11:30:59 +00:00			`interface = "enp6s0";`
architect: Use networking options 2023-05-12 12:48:45 +01:00			`net = "10.0.0.0/24";`
			`devices = {`
			`architect = { address = "10.0.0.250"; hostname = "architect.${domain}"; };`
			`router = { address = "10.0.0.1"; hostname = "router.${domain}"; };`
			`dvr = { address = "10.0.0.3"; hostname = "dvr.${domain}"; };`
			`};`
			`};`

			`firewall = {`
			`openTCP = [ 22 ];`
			`};`
			`};`

architect: disabled services, updated network interface after hw change 2024-02-21 11:30:59 +00:00			`time.timeZone = "Europe/London";`
formatting 2021-11-21 23:41:17 +00:00			`users.users.giulio.openssh.authorizedKeys.keys = pubkeys;`
			`boot = {`
			`initrd = {`
			`availableKernelModules = [ "igc" "r8169" ];`
			`network = {`
			`enable = true;`
			`ssh = {`
maxi update giupi 2021-07-03 23:43:52 +01:00			`enable = true;`
formatting 2021-11-21 23:41:17 +00:00			`port = 22;`
mah boh 2022-07-06 19:34:12 +01:00			`hostKeys = [ /secrets/ssh_host_rsa_key ];`
formatting 2021-11-21 23:41:17 +00:00			`authorizedKeys = pubkeys;`
cleaned a bit 2021-07-01 01:05:43 +01:00			`};`
maxi update giupi 2021-07-03 23:43:52 +01:00			`};`
cleaned a bit 2021-07-01 01:05:43 +01:00			`};`
mah boh 2022-07-06 19:34:12 +01:00
architect: Use networking options 2023-05-12 12:48:45 +01:00			`kernelParams = with config.architect.networks.lan; [`
			`"ip=${devices.architect.address}::${devices.router.address}:255.255.255.0::${interface}:off"`
mah boh 2022-07-06 19:34:12 +01:00			`];`

			`kernel.sysctl = { "net.ipv4.ip_forward" = 1; };`
cleaned a bit 2021-07-01 01:05:43 +01:00
formatting 2021-11-21 23:41:17 +00:00			`loader = {`
mah boh 2022-07-06 19:34:12 +01:00			`systemd-boot = {`
many updates, yasssss 2022-03-15 15:58:04 +00:00			`enable = true;`
			`memtest86.enable = true;`
			`};`
formatting 2021-11-21 23:41:17 +00:00			`efi.canTouchEfiVariables = true;`
			`};`
maxi update giupi 2021-07-03 23:43:52 +01:00
formatting 2021-11-21 23:41:17 +00:00			`supportedFilesystems = [ "zfs" ];`
			`zfs.requestEncryptionCredentials = true;`
Initial move to 23.05 2023-05-27 23:16:46 +01:00			`tmp.tmpfsSize = "50%";`
formatting 2021-11-21 23:41:17 +00:00			`};`

architect: Use networking options 2023-05-12 12:48:45 +01:00			`networking = with config.architect.networks.lan; {`
			`hostName = "architect";`
formatting 2021-11-21 23:41:17 +00:00			`hostId = "49350853";`
			`useDHCP = false;`
architect: Use networking options 2023-05-12 12:48:45 +01:00			`defaultGateway = devices.router.address;`
formatting 2021-11-21 23:41:17 +00:00			`interfaces = {`
architect: Use networking options 2023-05-12 12:48:45 +01:00			`${interface}.ipv4.addresses = [{`
			`address = devices.architect.address;`
formatting 2021-11-21 23:41:17 +00:00			`prefixLength = 24;`
			`}];`
maxi update giupi 2021-07-03 23:43:52 +01:00			`};`
architect: Use networking options 2023-05-12 12:48:45 +01:00			`extraHosts = (generateDeviceStrings config.architect.networks.lan.devices) + ''`
plex: disabled 2023-05-12 23:53:17 +01:00
formatting 2021-11-21 23:41:17 +00:00			`# Blacklist`
			`0.0.0.0 metrics.plex.tv`
			`0.0.0.0 analytics.plex.tv`
			`0.0.0.0 cdn.luckyorange.com`
			`0.0.0.0 w1.luckyorange.com`
			`0.0.0.0 browser.sentry-cdn.com`
			`0.0.0.0 analytics.facebook.com`
			`0.0.0.0 ads.facebook.com`
			`0.0.0.0 extmaps-api.yandex.net`
			`0.0.0.0 logservice.hicloud.com`
			`0.0.0.0 logbak.hicloud.com`
			`0.0.0.0 logservice1.hicloud.com`
			`0.0.0.0 samsung-com.112.2o7.net`
			`0.0.0.0 supportmetrics.apple.com`
			`0.0.0.0 analytics.oneplus.cn`
			`0.0.0.0 click.oneplus.cn`
			`0.0.0.0 analytics-api.samsunghealthcn.com`
			`'';`
			`};`

architect: Module cleanup 2023-02-14 17:15:12 +00:00			`hardware.opengl = {`
			`enable = true;`
			`extraPackages = with pkgs; [ vaapiVdpau ];`
formatting 2021-11-21 23:41:17 +00:00			`};`
cleaned a bit 2021-07-01 01:05:43 +01:00
formatting 2021-11-21 23:41:17 +00:00			`services = {`
architect: Module cleanup 2023-02-14 17:14:06 +00:00			`fwupd.enable = true;`
			`das_watchdog.enable = true;`
formatting 2021-11-21 23:41:17 +00:00			`zfs.autoScrub.enable = true;`
architect: commented out nvidia in main 2024-03-14 11:05:41 +00:00
Removed password auth from sshd 2021-12-19 12:24:19 +00:00			`openssh = {`
			`enable = true;`
Initial move to 23.05 2023-05-27 23:16:46 +01:00
			`settings = {`
tanta roba 2023-05-28 21:45:49 +01:00			`PasswordAuthentication = false;`
			`KbdInteractiveAuthentication = false;`
Initial move to 23.05 2023-05-27 23:16:46 +01:00			`};`
tanta roba 2023-05-28 21:45:49 +01:00
mah boh 2022-07-06 19:34:12 +01:00			`extraConfig = ''`
			`MaxAuthTries 15`
			`'';`
Removed password auth from sshd 2021-12-19 12:24:19 +00:00			`};`
formatting 2021-11-21 23:41:17 +00:00			`smartd.enable = true;`
			`};`
			`}`
architect: Use networking options 2023-05-12 12:48:45 +01:00