nixos/hosts/architect/default.nix

{ config, pkgs, ... }:

let
  pubkeys = [
    "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQC1we38/N+t8Ah5yrLof8QUwhrob7/VXFKIddaJeOVBLuDVnW7ljiAtdtEiL69D/DV4Ohmt5wMvkAAjfuHmim6FD9A6lzPbSU4KH9W2dcckszKbbI636kuDwem/xui6BW3wJa6P+0xW5ksygEAkzcK2PXuC2b4B9uwhuUdKahiGMKDxISG/WianqAe72cGMfNkYvion3Y1VsMLUdm48d2ABnxNpr7NI9B5iJ8dziOft9gpgfz13CCQRlReo75gk/4xI+vSNrQp7eR+wzJy2/dZg/T8jtyA9Q6jVxrxBpqQ1LNXkAKaJkGo9OabF6Wgpzp+YTAurL4nwR2NaJxwFuyoKvACQy0ai4jrS3206gC6JXZv8ktZMZrwUN+jPqCwfgh5qObFkAqKCxbp52ioDek2MQLdOvzQBX//DBhGEp5rzHGLZ3vhRIiiQiaof5sF5zWiYDW5mqezSPNxJPX/BrTP/Wbs/jpwTLBh3wytiia0S1WXQmya89bqzTPFiDWvTRA62EVKB/JaQtPQQOFAxWwg799DMycPeZ81xttZOyMtI/MZSddyqx2S8fWGwvToZQvuZ38mSIpFseLM1IkgabRIrAmat5SBNGGy9Dqa0eMEa7bwIY/4CMB1y6HMTnaoMXA6cnQfHMoB/zyTZ6oTXIeqeOyiZsK+RN0Mvahj8mXi7dw== giulio@giulio-X230"
  ];
  hostname = "architect";
  network = import ./network.nix;
in {
  imports = [ # Include the results of the hardware scan.
    ./backup.nix
    ./hardware.nix
    ./firewall.nix
    ./nginx.nix
    ./gitea.nix
    ./sonarr.nix
    ./radarr.nix
    ./bazarr.nix
    ./nzbget.nix
    ./nextcloud.nix
    ./wireguard.nix
    ./minio.nix
    ./matrix.nix
    ./fail2ban.nix
    ./dns.nix
    #    ./minecraft.nix
    ./prowlarr.nix
    #    ./plex.nix
    #./githubrunner.nix
    ./libreddit.nix
    ./invidious.nix
    ./nitter.nix
    ./ccache.nix
    ./lidarr.nix
#    ./navidrome.nix
    ./jellyfin.nix
    ./prosody.nix
    ./deluge.nix
    #    ./calibre.nix
    ../../cachix.nix
    ./docker.nix
  ];

  nixpkgs.config.permittedInsecurePackages = [ "nodejs-12.22.12" ];
  time.timeZone = "Europe/Rome";
  system.stateVersion = "21.11"; # Did you read the comment?
  users.users.giulio.openssh.authorizedKeys.keys = pubkeys;
  boot = {
    initrd = {
      availableKernelModules = [ "igc" "r8169" ];
      network = {
        enable = true;
        ssh = {
          enable = true;
          port = 22;
          hostKeys = [ /secrets/ssh_host_rsa_key ];
          authorizedKeys = pubkeys;
        };

       # postCommands = ''
       #   zpool import backedpool -f
       #   zpool import zpool -f

       #   echo "zfs load-key -ar; killall zfs" >> /root/.profile
       # '';
      };
    };
  };

  services.fwupd.enable = true;
  boot = {
    kernelParams = [
      "ip=${network.architect-lan}::10.0.0.1:255.255.255.0::${network.wan-if}:off"
      "nvme_core.default_ps_max_latency_us=5500"
      "zfs_arc_max=1073741824"
      "memmap=32M$0x4ca6f9478"
    ];

    kernel.sysctl = { "net.ipv4.ip_forward" = 1; };

    loader = {
      systemd-boot = {
        enable = true;
        memtest86.enable = true;
      };
      efi.canTouchEfiVariables = true;
    };

    supportedFilesystems = [ "zfs" ];
    zfs.requestEncryptionCredentials = true;
    tmpOnTmpfsSize = "80%";
  };

  networking = {
    hostName = hostname;
    hostId = "49350853";
    useDHCP = false;
    defaultGateway = "10.0.0.1";
    interfaces = {
      enp5s0.ipv4.addresses = [{
        address = network.architect-lan;
        prefixLength = 24;
      }];
      enp6s0.useDHCP = false;
      wlp4s0.useDHCP = false;
    };
    extraHosts = ''
      127.0.0.1      ${hostname}.devs.giugl.io localhost

      # LAN
      ${network.architect-lan} ${hostname}.devs.giugl.io

      ${network.dvr-lan}      dvr.devs.giugl.io
      ${network.nas-lan}      nas.devs.giugl.io
      192.168.1.1           vodafone.station
      # Blacklist
      0.0.0.0                metrics.plex.tv
      0.0.0.0                analytics.plex.tv
      0.0.0.0                cdn.luckyorange.com
      0.0.0.0                w1.luckyorange.com
      0.0.0.0                browser.sentry-cdn.com
      0.0.0.0                analytics.facebook.com
      0.0.0.0                ads.facebook.com
      0.0.0.0                extmaps-api.yandex.net
      0.0.0.0                logservice.hicloud.com
      0.0.0.0                logbak.hicloud.com
      0.0.0.0                logservice1.hicloud.com
      0.0.0.0                samsung-com.112.2o7.net
      0.0.0.0                supportmetrics.apple.com
      0.0.0.0                analytics.oneplus.cn
      0.0.0.0                click.oneplus.cn
      0.0.0.0        analytics-api.samsunghealthcn.com
    '';
  };

  environment.systemPackages = with pkgs; [ cudatoolkit cachix ];

  hardware = {
    opengl.enable = true;
    opengl.extraPackages = with pkgs; [ vaapiVdpau ];
    opengl.driSupport = true;
  };

  services.das_watchdog.enable = true;

  services = {
    zfs.autoScrub.enable = true;
    xserver.videoDrivers = [ "nvidia" ];
    openssh = {
      enable = true;
      passwordAuthentication = false;
      challengeResponseAuthentication = false;
      extraConfig = ''
        MaxAuthTries 15
      '';
    };
    smartd.enable = true;
  };

  environment.variables = { LIBVA_DRIVER_NAME = "vdpau"; };
}
moving to flakes, wip. no home-manager 2021-07-13 09:53:22 +01:00			`{ config, pkgs, ... }:`
using conf structure as sondr3 2021-07-01 01:02:55 +01:00
maxi update giupi 2021-07-03 23:43:52 +01:00			`let`
formatting 2021-11-21 23:41:17 +00:00			`pubkeys = [`
			"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQC1we38/N+t8Ah5yrLof8QUwhrob7/VXFKIddaJeOVBLuDVnW7ljiAtdtEiL69D/DV4Ohmt5wMvkAAjfuHmim6FD9A6lzPbSU4KH9W2dcckszKbbI636kuDwem/xui6BW3wJa6P+0xW5ksygEAkzcK2PXuC2b4B9uwhuUdKahiGMKDxISG/WianqAe72cGMfNkYvion3Y1VsMLUdm48d2ABnxNpr7NI9B5iJ8dziOft9gpgfz13CCQRlReo75gk/4xI+vSNrQp7eR+wzJy2/dZg/T8jtyA9Q6jVxrxBpqQ1LNXkAKaJkGo9OabF6Wgpzp+YTAurL4nwR2NaJxwFuyoKvACQy0ai4jrS3206gC6JXZv8ktZMZrwUN+jPqCwfgh5qObFkAqKCxbp52ioDek2MQLdOvzQBX//DBhGEp5rzHGLZ3vhRIiiQiaof5sF5zWiYDW5mqezSPNxJPX/BrTP/Wbs/jpwTLBh3wytiia0S1WXQmya89bqzTPFiDWvTRA62EVKB/JaQtPQQOFAxWwg799DMycPeZ81xttZOyMtI/MZSddyqx2S8fWGwvToZQvuZ38mSIpFseLM1IkgabRIrAmat5SBNGGy9Dqa0eMEa7bwIY/4CMB1y6HMTnaoMXA6cnQfHMoB/zyTZ6oTXIeqeOyiZsK+RN0Mvahj8mXi7dw== giulio@giulio-X230"
			`];`
			`hostname = "architect";`
removed implicit use of network.nix. use domain names in each service conf file. restrict access to gdevices to sensitive services. 2021-12-08 16:39:00 +00:00			`network = import ./network.nix;`
formatting 2021-11-21 23:41:17 +00:00			`in {`
			`imports = [ # Include the results of the hardware scan.`
			`./backup.nix`
			`./hardware.nix`
			`./firewall.nix`
			`./nginx.nix`
			`./gitea.nix`
			`./sonarr.nix`
			`./radarr.nix`
			`./bazarr.nix`
			`./nzbget.nix`
			`./nextcloud.nix`
			`./wireguard.nix`
			`./minio.nix`
			`./matrix.nix`
			`./fail2ban.nix`
			`./dns.nix`
mah boh 2022-07-06 19:34:12 +01:00			`# ./minecraft.nix`
formatting 2021-11-21 23:41:17 +00:00			`./prowlarr.nix`
mah boh 2022-07-06 19:34:12 +01:00			`# ./plex.nix`
			`#./githubrunner.nix`
nixos 21.11, added nitter, invidious and libreddit. modified umask transmission 2021-12-01 14:47:50 +00:00			`./libreddit.nix`
			`./invidious.nix`
			`./nitter.nix`
Enabled ccache module, tmpOnTmpfsSize = 150% 2021-12-18 21:02:23 +00:00			`./ccache.nix`
prossima volta committo seriamente 2022-02-15 10:58:08 +00:00			`./lidarr.nix`
mah boh 2022-07-06 19:34:12 +01:00			`# ./navidrome.nix`
prossima volta committo seriamente 2022-02-15 10:58:08 +00:00			`./jellyfin.nix`
			`./prosody.nix`
many updates, yasssss 2022-03-15 15:58:04 +00:00			`./deluge.nix`
mah boh 2022-07-06 19:34:12 +01:00			`# ./calibre.nix`
Calibre and cachix 2022-04-05 13:04:53 +01:00			`../../cachix.nix`
Enable docker 2022-04-05 13:07:35 +01:00			`./docker.nix`
formatting 2021-11-21 23:41:17 +00:00			`];`

mah boh 2022-07-06 19:34:12 +01:00			`nixpkgs.config.permittedInsecurePackages = [ "nodejs-12.22.12" ];`
formatting 2021-11-21 23:41:17 +00:00			`time.timeZone = "Europe/Rome";`
nixos 21.11, added nitter, invidious and libreddit. modified umask transmission 2021-12-01 14:47:50 +00:00			`system.stateVersion = "21.11"; # Did you read the comment?`
formatting 2021-11-21 23:41:17 +00:00			`users.users.giulio.openssh.authorizedKeys.keys = pubkeys;`
			`boot = {`
			`initrd = {`
			`availableKernelModules = [ "igc" "r8169" ];`
			`network = {`
			`enable = true;`
			`ssh = {`
maxi update giupi 2021-07-03 23:43:52 +01:00			`enable = true;`
formatting 2021-11-21 23:41:17 +00:00			`port = 22;`
mah boh 2022-07-06 19:34:12 +01:00			`hostKeys = [ /secrets/ssh_host_rsa_key ];`
formatting 2021-11-21 23:41:17 +00:00			`authorizedKeys = pubkeys;`
cleaned a bit 2021-07-01 01:05:43 +01:00			`};`

mah boh 2022-07-06 19:34:12 +01:00			`# postCommands = ''`
			`# zpool import backedpool -f`
			`# zpool import zpool -f`
maxi update giupi 2021-07-03 23:43:52 +01:00
mah boh 2022-07-06 19:34:12 +01:00			`# echo "zfs load-key -ar; killall zfs" >> /root/.profile`
			`# '';`
maxi update giupi 2021-07-03 23:43:52 +01:00			`};`
cleaned a bit 2021-07-01 01:05:43 +01:00			`};`
mah boh 2022-07-06 19:34:12 +01:00			`};`

			`services.fwupd.enable = true;`
			`boot = {`
			`kernelParams = [`
			`"ip=${network.architect-lan}::10.0.0.1:255.255.255.0::${network.wan-if}:off"`
			`"nvme_core.default_ps_max_latency_us=5500"`
			`"zfs_arc_max=1073741824"`
			`"memmap=32M$0x4ca6f9478"`
			`];`

			`kernel.sysctl = { "net.ipv4.ip_forward" = 1; };`
cleaned a bit 2021-07-01 01:05:43 +01:00
formatting 2021-11-21 23:41:17 +00:00			`loader = {`
mah boh 2022-07-06 19:34:12 +01:00			`systemd-boot = {`
many updates, yasssss 2022-03-15 15:58:04 +00:00			`enable = true;`
			`memtest86.enable = true;`
			`};`
formatting 2021-11-21 23:41:17 +00:00			`efi.canTouchEfiVariables = true;`
			`};`
maxi update giupi 2021-07-03 23:43:52 +01:00
formatting 2021-11-21 23:41:17 +00:00			`supportedFilesystems = [ "zfs" ];`
			`zfs.requestEncryptionCredentials = true;`
prossima volta committo seriamente 2022-02-15 10:58:08 +00:00			`tmpOnTmpfsSize = "80%";`
formatting 2021-11-21 23:41:17 +00:00			`};`

			`networking = {`
			`hostName = hostname;`
			`hostId = "49350853";`
			`useDHCP = false;`
			`defaultGateway = "10.0.0.1";`
			`interfaces = {`
			`enp5s0.ipv4.addresses = [{`
removed implicit use of network.nix. use domain names in each service conf file. restrict access to gdevices to sensitive services. 2021-12-08 16:39:00 +00:00			`address = network.architect-lan;`
formatting 2021-11-21 23:41:17 +00:00			`prefixLength = 24;`
			`}];`
			`enp6s0.useDHCP = false;`
			`wlp4s0.useDHCP = false;`
maxi update giupi 2021-07-03 23:43:52 +01:00			`};`
formatting 2021-11-21 23:41:17 +00:00			`extraHosts = ''`
			`127.0.0.1 ${hostname}.devs.giugl.io localhost`

			`# LAN`
removed implicit use of network.nix. use domain names in each service conf file. restrict access to gdevices to sensitive services. 2021-12-08 16:39:00 +00:00			`${network.architect-lan} ${hostname}.devs.giugl.io`
formatting 2021-11-21 23:41:17 +00:00
removed implicit use of network.nix. use domain names in each service conf file. restrict access to gdevices to sensitive services. 2021-12-08 16:39:00 +00:00			`${network.dvr-lan} dvr.devs.giugl.io`
			`${network.nas-lan} nas.devs.giugl.io`
prossima volta committo seriamente 2022-02-15 10:58:08 +00:00			`192.168.1.1 vodafone.station`
formatting 2021-11-21 23:41:17 +00:00			`# Blacklist`
			`0.0.0.0 metrics.plex.tv`
			`0.0.0.0 analytics.plex.tv`
			`0.0.0.0 cdn.luckyorange.com`
			`0.0.0.0 w1.luckyorange.com`
			`0.0.0.0 browser.sentry-cdn.com`
			`0.0.0.0 analytics.facebook.com`
			`0.0.0.0 ads.facebook.com`
			`0.0.0.0 extmaps-api.yandex.net`
			`0.0.0.0 logservice.hicloud.com`
			`0.0.0.0 logbak.hicloud.com`
			`0.0.0.0 logservice1.hicloud.com`
			`0.0.0.0 samsung-com.112.2o7.net`
			`0.0.0.0 supportmetrics.apple.com`
			`0.0.0.0 analytics.oneplus.cn`
			`0.0.0.0 click.oneplus.cn`
			`0.0.0.0 analytics-api.samsunghealthcn.com`
			`'';`
			`};`

nixos 21.11, added nitter, invidious and libreddit. modified umask transmission 2021-12-01 14:47:50 +00:00			`environment.systemPackages = with pkgs; [ cudatoolkit cachix ];`
formatting 2021-11-21 23:41:17 +00:00
			`hardware = {`
			`opengl.enable = true;`
			`opengl.extraPackages = with pkgs; [ vaapiVdpau ];`
			`opengl.driSupport = true;`
			`};`
cleaned a bit 2021-07-01 01:05:43 +01:00
added github-runner 2021-11-21 10:37:18 +00:00			`services.das_watchdog.enable = true;`

formatting 2021-11-21 23:41:17 +00:00			`services = {`
			`zfs.autoScrub.enable = true;`
			`xserver.videoDrivers = [ "nvidia" ];`
Removed password auth from sshd 2021-12-19 12:24:19 +00:00			`openssh = {`
			`enable = true;`
			`passwordAuthentication = false;`
			`challengeResponseAuthentication = false;`
mah boh 2022-07-06 19:34:12 +01:00			`extraConfig = ''`
			`MaxAuthTries 15`
			`'';`
Removed password auth from sshd 2021-12-19 12:24:19 +00:00			`};`
formatting 2021-11-21 23:41:17 +00:00			`smartd.enable = true;`
			`};`
maxi update giupi 2021-07-03 23:43:52 +01:00
formatting 2021-11-21 23:41:17 +00:00			`environment.variables = { LIBVA_DRIVER_NAME = "vdpau"; };`
			`}`