nixos/hosts/giupi/default.nix

# Edit this configuration file to define what should be installed on
# your system.  Help is available in the configuration.nix(5) man page
# and in the NixOS manual (accessible by running ‘nixos-help’).

{ config, pkgs, variables, ... }:

let 
  lan_address = "10.0.0.8";
  pubkeys = ["ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQC1we38/N+t8Ah5yrLof8QUwhrob7/VXFKIddaJeOVBLuDVnW7ljiAtdtEiL69D/DV4Ohmt5wMvkAAjfuHmim6FD9A6lzPbSU4KH9W2dcckszKbbI636kuDwem/xui6BW3wJa6P+0xW5ksygEAkzcK2PXuC2b4B9uwhuUdKahiGMKDxISG/WianqAe72cGMfNkYvion3Y1VsMLUdm48d2ABnxNpr7NI9B5iJ8dziOft9gpgfz13CCQRlReo75gk/4xI+vSNrQp7eR+wzJy2/dZg/T8jtyA9Q6jVxrxBpqQ1LNXkAKaJkGo9OabF6Wgpzp+YTAurL4nwR2NaJxwFuyoKvACQy0ai4jrS3206gC6JXZv8ktZMZrwUN+jPqCwfgh5qObFkAqKCxbp52ioDek2MQLdOvzQBX//DBhGEp5rzHGLZ3vhRIiiQiaof5sF5zWiYDW5mqezSPNxJPX/BrTP/Wbs/jpwTLBh3wytiia0S1WXQmya89bqzTPFiDWvTRA62EVKB/JaQtPQQOFAxWwg799DMycPeZ81xttZOyMtI/MZSddyqx2S8fWGwvToZQvuZ38mSIpFseLM1IkgabRIrAmat5SBNGGy9Dqa0eMEa7bwIY/4CMB1y6HMTnaoMXA6cnQfHMoB/zyTZ6oTXIeqeOyiZsK+RN0Mvahj8mXi7dw== giulio@giulio-X230"];
  hostname = "giupi";
in {
  imports =
    [ # Include the results of the hardware scan.
    ./hardware.nix
    ../../variables.nix
    ../../common.nix
    ../../users.nix
  ];

  variables.hostname                             = hostname;
  time.timeZone                                  = "Europe/Rome";
  system.stateVersion                            = "21.05"; # Did you read the comment?
  users.users.giulio.openssh.authorizedKeys.keys = pubkeys;

  boot = {
    kernelParams = ["ip=${lan_address}::10.0.0.1:255.255.255.0::enp5s0:off"];

    initrd = {
      availableKernelModules = ["igc" "r8169"];
      network = {
        enable = true;
        ssh = {
          enable         = true;
          port           = 2222;
          hostKeys       = [/boot/host_ecdsa_key];
          authorizedKeys = pubkeys;
        };

        postCommands = ''
            echo "zfs load-key -a; killall zfs" >> /root/.profile
        '';
      };
    };

    loader = {
      systemd-boot.enable      = true;
      efi.canTouchEfiVariables = true;
    };

    supportedFilesystems             = ["zfs"];
    zfs.requestEncryptionCredentials = true;
  };


  networking = {
    hostName   = hostname;
    hostId     = "49350853";
    useDHCP    = false;
    defaultGateway = "10.0.0.1";
    interfaces = {
      enp5s0.ipv4.addresses = [{ address = lan_address; prefixLength = 24; }];
      enp6s0.useDHCP = false;
      wlp4s0.useDHCP = false;
    };
#    extraHosts = ''
#        127.0.0.1	${hostname}.devs.giugl.io jf.giugl.io yt.giugl.io s3.giugl.io synclounge.giugl.io giugl.io htson.giugl.io htrad.giugl.io htnzb.giugl.io httra.giugl.io giupyter.giugl.io irc.giugl.io localhost
#
## LAN
#${lan_address}	${hostname}.devs.giugl.io giugl.io jf.giugl.io yt.giugl.io s3.giugl.io synclounge.giugl.io htson.giugl.io htrad.giugl.io htnzb.giugl.io httra.giugl.io todo.giugl.io giupyter.giugl.io collabora.giugl.io htjak.giugl.io irc.giugl.io
#
#        10.0.0.1	router.devs.giugl.io
#        10.0.0.2	dvr.devs.giugl.io
#        10.0.0.3	nas.devs.giugl.io
#
## Wireguard hosts
#        10.3.0.1	${hostname}.devs.giugl.io jf.giugl.io giugl.io yt.giugl.io s3.giugl.io synclounge.giugl.io htson.giugl.io htrad.giugl.io htnzb.giugl.io httra.giugl.io todo.giugl.io giupyter.giugl.io collabora.giugl.io htjak.giugl.io irc.giugl.io
#        10.3.0.2	galuminum.devs.giugl.io
#        10.3.0.3	oneplus.devs.giugl.io
#        10.3.0.4	ipad.devs.giugl.io
#        10.3.0.5	manduria.devs.giugl.io
#        10.3.0.6	antonio.devs.giugl.io
#        10.3.0.7	gbeast.devs.giugl.io
#        10.3.0.8	parisa-phone.devs.giugl.io
#        10.3.0.9	parisa-pc.devs.giugl.io
#        10.3.0.10	peppiniell.devs.giugl.io
#        10.3.0.11	padulino.devs.giugl.io
#        10.3.0.12	shield.devs.giugl.io
#        10.3.0.13	angelino.devs.giugl.io
#        10.3.0.14	peposone.devs.giugl.io
#        10.3.0.15	pepostwo.devs.giugl.io
#        10.3.0.100	eleonora.devs.giugl.io
#        10.3.0.200	broccolino.devs.giugl.io
#        10.3.0.201	hotpottino.devs.giugl.io
#
## Blacklist
#        0.0.0.0		metrics.plex.tv
#        0.0.0.0		analytics.plex.tv
#        0.0.0.0		cdn.luckyorange.com
#        0.0.0.0		w1.luckyorange.com
#        0.0.0.0		browser.sentry-cdn.com
#        0.0.0.0		analytics.facebook.com
#        0.0.0.0		ads.facebook.com
#        0.0.0.0		extmaps-api.yandex.net
#        0.0.0.0		logservice.hicloud.com
#        0.0.0.0		logbak.hicloud.com
#        0.0.0.0		logservice1.hicloud.com
#        0.0.0.0		samsung-com.112.2o7.net
#        0.0.0.0		supportmetrics.apple.com
#        0.0.0.0		analytics.oneplus.cn
#        0.0.0.0		click.oneplus.cn
#        0.0.0.0 	analytics-api.samsunghealthcn.com
#
## The following lines are desirable for IPv6 capable hosts
#        ::1     localhost ip6-localhost ip6-loopback
#        ff02::1 ip6-allnodes
#        ff02::2 ip6-allrouters
#    '';
  };

  environment.systemPackages = with pkgs; 
  [
    neovim
    docker
    htop
    glances
    git
    home-manager
    openiscsi
    wireguard
    dnscrypt-proxy2
    restic
  ];

  hardware = {
    cpu.amd.updateMicrocode = true;
  };

  services = {
    zfs.autoScrub.enable = true;
    xserver.videoDrivers = [ "nvidia" ];

    dnsmasq = {
      enable      = true;
      servers     = ["127.0.0.1#5353"];
      extraConfig = ''
            localise-queries
      '';
    };

    dnscrypt-proxy2 = {
      enable = true;
      settings = {
        listen_addresses   = ["127.0.0.1:5353"];
        ipv4_servers       = true;
        ipv6_servers       = false;
        dnscrypt_servers   = true;
        doh_servers        = true;
        require_nolog      = true;
        require_nofilter   = true;
        timeout            = 350;
        lb_strategy        = "p4";
        lb_estimator       = true;
        ignore_system_dns  = true;
        fallback_resolvers = ["1.1.1.1:53" "9.9.9.9:53"];
      };
    };

    openssh = {
      enable                 = true;
      passwordAuthentication = true;
      permitRootLogin        = "yes";
    };
  };
}