nixos/hosts/giupi/default.nix

# Edit this configuration file to define what should be installed on
# your system.  Help is available in the configuration.nix(5) man page
# and in the NixOS manual (accessible by running ‘nixos-help’).

{ config, pkgs, variables, ... }:

with import ./network.nix;
let 
  pubkeys     = ["ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQC1we38/N+t8Ah5yrLof8QUwhrob7/VXFKIddaJeOVBLuDVnW7ljiAtdtEiL69D/DV4Ohmt5wMvkAAjfuHmim6FD9A6lzPbSU4KH9W2dcckszKbbI636kuDwem/xui6BW3wJa6P+0xW5ksygEAkzcK2PXuC2b4B9uwhuUdKahiGMKDxISG/WianqAe72cGMfNkYvion3Y1VsMLUdm48d2ABnxNpr7NI9B5iJ8dziOft9gpgfz13CCQRlReo75gk/4xI+vSNrQp7eR+wzJy2/dZg/T8jtyA9Q6jVxrxBpqQ1LNXkAKaJkGo9OabF6Wgpzp+YTAurL4nwR2NaJxwFuyoKvACQy0ai4jrS3206gC6JXZv8ktZMZrwUN+jPqCwfgh5qObFkAqKCxbp52ioDek2MQLdOvzQBX//DBhGEp5rzHGLZ3vhRIiiQiaof5sF5zWiYDW5mqezSPNxJPX/BrTP/Wbs/jpwTLBh3wytiia0S1WXQmya89bqzTPFiDWvTRA62EVKB/JaQtPQQOFAxWwg799DMycPeZ81xttZOyMtI/MZSddyqx2S8fWGwvToZQvuZ38mSIpFseLM1IkgabRIrAmat5SBNGGy9Dqa0eMEa7bwIY/4CMB1y6HMTnaoMXA6cnQfHMoB/zyTZ6oTXIeqeOyiZsK+RN0Mvahj8mXi7dw== giulio@giulio-X230"];
  hostname    = "giupi";
in {
  imports =
    [ # Include the results of the hardware scan.
    ./hardware.nix
    ../../variables.nix
    ../../common.nix
    ../../users.nix
    ./firewall.nix
  ];

  variables.hostname                             = hostname;
  time.timeZone                                  = "Europe/Rome";
  system.stateVersion                            = "21.05"; # Did you read the comment?
  users.users.giulio.openssh.authorizedKeys.keys = pubkeys;

  boot = {
    kernelParams = ["ip=${giupi_lan_ip}::10.0.0.1:255.255.255.0::${wan_if}:off"];

    initrd = {
      availableKernelModules = ["igc" "r8169"];
      network = {
        enable = true;
        ssh = {
          enable         = true;
          port           = 22;
          hostKeys       = [/boot/ssh_host_rsa_key];
          authorizedKeys = pubkeys;
        };

        postCommands = ''
            echo "zfs load-key -a; killall zfs" >> /root/.profile
        '';
      };
    };

    loader = {
      systemd-boot.enable      = true;
      efi.canTouchEfiVariables = true;
    };

    supportedFilesystems             = ["zfs"];
    zfs.requestEncryptionCredentials = true;
  };


  networking = {
    hostName       = hostname;
    hostId         = "49350853";
    useDHCP        = false;
    defaultGateway = "10.0.0.1";
    interfaces     = {
      enp5s0.ipv4.addresses = [{ address = giupi_lan_ip; prefixLength = 24; }];
      enp6s0.useDHCP = false;
      wlp4s0.useDHCP = false;
    };
#    extraHosts = ''
#        127.0.0.1	${hostname}.devs.giugl.io jf.giugl.io yt.giugl.io s3.giugl.io synclounge.giugl.io giugl.io htson.giugl.io htrad.giugl.io htnzb.giugl.io httra.giugl.io giupyter.giugl.io irc.giugl.io localhost
#
## LAN
#${giupi_lan_ip}	${hostname}.devs.giugl.io giugl.io jf.giugl.io yt.giugl.io s3.giugl.io synclounge.giugl.io htson.giugl.io htrad.giugl.io htnzb.giugl.io httra.giugl.io todo.giugl.io giupyter.giugl.io collabora.giugl.io htjak.giugl.io irc.giugl.io
#
#        10.0.0.1	router.devs.giugl.io
#        ${dvr_ip}	dvr.devs.giugl.io
#        ${nas_ip}	nas.devs.giugl.io
#
## Wireguard hosts
#        ${giupi_wg_ip}	${hostname}.devs.giugl.io jf.giugl.io giugl.io yt.giugl.io s3.giugl.io synclounge.giugl.io htson.giugl.io htrad.giugl.io htnzb.giugl.io httra.giugl.io todo.giugl.io giupyter.giugl.io collabora.giugl.io htjak.giugl.io irc.giugl.io
#        ${galuminum-wg}	galuminum.devs.giugl.io
#        ${oneplus-wg}	oneplus.devs.giugl.io
#        ${ipad-wg}	ipad.devs.giugl.io
#        ${manduria-wg}	manduria.devs.giugl.io
#        ${antonio-wg}	antonio.devs.giugl.io
#        ${gbeast-wg}	gbeast.devs.giugl.io
#        ${parisaphone-wg}	parisa-phone.devs.giugl.io
#        ${parisapc-wg}	parisa-pc.devs.giugl.io
#        ${peppiniell-wg}	peppiniell.devs.giugl.io
#        ${padulino-wg}	padulino.devs.giugl.io
#        ${shield-wg}	shield.devs.giugl.io
#        ${angelino-wg}	angelino.devs.giugl.io
#        ${pepos_one-wg}	peposone.devs.giugl.io
#        ${pepos_two-wg}	pepostwo.devs.giugl.io
#        ${eleonora-wg}	eleonora.devs.giugl.io
#        ${broccolino-wg}	broccolino.devs.giugl.io
#        ${hotpottino-wg}	hotpottino.devs.giugl.io
#
## Blacklist
#        0.0.0.0		metrics.plex.tv
#        0.0.0.0		analytics.plex.tv
#        0.0.0.0		cdn.luckyorange.com
#        0.0.0.0		w1.luckyorange.com
#        0.0.0.0		browser.sentry-cdn.com
#        0.0.0.0		analytics.facebook.com
#        0.0.0.0		ads.facebook.com
#        0.0.0.0		extmaps-api.yandex.net
#        0.0.0.0		logservice.hicloud.com
#        0.0.0.0		logbak.hicloud.com
#        0.0.0.0		logservice1.hicloud.com
#        0.0.0.0		samsung-com.112.2o7.net
#        0.0.0.0		supportmetrics.apple.com
#        0.0.0.0		analytics.oneplus.cn
#        0.0.0.0		click.oneplus.cn
#        0.0.0.0 	analytics-api.samsunghealthcn.com
#
## The following lines are desirable for IPv6 capable hosts
#        ::1     localhost ip6-localhost ip6-loopback
#        ff02::1 ip6-allnodes
#        ff02::2 ip6-allrouters
#    '';
  };

  environment.systemPackages = with pkgs; 
  [
    docker
    openiscsi
    wireguard
  ];

  hardware = {
    cpu.amd.updateMicrocode = true;
  };

  services = {
    zfs.autoScrub.enable = true;
    xserver.videoDrivers = [ "nvidia" ];

    dnsmasq = {
      enable      = true;
      servers     = ["127.0.0.1#5353"];
      extraConfig = ''
            localise-queries
      '';
    };

    dnscrypt-proxy2 = {
      enable = true;
      settings = {
        listen_addresses   = ["127.0.0.1:5353"];
        ipv4_servers       = true;
        ipv6_servers       = false;
        dnscrypt_servers   = true;
        doh_servers        = true;
        require_nolog      = true;
        require_nofilter   = true;
        timeout            = 350;
        lb_strategy        = "p4";
        lb_estimator       = true;
        ignore_system_dns  = true;
        fallback_resolvers = ["1.1.1.1:53" "9.9.9.9:53"];
      };
    };

    openssh = {
      enable                 = true;
      passwordAuthentication = true;
      permitRootLogin        = "yes";
    };
  };
}