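{ config, pkgs, ... }:

# Host "architect" (NixOS 21.05): encrypted ZFS root unlocked remotely over
# SSH from the initrd, LAN resolver (dnsmasq -> dnscrypt-proxy), plus the
# services imported below. Addresses such as architect-lan, wan-if and the
# *-wg peers are defined in ./network.nix and brought into scope by `with`.
with import ./network.nix;

let
  # Keys allowed to log in as `giulio` on the booted system AND to reach the
  # initrd SSH server that unlocks the ZFS pools at boot.
  pubkeys = [
    "ssh-rsa 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 giulio@giulio-X230"
  ];
  hostname = "architect";
in
{
  imports = [
    ./backup.nix
    # Include the results of the hardware scan.
    ./hardware.nix
    ../../common.nix
    ../../users.nix
    ./firewall.nix
    ./nginx.nix
    ./gitea.nix
    ./sonarr.nix
    ./radarr.nix
    ./bazarr.nix
    ./nzbget.nix
    # ./jellyfin.nix
    ./nextcloud.nix
    ./wireguard.nix
    ./minio.nix
    ./matrix.nix
    ./fail2ban.nix
    ./plex.nix
  ];

  time.timeZone = "Europe/Rome";
  system.stateVersion = "21.05"; # Did you read the comment?

  users.users.giulio.openssh.authorizedKeys.keys = pubkeys;

  # /tmp on tmpfs so it is wiped on every boot. mode/nosuid/nodev mirror what
  # NixOS' own boot.tmpOnTmpfs mounts with: nothing in a world-writable
  # directory should be runnable setuid or usable as a device node.
  fileSystems."/tmp" = {
    device = "tmpfs";
    fsType = "tmpfs";
    options = [ "size=20G" "mode=1777" "nosuid" "nodev" ];
  };

  boot = {
    # Static IP for stage 1 so the initrd SSH server below is reachable
    # before the root filesystem exists. Format:
    # ip=<client>:<server>:<gateway>:<netmask>:<hostname>:<device>:<autoconf>
    # Stage 2 configures enp5s0 below; wan-if (from ./network.nix) is
    # presumably the same interface -- confirm if the initrd is unreachable.
    kernelParams = [ "ip=${architect-lan}::10.0.0.1:255.255.255.0::${wan-if}:off" ];

    # Kernel forwarding is on (presumably for the WireGuard peers from
    # ./wireguard.nix); the filtering of forwarded traffic is expected to
    # live in ./firewall.nix, which is not visible here.
    kernel.sysctl."net.ipv4.ip_forward" = 1;

    initrd = {
      availableKernelModules = [ "igc" "r8169" ];

      # Remote ZFS unlock: stage 1 brings up the network and an SSH server that
      # accepts only `pubkeys`; the operator logs in and runs the commands
      # appended to /root/.profile by postCommands.
      network = {
        enable = true;
        ssh = {
          enable = true;
          # Same port as the stage-2 sshd but a different host key, so clients
          # will hit a known_hosts mismatch between initrd and booted system
          # unless they keep a separate entry (or this moves to another port).
          # Training yourself to click through that warning defeats host
          # authentication, so pin both keys.
          port = 22;
          # Must be a *string*, not a Nix path literal: a path literal is
          # copied into the world-readable Nix store at evaluation time,
          # exposing the private key to every local user (and to any binary
          # cache the system is pushed to). As a string it is appended to the
          # initrd as a secret by the bootloader installer instead. The key
          # still sits on the unencrypted ESP, which is inherent to this
          # scheme -- never reuse the stage-2 host key here.
          hostKeys = [ "/boot/ssh_host_rsa_key" ];
          authorizedKeys = pubkeys;
        };
        # Import both pools and queue the unlock sequence for the interactive
        # shell: load keys recursively, mount the root dataset, load keys
        # again (presumably some keys are read from files inside the root
        # dataset -- confirm), unmount, then kill the `zfs load-key` prompt
        # stage 1 is blocked on (see requestEncryptionCredentials) so boot
        # continues.
        postCommands = ''
          zpool import backedpool
          zpool import zpool
          mkdir /mnt-root
          echo "zfs load-key -ar; mount -t zfs zpool/nixos/root /mnt-root; zfs load-key -a; umount /mnt-root; rmdir /mnt-root; killall zfs" >> /root/.profile
        '';
      };
    };

    loader = {
      systemd-boot.enable = true;
      efi.canTouchEfiVariables = true;
    };

    supportedFilesystems = [ "zfs" ];
    # Tracks the non-LTS OpenZFS release rather than the stable module.
    zfs.enableUnstable = true;
    # Prompt for dataset keys in stage 1; the unlock procedure above
    # terminates that prompt once keys have been loaded over SSH.
    zfs.requestEncryptionCredentials = true;
  };

  networking = {
    hostName = hostname;
    hostId = "49350853"; # required by ZFS; must stay stable for pool import
    useDHCP = false;
    defaultGateway = "10.0.0.1";
    interfaces = {
      enp5s0.ipv4.addresses = [{ address = architect-lan; prefixLength = 24; }];
      enp6s0.useDHCP = false;
      wlp4s0.useDHCP = false;
    };

    # Static name table. dnsmasq reads /etc/hosts by default, so these
    # entries -- including the 0.0.0.0 sink-hole block -- are served to any
    # client that uses this host as its resolver, not only to local processes.
    extraHosts = ''
      127.0.0.1 ${hostname}.devs.giugl.io giugl.io localhost

      # LAN
      ${architect-lan} ${hostname}.devs.giugl.io giugl.io
      10.0.0.1 router.devs.giugl.io
      ${dvr-lan} dvr.devs.giugl.io
      ${nas-lan} nas.devs.giugl.io
      ${giupi-lan} giupi.devs.giugl.io

      # Wireguard hosts
      ${architect-wg} ${hostname}.devs.giugl.io giugl.io
      ${galuminum-wg} galuminum.devs.giugl.io
      ${oneplus-wg} oneplus.devs.giugl.io
      ${ipad-wg} ipad.devs.giugl.io
      ${manduria-wg} manduria.devs.giugl.io
      ${antonio-wg} antonio.devs.giugl.io
      ${gbeast-wg} gbeast.devs.giugl.io
      ${parisaphone-wg} parisa-phone.devs.giugl.io
      ${parisapc-wg} parisa-pc.devs.giugl.io
      ${peppiniell-wg} peppiniell.devs.giugl.io
      ${padulino-wg} padulino.devs.giugl.io
      ${shield-wg} shield.devs.giugl.io
      ${angelino-wg} angelino.devs.giugl.io
      ${pepos_one-wg} peposone.devs.giugl.io
      ${pepos_two-wg} pepostwo.devs.giugl.io
      ${eleonora-wg} eleonora.devs.giugl.io
      ${broccolino-wg} broccolino.devs.giugl.io
      ${hotpottino-wg} hotpottino.devs.giugl.io
      ${salvatore-wg} salvatore.devs.giugl.io
      ${papa-wg} papa.devs.giugl.io
      ${defy-wg} defy.devs.giugl.io
      ${germano-wg} germano.devs.giugl.io

      # Blacklist
      0.0.0.0 metrics.plex.tv
      0.0.0.0 analytics.plex.tv
      0.0.0.0 cdn.luckyorange.com
      0.0.0.0 w1.luckyorange.com
      0.0.0.0 browser.sentry-cdn.com
      0.0.0.0 analytics.facebook.com
      0.0.0.0 ads.facebook.com
      0.0.0.0 extmaps-api.yandex.net
      0.0.0.0 logservice.hicloud.com
      0.0.0.0 logbak.hicloud.com
      0.0.0.0 logservice1.hicloud.com
      0.0.0.0 samsung-com.112.2o7.net
      0.0.0.0 supportmetrics.apple.com
      0.0.0.0 analytics.oneplus.cn
      0.0.0.0 click.oneplus.cn
      0.0.0.0 analytics-api.samsunghealthcn.com

      # The following lines are desirable for IPv6 capable hosts
      ::1 localhost ip6-localhost ip6-loopback
      ff02::1 ip6-allnodes
      ff02::2 ip6-allrouters
    '';
  };

  environment.systemPackages = with pkgs; [
    openiscsi
    wireguard
    cudatoolkit
  ];

  hardware = {
    cpu.amd.updateMicrocode = true;
    opengl.enable = true;
    opengl.extraPackages = with pkgs; [ vaapiVdpau ];
    opengl.driSupport = true;
  };

  services = {
    zfs.autoScrub.enable = true;
    xserver.videoDrivers = [ "nvidia" ];
    # Stage-2 sshd. Password/root-login hardening is not set in this file;
    # it is presumably in ../../common.nix -- verify before exposing port 22.
    openssh.enable = true;

    # Caching forwarder: every query goes to dnscrypt-proxy on 127.0.0.1:5353.
    dnsmasq = {
      enable = true;
      servers = [ "127.0.0.1#5353" ];
      extraConfig = ''
        localise-queries
        min-cache-ttl=120
        max-cache-ttl=2400
      '';
    };

    # Encrypted upstream resolver (DNSCrypt and DoH), IPv4 only, restricted
    # to servers that advertise no-logging and no-filtering; bound to
    # loopback so only dnsmasq can reach it.
    dnscrypt-proxy2 = {
      enable = true;
      settings = {
        listen_addresses = [ "127.0.0.1:5353" ];
        ipv4_servers = true;
        ipv6_servers = false;
        block_ipv6 = true;
        dnscrypt_servers = true;
        doh_servers = true;
        require_nolog = true;
        require_nofilter = true;
        timeout = 350;
        lb_strategy = "p4";
        lb_estimator = true;
        ignore_system_dns = true;
        # Plain, unencrypted DNS used only to bootstrap the resolver list;
        # later dnscrypt-proxy releases call this option bootstrap_resolvers.
        fallback_resolvers = [ "1.1.1.1:53" "9.9.9.9:53" ];
        cache_min_ttl = 450;
        cache_max_ttl = 2400;
      };
    };
  };

  environment.variables = {
    LIBVA_DRIVER_NAME = "vdpau";
  };
}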