nixos/hosts/architect/default.nix

{ config, pkgs, lib, ... }:

let
  macbookPubkey = (import ../pubkeys.nix).macbook;
  pubkeys = [ macbookPubkey ];
  domain = "devs.giugl.io";

  utilities = import ./utilities.nix { inherit lib config; };
  inherit (utilities) generateDeviceStrings;
in
{
  imports = [
    ./options.nix
    ./backup.nix
    ./hardware.nix
    ./firewall.nix
    ./nginx.nix
    ./gitea.nix
    ./sonarr.nix
    ./radarr.nix
    ./bazarr.nix
    ./nzbget.nix
    ./nextcloud.nix
    ./minio.nix
    ./matrix.nix
    ./fail2ban.nix
    ./dns.nix
    # ./minecraft.nix
    ./prowlarr.nix
    ./redlib.nix
    # ./invidious.nix
    ./jellyfin.nix
    ./docker.nix
    ./tailscale.nix
    ./headscale.nix
    ./llm.nix
    # ./photoprism.nix
    ./sunshine.nix
    ./jellyseer.nix
    ./teslamate.nix
    ./postgres.nix
    ./netdata.nix
  ];

  age.identityPaths = [ "/root/.ssh/id_ed25519" ];

  architect = {
    networks.lan = {
      interface = "enp6s0";
      net = "10.0.0.0/24";
      devices = {
        architect = { address = "10.0.0.250"; hostname = "architect.${domain}"; };
        router = { address = "10.0.0.1"; hostname = "router.${domain}"; };
        dvr = { address = "10.0.0.3"; hostname = "dvr.${domain}"; };
      };
    };

    firewall = {
      openTCP = [ 22 ];
    };
  };

  time.timeZone = "Europe/London";
  users.users.giulio.openssh.authorizedKeys.keys = pubkeys;
  boot = {
    initrd = {
      availableKernelModules = [ "igc" "r8169" ];
      network = {
        enable = true;
        ssh = {
          enable = true;
          port = 22;
          hostKeys = [ /secrets/ssh_host_rsa_key ];
          authorizedKeys = pubkeys;
        };
      };
    };

    kernelParams = with config.architect.networks.lan; [
      "ip=${devices.architect.address}::${devices.router.address}:255.255.255.0::${interface}:off"
    ];

    kernel.sysctl = { "net.ipv4.ip_forward" = 1; };

    loader = {
      systemd-boot = {
        enable = true;
        memtest86.enable = true;
      };
      efi.canTouchEfiVariables = true;
    };

    supportedFilesystems = [ "zfs" ];
    zfs.requestEncryptionCredentials = true;
    tmp.tmpfsSize = "50%";
  };

  networking = with config.architect.networks.lan; {
    hostName = "architect";
    hostId = "49350853";
    useDHCP = false;
    defaultGateway = devices.router.address;
    interfaces = {
      ${interface}.ipv4.addresses = [{
        address = devices.architect.address;
        prefixLength = 24;
      }];
    };
    extraHosts = (generateDeviceStrings config.architect.networks.lan.devices) + ''

      # Blacklist
      0.0.0.0                metrics.plex.tv
      0.0.0.0                analytics.plex.tv
      0.0.0.0                cdn.luckyorange.com
      0.0.0.0                w1.luckyorange.com
      0.0.0.0                browser.sentry-cdn.com
      0.0.0.0                analytics.facebook.com
      0.0.0.0                ads.facebook.com
      0.0.0.0                extmaps-api.yandex.net
      0.0.0.0                logservice.hicloud.com
      0.0.0.0                logbak.hicloud.com
      0.0.0.0                logservice1.hicloud.com
      0.0.0.0                samsung-com.112.2o7.net
      0.0.0.0                supportmetrics.apple.com
      0.0.0.0                analytics.oneplus.cn
      0.0.0.0                click.oneplus.cn
      0.0.0.0        analytics-api.samsunghealthcn.com
    '';
  };

  hardware.opengl = {
    enable = true;
    extraPackages = with pkgs; [ vaapiVdpau ];
  };

  services = {
    fwupd.enable = true;
    das_watchdog.enable = true;
    zfs.autoScrub.enable = true;

    openssh = {
      enable = true;

      settings = {
        PasswordAuthentication = false;
        KbdInteractiveAuthentication = false;
      };

      extraConfig = ''
        MaxAuthTries 15
      '';
    };
    smartd.enable = true;
  };
}