nixos/hosts/architect/default.nix

# NixOS host configuration for "architect", a LAN server that pulls in the
# per-service modules listed in `imports`. LAN addressing is declared once
# under `architect.networks.lan` (option declared in ./options.nix) and reused
# for the kernel command line, the static interface setup and /etc/hosts.
{ config, pkgs, lib, ... }:
let
  # The one SSH public key trusted on this host. It authorizes both the
  # `giulio` login account and the initrd SSH server, so rotating it means
  # updating a single list.
  pubkeys = [
    "ssh-rsa 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 giulio@giulio-X230"
  ];
  domain = "devs.giugl.io";
  utilities = import ./utilities.nix { inherit lib config; };
  inherit (utilities) generateDeviceStrings;
  # Shorthand for the LAN definition. Evaluated lazily, so reading `config`
  # here is fine as long as it is never used inside `imports`.
  lan = config.architect.networks.lan;
in
{
  imports = [
    ./options.nix
    ./backup.nix
    ./hardware.nix
    ./firewall.nix
    ./nginx.nix
    ./gitea.nix
    ./sonarr.nix
    ./radarr.nix
    ./bazarr.nix
    ./nzbget.nix
    ./nextcloud.nix
    ./minio.nix
    ./matrix.nix
    ./fail2ban.nix
    ./dns.nix
    ./minecraft.nix
    ./prowlarr.nix
    ./libreddit.nix
    # ./invidious.nix
    # ./lidarr.nix
    # ./navidrome.nix
    # ./jellyfin.nix
    # ./prosody.nix
    ./deluge.nix
    #./calibre.nix
    ./docker.nix
    # ./keycloak.nix
    # ./runas.nix
    ./tailscale.nix
    # ./searx.nix
    ./plex.nix
    ./headscale.nix
    ./llm.nix
    ./photoprism.nix
  ];

  architect = {
    networks.lan = {
      interface = "enp5s0";
      net = "10.0.0.0/24";
      devices = {
        vodafoneStation = { address = "192.168.1.1"; hostname = "vodafone.station"; };
        architect = { address = "10.0.0.250"; hostname = "architect.${domain}"; };
        router = { address = "10.0.0.1"; hostname = "router.${domain}"; };
        dvr = { address = "10.0.0.3"; hostname = "dvr.${domain}"; };
      };
    };
    # Only SSH is opened from this file, on both the LAN and the VPN side.
    # Presumably each imported service module declares its own ports; verify
    # against ./firewall.nix before assuming nothing else is exposed.
    firewall = {
      openTCP = [ 22 ];
      openTCPVPN = [ 22 ];
    };
  };

  time.timeZone = "Europe/Rome";
  users.users.giulio.openssh.authorizedKeys.keys = pubkeys;

  boot = {
    initrd = {
      availableKernelModules = [ "igc" "r8169" ];
      # SSH into the initrd, presumably to enter the ZFS encryption passphrase
      # remotely (see `zfs.requestEncryptionCredentials` below).
      network = {
        enable = true;
        ssh = {
          enable = true;
          # Same port as the main sshd: if the initrd host key differs from the
          # system's, clients connecting during boot get a host-key mismatch on
          # port 22, which trains users to accept such warnings. A distinct
          # port is the usual way to avoid that.
          port = 22;
          # NOTE(review): a Nix path literal. Confirm the module hands it to the
          # initrd-secrets mechanism rather than interpolating it into a
          # derivation, which would copy the private key into the
          # world-readable Nix store. With systemd-boot the initrd sits on the
          # unencrypted ESP, so anyone with disk access can read this key
          # regardless; treat it as a low-trust key, separate from the main one.
          hostKeys = [ /secrets/ssh_host_rsa_key ];
          authorizedKeys = pubkeys;
        };
      };
    };
    kernelParams = [
      # Static IP for the initrd network stack: client::gateway:netmask::iface:off.
      "ip=${lan.devices.architect.address}::${lan.devices.router.address}:255.255.255.0::${lan.interface}:off"
      "nvme_core.default_ps_max_latency_us=5500"
      # Cap the ZFS ARC at 1 GiB so it does not crowd out the services.
      "zfs_arc_max=1073741824"
      # memmap=size$start reserves this 32M physical range from kernel use.
      # Only `${` starts interpolation in Nix strings, so the `$` is literal.
      "memmap=32M$0x4ca6f9478"
    ];
    kernelPackages = pkgs.linuxPackages;
    # Routing is enabled host-wide; presumably needed for the tailscale /
    # headscale modules. The firewall module is expected to govern what is
    # actually forwarded.
    kernel.sysctl = { "net.ipv4.ip_forward" = 1; };
    loader = {
      systemd-boot = {
        enable = true;
        memtest86.enable = true;
      };
      efi.canTouchEfiVariables = true;
    };
    supportedFilesystems = [ "zfs" ];
    zfs.requestEncryptionCredentials = true;
    tmp.tmpfsSize = "50%";
  };

  networking = {
    hostName = "architect";
    # ZFS requires a stable hostId to import pools.
    hostId = "49350853";
    useDHCP = false;
    defaultGateway = lan.devices.router.address;
    interfaces = {
      ${lan.interface}.ipv4.addresses = [{
        address = lan.devices.architect.address;
        prefixLength = 24;
      }];
      enp6s0.useDHCP = false;
      wlp4s0.useDHCP = false;
    };
    # LAN device names from the table above, followed by telemetry hosts
    # sunk to 0.0.0.0 so local clients cannot resolve them.
    extraHosts = (generateDeviceStrings lan.devices) + ''
      # Blacklist
      0.0.0.0 metrics.plex.tv
      0.0.0.0 analytics.plex.tv
      0.0.0.0 cdn.luckyorange.com
      0.0.0.0 w1.luckyorange.com
      0.0.0.0 browser.sentry-cdn.com
      0.0.0.0 analytics.facebook.com
      0.0.0.0 ads.facebook.com
      0.0.0.0 extmaps-api.yandex.net
      0.0.0.0 logservice.hicloud.com
      0.0.0.0 logbak.hicloud.com
      0.0.0.0 logservice1.hicloud.com
      0.0.0.0 samsung-com.112.2o7.net
      0.0.0.0 supportmetrics.apple.com
      0.0.0.0 analytics.oneplus.cn
      0.0.0.0 click.oneplus.cn
      0.0.0.0 analytics-api.samsunghealthcn.com
    '';
  };

  hardware.opengl = {
    enable = true;
    extraPackages = [ pkgs.vaapiVdpau ];
    driSupport = true;
  };

  services = {
    fwupd.enable = true;
    das_watchdog.enable = true;
    zfs.autoScrub.enable = true;
    xserver.videoDrivers = [ "nvidia" ];
    openssh = {
      enable = true;
      # Key-only authentication: both password and keyboard-interactive
      # methods are off.
      settings = {
        PasswordAuthentication = false;
        KbdInteractiveAuthentication = false;
      };
      # Raised from the OpenSSH default of 6. With key-only auth this mainly
      # lets a client offer more keys per connection before being dropped;
      # failed attempts are still logged for the imported fail2ban module.
      extraConfig = ''
        MaxAuthTries 15
      '';
    };
    smartd.enable = true;
  };

  environment = {
    # Matches the vaapiVdpau driver installed via hardware.opengl above.
    variables = { LIBVA_DRIVER_NAME = "vdpau"; };
    systemPackages = [ pkgs.cachix pkgs.linuxPackages.usbip ];
  };
}