nixos/hosts/architect/default.nix

# Edit this configuration file to define what should be installed on
# your system.  Help is available in the configuration.nix(5) man page
# and in the NixOS manual (accessible by running ‘nixos-help’).

{ config, pkgs, variables, ... }:

with import ./network.nix;
let
  unstable = import <nixos-unstable> {};
  pubkeys     = ["ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQC1we38/N+t8Ah5yrLof8QUwhrob7/VXFKIddaJeOVBLuDVnW7ljiAtdtEiL69D/DV4Ohmt5wMvkAAjfuHmim6FD9A6lzPbSU4KH9W2dcckszKbbI636kuDwem/xui6BW3wJa6P+0xW5ksygEAkzcK2PXuC2b4B9uwhuUdKahiGMKDxISG/WianqAe72cGMfNkYvion3Y1VsMLUdm48d2ABnxNpr7NI9B5iJ8dziOft9gpgfz13CCQRlReo75gk/4xI+vSNrQp7eR+wzJy2/dZg/T8jtyA9Q6jVxrxBpqQ1LNXkAKaJkGo9OabF6Wgpzp+YTAurL4nwR2NaJxwFuyoKvACQy0ai4jrS3206gC6JXZv8ktZMZrwUN+jPqCwfgh5qObFkAqKCxbp52ioDek2MQLdOvzQBX//DBhGEp5rzHGLZ3vhRIiiQiaof5sF5zWiYDW5mqezSPNxJPX/BrTP/Wbs/jpwTLBh3wytiia0S1WXQmya89bqzTPFiDWvTRA62EVKB/JaQtPQQOFAxWwg799DMycPeZ81xttZOyMtI/MZSddyqx2S8fWGwvToZQvuZ38mSIpFseLM1IkgabRIrAmat5SBNGGy9Dqa0eMEa7bwIY/4CMB1y6HMTnaoMXA6cnQfHMoB/zyTZ6oTXIeqeOyiZsK+RN0Mvahj8mXi7dw== giulio@giulio-X230"];
  hostname    = "architect";
in 
  {
    imports =
      [ # Include the results of the hardware scan.
      ./hardware.nix
      ../../variables.nix
      ../../common.nix
      ../../users.nix
      ./firewall.nix
      ./nginx.nix
      ./gitea.nix
      ./sonarr.nix
      ./radarr.nix
      ./bazarr.nix
      ./nzbget.nix
      ./jellyfin.nix
    ];

    variables.hostname                             = hostname;
    time.timeZone                                  = "Europe/Rome";
    system.stateVersion                            = "21.05"; # Did you read the comment?
    users.users.giulio.openssh.authorizedKeys.keys = pubkeys;

    boot = {
      kernelParams = ["ip=${architect-lan}::10.0.0.1:255.255.255.0::${wan-if}:off"];

      initrd = {
        availableKernelModules = ["igc" "r8169"];
        network = {
          enable = true;
          ssh = {
            enable         = true;
            port           = 22;
            hostKeys       = [/boot/ssh_host_rsa_key];
            authorizedKeys = pubkeys;
          };

          postCommands = ''
            zpool import backedpool
            zpool import zpool

            mkdir /mnt-root
            echo "zfs load-key -ar; mount -t zfs zpool/nixos/root /mnt-root; zfs load-key -a; umount /mnt-root; rmdir /mnt-root; killall zfs" >> /root/.profile
          '';
        };
      };

      loader = {
        systemd-boot.enable      = true;
        efi.canTouchEfiVariables = true;
      };

      supportedFilesystems             = ["zfs"];
      zfs.requestEncryptionCredentials = true;
    };

    networking = {
      hostName       = hostname;
      hostId         = "49350853";
      useDHCP        = false;
      defaultGateway = "10.0.0.1";
      interfaces     = {
        enp5s0.ipv4.addresses = [{ address = architect-lan; prefixLength = 24; }];
        enp6s0.useDHCP = false;
        wlp4s0.useDHCP = false;
      };
      extraHosts = ''
        127.0.0.1      ${hostname}.devs.giugl.io localhost

        # LAN
        ${architect-lan} ${hostname}.devs.giugl.io

        10.0.0.1       router.devs.giugl.io
        ${dvr-lan}      dvr.devs.giugl.io
        ${nas-lan}      nas.devs.giugl.io

        # Wireguard hosts
        ${architect-wg} ${hostname}.devs.giugl.io
        ${galuminum-wg}        galuminum.devs.giugl.io
        ${oneplus-wg}  oneplus.devs.giugl.io
        ${ipad-wg}     ipad.devs.giugl.io
        ${manduria-wg} manduria.devs.giugl.io
        ${antonio-wg}  antonio.devs.giugl.io
        ${gbeast-wg}   gbeast.devs.giugl.io
        ${parisaphone-wg}      parisa-phone.devs.giugl.io
        ${parisapc-wg} parisa-pc.devs.giugl.io
        ${peppiniell-wg}       peppiniell.devs.giugl.io
        ${padulino-wg} padulino.devs.giugl.io
        ${shield-wg}   shield.devs.giugl.io
        ${angelino-wg} angelino.devs.giugl.io
        ${pepos_one-wg}        peposone.devs.giugl.io
        ${pepos_two-wg}        pepostwo.devs.giugl.io
        ${eleonora-wg} eleonora.devs.giugl.io
        ${broccolino-wg}       broccolino.devs.giugl.io
        ${hotpottino-wg}       hotpottino.devs.giugl.io

        # Blacklist
        0.0.0.0                metrics.plex.tv
        0.0.0.0                analytics.plex.tv
        0.0.0.0                cdn.luckyorange.com
        0.0.0.0                w1.luckyorange.com
        0.0.0.0                browser.sentry-cdn.com
        0.0.0.0                analytics.facebook.com
        0.0.0.0                ads.facebook.com
        0.0.0.0                extmaps-api.yandex.net
        0.0.0.0                logservice.hicloud.com
        0.0.0.0                logbak.hicloud.com
        0.0.0.0                logservice1.hicloud.com
        0.0.0.0                samsung-com.112.2o7.net
        0.0.0.0                supportmetrics.apple.com
        0.0.0.0                analytics.oneplus.cn
        0.0.0.0                click.oneplus.cn
        0.0.0.0        analytics-api.samsunghealthcn.com

        # The following lines are desirable for IPv6 capable hosts
        ::1     localhost ip6-localhost ip6-loopback
        ff02::1 ip6-allnodes
        ff02::2 ip6-allrouters
      '';
    };

    environment.systemPackages = with pkgs;
    [
      openiscsi
      wireguard
      cudatoolkit
    ];

    hardware = {
      cpu.amd.updateMicrocode = true;
      opengl.enable = true;
      opengl.extraPackages= with pkgs; [vaapiVdpau];
      opengl.driSupport = true;
    };

    services = {
      zfs.autoScrub.enable = true;
      xserver.videoDrivers = [ "nvidia" ];
      openssh.enable = true;
      mysql.enable = true;
      mysql.package = with pkgs; mysql80;

      dnsmasq = {
        enable      = true;
        servers     = ["127.0.0.1#5353"];
        extraConfig = ''
            localise-queries
        '';
      };

      dnscrypt-proxy2 = {
        enable = true;
        settings = {
          listen_addresses   = ["127.0.0.1:5353"];
          ipv4_servers       = true;
          ipv6_servers       = false;
          dnscrypt_servers   = true;
          doh_servers        = true;
          require_nolog      = true;
          require_nofilter   = true;
          timeout            = 350;
          lb_strategy        = "p4";
          lb_estimator       = true;
          ignore_system_dns  = true;
          fallback_resolvers = ["1.1.1.1:53" "9.9.9.9:53"];
        };
      };
    };

    environment.variables = {
      LIBVA_DRIVER_NAME="vdpau";
    };
  }