Import most of a blockhouse config

This commit is contained in:
Lauren Lagarde 2025-07-01 22:16:30 -05:00
parent bf977166a4
commit 90c2f9d353
1 changed files with 336 additions and 0 deletions


@ -0,0 +1,336 @@
{ config, lib, pkgs, modulesPath, ... }: {
nixpkgs.config.allowUnfree = true;
nix.settings.experimental-features = [ "nix-command" "flakes" ];
##############################################################################
##############################################################################
##############################################################################
# Bootloader / Kernel
boot.supportedFilesystems = [ "ntfs" ];
boot.loader.efi.canTouchEfiVariables = true;
boot.loader.grub = {
enable = true;
zfsSupport = true;
efiSupport = true;
mirroredBoots = [
{
devices = [ "nodev" ];
path = "/boot0";
}
{
devices = [ "nodev" ];
path = "/boot1";
}
];
};
# Activated at 1400 on April 10, 2024
powerManagement.cpuFreqGovernor = "performance";
boot.extraModprobeConfig = ''
# Under low-write conditions, wait up to 30 seconds before committing data to disk
options zfs zfs_txg_timeout=30
# Stupid silent data corruption bug (https://github.com/openzfs/zfs/issues/15933)
options zfs zfs_bclone_enabled=0
options zfs zfs_dmu_offset_next_sync=0
'';
boot.binfmt.emulatedSystems = [ "aarch64-linux" ];
boot.kernel.sysctl."net.ipv6.conf.all.disable_ipv6" = true;
##############################################################################
##############################################################################
##############################################################################
# NVIDIA
hardware.opengl.enable = true;
hardware.opengl.driSupport32Bit = true;
hardware.nvidia = {
modesetting.enable = true;
powerManagement.enable = false;
powerManagement.finegrained = false;
open = false;
package = config.boot.kernelPackages.nvidiaPackages.stable;
nvidiaSettings = true;
};
services.xserver.videoDrivers = [ "nvidia" ];
virtualisation.docker = {
enable = true;
enableNvidia = true;
};
##############################################################################
##############################################################################
##############################################################################
# Filesystems
fileSystems = {
"/" = {
device = "blockhouse-root/root";
fsType = "zfs";
};
"/exports/Archive" = {
device = "Archive/Archive";
fsType = "zfs";
};
"/exports/Archive/Frigate" = {
device = "Archive/Frigate";
fsType = "zfs";
};
"/exports/Archive/Restic" = {
device = "Archive/Restic";
fsType = "zfs";
};
"/exports/Archive/Multimedia" = {
device = "Archive/Multimedia";
fsType = "zfs";
};
"/boot0" = {
device = "/dev/disk/by-uuid/DD98-25C2";
fsType = "vfat";
options = [ "nofail" ];
};
"/boot1" = {
device = "/dev/disk/by-uuid/2F9C-F902";
fsType = "vfat";
options = [ "nofail" ];
};
};
# TODO: Add back dotspace shares
##############################################################################
##############################################################################
##############################################################################
# Services
services.uptimed.enable = true;
services.samba = {
enable = true;
openFirewall = true;
shares = {
Parlor = {
path = "/exports/Parlor";
comment = "Fast Data Storage";
writable = "yes";
browseable = "yes";
"force user" = "nobody";
"force group" = "users";
"create mask" = "775";
"force create mode" = "775";
"security mask" = "775";
"force security mode" = "775";
"directory mask" = "2775";
"force directory mode" = "2775";
"directory security mask" = "2775";
"force directory security mode" = "2775";
};
Archive = {
path = "/exports/Archive";
comment = "Vast Data Storage";
writable = "yes";
browseable = "yes";
"force user" = "nobody";
"force group" = "users";
"create mask" = "0775";
"force create mode" = "0664";
"directory mask" = "0775";
"force directory mode" = "0775";
};
};
};
services.apcupsd = {
enable = true;
configText = ''
UPSTYPE net
DEVICE bastion:3551
BATTERYLEVEL 50
MINUTES 10
'';
};
services.nix-serve = {
enable = true;
secretKeyFile = "/var/cache-priv-key.pem";
};
services.nginx = {
enable = true;
recommendedProxySettings = true;
virtualHosts = {
"nixos-cache.stronghold.mlaga97.space" = {
locations."/".proxyPass = "http://${config.services.nix-serve.bindAddress}:${toString config.services.nix-serve.port}";
};
};
};
##############################################################################
##############################################################################
##############################################################################
# Users
users.mutableUsers = false;
users.users = {
# System Users
blockhouse = {
isNormalUser = true;
extraGroups = [ "wheel" ];
# TODO: Secret passwords?
};
dotspace = {
isNormalUser = true;
shell = pkgs.shadow;
# TODO: Secret passwords?
};
# Human users
lauren_lagarde = {
isNormalUser = true;
description = "Lauren Lagarde";
extraGroups = [ "wheel" "docker" "libvirtd" ];
initialHashedPassword = "$y$j9T$KqTFvSj9TYmRXugVbiSgj.$RbvxcGlY/DbLFioa64ntY5RO4Ym0CMswhegeQj5qHyD";
openssh.authorizedKeys.keys = [
"ssh-rsa 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 lauren@lagarde.dev"
];
};
ashley_funkhouser = {
isNormalUser = true;
description = "Ashley Funkhouser";
extraGroups = [ "wheel" "docker" "libvirtd" ];
initialHashedPassword = "$y$j9T$b.JgT15KeFXOjWQ0gJ7Ae0$n1KSyoAa8E.zI.4WZ6ze.Sk0RqXayZRrZK2319C77W/";
openssh.authorizedKeys.keys = [
"ssh-rsa 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 ajfunk27@gmail.com"
];
};
};
##############################################################################
##############################################################################
##############################################################################
# Network
networking = {
hostName = "blockhouse";
hostId = "ed658529";
enableIPv6 = false;
useNetworkd = true;
firewall.enable = false;
};
services.resolved.extraConfig = "ResolveUnicastSingleLabel=yes";
systemd.network = {
enable = true;
netdevs = {
"20-br0".netdevConfig = {
Kind = "bridge";
Name = "br0";
};
};
networks = {
"30-eno1" = {
matchConfig.Name = "eno1";
networkConfig.Bridge = "br0";
linkConfig.RequiredForOnline = "enslaved";
};
"30-enp37s0" = {
matchConfig.Name = "enp37s0";
networkConfig.Bridge = "br0";
linkConfig.RequiredForOnline = "enslaved";
};
"30-enp40s0" = {
matchConfig.Name = "enp40s0";
networkConfig.Bridge = "br0";
linkConfig.RequiredForOnline = "enslaved";
};
"40-br0" = {
matchConfig.Name = "br0";
bridgeConfig = {};
linkConfig = {
RequiredForOnline = "routable";
};
networkConfig = {
DHCP = "ipv4";
IPv6AcceptRA = true;
};
};
"90-tinc" = {
matchConfig.Name = "tinc.mlaga97spa";
address = [ "10.86.84.104/32" ];
routes = [ { routeConfig = { Destination = "10.86.84.0/24"; }; } ];
};
};
};
services.tinc.networks.mlaga97space = {
name = "blockhouse";
ed25519PrivateKeyFile = "/root/tinc/mlaga97space_ed25519_key.priv";
chroot = false;
settings = {
ConnectTo = [ "fortress" "casemate" "vm_docker_0" "vm_docker_1" "vm_docker_2" ];
};
# TODO: dotspace.nix
};
# Set your time zone.
time.timeZone = "America/Chicago";
##############################################################################
##############################################################################
##############################################################################
# Periodic Tasks
# TODO: Systemd services and timers, one day
services.cron = {
enable = true;
systemCronJobs = [
"* * * * * lauren_lagarde /home/lauren_lagarde/bin/DriveStats"
"* * * * * lauren_lagarde /home/lauren_lagarde/bin/PublishStats"
"0 */6 * * * lauren_lagarde /home/lauren_lagarde/bin/GetNWSMeteogram"
"* * * * * lauren_lagarde /home/lauren_lagarde/bin/GetAllCameraImages"
# Collate LongCam
];
};
##############################################################################
##############################################################################
##############################################################################
# Other Services
virtualisation.libvirtd.enable = true;
services.openssh.enable = true;
services.openssh.settings = {
PermitRootLogin = "no";
StreamLocalBindUnlink = "yes";
};
services.smartd.enable = true;
environment.systemPackages = with pkgs; [
bc git vim btop tmux iotop byobu
cifs-utils samba ffmpeg libvirt tinc_pre restic rclone nixos-generators
];
zramSwap.enable = true;
zramSwap.algorithm = "zstd";
zramSwap.memoryPercent = 200;
system.stateVersion = "23.11";
}
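Review bot: `firewall.enable = false;` in the `networking` block turns off the host firewall entirely, which makes the `openFirewall = true;` on the samba service a no-op and leaves every listener in this file (samba, nginx, nix-serve's own bind address, libvirtd, sshd) reachable on all interfaces, including br0 and the tinc overlay. Unless there is an upstream filter the config does not show, the safer default is `firewall.enable = true;` with the exposed services opened explicitly, e.g. `networking.firewall.allowedTCPPorts = [ 80 ];` for the nginx vhost and `openFirewall` on the individual service modules. Separately, the `initialHashedPassword` values for `lauren_lagarde` and `ashley_funkhouser` are committed in clear in this file, which exposes them to offline guessing by anyone with repository access; since `users.mutableUsers = false;` makes them the effective password, the "TODO: Secret passwords?" comments in the user block could be resolved by pointing `hashedPasswordFile` at a path outside the repository instead. A short comment above `firewall.enable` stating why it is disabled would also help the next reader, e.g. `# Firewall intentionally off: <reason, e.g. filtered upstream>`.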