From 90c2f9d353e15a996475d5ea105f3b3a0b4d1536 Mon Sep 17 00:00:00 2001
From: Lauren Lagarde
Date: Tue, 1 Jul 2025 22:16:30 -0500
Subject: [PATCH] Import most of a blockhouse config

---
 systems/blockhouse/configuration.nix | 336 +++++++++++++++++++++++++++
 1 file changed, 336 insertions(+)
 create mode 100755 systems/blockhouse/configuration.nix

diff --git a/systems/blockhouse/configuration.nix b/systems/blockhouse/configuration.nix
new file mode 100755
index 0000000..a23c8f8
--- /dev/null
+++ b/systems/blockhouse/configuration.nix
@@ -0,0 +1,336 @@
+{ config, lib, pkgs, modulesPath, ... }: {
+
+ nixpkgs.config.allowUnfree = true;
+ nix.settings.experimental-features = [ "nix-command" "flakes" ];
+
+ ##############################################################################
+ ##############################################################################
+ ##############################################################################
+ # Bootloader / Kernel
+
+ boot.supportedFilesystems = [ "ntfs" ];
+ boot.loader.efi.canTouchEfiVariables = true;
+ boot.loader.grub = {
+ enable = true;
+ zfsSupport = true;
+ efiSupport = true;
+ mirroredBoots = [
+ {
+ devices = [ "nodev" ];
+ path = "/boot0";
+ }
+ {
+ devices = [ "nodev" ];
+ path = "/boot1";
+ }
+ ];
+ };
+
+ # Activated at 1400 on April 10, 2024
+ powerManagement.cpuFreqGovernor = "performance";
+
+ boot.extraModprobeConfig = ''
+ # Under low-write conditions, wait up to 30 seconds before committing data to disk
+ options zfs zfs_txg_timeout=30
+
+ # Stupid silent data corruption bug (https://github.com/openzfs/zfs/issues/15933)
+ options zfs zfs_bclone_enabled=0
+ options zfs zfs_dmu_offset_next_sync=0
+ '';
+
+ boot.binfmt.emulatedSystems = [ "aarch64-linux" ];
+
+ boot.kernel.sysctl."net.ipv6.conf.all.disable_ipv6" = true;
+
+ ##############################################################################
+ ##############################################################################
+ ##############################################################################
+ # NVIDIA
+
+ hardware.opengl.enable = true;
+ hardware.opengl.driSupport32Bit = true;
+ hardware.nvidia = {
+ modesetting.enable = true;
+ powerManagement.enable = false;
+ powerManagement.finegrained = false;
+ open = false;
+ package = config.boot.kernelPackages.nvidiaPackages.stable;
+ nvidiaSettings = true;
+ };
+ services.xserver.videoDrivers = [ "nvidia" ];
+ virtualisation.docker = {
+ enable = true;
+ enableNvidia = true;
+ };
+
+ ##############################################################################
+ ##############################################################################
+ ##############################################################################
+ # Filesystems
+
+ fileSystems = {
+ "/" = {
+ device = "blockhouse-root/root";
+ fsType = "zfs";
+ };
+
+ "/exports/Archive" = {
+ device = "Archive/Archive";
+ fsType = "zfs";
+ };
+ "/exports/Archive/Frigate" = {
+ device = "Archive/Frigate";
+ fsType = "zfs";
+ };
+ "/exports/Archive/Restic" = {
+ device = "Archive/Restic";
+ fsType = "zfs";
+ };
+ "/exports/Archive/Multimedia" = {
+ device = "Archive/Multimedia";
+ fsType = "zfs";
+ };
+
+ "/boot0" = {
+ device = "/dev/disk/by-uuid/DD98-25C2";
+ fsType = "vfat";
+ options = [ "nofail" ];
+ };
+ "/boot1" = {
+ device = "/dev/disk/by-uuid/2F9C-F902";
+ fsType = "vfat";
+ options = [ "nofail" ];
+ };
+ };
+
+ # TODO: Add back dotspace shares
+
+ ##############################################################################
+ ##############################################################################
+ ##############################################################################
+ # Services
+
+ services.uptimed.enable = true;
+
+ services.samba = {
+ enable = true;
+ openFirewall = true;
+ shares = {
+ Parlor = {
+ path = "/exports/Parlor";
+ comment = "Fast Data Storage";
+ writable = "yes";
+ browseable = "yes";
+
+ "force user" = "nobody";
+ "force group" = "users";
+
+ "create mask" = "775";
+ "force create mode" = "775";
+ "security mask" = "775";
+ "force security mode" = "775";
+
+ "directory mask" = "2775";
+ "force directory mode" = "2775";
+ "directory security mask" = "2775";
+ "force directory security mode" = "2775";
+ };
+ Archive = {
+ path = "/exports/Archive";
+ comment = "Vast Data Storage";
+ writable = "yes";
+ browseable = "yes";
+
+ "force user" = "nobody";
+ "force group" = "users";
+ "create mask" = "0775";
+ "force create mode" = "0664";
+ "directory mask" = "0775";
+ "force directory mode" = "0775";
+ };
+ };
+ };
+
+ services.apcupsd = {
+ enable = true;
+ configText = ''
+ UPSTYPE net
+ DEVICE bastion:3551
+ BATTERYLEVEL 50
+ MINUTES 10
+ '';
+ };
+
+ services.nix-serve = {
+ enable = true;
+ secretKeyFile = "/var/cache-priv-key.pem";
+ };
+
+ services.nginx = {
+ enable = true;
+ recommendedProxySettings = true;
+ virtualHosts = {
+ "nixos-cache.stronghold.mlaga97.space" = {
+ locations."/".proxyPass = "http://${config.services.nix-serve.bindAddress}:${toString config.services.nix-serve.port}";
+ };
+ };
+ };
+
+ ##############################################################################
+ ##############################################################################
+ ##############################################################################
+ # Users
+
+ users.mutableUsers = false;
+ users.users = {
+ # System Users
+ blockhouse = {
+ isNormalUser = true;
+ extraGroups = [ "wheel" ];
+ # TODO: Secret passwords?
+ };
+ dotspace = {
+ isNormalUser = true;
+ shell = pkgs.shadow;
+ # TODO: Secret passwords?
+ };
+
+ # Human users
+ lauren_lagarde = {
+ isNormalUser = true;
+ description = "Lauren Lagarde";
+ extraGroups = [ "wheel" "docker" "libvirtd" ];
+ initialHashedPassword = "$y$j9T$KqTFvSj9TYmRXugVbiSgj.$RbvxcGlY/DbLFioa64ntY5RO4Ym0CMswhegeQj5qHyD";
+ openssh.authorizedKeys.keys = [
+ "ssh-rsa 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 lauren@lagarde.dev"
+ ];
+ };
+ ashley_funkhouser = {
+ isNormalUser = true;
+ description = "Ashley Funkhouser";
+ extraGroups = [ "wheel" "docker" "libvirtd" ];
+ initialHashedPassword = "$y$j9T$b.JgT15KeFXOjWQ0gJ7Ae0$n1KSyoAa8E.zI.4WZ6ze.Sk0RqXayZRrZK2319C77W/";
+ openssh.authorizedKeys.keys = [
+ "ssh-rsa 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 ajfunk27@gmail.com"
+ ];
+ };
+ };
+
+ ##############################################################################
+ ##############################################################################
+ ##############################################################################
+ # Network
+
+ networking = {
+ hostName = "blockhouse";
+ hostId = "ed658529";
+
+ enableIPv6 = false;
+ useNetworkd = true;
+ firewall.enable = false;
+ };
+
+ services.resolved.extraConfig = "ResolveUnicastSingleLabel=yes";
+
+ systemd.network = {
+ enable = true;
+ netdevs = {
+ "20-br0".netdevConfig = {
+ Kind = "bridge";
+ Name = "br0";
+ };
+ };
+ networks = {
+ "30-eno1" = {
+ matchConfig.Name = "eno1";
+ networkConfig.Bridge = "br0";
+ linkConfig.RequiredForOnline = "enslaved";
+ };
+ "30-enp37s0" = {
+ matchConfig.Name = "enp37s0";
+ networkConfig.Bridge = "br0";
+ linkConfig.RequiredForOnline = "enslaved";
+ };
+ "30-enp40s0" = {
+ matchConfig.Name = "enp40s0";
+ networkConfig.Bridge = "br0";
+ linkConfig.RequiredForOnline = "enslaved";
+ };
+
+ "40-br0" = {
+ matchConfig.Name = "br0";
+ bridgeConfig = {};
+ linkConfig = {
+ RequiredForOnline = "routable";
+ };
+ networkConfig = {
+ DHCP = "ipv4";
+ IPv6AcceptRA = true;
+ };
+ };
+
+ "90-tinc" = {
+ matchConfig.Name = "tinc.mlaga97spa";
+ address = [ "10.86.84.104/32" ];
+ routes = [ { routeConfig = { Destination = "10.86.84.0/24"; }; } ];
+ };
+ };
+ };
+
+ services.tinc.networks.mlaga97space = {
+ name = "blockhouse";
+ ed25519PrivateKeyFile = "/root/tinc/mlaga97space_ed25519_key.priv";
+
+ chroot = false;
+ settings = {
+ ConnectTo = [ "fortress" "casemate" "vm_docker_0" "vm_docker_1" "vm_docker_2" ];
+ };
+ # TODO: dotspace.nix
+ };
+
+ # Set your time zone.
+ time.timeZone = "America/Chicago";
+
+ ##############################################################################
+ ##############################################################################
+ ##############################################################################
+ # Periodic Tasks
+ # TODO: Systemd services and timers, one day
+
+ services.cron = {
+ enable = true;
+ systemCronJobs = [
+ "* * * * * lauren_lagarde /home/lauren_lagarde/bin/DriveStats"
+ "* * * * * lauren_lagarde /home/lauren_lagarde/bin/PublishStats"
+ "0 */6 * * * lauren_lagarde /home/lauren_lagarde/bin/GetNWSMeteogram"
+ "* * * * * lauren_lagarde /home/lauren_lagarde/bin/GetAllCameraImages"
+ # Collate LongCam
+ ];
+ };
+
+ ##############################################################################
+ ##############################################################################
+ ##############################################################################
+ # Other Services
+
+ virtualisation.libvirtd.enable = true;
+
+ services.openssh.enable = true;
+ services.openssh.settings = {
+ PermitRootLogin = "no";
+ StreamLocalBindUnlink = "yes";
+ };
+
+ services.smartd.enable = true;
+
+ environment.systemPackages = with pkgs; [
+ bc git vim btop tmux iotop byobu
+ cifs-utils samba ffmpeg libvirt tinc_pre restic rclone nixos-generators
+ ];
+
+ zramSwap.enable = true;
+ zramSwap.algorithm = "zstd";
+ zramSwap.memoryPercent = 200;
+
+ system.stateVersion = "23.11";
+}
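Review bot: The `initialHashedPassword` literals on the lauren_lagarde and ashley_funkhouser users are evaluated into the module and therefore land in the world-readable Nix store as well as in git history, which the two `# TODO: Secret passwords?` comments on the system users already gesture at; with `users.mutableUsers = false` the cleaner form is `hashedPasswordFile = "<path-outside-store>";` (placeholder), keeping the hashes off the store the same way `services.nix-serve.secretKeyFile` and the tinc `ed25519PrivateKeyFile` already do. Two exposure points in the same hunk deserve at least a comment: `networking.firewall.enable = false` makes `services.samba.openFirewall = true` a no-op and leaves Samba, nginx, nix-serve and libvirt reachable on every interface enslaved to br0, and `services.openssh.settings` sets `PermitRootLogin` but not `PasswordAuthentication = false`, so password logins stay enabled (the NixOS default) next to the authorized keys. If the firewall is deliberately off because this host is only reached over the bridge/tinc segment, a one-line comment above `firewall.enable = false;` saying so would stop a later reader from "fixing" it. The hunk is the entire new file, so nothing is cut off at either edge.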