{ inputs, self, pkgs, pkgs-unstable, ... }: { # System Info: # - Model: Dell OptiPlex 7060 Micro # - CPU: Intel Core i7-8700T (6C/12T, Passmark: 2301/10172) # - RAM: 32GB # - Storage: # - PNY CS900 PNY244624111201023FB 1TB SATA SSD # - Samsung 970 EVO Plus S58SNG0MA07159M 500GB NVMe SSD # - WD MyBook 25EE 3145484E3348454E 8TB External HDD # # WARNING: BUILT-IN ETHERNET HARDWARE IS BORKED!!! # https://xcp-ng.org/docs/networking.html#intel-i218-i219-slow-speed # https://serverfault.com/questions/581265/disable-tcp-checksum-offloading-on-kvm-virtual-network networking.hostName = "bastion"; networking.hostId = "0d13f99b"; system.stateVersion = "24.11"; home-manager = { users."lauren_lagarde" = { home.stateVersion = "24.11"; imports = self.homeManagerModules."lauren_lagarde@tui.mlaga97.space"; }; extraSpecialArgs = { inherit self pkgs-unstable; }; }; time.timeZone = "America/Chicago"; sops.defaultSopsFile = ../../secrets.yaml; imports = [ inputs.sops-nix.nixosModules.sops inputs.lix-module.nixosModules.default inputs.home-manager.nixosModules.home-manager # Core Features ../../nixos/features/base.nix ../../nixos/features/tui-apps.nix ../../nixos/features/openssh-server.nix # Core Tweaks ../../nixos/tweaks/zram.nix ../../nixos/tweaks/enable_flakes.nix ../../nixos/tweaks/disable_nixos_user.nix ../../nixos/tweaks/systemd-resolved_nonsense.nix # Dotspace ../../dotspace/configuration.nix ../../nixos/features/stronghold-binary-cache.nix # Users ../../users/lauren_lagarde/configuration.nix ../../users/ashley_funkhouser/ashley_funkhouser.nix # Bastion Features ../../nixos/features/hardware/yubikey.nix ../../nixos/features/virtualization/dockge.nix ../../nixos/features/virtualization/docker.nix ../../nixos/features/virtualization/libvirt-host.nix # Bastion Tweaks ../../nixos/tweaks/zfs.nix ../../nixos/tweaks/disable_firewall.nix # Bastion IRL ../../nixos/features/gpu/intel.nix ../../nixos/tweaks/powersave.nix ../../nixos/features/frigate-mpv-cage.nix ]; ############################################################################## ############################################################################## ############################################################################## # Bootloader / Kernel boot.loader.efi.canTouchEfiVariables = true; boot.loader.grub = { enable = true; zfsSupport = true; efiSupport = true; }; ############################################################################## ############################################################################## ############################################################################## # Local Filesystems boot.loader.grub.mirroredBoots = [ { devices = [ "nodev" ]; path = "/boot0"; } { devices = [ "nodev" ]; path = "/boot1"; } ]; fileSystems = { "/" = { device = "bastion-root/root"; fsType = "zfs"; }; "/boot0" = { device = "/dev/disk/by-id/nvme-Samsung_SSD_970_EVO_Plus_500GB_S58SNG0MA07159M-part1"; fsType = "vfat"; options = [ "nofail" ]; }; "/boot1" = { device = "/dev/disk/by-id/ata-PNY_CS900_1TB_SSD_PNY244624111201023FB-part1"; fsType = "vfat"; options = [ "nofail" ]; }; "/exports/Frigate" = { device = "bastion-frigate"; fsType = "zfs"; }; "/exports/MyBook" = { device = "MyBook/root"; fsType = "zfs"; options = [ "nofail" ]; }; }; ############################################################################## ############################################################################## ############################################################################## # Services hardware.coral.pcie.enable = true; services.apcupsd = { enable = true; configText = '' UPSTYPE usb NISIP 0.0.0.0 BATTERYLEVEL 5 MINUTES 3 ''; }; services.cron = { enable = true; mailto = ""; systemCronJobs = [ "* * * * * lauren_lagarde /home/lauren_lagarde/bin/PublishStats > /dev/null" # Sync Restic from Archive to MyBook daily at 0600 "0 6 * * * root /home/lauren_lagarde/bin/SyncRestic > /dev/null" # Copy footage from Frigate to MyBook and clear up space on both every 10 minutes "*/10 * * * * root /home/lauren_lagarde/bin/MaintainFrigate > /dev/null" # Grab a still photo from all cameras once per minute "* * * * * root /home/lauren_lagarde/bin/GetAllCameraImages > /dev/null" # TODO: Automatically Collate Camera Images Monthly ]; }; services.samba = { enable = true; openFirewall = true; settings = { Frigate = { path = "/exports/Frigate"; comment = "NVR Local Storage"; writable = "yes"; browseable = "yes"; "force user" = "nobody"; "force group" = "users"; "create mask" = "775"; "force create mode" = "775"; "security mask" = "775"; "force security mode" = "775"; "directory mask" = "2775"; "force directory mode" = "2775"; "directory security mask" = "2775"; "force directory security mode" = "2775"; }; MyBook = { path = "/exports/MyBook"; comment = "External Storage"; writable = "yes"; browseable = "yes"; "force user" = "nobody"; "force group" = "users"; "create mask" = "775"; "force create mode" = "775"; "security mask" = "775"; "force security mode" = "775"; "directory mask" = "2775"; "force directory mode" = "2775"; "directory security mask" = "2775"; "force directory security mode" = "2775"; }; }; }; ############################################################################## ############################################################################## ############################################################################## # Networking networking.useNetworkd = true; systemd.network = { enable = true; # Configure Physical Interfaces links."10-usb0" = { linkConfig.Name = "usb0"; matchConfig.PermanentMACAddress = "8c:ae:4c:dd:f7:aa"; # 2.5Gb USB NIC }; # Declare VLAN Interfaces netdevs."10-usb0-vlan-wan" = { netdevConfig = { Kind = "vlan"; Name = "usb0"; }; vlanConfig.Id = 288; }; # Declare Bridge Interfaces netdevs."10-br-lan".netdevConfig = { Kind = "bridge"; Name = "br-lan"; MACAddress = "56:66:4b:dd:9b:0e"; }; netdevs."10-br-wan".netdevConfig = { Kind = "bridge"; Name = "br-wan"; }; # Add Bridge Members networks."20-eno0" = { matchConfig.Name = "eno0"; networkConfig.Bridge = "br-lan"; linkConfig.RequiredForOnline = "enslaved"; }; networks."20-usb0" = { matchConfig.Name = "usb0"; networkConfig = { VLAN = [ "usb0-wan" ]; Bridge = "br-lan"; }; linkConfig.RequiredForOnline = "enslaved"; }; networks."20-usb0-wan" = { matchConfig.Name = "usb0-wan"; networkConfig.Bridge = "br-wan"; }; # Actual Network Configs networks."30-br-lan" = { matchConfig.Name = "br-lan"; address = [ "192.168.2.51/24" ]; routes = [ { Gateway = "192.168.2.1"; } ]; networkConfig.IPv6AcceptRA = true; linkConfig.RequiredForOnline = "routable"; }; networks."90-tinc" = { matchConfig.Name = "tinc.dotspace"; address = [ "10.86.84.105/32" ]; routes = [ { Destination = "10.86.84.0/24"; } ]; }; }; services.tinc.networks.dotspace = { name = "bastion"; ed25519PrivateKeyFile = "/root/tinc/mlaga97space_ed25519_key.priv"; chroot = false; settings.ConnectTo = [ "fortress" "citadel" ]; }; ############################################################################## ############################################################################## ############################################################################## # System Users users.users = { bastion = { isNormalUser = true; extraGroups = [ "wheel" ]; initialHashedPassword = "$y$j9T$WThHVbTQdHbv4mI0m4EjK/$LA.4Uf95jD/rJpLVf0kbfH0wFBj4FHCimV6xiDfLOD/"; }; dotspace = { isNormalUser = true; shell = pkgs.shadow; initialHashedPassword = "$y$j9T$cH1b/0aafCTaHyWigarb70$bS6WFrbYV4xUZwVtqDCepydOhEol1DqmokBfkGmvRcA"; }; }; }