mlaga97-nix/systems/bastion/configuration.nix

# WARNING: BUILT-IN ETHERNET HARDWARE IS BORKED!!!
# https://xcp-ng.org/docs/networking.html#intel-i218-i219-slow-speed
# https://serverfault.com/questions/581265/disable-tcp-checksum-offloading-on-kvm-virtual-network
{ pkgs, ... }: {
  # System Info:
  # - Model: Dell OptiPlex 7060 Micro
  # - CPU: Intel Core i7-8700T (6C/12T, Passmark: 2301/10172)
  # - RAM: 32GB
  # - Storage:
  #   - PNY CS900 PNY244624111201023FB 1TB SATA SSD
  #   - Samsung 970 EVO Plus S58SNG0MA07159M 500GB NVMe SSD
  #   - WD MyBook 25EE 3145484E3348454E 8TB External HDD

  imports = [
    # Core Features
    ../../nixos/features/base.nix
    ../../nixos/features/tui-apps.nix
    ../../nixos/features/openssh-server.nix

    # Core Tweaks
    ../../nixos/tweaks/zram.nix
    ../../nixos/tweaks/enable_flakes.nix
    ../../nixos/tweaks/disable_nixos_user.nix
    ../../nixos/tweaks/systemd-resolved_nonsense.nix

    # Dotspace
    ../../secrets/dotspace.nix
    ../../secrets/dotspace_shares.nix
    ../../nixos/features/stronghold-binary-cache.nix

    # Users
    ../../users/lauren_lagarde/lauren_lagarde.nix
    ../../users/ashley_funkhouser/ashley_funkhouser.nix

    # Bastion Features
    ../../nixos/features/hardware/yubikey.nix
    ../../nixos/features/networking/networkd-br0.nix
    ../../nixos/features/virtualization/dockge.nix
    ../../nixos/features/virtualization/docker.nix
    ../../nixos/features/virtualization/libvirt-host.nix

    # Bastion Tweaks
    ../../nixos/tweaks/zfs.nix
    ../../nixos/tweaks/disable_firewall.nix

    # Bastion IRL
    ../../nixos/features/gpu/intel.nix
    ../../nixos/tweaks/powersave.nix

    ../../nixos/features/frigate-mpv-cage.nix
  ];

  ##############################################################################
  ##############################################################################
  ##############################################################################
  # Bootloader / Kernel

  boot.loader.efi.canTouchEfiVariables = true;
  boot.loader.grub = {
    enable = true;
    zfsSupport = true;
    efiSupport = true;
  };

  ##############################################################################
  ##############################################################################
  ##############################################################################
  # Local Filesystems

  boot.loader.grub.mirroredBoots = [
    {
      devices = [ "nodev" ];
      path = "/boot0";
    }
    {
      devices = [ "nodev" ];
      path = "/boot1";
    }
  ];

  fileSystems = {
    "/" = {
      device = "bastion-root/root";
      fsType = "zfs";
    };

    "/boot0" = {
      device = "/dev/disk/by-id/nvme-Samsung_SSD_970_EVO_Plus_500GB_S58SNG0MA07159M-part1";
      fsType = "vfat";
      options = [ "nofail" ];
    };
    "/boot1" = {
      device = "/dev/disk/by-id/ata-PNY_CS900_1TB_SSD_PNY244624111201023FB-part1";
      fsType = "vfat";
      options = [ "nofail" ];
    };

    "/exports/Frigate" = {
      device = "bastion-frigate";
      fsType = "zfs";
    };
    "/exports/MyBook" = {
      device = "MyBook/root";
      fsType = "zfs";
      options = [ "nofail" ];
    };
  };

  ##############################################################################
  ##############################################################################
  ##############################################################################
  # Services

  hardware.coral.pcie.enable = true;

  services.apcupsd = {
    enable = true;
    configText = ''
      UPSTYPE usb
      NISIP 0.0.0.0
      BATTERYLEVEL 5
      MINUTES 3
    '';
  };

  services.cron = {
    enable = true;
    mailto = "";
    systemCronJobs = [
      "* * * * *	lauren_lagarde		/home/lauren_lagarde/bin/PublishStats > /dev/null"

      # Sync Restic from Archive to MyBook daily at 0600
      "0 6 * * *  root  /home/lauren_lagarde/bin/SyncRestic > /dev/null"

      # Copy footage from Frigate to MyBook and clear up space on both every 10 minutes
      "*/10 * * * *  root  /home/lauren_lagarde/bin/MaintainFrigate > /dev/null"

      # Grab a still photo from all cameras once per minute
      "* * * * *  root  /home/lauren_lagarde/bin/GetAllCameraImages > /dev/null"

      # TODO: Automatically Collate Camera Images Monthly
    ];
  };

  services.samba = {
    enable = true;
    openFirewall = true;
    settings = {
      Frigate = {
        path = "/exports/Frigate";
        comment = "NVR Local Storage";
        writable = "yes";
        browseable = "yes";

        "force user" = "nobody";
        "force group" = "users";

        "create mask" = "775";
        "force create mode" = "775";
        "security mask" = "775";
        "force security mode" = "775";

        "directory mask" = "2775";
        "force directory mode" = "2775";
        "directory security mask" = "2775";
        "force directory security mode" = "2775";
      };

      MyBook = {
        path = "/exports/MyBook";
        comment = "External Storage";
        writable = "yes";
        browseable = "yes";

        "force user" = "nobody";
        "force group" = "users";

        "create mask" = "775";
        "force create mode" = "775";
        "security mask" = "775";
        "force security mode" = "775";

        "directory mask" = "2775";
        "force directory mode" = "2775";
        "directory security mask" = "2775";
        "force directory security mode" = "2775";
      };
    };
  };

  ##############################################################################
  ##############################################################################
  ##############################################################################
  # Networking

  systemd.network.networks = {
    "30-eno1" = {
      matchConfig.Name = "eno1";
      networkConfig.Bridge = "br0";
      linkConfig.RequiredForOnline = "enslaved";
    };
    "30-enp0s20f0u8" = {
      matchConfig.Name = "enp0s20f0u8";
      networkConfig.Bridge = "br0";
      linkConfig.RequiredForOnline = "enslaved";
    };

    "90-tinc" = {
      matchConfig.Name = "tinc.dotspace";
      address = [ "10.86.84.105/32" ];
      routes = [ { Destination = "10.86.84.0/24"; } ];
    };
  };

  services.tinc.networks.dotspace = {
    name = "bastion";
    ed25519PrivateKeyFile = "/root/tinc/mlaga97space_ed25519_key.priv";

    chroot = false;
    settings.ConnectTo = [ "fortress" "citadel" ];
  };

  ##############################################################################
  ##############################################################################
  ##############################################################################
  # System Users

  users.users = {
    bastion = {
      isNormalUser = true;
      extraGroups = [ "wheel" ];
      initialHashedPassword = "$y$j9T$WThHVbTQdHbv4mI0m4EjK/$LA.4Uf95jD/rJpLVf0kbfH0wFBj4FHCimV6xiDfLOD/";
    };
    dotspace = {
      isNormalUser = true;
      shell = pkgs.shadow;
      initialHashedPassword = "$y$j9T$cH1b/0aafCTaHyWigarb70$bS6WFrbYV4xUZwVtqDCepydOhEol1DqmokBfkGmvRcA";
    };
  };
}