mlaga97/mlaga97-nix
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity
mlaga97-nix/systems/blockhouse/configuration.nix
Lauren Lagarde f6e96617df Major refactor of dotspace config
2025-08-21 22:25:10 -05:00

336 lines
9 KiB
Nix
Executable file
Raw Blame History

{ inputs, self, pkgs, pkgs-unstable, config, ... }: {
# System Info:
# - Model: Custom
# - CPU: AMD Ryzen 9 3900X (12C/24T, Passmark: 2703/32546)
# - RAM: 128GB
# - Storage: Yes
networking.hostName = "blockhouse";
networking.hostId = "ed658529";
system.stateVersion = "23.11";
home-manager = {
users."lauren_lagarde" = {
home.stateVersion = "24.11";
imports = self.homeManagerModules."lauren_lagarde@tui.mlaga97.space";
};
extraSpecialArgs = { inherit self pkgs-unstable; };
};
time.timeZone = "America/Chicago";
sops.defaultSopsFile = ../../secrets.yaml;
imports = [
inputs.sops-nix.nixosModules.sops
inputs.lix-module.nixosModules.default
inputs.home-manager.nixosModules.home-manager
# Core Features
../../nixos/features/base.nix
../../nixos/features/tui-apps.nix
../../nixos/features/openssh-server.nix
# Core Tweaks
../../nixos/tweaks/zram.nix
../../nixos/tweaks/enable_flakes.nix
../../nixos/tweaks/disable_nixos_user.nix
../../nixos/tweaks/systemd-resolved_nonsense.nix
# Dotspace
../../dotspace/configuration.nix
../../nixos/features/stronghold-binary-cache.nix
# Users
../../users/lauren_lagarde/configuration.nix
../../users/ashley_funkhouser/ashley_funkhouser.nix
# Blockhouse Features
../../nixos/tweaks/aarch64-crosscompile.nix
../../nixos/features/gpu/nvidia.nix
../../nixos/features/virtualization/dockge.nix
../../nixos/features/virtualization/docker.nix
../../nixos/features/virtualization/libvirt-host.nix
# Blockhouse
../../nixos/tweaks/zfs.nix
../../nixos/tweaks/disable_firewall.nix
];
##############################################################################
##############################################################################
##############################################################################
# Bootloader / Kernel
boot.loader.efi.canTouchEfiVariables = true;
boot.loader.grub = {
enable = true;
zfsSupport = true;
efiSupport = true;
};
##############################################################################
##############################################################################
##############################################################################
# Local Filesystems
boot.loader.grub.mirroredBoots = [
{
devices = [ "nodev" ];
path = "/boot0";
}
{
devices = [ "nodev" ];
path = "/boot1";
}
];
fileSystems = {
"/" = {
device = "blockhouse-root/root";
fsType = "zfs";
};
"/exports/Archive" = {
device = "Archive/Archive";
fsType = "zfs";
};
"/exports/Archive/Frigate" = {
device = "Archive/Frigate";
fsType = "zfs";
};
"/exports/Archive/Restic" = {
device = "Archive/Restic";
fsType = "zfs";
};
"/exports/Archive/Multimedia" = {
device = "Archive/Multimedia";
fsType = "zfs";
};
"/boot0" = {
device = "/dev/disk/by-uuid/DD98-25C2";
fsType = "vfat";
options = [ "nofail" ];
};
"/boot1" = {
device = "/dev/disk/by-uuid/2F9C-F902";
fsType = "vfat";
options = [ "nofail" ];
};
};
##############################################################################
##############################################################################
##############################################################################
# Services
services.samba = {
enable = true;
openFirewall = true;
settings = {
global = {
"force user" = "nobody";
"force group" = "users";
};
Parlor = {
path = "/exports/Parlor";
comment = "Fast Data Storage";
writable = "yes";
browseable = "yes";
"create mask" = "775";
"force create mode" = "775";
"security mask" = "775";
"force security mode" = "775";
"directory mask" = "2775";
"force directory mode" = "2775";
"directory security mask" = "2775";
"force directory security mode" = "2775";
};
Archive = {
path = "/exports/Archive";
comment = "Vast Data Storage";
writable = "yes";
browseable = "yes";
"create mask" = "0775";
"force create mode" = "0664";
"directory mask" = "0775";
"force directory mode" = "0775";
};
Music = {
path = "/exports/Music";
public = "yes";
writable = "no";
browseable = "yes";
"guest ok" = "yes";
};
};
};
services.apcupsd = {
enable = true;
configText = ''
UPSTYPE net
DEVICE bastion.mlaga97.space:3551
BATTERYLEVEL 50
MINUTES 10
'';
};
services.nix-serve = {
enable = true;
secretKeyFile = "/var/cache-priv-key.pem";
};
services.nginx = {
enable = true;
recommendedProxySettings = true;
virtualHosts = {
"nixos-cache.stronghold.mlaga97.space" = {
locations."/".proxyPass = "http://${config.services.nix-serve.bindAddress}:${toString config.services.nix-serve.port}";
};
};
};
##############################################################################
##############################################################################
##############################################################################
# Users
users.users = {
# System Users
blockhouse = {
isNormalUser = true;
extraGroups = [ "wheel" ];
# TODO: Secret passwords?
};
dotspace = {
isNormalUser = true;
shell = pkgs.shadow;
# TODO: Secret passwords?
};
};
##############################################################################
##############################################################################
##############################################################################
# Networking
# Disable IPv6?
networking.enableIPv6 = false;
boot.kernel.sysctl."net.ipv6.conf.all.disable_ipv6" = true;
networking.useNetworkd = true;
systemd.network = {
enable = true;
# Configure Physical Interfaces
links."10-card0" = {
linkConfig.Name = "card0";
matchConfig.PermanentMACAddress = "6c:92:bf:42:51:c6"; # 10Gb SFP+ NIC
};
# Declare VLAN Interfaces
netdevs."10-card0-vlan-wan" = {
netdevConfig = {
Kind = "vlan";
Name = "card0-wan";
};
vlanConfig.Id = 288;
};
netdevs."10-card0-vlan-cams" = {
netdevConfig = {
Kind = "vlan";
Name = "card0-cams";
};
vlanConfig.Id = 100;
};
# Declare Bridge Interfaces
netdevs."10-br-lan".netdevConfig = {
Kind = "bridge";
Name = "br-lan";
MACAddress = "96:9b:28:22:1f:fa";
};
netdevs."10-br-wan".netdevConfig = {
Kind = "bridge";
Name = "br-wan";
};
netdevs."10-br-cams".netdevConfig = {
Kind = "bridge";
Name = "br-cams";
};
# Add Bridge Members
networks."20-eno0" = {
matchConfig.Name = "eno0";
networkConfig.Bridge = "br-lan";
linkConfig.RequiredForOnline = "enslaved";
};
networks."20-card0" = {
matchConfig.Name = "card0";
networkConfig = {
VLAN = [
"card0-wan"
"card0-cams"
];
Bridge = "br-lan";
};
linkConfig.RequiredForOnline = "enslaved";
};
networks."20-card0-wan" = {
matchConfig.Name = "card0-wan";
networkConfig.Bridge = "br-wan";
};
networks."20-card0-cams" = {
matchConfig.Name = "card0-cams";
networkConfig.Bridge = "br-cams";
};
# Actual Network Configs
networks."30-br-lan" = {
matchConfig.Name = "br-lan";
address = [ "192.168.2.50/24" ];
routes = [ { Gateway = "192.168.2.1"; } ];
networkConfig.IPv6AcceptRA = true;
linkConfig.RequiredForOnline = "routable";
};
# VPNs and Overlays
networks."90-tinc" = {
matchConfig.Name = "tinc.dotspace";
address = [ "10.86.84.104/32" ];
routes = [ { Destination = "10.86.84.0/24"; } ];
};
};
services.tinc.networks.dotspace = {
name = "blockhouse";
ed25519PrivateKeyFile = "/root/tinc/mlaga97space_ed25519_key.priv";
chroot = false;
settings.ConnectTo = [ "fortress" "casemate" "vm_docker_0" "vm_docker_1" "vm_docker_2" ];
};
##############################################################################
##############################################################################
##############################################################################
# Periodic Tasks
# TODO: Systemd services and timers, one day
services.cron = {
enable = true;
mailto = "";
systemCronJobs = [
"* * * * * lauren_lagarde /home/lauren_lagarde/bin/DriveStats"
"* * * * * lauren_lagarde /home/lauren_lagarde/bin/PublishStats"
"0 */6 * * * lauren_lagarde /home/lauren_lagarde/bin/GetNWSMeteogram"
"* * * * * lauren_lagarde /home/lauren_lagarde/bin/GetAllCameraImages"
# Collate LongCam
];
};
}
Reference in a new issue View git blame Copy permalink