
559 lines
16 KiB
Raw Normal View History

2023-06-26 15:25:26 +01:00
{ config, pkgs, ... }:
2023-06-26 15:25:26 +01:00
imports =
[ # Include the results of the hardware scan.
2023-07-14 16:32:54 +01:00
age.secrets.action-token = {
file = ../../secrets/vancouver-action-runner.age;
owner = "gitea-runner";
2023-09-10 12:04:39 +01:00
age.secrets.restic-b2-credentials = {
file = ../../secrets/vancouver-restic-b2.age;
group = "users";
mode = "770";
age.secrets.restic-password = {
file = ../../secrets/vancouver-restic-password.age;
group = "users";
mode = "770";
2023-09-13 23:01:51 +01:00
age.secrets.healthcheck-ping = {
file = ../../secrets/;
group = "users";
mode = "770";
2023-10-08 22:54:43 +01:00
age.secrets.cloudflare-dns = {
file = ../../secrets/cloudflare-dns.age;
owner = "acme";
2023-06-26 15:25:26 +01:00
nix = {
settings = {
auto-optimise-store = true;
experimental-features = ["nix-command" "flakes"];
boot = {
tmp.cleanOnBoot = true;
loader = {
systemd-boot.enable = true;
efi.canTouchEfiVariables = true;
supportedFilesystems = ["zfs"];
kernelModules = [ "coretemp" "kvm-amd" "it87" ];
zfs.extraPools = ["Primary"];
services = {
2023-09-10 12:04:39 +01:00
restic = {
backups = {
"gsimmer" = {
user = "gsimmer";
environmentFile = config.age.secrets.restic-b2-credentials.path;
repository = "";
paths = [
2023-09-10 21:30:45 +01:00
2023-09-13 23:01:51 +01:00
2023-09-10 12:04:39 +01:00
2023-09-10 21:30:45 +01:00
timerConfig = {
OnCalendar = "daily";
Persistent = true;
2023-09-13 23:01:51 +01:00
RandomizedDelaySec = "6h";
2023-09-10 21:30:45 +01:00
2023-09-13 23:01:51 +01:00
pruneOpts = [
"--keep-daily 7"
"--keep-weekly 5"
"--keep-monthly 12"
"--keep-yearly 75"
2023-09-10 21:30:45 +01:00
passwordFile = config.age.secrets.restic-password.path;
2023-09-13 23:01:51 +01:00
backupPrepareCommand = ''
2023-09-25 10:49:19 +01:00
${pkgs.curl}/bin/curl -fsS -m 10 --retry 5 -o /dev/null $(${pkgs.coreutils}/bin/cat ${config.age.secrets.healthcheck-ping.path})/gsimmer-backup/start
2023-09-13 23:01:51 +01:00
backupCleanupCommand = ''
2023-09-25 10:49:19 +01:00
output="$(journalctl --unit restic-backups-gsimmer.service --since=today --boot --no-pager | ${pkgs.coreutils}/bin/tail --bytes 100000)"
${pkgs.curl}/bin/curl -fsS -m 10 --retry 5 -o /dev/null "$(${pkgs.coreutils}/bin/cat ${config.age.secrets.healthcheck-ping.path})/gsimmer-backup/$?" --data-raw "$output"
2023-09-13 23:01:51 +01:00
2023-09-10 21:30:45 +01:00
"becki" = {
user = "becki";
environmentFile = config.age.secrets.restic-b2-credentials.path;
repository = "";
paths = [
"\"/Primary/becki/VRChat\ Avatars\""
2023-09-10 21:30:45 +01:00
timerConfig = {
OnCalendar = "daily";
Persistent = true;
2023-09-13 23:01:51 +01:00
RandomizedDelaySec = "6h";
pruneOpts = [
"--keep-daily 7"
"--keep-weekly 5"
"--keep-monthly 12"
"--keep-yearly 75"
passwordFile = config.age.secrets.restic-password.path;
initialize = true;
backupPrepareCommand = ''
2023-09-25 10:49:19 +01:00
${pkgs.curl}/bin/curl -fsS -m 10 --retry 5 -o /dev/null $(${pkgs.coreutils}/bin/cat ${config.age.secrets.healthcheck-ping.path})/becki-backup/start
2023-09-13 23:01:51 +01:00
backupCleanupCommand = ''
2023-09-25 10:49:19 +01:00
output="$(journalctl --unit restic-backups-becki.service --since=today --boot --no-pager | ${pkgs.coreutils}/bin/tail --bytes 100000)"
${pkgs.curl}/bin/curl -fsS -m 10 --retry 5 -o /dev/null "$(${pkgs.coreutils}/bin/cat ${config.age.secrets.healthcheck-ping.path})/becki-backup/$?" --data-raw "$output"
2023-09-13 23:01:51 +01:00
"apps" = {
user = "root";
environmentFile = config.age.secrets.restic-b2-credentials.path;
repository = "";
paths = [
timerConfig = {
OnCalendar = "daily";
Persistent = true;
RandomizedDelaySec = "12h";
2023-09-10 21:30:45 +01:00
2023-09-13 23:01:51 +01:00
pruneOpts = [
"--keep-daily 7"
"--keep-weekly 5"
"--keep-monthly 12"
"--keep-yearly 75"
backupPrepareCommand = ''
2023-09-25 10:49:19 +01:00
${pkgs.curl}/bin/curl -fsS -m 10 --retry 5 -o /dev/null $(${pkgs.coreutils}/bin/cat ${config.age.secrets.healthcheck-ping.path})/apps-backup/start
2023-09-13 23:01:51 +01:00
backupCleanupCommand = ''
2023-09-25 10:49:19 +01:00
output="$(journalctl --unit restic-backups-apps.service --since=today --boot --no-pager | ${pkgs.coreutils}/bin/tail --bytes 100000)"
${pkgs.curl}/bin/curl -fsS -m 10 --retry 5 -o /dev/null "$(${pkgs.coreutils}/bin/cat ${config.age.secrets.healthcheck-ping.path})/apps-backup/$?" --data-raw "$output"
2023-09-13 23:01:51 +01:00
2023-09-10 12:04:39 +01:00
passwordFile = config.age.secrets.restic-password.path;
initialize = true;
syncthing = {
enable = true;
overrideDevices = false;
overrideFolders = false;
user = "gsimmer";
dataDir = "/Primary/gabriel";
guiAddress = "";
2023-09-05 17:08:43 +01:00
prometheus.exporters = {
blackbox = {
enable = true;
configFile = "/var/lib/blackbox/config.yml";
node = {
enable = true;
listenAddress = "";
enabledCollectors = [
"systemd" "zfs" "processes"
coredns = {
enable = true;
config =
.:53 {
2023-08-05 13:15:42 +01:00
2023-09-05 17:08:43 +01:00
file /var/src/dns.db
2023-08-05 13:15:42 +01:00
forward .
bind tailscale0
pipewire = {
enable = true;
alsa.enable = true;
alsa.support32Bit = true;
pulse.enable = true;
jack.enable = true;
2023-06-26 15:25:26 +01:00
zfs.autoScrub.enable = true;
tailscale.enable = true;
openssh.enable = true;
xserver.videoDrivers = [ "nvidia" ];
nfs.server.enable = true;
samba-wsdd.enable = true;
samba = {
enable = true;
securityType = "user";
2023-08-15 09:13:41 +01:00
openFirewall = true;
2023-06-26 15:25:26 +01:00
extraConfig = ''
workgroup = WORKGROUP
server string = smbnix
netbios name = smbnix
security = user
#use sendfile = yes
#max protocol = smb2
# note: localhost is the ipv6 localhost ::1
hosts allow = 100. 192.168.50. localhost
hosts deny =
guest account = nobody
map to guest = bad user
shares = {
media = {
path = "/Primary/media";
browseable = "yes";
"read only" = "no";
"guest ok" = "yes";
"create mask" = "0644";
"directory mask" = "0755";
becki = {
path = "/Primary/becki";
browseable = "yes";
"read only" = "no";
"guest ok" = "no";
"create mask" = "0644";
"directory mask" = "0755";
"admin users" = "becki";
shared = {
path = "/Primary/shared";
browseable = "yes";
"read only" = "no";
"guest ok" = "no";
"create mask" = "0644";
"directory mask" = "0755";
gabriel = {
path = "/Primary/gabriel";
browseable = "yes";
"read only" = "no";
"guest ok" = "no";
"create mask" = "0644";
"directory mask" = "0755";
"admin users" = "gsimmer";
plex = {
enable = true;
openFirewall = true;
nginx = {
enable = true;
recommendedGzipSettings = true;
recommendedBrotliSettings = true;
recommendedZstdSettings = true;
recommendedOptimisation = true;
recommendedTlsSettings = true;
2023-07-14 16:32:54 +01:00
# We can only proxy one port with Tailscale Funnel so we abuse locations instead.
virtualHosts."" = {
default = true;
enableACME = true;
addSSL = true;
acmeRoot = null;
locations."/" = {
root = "/var/www/";
extraConfig = ''
error_page 404 /404.html;
2023-07-14 16:32:54 +01:00
virtualHosts."" = {
enableACME = true;
addSSL = true;
acmeRoot = null;
locations."/" = {
extraConfig =
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
client_max_body_size 100M;
proxyPass = "";
virtualHosts."" = {
enableACME = true;
addSSL = true;
acmeRoot = null;
locations."/" = {
extraConfig =
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
client_max_body_size 100M;
proxyPass = "";
virtualHosts."" = {
enableACME = true;
addSSL = true;
acmeRoot = null;
locations."/" = {
extraConfig =
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
client_max_body_size 100M;
proxyPass = "";
2023-07-14 16:32:54 +01:00
gitea = {
enable = true;
stateDir = "/Primary/gitea";
package = pkgs.forgejo;
settings = {
APP_NAME = "Arch's Git Forge";
2023-07-14 16:32:54 +01:00
server = {
ROOT_URL = "";
2023-07-14 16:32:54 +01:00
HTTP_PORT = 8973;
service = {
actions = {
ENABLED = true;
2023-07-19 11:59:28 +01:00
federation = {
ENABLED = true;
2023-09-05 17:08:43 +01:00
metrics = {
ENABLED = true;
"repository.signing" = {
SIGNING_KEY = "default";
INITIAL_COMMIT = "always";
WIKI = "always";
CRUD_ACTIONS = "always";
MERGES = "always";
2023-09-25 10:49:56 +01:00
indexer = {
2023-07-15 18:30:28 +01:00
gitea-actions-runner = {
package = pkgs.forgejo-actions-runner;
2023-07-15 18:30:28 +01:00
instances = {
vancouver = {
name = "vancouver";
enable = true;
labels = [
2023-07-19 11:59:28 +01:00
2023-07-15 18:30:28 +01:00
url = "";
2023-09-07 19:10:23 +01:00
tokenFile = config.age.secrets.action-token.path;
settings = {
cache.port = 4328;
2023-07-15 18:30:28 +01:00
2023-08-25 21:15:33 +01:00
sanoid = {
enable = true;
datasets = {
"Primary/becki" = {
autoprune = true;
autosnap = true;
daily = 4;
monthly = 3;
yearly = 1;
"Primary/gabriel" = {
autoprune = true;
autosnap = true;
daily = 4;
monthly = 3;
yearly = 1;
"Primary/shared" = {
autoprune = true;
autosnap = true;
daily = 2;
monthly = 2;
"Primary/k3scluster" = {
autoprune = true;
autosnap = true;
daily = 2;
monthly = 2;
"Primary/gitea" = {
autoprune = true;
autosnap = true;
daily = 2;
monthly = 2;
2023-06-26 15:25:26 +01:00
networking = {
hostId = "e1e29bf4";
hostName = "vancouver";
domain = "";
firewall = {
trustedInterfaces = ["tailscale0" "virbr0"];
2023-06-26 15:25:26 +01:00
checkReversePath = "loose";
enable = true;
allowedTCPPorts = [ 22 53 80 443 2049 4328 5432 9100 22000 ];
allowedUDPPorts = [ 53 41641 22000 21027 ];
2023-06-26 15:25:26 +01:00
useDHCP = false;
bridges = {
"br0" = {
interfaces = [ "eno1" ];
interfaces.br0.ipv4.addresses = [
address = "";
prefixLength = 24;
defaultGateway = "";
nameservers = ["" ""];
2023-06-26 15:25:26 +01:00
nftables.enable = true;
environment.systemPackages = with pkgs; [
2023-07-14 16:32:54 +01:00
2023-06-26 15:25:26 +01:00
time.timeZone = "Europe/London";
nixpkgs.config.allowUnfree = true;
hardware = {
opengl.enable = true;
nvidia.modesetting.enable = true;
pulseaudio.enable = false;
programs = {
zsh.enable = true;
fish.enable = true;
environment.shells = with pkgs; [ zsh fish ];
users.users = {
gsimmer = {
shell =;
isNormalUser = true;
home = "/Primary/gabriel";
extraGroups = [ "wheel" "libvirtd" "qemu-libvirtd" ];
2023-07-30 22:40:43 +01:00
openssh.authorizedKeys.keys = let
authorizedKeys = pkgs.fetchurl {
url = "";
hash = "sha256-7PpFDgWVfp26c9PuW+2s3O8MBAODtHr4q7WU/l3BoG4=";
2023-07-30 22:40:43 +01:00
in pkgs.lib.splitString "\n" (builtins.readFile
2023-06-26 15:25:26 +01:00
becki = {
shell =;
isNormalUser = true;
home = "/Primary/becki";
root.openssh.authorizedKeys.keys = let
authorizedKeys = pkgs.fetchurl {
url = "";
hash = "sha256-7PpFDgWVfp26c9PuW+2s3O8MBAODtHr4q7WU/l3BoG4=";
in pkgs.lib.splitString "\n" (builtins.readFile
2023-06-26 15:25:26 +01:00
home-manager.users.gsimmer = { pkgs, ... }: {
programs.git = {
userName = "Gabriel Simmer";
userEmail = "";
programs.bash.enable = false;
home.stateVersion = "23.05";
virtualisation = {
docker = {
enable = true;
2023-08-05 13:16:29 +01:00
rootless = {
enable = true;
setSocketVariable = true;
2023-06-26 15:25:26 +01:00
libvirtd.enable = true;
2023-09-05 17:08:43 +01:00
virtualisation.oci-containers.containers = {
speedtest = {
image = "";
ports = [ "9798:9798" ];
2023-06-26 15:25:26 +01:00
sound.enable = true;
security.rtkit.enable = true;
security.acme.acceptTerms = true; = "";
security.acme.certs."" = {
2023-08-05 13:15:42 +01:00
domain = "*";
2023-10-08 22:54:43 +01:00
dnsProvider = "cloudflare";
credentialsFile = config.age.secrets.cloudflare-dns.path;
2023-06-26 15:25:26 +01:00
security.acme.certs."" = {
domain = "";
2023-10-08 22:54:43 +01:00
dnsProvider = "cloudflare";
credentialsFile = config.age.secrets.cloudflare-dns.path;
security.acme.certs."" = {
domain = "";
2023-10-08 22:54:43 +01:00
dnsProvider = "cloudflare";
credentialsFile = config.age.secrets.cloudflare-dns.path;
security.acme.certs."" = {
domain = "";
2023-10-08 22:54:43 +01:00
dnsProvider = "cloudflare";
credentialsFile = config.age.secrets.cloudflare-dns.path;
2023-06-26 15:25:26 +01:00
system.stateVersion = "23.05";