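{ config, pkgs, ... }:

let
  # The same pinned key list is installed for gsimmer and root below, so fetch it
  # once.  The sha256 pin means the key file served at gmem.ca cannot change
  # what lands in authorized_keys without a matching edit here.
  authorizedKeys =
    pkgs.lib.splitString "\n" (builtins.readFile (pkgs.fetchurl {
      url = "https://gmem.ca/ssh";
      sha256 = "0iwrm80hsadr0midy0h3da4x0sbci76a92g8f9wnz5pj38gimdi9";
    }));
in
{
  # The upstream n8n module is replaced by a local one (see the imports/flake).
  disabledModules = [ "services/misc/n8n.nix" ];

  imports = [
    # Include the results of the hardware scan.
    ./hardware.nix
  ];

  nix.settings = {
    auto-optimise-store = true;
    experimental-features = [ "nix-command" "flakes" ];
  };

  boot = {
    tmp.cleanOnBoot = true;
    loader = {
      systemd-boot.enable = true;
      efi.canTouchEfiVariables = true;
    };
    supportedFilesystems = [ "zfs" ];
    kernelModules = [ "coretemp" "kvm-amd" "it87" ];
    zfs.extraPools = [ "Primary" ];
  };

  services = {
    coredns = {
      enable = true;
      # Both zones bind tailscale0 only, so this resolver is never reachable
      # from the LAN or the internet regardless of firewall rules.
      # FIXME(review): the template answer below carries no address after
      # "IN A" (probably scrubbed before publishing); as written the git.gmem.ca
      # zone returns an unusable record.
      config = ''
        .:53 {
          cache
          bind tailscale0
        }
        git.gmem.ca {
          cache
          bind tailscale0
          template IN A {
            answer "{{ .Name }} 0 IN A"
          }
        }
      '';
    };

    pipewire = {
      enable = true;
      alsa.enable = true;
      alsa.support32Bit = true;
      pulse.enable = true;
      jack.enable = true;
    };

    zfs.autoScrub.enable = true;
    tailscale.enable = true;

    openssh = {
      enable = true;
      # Port 22 is opened on every interface in networking.firewall below, and
      # SSH keys are the only credential this config provisions (becki has no
      # keys and no declared password), so refuse password and
      # keyboard-interactive logins outright.
      settings = {
        PasswordAuthentication = false;
        KbdInteractiveAuthentication = false;
      };
    };

    xserver.videoDrivers = [ "nvidia" ];

    n8n = {
      enable = true;
      # n8n is reached through the nginx "/n8n/" location (and directly over
      # tailscale0, which the firewall trusts).  Opening its raw listener in the
      # firewall would expose it on the LAN/WAN without nginx in front.
      openFirewall = false;
      webhookUrl = "https://vancouver.scorpion-ghost.ts.net/n8n/";
      settings = {
        editorBaseUrl = "https://vancouver.scorpion-ghost.ts.net/n8n/";
      };
    };

    nfs.server.enable = true;
    samba-wsdd.enable = true;

    samba = {
      enable = true;
      securityType = "user";
      # NOTE(review): "hosts allow = 100." matches all of 100.0.0.0/8, not only
      # the Tailscale CGNAT range (100.64.0.0/10); "hosts deny" is left empty.
      # Tighten if this host ever sees traffic from other 100.x.x.x networks.
      extraConfig = ''
        workgroup = WORKGROUP
        server string = smbnix
        netbios name = smbnix
        security = user
        #use sendfile = yes
        #max protocol = smb2
        # note: localhost is the ipv6 localhost ::1
        hosts allow = 100. 192.168.50. localhost
        hosts deny =
        guest account = nobody
        map to guest = bad user
      '';
      shares = {
        # NOTE(review): guest-writable — any host matching "hosts allow" can
        # write to /Primary/media as the guest account with no credentials.
        # Confirm that is intended; otherwise set "read only" = "yes" or
        # "guest ok" = "no".
        media = {
          path = "/Primary/media";
          browseable = "yes";
          "read only" = "no";
          "guest ok" = "yes";
          "create mask" = "0644";
          "directory mask" = "0755";
        };
        becki = {
          path = "/Primary/becki";
          browseable = "yes";
          "read only" = "no";
          "guest ok" = "no";
          "create mask" = "0644";
          "directory mask" = "0755";
          "admin users" = "becki";
        };
        shared = {
          path = "/Primary/shared";
          browseable = "yes";
          "read only" = "no";
          "guest ok" = "no";
          "create mask" = "0644";
          "directory mask" = "0755";
        };
        gabriel = {
          path = "/Primary/gabriel";
          browseable = "yes";
          "read only" = "no";
          "guest ok" = "no";
          "create mask" = "0644";
          "directory mask" = "0755";
          "admin users" = "gsimmer";
        };
      };
    };

    plex = {
      enable = true;
      openFirewall = true;
    };

    nginx = {
      enable = true;
      recommendedGzipSettings = true;
      recommendedBrotliSettings = true;
      recommendedZstdSettings = true;
      recommendedOptimisation = true;
      recommendedTlsSettings = true;

      # We can only proxy one port with Tailscale Funnel so we abuse locations instead.
      # This vhost is the default, so requests arriving with the *.ts.net Host
      # header from Funnel land here as well.
      virtualHosts."vancouver.gmem.ca" = {
        default = true;
        enableACME = true;
        addSSL = true;
        acmeRoot = null;
        locations."/" = {
          root = "/var/www/";
          extraConfig = ''
            error_page 404 /404.html;
          '';
        };
        locations."/git" = {
          extraConfig = ''
            return 301 $scheme://git.gmem.ca;
          '';
        };
        locations."/n8n/" = {
          # FIXME(review): the upstream URL was scrubbed.  An empty proxyPass
          # renders "proxy_pass ;" and nginx rejects the config at start; set it
          # to the local n8n listener (e.g. "http://127.0.0.1:<n8n-port>/").
          proxyPass = "";
          proxyWebsockets = true; # needed if you need to use WebSocket
          extraConfig = ''
            proxy_pass_header Authorization;
          '';
        };
      };

      virtualHosts."git.gmem.ca" = {
        enableACME = true;
        addSSL = true;
        acmeRoot = null;
        locations."/" = {
          extraConfig = ''
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
          '';
          # FIXME(review): scrubbed upstream, same problem as the "/n8n/"
          # location; should point at the forgejo HTTP_PORT configured below.
          proxyPass = "";
        };
      };
    };

    gitea = {
      enable = true;
      stateDir = "/Primary/gitea";
      package = pkgs.forgejo;
      settings = {
        server = {
          ROOT_URL = "https://git.gmem.ca/";
          HTTP_PORT = 8973;
        };
        service = {
          # Forge is internet-facing via nginx: no self-registration, and
          # session cookies are only ever sent over TLS.
          DISABLE_REGISTRATION = true;
          COOKIE_SECURE = true;
        };
        actions = {
          ENABLED = true;
        };
        federation = {
          ENABLED = true;
        };
      };
    };

    gitea-actions-runner = {
      package = pkgs.forgejo-actions-runner;
      instances = {
        vancouver = {
          name = "vancouver";
          enable = true;
          labels = [
            "debian-latest:docker://node:18-bullseye"
            "nix:docker://nixos/nix"
          ];
          url = "https://git.gmem.ca/";
        };
      };
    };
  };

  networking = {
    hostId = "e1e29bf4";
    hostName = "vancouver";
    domain = "gmem.ca";
    nftables.enable = true;
    firewall = {
      enable = true;
      trustedInterfaces = [ "tailscale0" ];
      checkReversePath = "loose";
      # coredns binds tailscale0 only (see services.coredns) and that interface
      # is trusted above, so port 53 is not opened on the remaining interfaces.
      allowedTCPPorts = [ 22 80 443 ];
      allowedUDPPorts = [ ];
    };
  };

  environment.systemPackages = with pkgs; [
    vim
    wget
    git
    htop
    tailscale
    home-manager
    lm_sensors
    screen
    nix-output-monitor
    cifs-utils
    cloudflared
    bat
    # atuin
  ];

  time.timeZone = "Europe/London";
  nixpkgs.config.allowUnfree = true;

  hardware = {
    opengl.enable = true;
    nvidia.modesetting.enable = true;
    pulseaudio.enable = false;
  };

  programs = {
    zsh.enable = true;
    fish.enable = true;
  };
  environment.shells = with pkgs; [ zsh fish ];

  users.users = {
    gsimmer = {
      shell = pkgs.fish;
      isNormalUser = true;
      home = "/Primary/gabriel";
      # wheel + libvirtd + docker below effectively make this a root-equivalent account.
      extraGroups = [ "wheel" "libvirtd" "qemu-libvirtd" ];
      openssh.authorizedKeys.keys = authorizedKeys;
    };
    becki = {
      shell = pkgs.fish;
      isNormalUser = true;
      home = "/Primary/becki";
    };
    # Direct root SSH with the same key set as gsimmer.
    root.openssh.authorizedKeys.keys = authorizedKeys;
  };

  home-manager.users.gsimmer = { pkgs, ... }: {
    programs.git = {
      userName = "Gabriel Simmer";
      userEmail = "git@gmem.ca";
    };
    programs.bash.enable = false;
    home.stateVersion = "23.05";
  };

  virtualisation = {
    docker.enable = true;
    libvirtd.enable = true;
  };

  sound.enable = true;
  security.rtkit.enable = true;

  security.acme = {
    acceptTerms = true;
    defaults.email = "acme@gmem.ca";
    # Both certs use the Route53 DNS challenge; the credentials file holds the
    # AWS keys and must stay readable by the acme service only.
    certs."git.gmem.ca" = {
      domain = "git.gmem.ca";
      dnsProvider = "route53";
      credentialsFile = "/var/lib/secrets/credentials";
    };
    certs."vancouver.gmem.ca" = {
      domain = "vancouver.gmem.ca";
      dnsProvider = "route53";
      credentialsFile = "/var/lib/secrets/credentials";
    };
  };

  system.stateVersion = "23.05";
}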