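{ config, pkgs, ... }:

let
  # One copy of the fetched authorized_keys list, shared by gsimmer and root.
  # NOTE(review): the original file fetched this same URL twice with two
  # different sha256 hashes (0vm0q5fz… for gsimmer, 0iwrm80h… for root). A
  # fixed-output fetch can only match one content, so at least one of the two
  # entries would fail on a fresh build. The gsimmer hash is kept here —
  # confirm it matches the current file, and update it in this one place.
  sshKeys = pkgs.lib.splitString "\n" (builtins.readFile (pkgs.fetchurl {
    url = "https://gmem.ca/ssh";
    sha256 = "0vm0q5fzx55mmgw7md430c20rvywmknmpvnkffx9szlm0l74bypc";
  }));

  # Headers passed to every proxied upstream (git, request-media, flood).
  proxyHeaders = ''
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    client_max_body_size 100M;
  '';

  # A TLS vhost whose cert comes from the DNS-01 entries under
  # security.acme.certs (hence acmeRoot = null), proxying "/" to `upstream`.
  proxiedHost = upstream: {
    enableACME = true;
    addSSL = true;
    acmeRoot = null;
    locations."/" = {
      extraConfig = proxyHeaders;
      proxyPass = upstream;
    };
  };

  # Route53 DNS-01 settings shared by every cert. The credentials file is
  # read by the ACME service at runtime and never enters the Nix store.
  route53Cert = domain: {
    inherit domain;
    dnsProvider = "route53";
    credentialsFile = "/var/lib/secrets/credentials";
  };

  # Common Samba share settings; `extra` overrides or adds keys per share.
  share = path: extra: {
    inherit path;
    browseable = "yes";
    "read only" = "no";
    "guest ok" = "no";
    "create mask" = "0644";
    "directory mask" = "0755";
  } // extra;

  # Common sanoid retention flags; `extra` carries the per-dataset counts.
  snapPolicy = extra: {
    autoprune = true;
    autosnap = true;
  } // extra;
in
{
  imports = [
    # Include the results of the hardware scan.
    ./hardware.nix
  ];

  nix.settings = {
    auto-optimise-store = true;
    experimental-features = [ "nix-command" "flakes" ];
  };

  boot = {
    tmp.cleanOnBoot = true;
    loader = {
      systemd-boot.enable = true;
      efi.canTouchEfiVariables = true;
    };
    supportedFilesystems = [ "zfs" ];
    kernelModules = [ "coretemp" "kvm-amd" "it87" ];
    zfs.extraPools = [ "Primary" ];
  };

  services = {
    prometheus.exporters = {
      blackbox = {
        enable = true;
        configFile = "/var/lib/blackbox/config.yml";
      };
      node = {
        enable = true;
        # Bound to the Tailscale address only, so the exporter is not reachable
        # from the LAN side even though 9100 is in allowedTCPPorts below.
        listenAddress = "100.116.48.47";
        enabledCollectors = [ "systemd" "zfs" "processes" ];
      };
    };

    coredns = {
      enable = true;
      # Serves the zone in /var/src/dns.db for the two names and forwards the
      # rest. `bind tailscale0` keeps it off the LAN/bridge interfaces.
      config = ''
        .:53 {
          health
          file /var/src/dns.db git.gmem.ca food.gmem.ca
          forward . 45.90.28.116 45.90.30.116
          bind tailscale0
        }
      '';
    };

    pipewire = {
      enable = true;
      alsa.enable = true;
      alsa.support32Bit = true;
      pulse.enable = true;
      jack.enable = true;
    };

    zfs.autoScrub.enable = true;
    tailscale.enable = true;
    openssh.enable = true;
    xserver.videoDrivers = [ "nvidia" ];
    # NOTE(review): no exports are declared in this file; check that the
    # export list (wherever it lives) is restricted to the intended clients,
    # since 2049/tcp is opened on every interface below.
    nfs.server.enable = true;
    samba-wsdd.enable = true;

    samba = {
      enable = true;
      securityType = "user";
      openFirewall = true;
      # `hosts allow` is limited to the Tailscale CGNAT range (100.64.0.0/10),
      # the LAN and loopback; the original `100.` prefix also admitted the
      # rest of 100.0.0.0/8, which Tailscale does not use.
      extraConfig = ''
        workgroup = WORKGROUP
        server string = smbnix
        netbios name = smbnix
        security = user
        #use sendfile = yes
        #max protocol = smb2
        # note: localhost is the ipv6 localhost ::1
        hosts allow = 100.64.0.0/255.192.0.0 192.168.50. 127.0.0.1 localhost
        hosts deny = 0.0.0.0/0
        guest account = nobody
        map to guest = bad user
      '';
      shares = {
        # The only share open to unauthenticated (guest) access.
        media = share "/Primary/media" { "guest ok" = "yes"; };
        becki = share "/Primary/becki" { "admin users" = "becki"; };
        shared = share "/Primary/shared" { };
        gabriel = share "/Primary/gabriel" { "admin users" = "gsimmer"; };
      };
    };

    plex = {
      enable = true;
      openFirewall = true;
    };

    nginx = {
      enable = true;
      recommendedGzipSettings = true;
      recommendedBrotliSettings = true;
      recommendedZstdSettings = true;
      recommendedOptimisation = true;
      recommendedTlsSettings = true;
      # We can only proxy one port with Tailscale Funnel so we abuse locations instead.
      virtualHosts = {
        "vancouver.gmem.ca" = {
          default = true;
          enableACME = true;
          addSSL = true;
          acmeRoot = null;
          locations."/" = {
            root = "/var/www/";
            extraConfig = ''
              error_page 404 /404.html;
            '';
          };
        };
        # Forgejo (services.gitea below, HTTP_PORT 8973).
        "git.gmem.ca" = proxiedHost "http://127.0.0.1:8973/";
        "request-media.gmem.ca" = proxiedHost "http://127.0.0.1:5055/";
        # Upstream lives on another LAN host; traffic to it is plain HTTP.
        "flood.gmem.ca" = proxiedHost "http://192.168.50.187:3000/";
      };
    };

    gitea = {
      enable = true;
      stateDir = "/Primary/gitea";
      package = pkgs.forgejo;
      settings = {
        DEFAULT = {
          APP_NAME = "Arch's Git Forge";
        };
        server = {
          ROOT_URL = "https://git.gmem.ca/";
          HTTP_PORT = 8973;
        };
        service = {
          DISABLE_REGISTRATION = true;
          COOKIE_SECURE = true;
        };
        actions = {
          ENABLED = true;
        };
        federation = {
          ENABLED = true;
        };
        metrics = {
          ENABLED = true;
        };
      };
    };

    gitea-actions-runner = {
      package = pkgs.forgejo-actions-runner;
      instances.vancouver = {
        name = "vancouver";
        enable = true;
        labels = [
          "debian-latest:docker://node:18-bullseye"
          "docker:docker://gitea/act_runner:nightly-dind-rootless"
          "nix:docker://nixos/nix"
        ];
        url = "https://git.gmem.ca/";
        # The registration token used to be a string literal here (`token =`),
        # which lands in the world-readable Nix store and in version control.
        # It is now read at service start from a root-only environment file
        # containing a `TOKEN=` line. The previously committed token should be
        # treated as compromised and regenerated in Forgejo.
        # Placeholder path: create this file (mode 0600) before rebuilding.
        tokenFile = "/var/lib/secrets/forgejo-runner-token";
        settings = {
          # The runner's actions cache listens here; 4328/tcp is also opened in
          # the firewall below, so it is reachable from untrusted interfaces.
          cache.port = 4328;
        };
      };
    };

    sanoid = {
      enable = true;
      datasets = {
        "Primary/becki" = snapPolicy { daily = 4; monthly = 3; yearly = 1; };
        "Primary/gabriel" = snapPolicy { daily = 4; monthly = 3; yearly = 1; };
        "Primary/shared" = snapPolicy { daily = 2; monthly = 2; };
        "Primary/k3scluster" = snapPolicy { daily = 2; monthly = 2; };
        "Primary/gitea" = snapPolicy { daily = 2; monthly = 2; };
      };
    };
  };

  networking = {
    hostId = "e1e29bf4";
    hostName = "vancouver";
    domain = "gmem.ca";
    firewall = {
      # Everything arriving on these interfaces bypasses the port lists below,
      # so any tailnet peer (and any libvirt guest on virbr0) can reach every
      # local listener.
      trustedInterfaces = [ "tailscale0" "virbr0" ];
      checkReversePath = "loose";
      enable = true;
      # Ports below are opened on all non-trusted interfaces. Of these, 53 is
      # only bound on tailscale0 (coredns) and 9100 only on the Tailscale
      # address (node exporter), so those two entries are broader than needed;
      # nothing in this file listens on 5432 — confirm it is still required.
      allowedTCPPorts = [ 22 53 80 443 2049 4328 5432 9100 ];
      allowedUDPPorts = [ 53 41641 ];
    };
    useDHCP = false;
    bridges."br0".interfaces = [ "eno1" ];
    interfaces.br0.ipv4.addresses = [
      {
        address = "192.168.50.229";
        prefixLength = 24;
      }
    ];
    defaultGateway = "192.168.50.1";
    nameservers = [ "45.90.28.116" "45.90.30.116" ];
    nftables.enable = true;
  };

  environment.systemPackages = with pkgs; [
    vim
    wget
    git
    htop
    tailscale
    home-manager
    lm_sensors
    screen
    nix-output-monitor
    cifs-utils
    cloudflared
    bat
    virtiofsd
  ];

  time.timeZone = "Europe/London";
  nixpkgs.config.allowUnfree = true;

  hardware = {
    opengl.enable = true;
    nvidia.modesetting.enable = true;
    pulseaudio.enable = false;
  };

  programs = {
    zsh.enable = true;
    fish.enable = true;
  };
  environment.shells = with pkgs; [ zsh fish ];

  users.users = {
    gsimmer = {
      shell = pkgs.fish;
      isNormalUser = true;
      home = "/Primary/gabriel";
      extraGroups = [ "wheel" "libvirtd" "qemu-libvirtd" ];
      openssh.authorizedKeys.keys = sshKeys;
    };
    becki = {
      shell = pkgs.fish;
      isNormalUser = true;
      home = "/Primary/becki";
    };
    # Root accepts the same key list as gsimmer.
    root.openssh.authorizedKeys.keys = sshKeys;
  };

  home-manager.users.gsimmer = { pkgs, ... }: {
    programs.git = {
      userName = "Gabriel Simmer";
      userEmail = "git@gmem.ca";
    };
    programs.bash.enable = false;
    home.stateVersion = "23.05";
  };

  virtualisation = {
    docker = {
      enable = true;
      rootless = {
        enable = true;
        setSocketVariable = true;
      };
    };
    libvirtd.enable = true;
    oci-containers.containers.speedtest = {
      image = "ghcr.io/miguelndecarvalho/speedtest-exporter";
      # Published on all interfaces; 9798 is not in allowedTCPPorts, so it is
      # expected to be reachable only via the trusted interfaces — verify the
      # container backend does not add its own firewall rules.
      ports = [ "9798:9798" ];
    };
  };

  sound.enable = true;
  security.rtkit.enable = true;

  security.acme = {
    acceptTerms = true;
    defaults.email = "acme@gmem.ca";
    certs = {
      # Wildcard cert, keyed by the git vhost that uses it.
      "git.gmem.ca" = route53Cert "*.gmem.ca";
      "vancouver.gmem.ca" = route53Cert "vancouver.gmem.ca";
      "request-media.gmem.ca" = route53Cert "request-media.gmem.ca";
      "flood.gmem.ca" = route53Cert "flood.gmem.ca";
    };
  };

  system.stateVersion = "23.05";
}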