
My NixOS system configurations.

sakhalin.nix (5418B)


      1 { pkgs, lib, ... }:
      2 
      3 with lib;
      4 let
      5   hostname = "sakhalin";
      6   secretPath = ../../secrets/machines.nix;
      7   secretCondition = (builtins.pathExists secretPath);
      8 
      9   ip = strings.optionalString secretCondition (import secretPath).wireguard.ips."${hostname}";
     10   ips = lists.optionals secretCondition ([ "${ip}/24" ]);
     11   endpointIP = strings.optionalString secretCondition (import secretPath).wg.endpointIP;
     12   endpointPort = if secretCondition then (import secretPath).wg.listenPort else 0;
     13   endpointPublicKey = strings.optionalString secretCondition (import secretPath).wireguard.kerkouane.publicKey;
     14 
     15   metadata = importTOML ../../ops/hosts.toml;
     16 in
     17 {
  imports = [
    # Board-specific hardware config (kernel modules, initrd, etc.).
    ../hardware/gigabyte-brix.nix
    # Disabled: stable home-manager / stable module set.
    # (import ../../nix).home-manager-stable
    # ../modules/default.stable.nix
    # User accounts. These are imported explicitly (module values) rather
    # than listed as paths; the two forms are not interchangeable for the
    # module system's de-duplication key, so keep the style consistent.
    (import ../../users/vincent)
    (import ../../users/root)
  ];
     25 
     26   fileSystems."/" = {
     27     device = "/dev/disk/by-uuid/92ce650d-873e-41c1-a44e-71c2b9191b9d";
     28     fsType = "ext4";
     29     options = [ "noatime" "discard" ];
     30   };
     31   fileSystems."/boot" = {
     32     device = "/dev/disk/by-uuid/B226-075A";
     33     fsType = "vfat";
     34   };
     35   fileSystems."/home" = {
     36     device = "/dev/disk/by-uuid/4f614c00-d94d-42f9-8386-3ecd396aa246";
     37     fsType = "ext4";
     38     options = [ "noatime" "discard" ];
     39   };
     40   fileSystems."/mnt/gaia" = {
     41     device = "/dev/disk/by-uuid/88d3d686-d451-4ba9-bd6e-373601ed2683";
     42     fsType = "ext4";
     43     options = [ "noatime" ];
     44   };
     45   fileSystems."/mnt/toshito" = {
     46     device = "/dev/disk/by-uuid/3c7cf84e-2486-417d-9de8-4b7757d483e4";
     47     fsType = "ext4";
     48     options = [ "noatime" ];
     49   };
     50   swapDevices = [{ device = "/dev/disk/by-uuid/9eb067d1-b329-4fbb-ae27-38abfbe7c108"; }];
     51 
  # Networking: the physical NIC is enslaved to bridge br1 (presumably so
  # libvirt guests can share it) and br1 is the only interface that takes a
  # DHCP lease.
  networking = {
    hostName = hostname;
    # NOTE(review): with the host firewall off, every listener configured
    # below (rw NFS exports, the docker registry on 0.0.0.0, libvirt TCP,
    # syncthing) is reachable from anything on the LAN bridge or the WireGuard
    # network; each service's own bind address / export list is the only
    # exposure control left. Treat this as a deliberate trust decision, not a
    # default.
    firewall.enable = false; # intentionally disabled, see note above
    bridges.br1.interfaces = [ "enp0s31f6" ];
    useDHCP = false;
    interfaces.br1 = {
      useDHCP = true;
    };
  };
     61 
     62   modules = {
     63     profiles.home = true;
     64     services = {
     65       syncthing = {
     66         enable = true;
     67         guiAddress = "${metadata.hosts.sakhalin.wireguard.addrs.v4}:8384";
     68       };
     69       avahi.enable = true;
     70       ssh.enable = true;
     71     };
     72     virtualisation.libvirt = { enable = true; nested = true; listenTCP = true; };
     73   };
     74 
     75   fileSystems."/export/gaia" = { device = "/mnt/gaia"; options = [ "bind" ]; };
     76   fileSystems."/export/toshito" = { device = "/mnt/toshito"; options = [ "bind" ]; };
     77 
  services = {
    # Off-site backups of the two document trees. The keyfiles are read from
    # a path on the running system (not the Nix store); confirm they are
    # root-only, since anyone who can read a full tarsnap key can read - and
    # delete - the archives.
    tarsnap = {
      enable = true;
      archives = {
        documents = {
          directories = [ "/home/vincent/desktop/documents" ];
          period = "daily";
          keyfile = "/etc/nixos/assets/tarsnap.documents.key";
        };
        org = {
          directories = [ "/home/vincent/desktop/org" ];
          period = "daily";
          keyfile = "/etc/nixos/assets/tarsnap.org.key";
        };
      };
    };
    # NFS: access control is by client IP only. Every host on the LAN bridge
    # (192.168.1.0/24) and the WireGuard /24 gets read-write access to both
    # volumes, and with the host firewall disabled nothing else limits who can
    # reach the server. root_squash is the exportfs default and is not
    # overridden here; spell it out if relying on it is the intent.
    nfs.server = {
      enable = true;
      exports = ''
        /export                      192.168.1.0/24(rw,fsid=0,no_subtree_check) 10.100.0.0/24(rw,fsid=0,no_subtree_check)
        /export/gaia                 192.168.1.0/24(rw,fsid=1,no_subtree_check) 10.100.0.0/24(rw,fsid=1,no_subtree_check)
        /export/toshito              192.168.1.0/24(rw,fsid=2,no_subtree_check) 10.100.0.0/24(rw,fsid=2,no_subtree_check)
      '';
    };
    # nix-binary-cache = {
    #   enable = true;
    #   domain = "nix.cache.home";
    #   aliases = [ "cache.sakhalin.home" ];
    # };
    # NOTE(review): the registry listens on every interface and nothing in
    # this file configures authentication or TLS for it, so any LAN or
    # WireGuard host can push images that other machines later pull. Consider
    # binding it to the WireGuard address like the syncthing GUI above, or
    # fronting it with an authenticating proxy.
    dockerRegistry = {
      enable = true;
      listenAddress = "0.0.0.0";
      enableGarbageCollect = true;
    };
    # `services.wireguard` appears to be a repo-local module (nixpkgs' option
    # is networking.wireguard). All values come from the let block and are
    # empty / 0 when the secrets file is absent.
    wireguard = {
      enable = true;
      ips = ips;
      endpoint = endpointIP;
      endpointPort = endpointPort;
      endpointPublicKey = endpointPublicKey;
    };
  };
    120   security.apparmor.enable = true;
    121   security.pam.enableSSHAgentAuth = true;
    122   environment.systemPackages = with pkgs; [ yt-dlp ];
    123   # -----------------------------------
    124   environment.etc."vrsync".text = ''
    125     /home/vincent/desktop/pictures/screenshots/ vincent@synodine.home:/volumeUSB2/usbshare/pictures/screenshots/
    126     /home/vincent/desktop/pictures/wallpapers/ vincent@synodine.home:/volumeUSB2/usbshare/pictures/wallpapers/
    127     /home/vincent/desktop/documents/ vincent@synodine.home:/volume1/documents/
    128     /mnt/gaia/photos/ vincent@synodine.home:/volumeUSB2/usbshare/pictures/photos/
    129     /mnt/gaia/music/ vincent@synodine.home:/volumeUSB2/usbshare/music/
    130   '';
    131   systemd.services.vrsync = {
    132     description = "vrsync - sync folders to NAS";
    133     requires = [ "network-online.target" ];
    134     after = [ "network-online.target" ];
    135 
    136     unitConfig.X-StopOnRemoval = false;
    137     restartIfChanged = false;
    138 
    139     path = with pkgs; [ rsync coreutils bash openssh ];
    140     script = ''
    141       ${pkgs.vrsync}/bin/vrsync
    142     '';
    143 
    144     startAt = "hourly";
    145     serviceConfig = {
    146       Type = "oneshot";
    147       OnFailure = "status-email-root@%n.service";
    148     };
    149   };
  # Daily, as user vincent: force every checkout under /mnt/gaia/src/configs
  # back to its remote state (`git reset --hard` discards any local edits in
  # every repo first), then `mr -t u` updates them.
  #
  # NOTE(review): `-t` is mr's --trust-all if this is the usual mr CLI
  # (confirm), meaning every .mrconfig found under that tree is honoured,
  # and .mrconfig files can carry arbitrary shell commands. /mnt/gaia is
  # exported read-write over NFS to the whole LAN and WireGuard networks
  # (see services.nfs.server), so with the default sec=sys any host there
  # that presents vincent's uid can edit those files and get command
  # execution as vincent on the next run. Either drop --trust-all and list
  # the trusted files explicitly, or keep this tree off the rw export.
  systemd.services.mr = {
    description = "Update configs daily";
    requires = [ "network-online.target" ];
    after = [ "network-online.target" ];

    # Not restarted on rebuild / not stopped on removal, so a running update
    # is not interrupted by a switch.
    restartIfChanged = false;
    unitConfig.X-StopOnRemoval = false;

    serviceConfig = {
      Type = "oneshot";
      User = "vincent";
      OnFailure = "status-email-root@%n.service";
    };

    path = with pkgs; [ git mr ];
    # `set -e`: a failed cd or reset aborts before the update step.
    script = ''
      set -e
       cd /mnt/gaia/src/configs/
       mr -t run git reset --hard
       mr -t u
    '';

    startAt = "daily";
  };
    174   };
    175 }