# NixOS host configuration for "sakhalin" (hardware profile imported from
# ../hardware/gigabyte-brix.nix): file systems, bridged networking, NFS /
# docker-registry / wireguard services, tarsnap backups and two timer-driven
# maintenance jobs (vrsync, mr).
{ pkgs, lib, ... }:

with lib;
let
  hostname = "sakhalin";
  # Out-of-tree secrets file. Every value derived from it is guarded by
  # secretCondition so the module still evaluates when the file is missing
  # (the wireguard settings then degrade to empty strings and port 0).
  secretPath = ../../secrets/machines.nix;
  secretCondition = (builtins.pathExists secretPath);

  # Only addresses, the peer endpoint and the peer's *public* key are read.
  # NOTE(review): whatever is read here is interpolated into option values
  # and will most likely end up in the generated (store-resident) system
  # configuration, so this file should not be where private keys live.
  ip = strings.optionalString secretCondition (import secretPath).wireguard.ips."${hostname}";
  ips = lists.optionals secretCondition ([ "${ip}/24" ]);
  endpointIP = strings.optionalString secretCondition (import secretPath).wg.endpointIP;
  endpointPort = if secretCondition then (import secretPath).wg.listenPort else 0;
  endpointPublicKey = strings.optionalString secretCondition (import secretPath).wireguard.kerkouane.publicKey;

  # Non-secret host inventory; used below for the syncthing GUI bind address.
  metadata = importTOML ../../ops/hosts.toml;
in
{
  imports = [
    ../hardware/gigabyte-brix.nix
    # (import ../../nix).home-manager-stable
    # ../modules/default.stable.nix
    (import ../../users/vincent)
    (import ../../users/root)
  ];

  fileSystems."/" = {
    device = "/dev/disk/by-uuid/92ce650d-873e-41c1-a44e-71c2b9191b9d";
    fsType = "ext4";
    options = [ "noatime" "discard" ];
  };
  fileSystems."/boot" = {
    device = "/dev/disk/by-uuid/B226-075A";
    fsType = "vfat";
  };
  fileSystems."/home" = {
    device = "/dev/disk/by-uuid/4f614c00-d94d-42f9-8386-3ecd396aa246";
    fsType = "ext4";
    options = [ "noatime" "discard" ];
  };
  # Data disks; both are re-exported over NFS via the bind mounts further down.
  fileSystems."/mnt/gaia" = {
    device = "/dev/disk/by-uuid/88d3d686-d451-4ba9-bd6e-373601ed2683";
    fsType = "ext4";
    options = [ "noatime" ];
  };
  fileSystems."/mnt/toshito" = {
    device = "/dev/disk/by-uuid/3c7cf84e-2486-417d-9de8-4b7757d483e4";
    fsType = "ext4";
    options = [ "noatime" ];
  };
  swapDevices = [{ device = "/dev/disk/by-uuid/9eb067d1-b329-4fbb-ae27-38abfbe7c108"; }];

  networking = {
    hostName = hostname;
    # NOTE(review): with the firewall off, every listener configured in this
    # file (docker registry on 0.0.0.0, libvirt TCP, NFS, avahi, syncthing GUI)
    # is reachable from whatever br1 / enp0s31f6 is plugged into.
    firewall.enable = false; # we are in safe territory :D
    # The physical NIC is enslaved to br1 and DHCP runs on the bridge only —
    # presumably so libvirt guests can share the uplink; confirm.
    bridges.br1.interfaces = [ "enp0s31f6" ];
    useDHCP = false;
    interfaces.br1 = {
      useDHCP = true;
    };
  };

  # `modules.*` looks like a project-local option namespace (not upstream
  # NixOS); what each switch actually enables is defined elsewhere in the repo.
  modules = {
    profiles.home = true;
    services = {
      syncthing = {
        enable = true;
        # GUI bound to the wireguard v4 address from hosts.toml, i.e. only
        # reachable over the tunnel — assuming that address is the same one
        # `ip` above reads from the secrets file; the two are not cross-checked.
        guiAddress = "${metadata.hosts.sakhalin.wireguard.addrs.v4}:8384";
      };
      avahi.enable = true;
      ssh.enable = true;
    };
    # NOTE(review): listenTCP presumably turns on libvirtd's TCP listener; with
    # the firewall disabled above, check what that option sets for TLS/auth.
    virtualisation.libvirt = { enable = true; nested = true; listenTCP = true; };
  };

  # Bind mounts that form the NFS export tree served below.
  fileSystems."/export/gaia" = { device = "/mnt/gaia"; options = [ "bind" ]; };
  fileSystems."/export/toshito" = { device = "/mnt/toshito"; options = [ "bind" ]; };

  services = {
    # Tarsnap backups of two home directories, daily. The key files are
    # referenced by absolute path under /etc/nixos/assets rather than being
    # copied into the Nix store.
    tarsnap = {
      enable = true;
      archives = {
        documents = {
          directories = [ "/home/vincent/desktop/documents" ];
          period = "daily";
          keyfile = "/etc/nixos/assets/tarsnap.documents.key";
        };
        org = {
          directories = [ "/home/vincent/desktop/org" ];
          period = "daily";
          keyfile = "/etc/nixos/assets/tarsnap.org.key";
        };
      };
    };
    # Export tree with /export as pseudo-root (fsid=0). Read-write for the LAN
    # (192.168.1.0/24) and for 10.100.0.0/24, which looks like the wireguard
    # subnet given the /24 used for `ips` above. Options not listed here fall
    # back to exportfs defaults (root_squash among them — confirm).
    nfs.server = {
      enable = true;
      exports = ''
        /export 192.168.1.0/24(rw,fsid=0,no_subtree_check) 10.100.0.0/24(rw,fsid=0,no_subtree_check)
        /export/gaia 192.168.1.0/24(rw,fsid=1,no_subtree_check) 10.100.0.0/24(rw,fsid=1,no_subtree_check)
        /export/toshito 192.168.1.0/24(rw,fsid=2,no_subtree_check) 10.100.0.0/24(rw,fsid=2,no_subtree_check)
      '';
    };
    # nix-binary-cache = {
    #   enable = true;
    #   domain = "nix.cache.home";
    #   aliases = [ "cache.sakhalin.home" ];
    # };
    dockerRegistry = {
      enable = true;
      # NOTE(review): bound to all interfaces, and nothing in this file sets
      # up TLS or authentication for it; combined with firewall.enable = false
      # the registry is writable by anything on the same segment. Binding to
      # the wireguard address (as syncthing does) would narrow that.
      listenAddress = "0.0.0.0";
      enableGarbageCollect = true;
    };
    # Project-local wireguard wrapper (upstream NixOS uses networking.wireguard).
    # All four values are empty / 0 when the secrets file is absent.
    wireguard = {
      enable = true;
      ips = ips;
      endpoint = endpointIP;
      endpointPort = endpointPort;
      endpointPublicKey = endpointPublicKey;
    };
  };
  security.apparmor.enable = true;
  # Lets PAM accept a key offered by a forwarded SSH agent (the NixOS option
  # is aimed at sudo). This trusts whichever agent socket the session carries,
  # so it only holds up if agent forwarding to this host is itself trusted.
  security.pam.enableSSHAgentAuth = true;
  environment.systemPackages = with pkgs; [ yt-dlp ];
  # -----------------------------------
  # Source/destination pairs for the vrsync job: local folders pushed to the
  # synodine NAS as user vincent (rsync over ssh, judging by the path list and
  # the openssh dependency below).
  environment.etc."vrsync".text = ''
    /home/vincent/desktop/pictures/screenshots/ vincent@synodine.home:/volumeUSB2/usbshare/pictures/screenshots/
    /home/vincent/desktop/pictures/wallpapers/ vincent@synodine.home:/volumeUSB2/usbshare/pictures/wallpapers/
    /home/vincent/desktop/documents/ vincent@synodine.home:/volume1/documents/
    /mnt/gaia/photos/ vincent@synodine.home:/volumeUSB2/usbshare/pictures/photos/
    /mnt/gaia/music/ vincent@synodine.home:/volumeUSB2/usbshare/music/
  '';
  systemd.services.vrsync = {
    description = "vrsync - sync folders to NAS";
    requires = [ "network-online.target" ];
    after = [ "network-online.target" ];

    # Not restarted on nixos-rebuild and not stopped if the unit disappears
    # from the configuration: an in-flight sync should not be killed.
    unitConfig.X-StopOnRemoval = false;
    restartIfChanged = false;

    path = with pkgs; [ rsync coreutils bash openssh ];
    # No User= is set, so this runs as root (contrast the mr job below).
    # Presumably pkgs.vrsync reads /etc/vrsync — confirm.
    script = ''
      ${pkgs.vrsync}/bin/vrsync
    '';

    startAt = "hourly";
    serviceConfig = {
      Type = "oneshot";
      OnFailure = "status-email-root@%n.service";
    };
  };
  # mr -i u daily
  systemd.services.mr = {
    description = "Update configs daily";
    requires = [ "network-online.target" ];
    after = [ "network-online.target" ];

    restartIfChanged = false;
    unitConfig.X-StopOnRemoval = false;

    serviceConfig = {
      Type = "oneshot";
      User = "vincent";
      OnFailure = "status-email-root@%n.service";
    };

    path = with pkgs; [ git mr ];
    # `set -e` aborts on the first failing command. `git reset --hard` throws
    # away uncommitted local changes in every repo under the tree before
    # `mr -t u` pulls updates. NOTE(review): `-t` is mr's trust-all flag if I
    # read mr(1) correctly, so .mrconfig files inside those checkouts run
    # without being listed in ~/.mrtrust — whatever the remotes serve can end
    # up executing as vincent on this host every day.
    script = ''
      set -e
      cd /mnt/gaia/src/configs/
      mr -t run git reset --hard
      mr -t u
    '';

    startAt = "daily";
  };
}