My NixOS systems configurations.
shikoku.nix (6008B)


      1 { config, lib, pkgs, ... }:
      2 
      3 with lib;
      4 let
      5   hostname = "shikoku";
      6   secretPath = ../../secrets/machines.nix;
      7   secretCondition = (builtins.pathExists secretPath);
      8 
      9   ip = strings.optionalString secretCondition (import secretPath).wireguard.ips."${hostname}";
     10   ips = lists.optionals secretCondition ([ "${ip}/24" ]);
     11   endpointIP = strings.optionalString secretCondition (import secretPath).wg.endpointIP;
     12   endpointPort = if secretCondition then (import secretPath).wg.listenPort else 0;
     13   endpointPublicKey = strings.optionalString secretCondition (import secretPath).wireguard.kerkouane.publicKey;
     14 
     15   metadata = importTOML ../../ops/hosts.toml;
     16 
     17   gpuIDs = [
     18     "10de:1b80" # Graphics
     19     "10de:10f0" # Audio
     20   ];
     21 in
     22 {
     23   imports = [
     24     # (import ../../nix).home-manager-stable
     25     #../modules/default.stable.nix
     26     (import ../../users/vincent)
     27     (import ../../users/root)
     28   ];
     29 
     30   boot.supportedFilesystems = [ "zfs" ];
     31   networking = {
     32     hostId = builtins.substring 0 8 (builtins.hashString "md5" config.networking.hostName);
     33     hostName = hostname;
     34     bridges.br1.interfaces = [ "enp0s31f6" ];
     35     firewall.enable = false; # we are in safe territory :D
     36     useDHCP = false;
     37     interfaces.br1 = {
     38       useDHCP = true;
     39     };
     40   };
     41 
     42   # TODO: check if it's done elsewhere
     43   boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "nvme" "usb_storage" "usbhid" "sd_mod" "sr_mod" ];
     44   boot.initrd.kernelModules = [
     45     "vfio_pci"
     46     "vfio"
     47     "vfio_iommu_type1"
     48     
     49     "nvidia"
     50     "nvidia_modeset"
     51     "nvidia_uvm"
     52     "nvidia_drm"
     53   ];
     54   boot.kernelModules = [ "kvm-intel" ];
     55   boot.extraModulePackages = [
     56     config.boot.kernelPackages.nvidiaPackages.stable
     57   ];
     58   boot.kernelParams = [
     59     "intel_iommu=on"
     60     "kvm_intel.nested=1"
     61     ("vfio-pci.ids=" + lib.concatStringsSep "," gpuIDs)
     62   ];
     63 
     64   hardware.opengl.enable = true;
     65   virtualisation.spiceUSBRedirection.enable = true;
     66   # TODO: check if it's done elsewhere
     67   hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
     68 
     69   fileSystems."/" = {
     70     device = "/dev/disk/by-uuid/73fd8864-f6af-4fdd-b826-0dfdeacd3c19";
     71     fsType = "ext4";
     72     options = [ "noatime" "discard" ];
     73   };
     74 
     75   fileSystems."/boot" = {
     76     device = "/dev/disk/by-uuid/829D-BFD1";
     77     fsType = "vfat";
     78   };
     79 
     80   # Extra data
     81   # HDD:   b58e59a4-92e7-4278-97ba-6fe361913f50
     82   fileSystems."/data" = {
     83     device = "/dev/disk/by-uuid/b58e59a4-92e7-4278-97ba-6fe361913f50";
     84     fsType = "ext4";
     85     options = [ "noatime" ];
     86   };
     87   # ZFS Pool
     88   # SSD1:  469077df-049f-4f5d-a34f-1f5449d782ec
     89   # SSD2:  e11a3b63-791c-418b-9f4b-5ae0199f1f97
     90   # NVME2: 3d2dff80-f2b1-4c48-8e76-12b01fdf4137
     91   # boot.zfs.extraPools = [ "tank" ];
     92   # networking.hostId = "03129692bea040488878aa0133e54914";
     93   # networking.hostId = "03129692";
     94   # fileSystems."/tank/data" =
     95   #   {
     96   #     device = "tank/data";
     97   #     fsType = "zfs";
     98   #     options = [ "zfsutil" ];
     99   #   };
    100   # 
    101   # fileSystems."/tank/virt" =
    102   #   {
    103   #     device = "tank/virt";
    104   #     fsType = "zfs";
    105   #     options = [ "zfsutil" ];
    106   #   };
    107 
    108   swapDevices = [{
    109     device = "/dev/disk/by-uuid/a9ec44e6-0c1d-4f60-9f5c-81a7eaa8e8fd";
    110   }];
    111 
    112   modules = {
    113     core.binfmt.enable = true;
    114     dev = {
    115       enable = false;
    116       containers = {
    117         docker = {
    118           enable = true;
    119           package = pkgs.docker_27;
    120         };
    121         podman.enable = true;
    122         buildkit = {
    123           enable = true;
    124           grpcAddress = [
    125             "unix:///run/buildkit/buildkitd.sock"
    126             "tcp://aomi.home:1234"
    127             "tcp://${metadata.hosts.shikoku.addrs.v4}:1234"
    128             "tcp://${metadata.hosts.shikoku.wireguard.addrs.v4}:1234"
    129           ];
    130         };
    131       };
    132     };
    133     services = {
    134       syncthing = {
    135         enable = true;
    136         guiAddress = "${metadata.hosts.shikoku.wireguard.addrs.v4}:8384";
    137       };
    138       avahi.enable = true;
    139       ssh.enable = true;
    140     };
    141     virtualisation.libvirt = { enable = true; nested = true; listenTCP = true; };
    142     profiles.home = true;
    143   };
    144 
    145   # environment.systemPackages = [ pkgs.python310Packages.aria2p ];
    146 
    147   programs.ssh.setXAuthLocation = true;
    148 
    149   sops.secrets.aria2RPCSecret = {
    150     mode = "444";
    151     owner = "aria2";
    152     group = "aria2";
    153   };
    154   
    155   services = {
    156     aria2 = {
    157       enable = true;
    158       openPorts = true;
    159       extraArguments = "--max-concurrent-downloads=20";
    160       downloadDir = "/data/downloads";
    161       rpcSecretFile = "${pkgs.writeText "aria" "aria2rpc\n"}";
    162       # rpcSecretFile = config.sops.secrets.aria2RPCSecret.path;
    163     };
    164     bazarr = {
    165       enable = true;
    166       # Use reverse proxy instead
    167       openFirewall = true;
    168     };
    169     radarr = {
    170       enable = true;
    171       # Use reverse proxy instead
    172       openFirewall = true;
    173     };
    174     sonarr = {
    175       enable = true;
    176       # Use reverse proxy instead
    177       openFirewall = true;
    178     };
    179     prowlarr = {
    180       enable = true;
    181       # Use reverse proxy instead
    182       openFirewall = true;
    183     };
    184     readarr = {
    185       enable = true;
    186       # Use reverse proxy instead
    187       openFirewall = true;
    188     };
    189     lidarr = {
    190       enable = true;
    191       # Use reverse proxy instead
    192       openFirewall = true;
    193     };
    194     netdata.enable = true;
    195     smartd = {
    196       enable = true;
    197       devices = [{ device = "/dev/nvme0n1"; }];
    198     };
    199     dockerRegistry = {
    200       enable = true;
    201       listenAddress = "0.0.0.0";
    202       port = 5000;
    203       enableDelete = true;
    204       enableGarbageCollect = true;
    205       garbageCollectDates = "daily";
    206     };
    207     wireguard = {
    208       enable = true;
    209       ips = ips;
    210       endpoint = endpointIP;
    211       endpointPort = endpointPort;
    212       endpointPublicKey = endpointPublicKey;
    213     };
    214   };
    215 
    216   # Move this to a "builder" role
    217   users.extraUsers.builder = {
    218     isNormalUser = true;
    219     uid = 1018;
    220     extraGroups = [ ];
    221     openssh.authorizedKeys.keys = [ (builtins.readFile ../../secrets/builder.pub) ];
    222   };
    223   nix.settings.trusted-users = [ "root" "vincent" "builder" ];
    224 
    225   security.pam.sshAgentAuth.enable = true;
    226 }