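{ config, lib, pkgs, ... }:

# NixOS host configuration for "shikoku": a KVM/VFIO workstation with a GPU
# passed through to guests, a download/media stack (aria2 + the *arr
# services), a local Docker registry, buildkit/docker/podman, and a WireGuard
# peer. Per-host addresses come from ops/hosts.toml; WireGuard keys and
# endpoints come from an optional secrets file (see `secretCondition`).
with lib;
let
  hostname = "shikoku";

  # The secrets file may be missing on a fresh checkout. Every value derived
  # from it falls back to "" / [ ] / 0 so the module still evaluates; the
  # `secrets` binding itself is never forced when the file is absent.
  secretPath = ../../secrets/machines.nix;
  secretCondition = builtins.pathExists secretPath;
  secrets = if secretCondition then import secretPath else { };

  # WireGuard address of this host and the remote endpoint ("kerkouane").
  ip = strings.optionalString secretCondition secrets.wireguard.ips."${hostname}";
  ips = lists.optionals secretCondition [ "${ip}/24" ];
  endpointIP = strings.optionalString secretCondition secrets.wg.endpointIP;
  endpointPort = if secretCondition then secrets.wg.listenPort else 0;
  endpointPublicKey = strings.optionalString secretCondition secrets.wireguard.kerkouane.publicKey;

  # Host inventory (LAN and WireGuard addresses) shared across machines.
  metadata = importTOML ../../ops/hosts.toml;

  # PCI vendor:device ids bound to vfio-pci at boot (GPU passthrough).
  gpuIDs = [
    "10de:1b80" # Graphics
    "10de:10f0" # Audio
  ];

  # The *arr services below share one identical configuration.
  arrServices = [ "bazarr" "radarr" "sonarr" "prowlarr" "readarr" "lidarr" ];
in
{
  imports = [
    # (import ../../nix).home-manager-stable
    #../modules/default.stable.nix
    (import ../../users/vincent)
    (import ../../users/root)
  ];

  boot.supportedFilesystems = [ "zfs" ];

  networking = {
    # ZFS needs a stable 8-hex-digit hostId; derive it from the host name so
    # it is reproducible rather than hand-maintained.
    hostId = builtins.substring 0 8 (builtins.hashString "md5" config.networking.hostName);
    hostName = hostname;
    # The physical NIC is enslaved to br1 so VMs can be bridged onto the LAN.
    bridges.br1.interfaces = [ "enp0s31f6" ];
    # NOTE(review): with the firewall off, every `openFirewall`/`openPorts`
    # below is a no-op, and every listener in this file (registry on
    # 0.0.0.0:5000 with deletes enabled, aria2 RPC, buildkit/syncthing/libvirt
    # TCP endpoints) is reachable from whatever network br1 is attached to.
    firewall.enable = false; # we are in safe territory :D
    useDHCP = false;
    interfaces.br1 = {
      useDHCP = true;
    };
  };

  # TODO: check if it's done elsewhere
  boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "nvme" "usb_storage" "usbhid" "sd_mod" "sr_mod" ];
  # vfio must claim the GPU before the nvidia driver can; both are loaded
  # from the initrd so the binding order is fixed by `vfio-pci.ids` below.
  boot.initrd.kernelModules = [
    "vfio_pci"
    "vfio"
    "vfio_iommu_type1"

    "nvidia"
    "nvidia_modeset"
    "nvidia_uvm"
    "nvidia_drm"
  ];
  boot.kernelModules = [ "kvm-intel" ];
  boot.extraModulePackages = [
    config.boot.kernelPackages.nvidiaPackages.stable
  ];
  boot.kernelParams = [
    "intel_iommu=on"
    "kvm_intel.nested=1"
    ("vfio-pci.ids=" + lib.concatStringsSep "," gpuIDs)
  ];

  hardware.opengl.enable = true;
  virtualisation.spiceUSBRedirection.enable = true;
  # TODO: check if it's done elsewhere
  hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;

  fileSystems."/" = {
    device = "/dev/disk/by-uuid/73fd8864-f6af-4fdd-b826-0dfdeacd3c19";
    fsType = "ext4";
    options = [ "noatime" "discard" ];
  };

  fileSystems."/boot" = {
    device = "/dev/disk/by-uuid/829D-BFD1";
    fsType = "vfat";
  };

  # Extra data
  # HDD: b58e59a4-92e7-4278-97ba-6fe361913f50
  fileSystems."/data" = {
    device = "/dev/disk/by-uuid/b58e59a4-92e7-4278-97ba-6fe361913f50";
    fsType = "ext4";
    options = [ "noatime" ];
  };
  # ZFS Pool
  # SSD1: 469077df-049f-4f5d-a34f-1f5449d782ec
  # SSD2: e11a3b63-791c-418b-9f4b-5ae0199f1f97
  # NVME2: 3d2dff80-f2b1-4c48-8e76-12b01fdf4137
  # boot.zfs.extraPools = [ "tank" ];
  # networking.hostId = "03129692bea040488878aa0133e54914";
  # networking.hostId = "03129692";
  # fileSystems."/tank/data" =
  #   {
  #     device = "tank/data";
  #     fsType = "zfs";
  #     options = [ "zfsutil" ];
  #   };
  #
  # fileSystems."/tank/virt" =
  #   {
  #     device = "tank/virt";
  #     fsType = "zfs";
  #     options = [ "zfsutil" ];
  #   };

  swapDevices = [{
    device = "/dev/disk/by-uuid/a9ec44e6-0c1d-4f60-9f5c-81a7eaa8e8fd";
  }];

  # Repository-local option tree (modules/…); option semantics are defined
  # there, not in nixpkgs.
  modules = {
    core.binfmt.enable = true;
    dev = {
      enable = false;
      containers = {
        docker = {
          enable = true;
          package = pkgs.docker_27;
        };
        podman.enable = true;
        buildkit = {
          enable = true;
          # Plain tcp:// listeners on the LAN and WireGuard addresses; no TLS
          # settings are visible here — presumably handled (or not) in the
          # buildkit module.
          grpcAddress = [
            "unix:///run/buildkit/buildkitd.sock"
            "tcp://aomi.home:1234"
            "tcp://${metadata.hosts.shikoku.addrs.v4}:1234"
            "tcp://${metadata.hosts.shikoku.wireguard.addrs.v4}:1234"
          ];
        };
      };
    };
    services = {
      syncthing = {
        enable = true;
        # GUI is bound to the WireGuard address only, not the LAN.
        guiAddress = "${metadata.hosts.shikoku.wireguard.addrs.v4}:8384";
      };
      avahi.enable = true;
      ssh.enable = true;
    };
    # `listenTCP` is a repo-local option; presumably exposes libvirtd over TCP.
    virtualisation.libvirt = { enable = true; nested = true; listenTCP = true; };
    profiles.home = true;
  };

  # environment.systemPackages = [ pkgs.python310Packages.aria2p ];

  programs.ssh.setXAuthLocation = true;

  # Intended source of the aria2 RPC secret (currently unused, see
  # services.aria2.rpcSecretFile). Readable by the aria2 user and group only;
  # a world-readable mode would let any local account read the secret.
  sops.secrets.aria2RPCSecret = {
    mode = "0440";
    owner = "aria2";
    group = "aria2";
  };

  services = (lib.genAttrs arrServices (_: {
    enable = true;
    # Use reverse proxy instead
    openFirewall = true;
  })) // {
    aria2 = {
      enable = true;
      openPorts = true;
      extraArguments = "--max-concurrent-downloads=20";
      downloadDir = "/data/downloads";
      # NOTE(review): this is a fixed literal written to the Nix store, which
      # is world-readable, so the RPC secret is effectively public on this
      # host. The sops secret above is the intended replacement; it is left
      # as-is here because switching requires the key to exist in the sops
      # file for this machine.
      rpcSecretFile = "${pkgs.writeText "aria" "aria2rpc\n"}";
      # rpcSecretFile = config.sops.secrets.aria2RPCSecret.path;
    };
    netdata.enable = true;
    smartd = {
      enable = true;
      devices = [{ device = "/dev/nvme0n1"; }];
    };
    # Unauthenticated registry on all interfaces with the delete API enabled;
    # anything that can reach port 5000 can push, pull and delete images.
    dockerRegistry = {
      enable = true;
      listenAddress = "0.0.0.0";
      port = 5000;
      enableDelete = true;
      enableGarbageCollect = true;
      garbageCollectDates = "daily";
    };
    wireguard = {
      enable = true;
      inherit ips endpointIP endpointPort endpointPublicKey;
      endpoint = endpointIP;
    };
  };

  # Move this to a "builder" role
  users.extraUsers.builder = {
    isNormalUser = true;
    uid = 1018;
    extraGroups = [ ];
    openssh.authorizedKeys.keys = [ (builtins.readFile ../../secrets/builder.pub) ];
  };
  # trusted-users may set arbitrary daemon options (substituters, sandbox),
  # which the Nix manual describes as equivalent to root access; "builder"
  # is therefore root-equivalent to anyone holding builder.pub's private key.
  nix.settings.trusted-users = [ "root" "vincent" "builder" ];

  # Lets PAM (e.g. sudo) authenticate with a forwarded SSH agent key.
  security.pam.sshAgentAuth.enable = true;
}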