# NixOS configuration for the host "samsehu".
# Help is available in the configuration.nix(5) man page, on
# https://search.nixos.org/options and in the NixOS manual (`nixos-help`).
#
# Services exposed through Caddy are bound to the tailnet address
# 100.64.0.3 (and, for some, the LAN address 192.168.0.69); the backends
# themselves listen on loopback.
{ config, lib, pkgs, ... }:

{
  imports = [
    # Results of the hardware scan for this machine.
    ./hardware/samsehu.nix
  ];

  boot = {
    # Boot with systemd-boot.
    loader.systemd-boot.enable = true;
    # Root is on ZFS; the pool is imported without forcing.
    supportedFilesystems = [ "zfs" ];
    zfs.forceImportRoot = false;
  };

  networking = {
    hostName = "samsehu";
    # Needed for ZFS (added following the OpenZFS setup instructions).
    # Randomly generated with `head -c4 /dev/urandom | od -A none -t x4`.
    hostId = "3e52e44f";
    # NetworkManager owns the interfaces.
    networkmanager.enable = true;
    # 2 == yes: let NetworkManager connections use mDNS.
    networkmanager.connectionConfig."connection.mdns" = 2;

    firewall = {
      enable = true;
      allowedTCPPorts = [
        # Blocky DNS
        53
        # Blocky HTTP API. NOTE(review): this is reachable on every
        # interface and is not fronted by Caddy; confirm it needs to be
        # open beyond localhost.
        4000
        # Caddy HTTP and HTTPS
        80
        443
      ];
      allowedUDPPorts = [
        # Blocky DNS
        53
        # mDNS
        5353
        # Headscale STUN
        3478
      ];
    };
  };

  time.timeZone = "America/Denver";
  i18n.defaultLocale = "en_US.UTF-8";

  # Console settings are left at their defaults.
  # console = {
  #   font = "Lat2-Terminus16";
  #   keyMap = "us";
  #   useXkbConfig = true; # use xkb.options in tty.
  # };

  # Sound via PulseAudio.
  sound.enable = true;
  hardware.pulseaudio.enable = true;

  users = {
    # Interactive administrators. Membership of "wheel" grants sudo.
    # Set passwords with `passwd`.
    users.geemili = {
      isNormalUser = true;
      extraGroups = [ "wheel" ];
      packages = [ ];
    };
    users.desttinghim = {
      isNormalUser = true;
      extraGroups = [ "wheel" ];
      packages = [ ];
    };

    # Service account for lldap. isSystemUser allocates a uid in 100-999,
    # which tells login managers not to display the account.
    users.lldap = {
      isSystemUser = true;
      group = "lldap";
    };
    groups.lldap = { };

    # Service account for the Duck DNS updater (same uid allocation as above).
    users.dynamicdns = {
      isSystemUser = true;
      group = "dynamicdns";
    };
    groups.dynamicdns = { };
  };

  environment = {
    # System-wide packages. To search: `nix search wget`.
    systemPackages = [
      pkgs.helix
      pkgs.wget
      pkgs.git
      # Headscale CLI, for debugging/controlling the headscale service.
      pkgs.juanfont-headscale.headscale
    ];
    variables = {
      EDITOR = "hx";
      VISUAL = "hx";
    };
  };

  services = {
    printing.enable = true;
    udisks2.enable = true;
    jellyfin.enable = true;
    tailscale.enable = true;
    # Caddy is the reverse proxy; nginx stays off.
    nginx.enable = false;

    # OpenSSH: password and keyboard-interactive logins are disabled and
    # root may not log in, so access is key-based only.
    openssh = {
      enable = true;
      settings = {
        PasswordAuthentication = false;
        KbdInteractiveAuthentication = false;
        PermitRootLogin = "no";
      };
    };

    # Cockpit web console, served through the Caddy vhost below.
    cockpit = {
      enable = true;
      # NOTE(review): openFirewall exposes Cockpit's own port on every
      # interface, while the cockpit.samsehu.perli.casa vhost binds only
      # 100.64.0.3 — confirm direct access is intended.
      openFirewall = true;
      settings.WebService = {
        Origins = "https://cockpit.samsehu.perli.casa wss://cockpit.samsehu.perli.casa";
        ProtocolHeader = "X-Forwarded-Proto";
        LoginTo = false;
      };
    };

    # Blocky: local DNS resolver with ad blocking and local overrides.
    blocky = {
      enable = true;
      settings = {
        ports = {
          dns = 53;
          http = 4000;
        };
        upstreams = {
          # parallel_best: query two random resolvers, return the fastest
          # answer. See the Blocky docs for details.
          strategy = "parallel_best";
          groups.default = [
            # Cloudflare
            "https://one.one.one.one/dns-query"
            # OpenDNS
            "https://doh.opendns.com/dns-query"
            # Google
            "8.8.8.8"
            "8.8.4.4"
            "2001:4860:4860::8888"
            "2001:4860:4860::8844"
            # Comcast / our ISP
            "75.75.75.75"
            "75.75.76.76"
          ];
        };
        # Presumably used to resolve the DoH upstream hostnames before
        # regular resolution is available; check the Blocky docs.
        bootstrapDns = {
          upstream = "https://one.one.one.one/dns-query";
          ips = [ "1.1.1.1" "1.0.0.1" ];
        };
        blocking = {
          blackLists.ads = [ "https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts" ];
          clientGroupsBlock.default = [ "ads" ];
        };
        # Service hostnames resolve to this host's tailnet address.
        customDNS = {
          rewrite = {
            "cockpit.samsehu.perli.casa" = "samsehu.perli.casa";
            "git.samsehu.perli.casa" = "samsehu.perli.casa";
            "nextcloud.samsehu.perli.casa" = "samsehu.perli.casa";
          };
          mapping."samsehu.perli.casa" = "100.64.0.3";
        };
      };
    };

    # Forgejo git hosting, bound to loopback; reached via the Caddy git vhost.
    forgejo = {
      enable = true;
      settings.server = {
        ROOT_URL = "https://git.samsehu.perli.casa/";
        HTTP_ADDR = "127.0.0.1";
      };
    };

    # lldap LDAP authentication server, web UI bound to loopback.
    lldap = {
      enable = true;
      settings = {
        ldap_base_dn = "dc=twins,dc=pearson";
        # Username of the root administrator.
        ldap_user_dn = "admin";
        http_host = "127.0.0.1";
      };
      # Admin password is read from an age-managed secret file.
      environment.LLDAP_LDAP_USER_PASS_FILE = config.age.secrets.LLDAP_DEFAULT_ADMIN_PASSWORD.path;
    };

    # Nextcloud, served by Caddy + PHP-FPM (not nginx).
    nextcloud = {
      enable = true;
      home = "/zroot/nextcloud";
      hostName = "nextcloud.samsehu.perli.casa";
      config = {
        trustedProxies = [ "127.0.0.1" ];
        # NOTE(review): a plain path, unlike the age secrets used for
        # lldap and Duck DNS — confirm how this file is provisioned.
        adminpassFile = "/var/nextcloud-admin-pass";
      };
    };
    # Caddy talks to the PHP-FPM socket, so the socket is owned by Caddy's user/group.
    phpfpm.pools.nextcloud.settings = {
      "listen.owner" = config.services.caddy.user;
      "listen.group" = config.services.caddy.group;
    };

    # Caddy reverse proxy. Most vhosts bind the tailnet address only.
    caddy = {
      enable = true;
      globalConfig = ''
        # servers {
        #   protocols h1 h2
        # }
        email "fresh.car0178@geemili.xyz"
      '';
      virtualHosts = {
        "lldap.samsehu.perli.casa".extraConfig = ''
          bind 100.64.0.3
          reverse_proxy localhost:17170
        '';
        "headscale.samsehu.perli.casa".extraConfig = ''
          bind 100.64.0.3 192.168.0.69
          reverse_proxy localhost:64639
        '';
        "cockpit.samsehu.perli.casa".extraConfig = ''
          bind 100.64.0.3
          reverse_proxy localhost:9090
        '';
        "git.samsehu.perli.casa".extraConfig = ''
          bind 100.64.0.3 192.168.0.69
          reverse_proxy localhost:3000
        '';
        # NOTE(review): no `bind` line here, unlike the other vhosts —
        # confirm Jellyfin is meant to be reachable on all addresses.
        "jellyfin.samsehu.perli.casa".extraConfig = ''
          reverse_proxy localhost:8096
        '';
        "nextcloud.samsehu.perli.casa".extraConfig = ''
          bind 100.64.0.3 192.168.0.69
          php_fastcgi unix/${config.services.phpfpm.pools.nextcloud.socket} {
            root ${config.services.nextcloud.package}
            capture_stderr
            header_up Host {upstream.hostport}
          }
        '';
      };
    };

    # Headscale coordination server for reaching the network while away.
    # TLS is terminated by Caddy, so headscale itself runs without certs.
    headscale = {
      enable = true;
      package = pkgs.juanfont-headscale.headscale;
      settings = {
        server_url = "https://headscale.samsehu.perli.casa";
        listen_addr = "127.0.0.1:64639";
        metrics_listen_addr = "127.0.0.1:64640";
        tls_cert_path = null;
        tls_key_path = null;
        dns_config = {
          nameservers = [ "100.64.0.3" ];
          magic_dns = true;
          base_domain = "ts.samsehu.perli.casa";
          restricted_nameservers = {
            "samsehu.perli.casa" = [ "100.64.0.3" ];
          };
          # extra_records = [
          #   { name = "cockpit.samsehu.perli.casa"; type = "A"; value = "100.64.0.3"; }
          #   { name = "lldap.samsehu.perli.casa"; type = "A"; value = "100.64.0.3"; }
          # ];
        };
        # ACL: admins may reach everything; SSH into the server group is
        # limited to the admin group.
        acl_policy_path = pkgs.writeText "acl_policy.hujson" ''
          {
            "groups": {
              "group:servers": [ "samsehu", ],
              "group:admin": [ "geemili", "desttinghim", ],
            },
            "acls": [
              { "action": "accept", "src": ["group:admin"], "dst": ["*:*"], }
            ],
            "ssh": [
              { "action": "accept", "src": ["group:admin"], "dst": ["group:servers"], "users": ["group:admin", "geemili", "desttinghim"], },
            ],
          }
        '';
      };
    };

    # systemd-resolved, with its stub listener disabled — presumably so
    # port 53 stays free for Blocky (ports.dns = 53 above).
    resolved = {
      enable = true;
      extraConfig = ''
        DNSStubListener=false
      '';
    };
  };

  # Dynamic DNS through Duck DNS. The token is passed to curl via
  # `token@<file>`, so it is read from the secret file rather than
  # appearing on the command line.
  systemd.services.dynamic-dns-updater = {
    serviceConfig.User = "dynamicdns";
    path = [ pkgs.curl ];
    script = "curl --silent --url-query domains=samsehuperli --url-query token@${config.age.secrets.samsehu_DUCK_DNS_TOKEN.path} https://www.duckdns.org/update";
    startAt = "hourly";
  };
  systemd.timers.dynamic-dns-updater.timerConfig.RandomizedDelaySec = "15m";

  system = {
    # Automatic upgrades from the local Forgejo over loopback
    # (HTTP_ADDR = 127.0.0.1 above; port 3000 per the Caddy git vhost).
    autoUpgrade = {
      enable = true;
      allowReboot = true;
      flake = "git+http://127.0.0.1:3000/Twins/server-configuration.git";
    };

    # Copy the NixOS configuration file and link it from the resulting system
    # (/run/current-system/configuration.nix). Useful if configuration.nix is
    # accidentally deleted.
    # copySystemConfiguration = true;

    # This option defines the first version of NixOS installed on this particular
    # machine and is used to maintain compatibility with application data (e.g.
    # databases) created on older NixOS versions.
    #
    # Most users should NEVER change this value after the initial install, for
    # any reason, even after upgrading to a new NixOS release.
    #
    # It does NOT affect the Nixpkgs version packages are pulled from, so changing
    # it will NOT upgrade the system, and a value lower than the current release
    # does NOT mean the system is out of date, unsupported, or vulnerable.
    #
    # Do NOT change it unless you have inspected all the changes it would make
    # and migrated your data accordingly. See `man configuration.nix` or
    # https://nixos.org/manual/nixos/stable/options#opt-system.stateVersion .
    stateVersion = "23.11"; # Did you read the comment?
  };

  nix = {
    # Weekly garbage collection of generations older than 30 days.
    gc = {
      automatic = true;
      dates = "weekly";
      options = "--delete-older-than 30d";
    };
    # NOTE(review): trusted-users is a high-privilege daemon setting; keep
    # this list minimal.
    settings.trusted-users = [ "geemili" ];
  };
}