
# Edit this configuration file to define what should be installed on
# your system. Help is available in the configuration.nix(5) man page, on
# https://search.nixos.org/options and in the NixOS manual (`nixos-help`).
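{ config, lib, pkgs, ... }:

{
  imports =
    [ # Include the results of the hardware scan.
      ./hardware-configuration.nix
    ];

  # Use the systemd-boot EFI boot loader.
  boot.loader.systemd-boot.enable = true;
  boot.loader.efi.canTouchEfiVariables = true;

  # networking.hostName = "nixos"; # Define your hostname (set further down as "quinn").
  # Pick only one of the below networking options.
  # networking.wireless.enable = true;  # Enables wireless support via wpa_supplicant.
  # networking.networkmanager.enable = true;  # Easiest to use and most distros use this by default.

  # Set your time zone.
  time.timeZone = "America/Phoenix";

  # Configure network proxy if necessary
  # networking.proxy.default = "http://user:password@proxy:port/";
  # networking.proxy.noProxy = "127.0.0.1,localhost,internal.domain";

  # Select internationalisation properties.
  # i18n.defaultLocale = "en_US.UTF-8";
  # console = {
  #   font = "Lat2-Terminus16";
  #   keyMap = "us";
  #   useXkbConfig = true; # use xkb.options in tty.
  # };

  # Enable the X11 windowing system.
  # services.xserver.enable = true;

  # Configure keymap in X11
  # services.xserver.xkb.layout = "us";
  # services.xserver.xkb.options = "eurosign:e,caps:escape";

  # Enable CUPS to print documents.
  # services.printing.enable = true;

  # Enable sound.
  # hardware.pulseaudio.enable = true;
  # OR
  # services.pipewire = {
  #   enable = true;
  #   pulse.enable = true;
  # };

  # Enable touchpad support (enabled default in most desktopManager).
  # services.libinput.enable = true;

  # Dedicated primary groups for the two service accounts defined below.
  users.groups.scanner = {};
  users.groups.step = {};

  # Define a user account. Don't forget to set a password with passwd.
  users.users.eliribble = {
    isNormalUser = true;
    description = "Eli Ribble";
    # "wheel" enables sudo. "docker" (together with the podman docker socket
    # enabled at the bottom of this file) also grants control of the container
    # runtime, which is root-equivalent on the host; redundant with "wheel"
    # for this account, but keep that in mind before granting it to others.
    extraGroups = [ "docker" "networkmanager" "podman" "wheel" ];
    # packages = with pkgs; [
    #   firefox
    #   tree
    # ];
  };

  # Unprivileged system account the scanner authenticates as over samba.
  # Its samba password is not managed in this file (presumably set with
  # smbpasswd out of band).
  users.users.scanner = {
    group = "scanner";
    isNormalUser = false;
    isSystemUser = true;
    description = "User for the scanner to log in to samba";
  };

  # Unprivileged system account owning the step-ca certificate material.
  users.users.step = {
    group = "step";
    isNormalUser = false;
    isSystemUser = true;
    description = "User for step-ca certs";
  };

  # List packages installed in system profile. To search, run:
  # $ nix search wget
  environment.systemPackages = with pkgs; [
    chezmoi
    dig
    fish
    git
    htop
    #mongodb
    neovim
    nginx
    python3
    step-ca
    step-cli
    tmux
    #unifi8
    wget
  ];

  networking.hostName = "quinn";

  # Allow specific unfree packages, matched by package name (lib.getName),
  # not by attribute path.
  nixpkgs.config.allowUnfreePredicate = pkg: builtins.elem (lib.getName pkg) [
    "mongodb"
    "unifi-controller"
  ];

  # Some programs need SUID wrappers, can be configured further or are
  # started in user sessions.
  # programs.mtr.enable = true;
  # programs.gnupg.agent = {
  #   enable = true;
  #   enableSSHSupport = true;
  # };

  # Make neovim the default editor
  programs.neovim.enable = true;
  programs.neovim.defaultEditor = true;

  # List services that you want to enable:

  # Reverse proxy in front of the Pi-hole admin UI, which the container below
  # publishes on 127.0.0.1:10000. This vhost is plain HTTP: addSSL and
  # enableACME are both off, so nothing here terminates TLS even though the
  # firewall opens TCP 443 further down.
  services.nginx = {
    enable = true;
    virtualHosts."pihole.home.arpa" = {
      addSSL = false;
      enableACME = false;
      locations."/".extraConfig = ''
        proxy_pass http://127.0.0.1:10000;
        client_body_buffer_size 128k;
        # NOTE(review): 10G is far more than an admin UI presumably needs;
        # consider lowering it so clients cannot push large bodies upstream.
        client_max_body_size 10G;
        #Timeout if the real server is dead
        proxy_next_upstream error timeout invalid_header http_500 http_502 http_503;
        # Advanced Proxy Config
        send_timeout 5m;
        proxy_read_timeout 360;
        proxy_send_timeout 360;
        proxy_connect_timeout 360;
        proxy_headers_hash_max_size 512;
        proxy_headers_hash_bucket_size 128;
        # Basic Proxy Config
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-Server $host;
        proxy_set_header X-Forwarded-Uri $request_uri;
        # Report the actual TLS state ("on" or empty) instead of a hard-coded
        # "on": this vhost is served without TLS, and the value must agree
        # with X-Forwarded-Proto above.
        proxy_set_header X-Forwarded-Ssl $https;
        proxy_set_header X-Scheme $scheme;
        proxy_http_version 1.1;
        # proxy_set_header Connection "";
        proxy_cache_bypass $cookie_session;
        proxy_no_cache $cookie_session;
        proxy_buffers 64 256k;
        proxy_buffer_size 128k;
        proxy_busy_buffers_size 256k;
        # If behind reverse proxy, forwards the correct IP.
        # This trusts X-Forwarded-For from every private/ULA address, so any
        # LAN client can pick the address nginx logs for it. Acceptable for a
        # LAN-only host; narrow it to the real upstream proxy if there is one.
        set_real_ip_from 10.0.0.0/8;
        set_real_ip_from 172.16.0.0/12;
        set_real_ip_from 192.168.0.0/16;
        set_real_ip_from fc00::/7;
        real_ip_header X-Forwarded-For;
        real_ip_recursive on;
      '';
    };
  };

  # Enable the OpenSSH daemon.
  # NOTE(review): only `enable` is set, so password authentication and root
  # login follow the module defaults. Once key-based access is confirmed to
  # work, pin them here explicitly (services.openssh.settings.PasswordAuthentication,
  # services.openssh.settings.PermitRootLogin) so the policy is visible in
  # this file.
  services.openssh.enable = true;

  # Set up a samba share for the scanner.
  # openFirewall opens the SMB ports on the host firewall, and the share is
  # writable ("read only" = "no"), so write access is bounded only by samba's
  # authentication and the 0775 scanner:scanner directory created by
  # systemd.tmpfiles.rules below.
  services.samba = {
    enable = true;
    openFirewall = true;
    extraConfig = ''
      log file = /var/log/samba/%m
      log level = 1
      server role = standalone server
    '';
    shares = {
      scans = {
        path = "/mnt/shares/scans";
        browseable = "yes";
        "read only" = "no";
      };
    };
  };

  # WS-Discovery responder alongside the share (also opens its firewall ports).
  services.samba-wsdd = {
    enable = true;
    openFirewall = true;
  };

  # Enable Tailscale
  services.tailscale.enable = true;

  # Enable the Unifi controller service
  #services.unifi.enable = true;
  #services.unifi.unifiPackage = pkgs.unifi8;

  networking.extraHosts = ''
    127.0.0.1 home.arpa
  '';

  # Open ports in the firewall.
  # Only the nginx ports are listed here; SMB/WSD ports come from the
  # openFirewall options above. The Pi-hole DNS/DHCP ports are published by
  # podman on 192.168.1.5 (see the container below) -- TODO confirm whether
  # those pass through this firewall or podman's own NAT rules bypass it.
  networking.firewall = {
    enable = true;
    allowPing = true;
    allowedTCPPorts = [ 80 443 ];
    allowedUDPPortRanges = [
      #{ from = 4000; to = 4007; }
      #{ from = 8000; to = 8010; }
    ];
  };

  # Copy the NixOS configuration file and link it from the resulting system
  # (/run/current-system/configuration.nix). This is useful in case you
  # accidentally delete configuration.nix.
  # system.copySystemConfiguration = true;

  # This option defines the first version of NixOS you have installed on this particular machine,
  # and is used to maintain compatibility with application data (e.g. databases) created on older NixOS versions.
  #
  # Most users should NEVER change this value after the initial install, for any reason,
  # even if you've upgraded your system to a new NixOS release.
  #
  # This value does NOT affect the Nixpkgs version your packages and OS are pulled from,
  # so changing it will NOT upgrade your system - see https://nixos.org/manual/nixos/stable/#sec-upgrading for how
  # to actually do that.
  #
  # This value being lower than the current NixOS release does NOT mean your system is
  # out of date, out of support, or vulnerable.
  #
  # Do NOT change this value unless you have manually inspected all the changes it would make to your configuration,
  # and migrated your data accordingly.
  #
  # For more information, see `man configuration.nix` or https://nixos.org/manual/nixos/stable/options#opt-system.stateVersion .
  system.stateVersion = "24.05"; # Did you read the comment?

  # Create folders necessary for samba to work
  systemd.tmpfiles.rules = [
    "d /mnt/shares/scans 0775 scanner scanner - -"
  ];

  # Containers run under podman; docker itself is disabled. The podman
  # docker-compatible socket is enabled at the bottom for docker-API clients.
  virtualisation.docker.enable = false;
  virtualisation.oci-containers.backend = "podman";
  virtualisation.oci-containers.containers = {
    pihole = {
      autoStart = true;
      environment = {
        TZ = "America/Phoenix";
        # Listen on every interface inside the container's network namespace;
        # what the LAN can reach is still limited to the ports published below.
        DNSMASQ_LISTENING = "all";
      };
      # Pinned tag rather than :latest, so upgrades are explicit.
      image = "docker.io/pihole/pihole:2024.07.0";
      ports = [
        # DNS is bound to the LAN address only; the admin UI is loopback-only
        # and reached through the nginx vhost above.
        "192.168.1.5:53:53/tcp"
        "192.168.1.5:53:53/udp"
        # DHCP is UDP; without a protocol suffix podman publishes TCP only.
        # NOTE(review): DHCP relies on broadcasts that a bridge-published port
        # may never see -- TODO confirm DHCP is actually served from here.
        "192.168.1.5:67:67/udp"
        "127.0.0.1:10000:80"
      ];
      volumes = [
        "/etc/pihole/config:/etc/pihole"
        "/etc/pihole/dnsmasq.d:/etc/dnsmasq.d"
      ];
    };
  };
  virtualisation.podman.enable = true;
  virtualisation.podman.dockerSocket.enable = true;
  virtualisation.podman.defaultNetwork.settings.dns_enabled = true;
}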