2024-07-03 09:37:49 -07:00
# Edit this configuration file to define what should be installed on
# your system. Help is available in the configuration.nix(5) man page, on
# https://search.nixos.org/options and in the NixOS manual (`nixos-help`).
{ config , lib , pkgs , . . . }:
{
imports =
[ # Include the results of the hardware scan.
./hardware-configuration.nix
] ;
2024-08-21 12:18:01 -07:00
# Enable forwarding for containers
boot . kernel . sysctl = {
" n e t . i p v 6 . c o n f . a l l . f o r w a r d i n g " = 1 ;
} ;
2024-07-03 09:37:49 -07:00
# Use the systemd-boot EFI boot loader.
boot . loader . systemd-boot . enable = true ;
boot . loader . efi . canTouchEfiVariables = true ;
# networking.hostName = "nixos"; # Define your hostname.
# Pick only one of the below networking options.
# networking.wireless.enable = true; # Enables wireless support via wpa_supplicant.
# networking.networkmanager.enable = true; # Easiest to use and most distros use this by default.
# Set your time zone.
2024-07-31 13:03:23 -07:00
time . timeZone = " A m e r i c a / P h o e n i x " ;
2024-07-03 09:37:49 -07:00
# Configure network proxy if necessary
# networking.proxy.default = "http://user:password@proxy:port/";
# networking.proxy.noProxy = "127.0.0.1,localhost,internal.domain";
# Select internationalisation properties.
# i18n.defaultLocale = "en_US.UTF-8";
# console = {
# font = "Lat2-Terminus16";
# keyMap = "us";
# useXkbConfig = true; # use xkb.options in tty.
# };
# Enable the X11 windowing system.
# services.xserver.enable = true;
# Configure keymap in X11
# services.xserver.xkb.layout = "us";
# services.xserver.xkb.options = "eurosign:e,caps:escape";
# Enable CUPS to print documents.
# services.printing.enable = true;
# Enable sound.
# hardware.pulseaudio.enable = true;
# OR
# services.pipewire = {
# enable = true;
# pulse.enable = true;
# };
# Enable touchpad support (enabled default in most desktopManager).
# services.libinput.enable = true;
2024-07-31 10:04:56 -07:00
users . groups . scanner = { } ;
2024-07-22 10:10:32 -07:00
users . groups . step = { } ;
2024-07-03 09:37:49 -07:00
# Define a user account. Don't forget to set a password with ‘ ’
users . users . eliribble = {
isNormalUser = true ;
description = " E l i R i b b l e " ;
2024-07-31 13:03:48 -07:00
extraGroups = [ " d o c k e r " " n e t w o r k m a n a g e r " " p o d m a n " " s c a n n e r " " w h e e l " ] ; # Enable ‘ ’
2024-07-03 09:37:49 -07:00
# packages = with pkgs; [
# firefox
# tree
# ];
} ;
2024-07-31 10:04:56 -07:00
users . users . scanner = {
group = " s c a n n e r " ;
isNormalUser = false ;
isSystemUser = true ;
description = " U s e r f o r t h e s c a n n e r t o l o g i n t o s a m b a " ;
} ;
2024-07-22 10:10:32 -07:00
users . users . step = {
group = " s t e p " ;
isNormalUser = false ;
isSystemUser = true ;
description = " U s e r f o r s t e p - c a c e r t s " ;
} ;
2024-07-03 09:37:49 -07:00
# List packages installed in system profile. To search, run:
# $ nix search wget
environment . systemPackages = with pkgs ; [
chezmoi
2024-07-19 20:57:53 -07:00
dig
2024-07-03 09:37:49 -07:00
fish
git
htop
2024-08-16 17:47:09 -07:00
lsof
2024-07-03 09:37:49 -07:00
#mongodb
2024-08-21 09:30:23 -07:00
ndisc6
2024-07-03 09:37:49 -07:00
neovim
2024-07-21 14:19:41 -07:00
nginx
2024-07-31 13:04:03 -07:00
poetry
2024-07-03 09:37:49 -07:00
python3
2024-07-22 10:10:32 -07:00
step-ca
step-cli
2024-07-03 09:37:49 -07:00
tmux
#unifi8
wget
] ;
2024-07-19 20:57:29 -07:00
2024-07-03 09:37:49 -07:00
networking . hostName = " q u i n n " ;
# Allow specific unfree packages
nixpkgs . config . allowUnfreePredicate = pkg : builtins . elem ( lib . getName pkg ) [
" m o n g o d b "
" u n i f i - c o n t r o l l e r "
] ;
2024-08-21 09:30:23 -07:00
# Enable the helpful "command-not-found" that tells which packages may have the command in question.
# This makes system configuration troubleshooting much faster since I can attempt a basic command 'foo'
# and if 'foo' isn't installed it suggests an installation target.
# If you run 'command-not-found' and it complains about
# DBI connect('dbname=/nix/var/nix/profiles/per-user/root/channels/nixos/programs.sqlite','',...) failed: unable to open database file at /run/current-system/sw/bin/command-not-found line 13.
# cannot open database `/nix/var/nix/profiles/per-user/root/channels/nixos/programs.sqlite' at /run/current-system/sw/bin/command-not-found line 13.
#
# Then you can recreate the SQLite DB with 'sudo nix-channel --list' and making sure a channel like 'nixos https://nixos.org/channels/nixos-24.05' is present.
# Anything that ends in 'nixos-...' should work.
# Then run 'sudo nix-channel --update'
# See https://discourse.nixos.org/t/command-not-found-unable-to-open-database/3807/7
programs . command-not-found . enable = true ;
2024-07-03 09:37:49 -07:00
# Some programs need SUID wrappers, can be configured further or are
# started in user sessions.
# programs.mtr.enable = true;
# programs.gnupg.agent = {
# enable = true;
# enableSSHSupport = true;
# };
2024-08-15 21:31:37 -07:00
programs . mosh . enable = true ;
2024-07-03 09:37:49 -07:00
# Make neovim the default editor
programs . neovim . enable = true ;
programs . neovim . defaultEditor = true ;
# List services that you want to enable:
2024-07-21 14:19:41 -07:00
services . nginx = {
enable = true ;
2024-07-22 12:35:59 -07:00
virtualHosts . " p i h o l e . h o m e . a r p a " = {
2024-07-21 14:19:41 -07:00
addSSL = false ;
enableACME = false ;
locations . " / " . extraConfig = ''
proxy_pass http://127.0.0.1:10000 ;
2024-08-16 16:30:53 -07:00
client_body_buffer_size 1 2 8 k ;
2024-07-21 14:19:41 -07:00
client_max_body_size 1 0 G ;
#Timeout if the real server is dead
proxy_next_upstream error timeout invalid_header http_500 http_502 http_503 ;
# Advanced Proxy Config
send_timeout 5 m ;
proxy_read_timeout 360 ;
proxy_send_timeout 360 ;
proxy_connect_timeout 360 ;
proxy_headers_hash_max_size 512 ;
proxy_headers_hash_bucket_size 128 ;
# Basic Proxy Config
proxy_set_header Host $ host ;
proxy_set_header X-Real-IP $ remote_addr ;
proxy_set_header X-Forwarded-For $ proxy_add_x_forwarded_for ;
proxy_set_header X-Forwarded-Host $ host ;
proxy_set_header X-Forwarded-Proto $ scheme ;
proxy_set_header X-Forwarded-Server $ host ;
proxy_set_header X-Forwarded-Uri $ request_uri ;
proxy_set_header X-Forwarded-Ssl on ;
proxy_set_header X-Scheme $ scheme ;
proxy_http_version 1 .1 ;
# proxy_set_header Connection "";
proxy_cache_bypass $ cookie_session ;
proxy_no_cache $ cookie_session ;
proxy_buffers 64 2 5 6 k ;
proxy_buffer_size 1 2 8 k ;
proxy_busy_buffers_size 2 5 6 k ;
# If behind reverse proxy, forwards the correct IP
set_real_ip_from 10.0.0.0/8 ;
set_real_ip_from 172.16.0.0/12 ;
set_real_ip_from 192.168.0.0/16 ;
set_real_ip_from fc00::/7 ;
real_ip_header X-Forwarded-For ;
real_ip_recursive on ;
'' ;
} ;
} ;
2024-07-07 09:08:40 -07:00
2024-07-03 09:37:49 -07:00
# Enable the OpenSSH daemon.
services . openssh . enable = true ;
2024-08-16 17:47:25 -07:00
# Disable the resolved stub listener, let Pihole do it
services . resolved = {
extraConfig = ''
DNSStubListener = no
'' ;
} ;
2024-07-31 10:04:56 -07:00
# Set up a samba share for the scanner
services . samba = {
enable = true ;
openFirewall = true ;
extraConfig = ''
2024-07-31 10:31:17 -07:00
log file = /var/log/samba / % m
log level = 1
server role = standalone server
2024-07-31 10:04:56 -07:00
'' ;
shares = {
2024-07-31 10:31:17 -07:00
scans = {
path = " / m n t / s h a r e s / s c a n s " ;
2024-07-31 10:04:56 -07:00
browseable = " y e s " ;
" r e a d o n l y " = " n o " ;
} ;
} ;
} ;
services . samba-wsdd = {
enable = true ;
openFirewall = true ;
} ;
2024-07-21 14:19:41 -07:00
# Enable Tailscale
services . tailscale . enable = true ;
2024-07-03 09:37:49 -07:00
# Enable the Unifi controller service
#services.unifi.enable = true;
#services.unifi.unifiPackage = pkgs.unifi8;
2024-07-31 10:05:26 -07:00
networking . extraHosts = ''
127 .0 .0 .1 home . arpa
'' ;
2024-07-03 09:37:49 -07:00
# Open ports in the firewall.
2024-07-22 12:35:34 -07:00
networking . firewall = {
2024-08-21 12:18:47 -07:00
enable = false ;
2024-07-31 10:06:25 -07:00
allowPing = true ;
2024-07-22 12:35:34 -07:00
allowedTCPPorts = [ 80 443 ] ;
allowedUDPPortRanges = [
#{ from = 4000; to = 4007; }
#{ from = 8000; to = 8010; }
] ;
} ;
2024-08-19 09:16:24 -07:00
# Add Google DNS so that we can still resolve DNS names when our Pihole is down.
networking . nameservers = [
" 8 . 8 . 8 . 8 "
" 2 0 0 1 : 4 8 6 0 : 4 8 6 0 : : 8 8 8 8 "
] ;
2024-08-15 21:34:13 -07:00
networking . useNetworkd = true ;
2024-07-03 09:37:49 -07:00
# Copy the NixOS configuration file and link it from the resulting system
# (/run/current-system/configuration.nix). This is useful in case you
# accidentally delete configuration.nix.
# system.copySystemConfiguration = true;
# This option defines the first version of NixOS you have installed on this particular machine,
# and is used to maintain compatibility with application data (e.g. databases) created on older NixOS versions.
#
# Most users should NEVER change this value after the initial install, for any reason,
# even if you've upgraded your system to a new NixOS release.
#
# This value does NOT affect the Nixpkgs version your packages and OS are pulled from,
# so changing it will NOT upgrade your system - see https://nixos.org/manual/nixos/stable/#sec-upgrading for how
# to actually do that.
#
# This value being lower than the current NixOS release does NOT mean your system is
# out of date, out of support, or vulnerable.
#
# Do NOT change this value unless you have manually inspected all the changes it would make to your configuration,
# and migrated your data accordingly.
#
# For more information, see `man configuration.nix` or https://nixos.org/manual/nixos/stable/options#opt-system.stateVersion .
system . stateVersion = " 2 4 . 0 5 " ; # Did you read the comment?
2024-08-15 21:34:13 -07:00
systemd . network . enable = true ;
2024-08-21 12:18:47 -07:00
systemd . network . netdevs . " 0 0 - c o n t a i n e r - i p v l a n " = {
2024-08-21 09:30:47 -07:00
netdevConfig = {
2024-08-21 12:18:47 -07:00
Name = " p o d i p v l a n " ;
Kind = " i p v l a n " ;
2024-08-21 09:30:47 -07:00
} ;
2024-08-21 12:18:47 -07:00
ipvlanConfig = {
Mode = " L 2 " ;
2024-08-21 09:30:47 -07:00
} ;
} ;
2024-08-15 21:34:13 -07:00
systemd . network . networks . " 1 0 - w a n " = {
matchConfig . Name = " e n p 2 s 0 " ;
2024-08-21 12:18:47 -07:00
dhcpV6Config = {
PrefixDelegationHint = " : : / 6 0 " ;
} ;
2024-08-15 21:34:13 -07:00
networkConfig = {
# start a DHCP Client for IPv4 Addressing/Routing
DHCP = " i p v 4 " ;
# accept Router Advertisements for Stateless IPv6 Autoconfiguraton (SLAAC)
IPv6AcceptRA = true ;
} ;
2024-08-16 17:48:20 -07:00
addresses = [ {
addressConfig = {
Address = " f d 0 0 : : 2 / 6 4 " ;
} ;
} ] ;
2024-08-21 12:18:47 -07:00
ipv6PrefixDelegationConfig = {
Managed = true ;
} ;
ipv6AcceptRAConfig = {
DHCPv6Client = " a l w a y s " ;
Token = " p r e f i x s t a b l e " ;
} ;
2024-08-16 17:48:20 -07:00
2024-08-15 21:34:13 -07:00
# make routing on this interface a dependency for network-online.target
linkConfig . RequiredForOnline = " r o u t a b l e " ;
} ;
2024-08-21 12:18:47 -07:00
systemd . network . networks . " 2 0 - c o n t a i n e r - i p v l a n " = {
matchConfig = {
Name = " p o d i p v l a n " ;
Type = " i p v l a n " ;
} ;
dhcpPrefixDelegationConfig = {
SubnetId = 1 ;
} ;
dhcpV6Config = {
DUIDType = " u u i d " ;
} ;
networkConfig = {
IPv6DuplicateAddressDetection = 1 ;
LinkLocalAddressing = " i p v 6 " ;
} ;
} ;
systemd . services . systemd-networkd . environment . SYSTEMD_LOG_LEVEL = " d e b u g " ;
2024-08-15 21:34:13 -07:00
2024-07-31 17:33:53 -07:00
systemd . services . scan-uploader = {
enable = true ;
wantedBy = [ " m u l t i - u s e r . t a r g e t " ] ;
after = [ " n e t w o r k . t a r g e t " ] ;
description = " D a e m o n f o r u p l o a d i n g s c a n s w e g e t o v e r t h e n e t w o r k " ;
serviceConfig = {
User = " s c a n n e r " ;
WorkingDirectory = " / o p t / s r c / s c a n - u p l o a d e r " ;
ExecStart = " / o p t / s r c / s c a n - u p l o a d e r / v e / b i n / s c a n - u p l o a d e r - - p a p e r l e s s - u r l h t t p s : / / d o c s . t h e r i b b l e s . o r g - - p a p e r l e s s - a p i - k e y s e c r e t - s t u f f - - b a c k l o g / m n t / s h a r e s / s c a n s / " ;
} ;
} ;
2024-07-31 10:31:17 -07:00
# Create folders necessary for samba to work
systemd . tmpfiles . rules = [
" d / m n t / s h a r e s / s c a n s 0 7 7 5 s c a n n e r s c a n n e r - - "
] ;
2024-07-19 20:57:29 -07:00
# Enable podman since we are on NixOS 21.05
virtualisation . docker . enable = false ;
virtualisation . podman . enable = true ;
virtualisation . podman . dockerSocket . enable = true ;
2024-07-03 09:37:49 -07:00
}
