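# Edit this configuration file to define what should be installed on
# your system. Help is available in the configuration.nix(5) man page, on
# https://search.nixos.org/options and in the NixOS manual (`nixos-help`).
#
# Host "quinn": a small home server running Pi-hole (podman), nginx in front
# of it, a samba share for a network scanner, a scan-uploader daemon,
# step-ca tooling and Tailscale.

{ config, lib, pkgs, ... }:

{
  imports = [
    # Include the results of the hardware scan.
    ./hardware-configuration.nix
  ];

  # Use the systemd-boot EFI boot loader.
  boot.loader.systemd-boot.enable = true;
  boot.loader.efi.canTouchEfiVariables = true;

  # networking.hostName = "nixos"; # Define your hostname.
  # Pick only one of the below networking options.
  # networking.wireless.enable = true;  # Enables wireless support via wpa_supplicant.
  # networking.networkmanager.enable = true;  # Easiest to use and most distros use this by default.

  # Set your time zone.
  time.timeZone = "America/Phoenix";

  # Configure network proxy if necessary
  # networking.proxy.default = "http://user:password@proxy:port/";
  # networking.proxy.noProxy = "127.0.0.1,localhost,internal.domain";

  # Select internationalisation properties.
  # i18n.defaultLocale = "en_US.UTF-8";
  # console = {
  #   font = "Lat2-Terminus16";
  #   keyMap = "us";
  #   useXkbConfig = true; # use xkb.options in tty.
  # };

  # Enable the X11 windowing system.
  # services.xserver.enable = true;

  # Configure keymap in X11
  # services.xserver.xkb.layout = "us";
  # services.xserver.xkb.options = "eurosign:e,caps:escape";

  # Enable CUPS to print documents.
  # services.printing.enable = true;

  # Enable sound.
  # hardware.pulseaudio.enable = true;
  # OR
  # services.pipewire = {
  #   enable = true;
  #   pulse.enable = true;
  # };

  # Enable touchpad support (enabled default in most desktopManager).
  # services.libinput.enable = true;

  # Dedicated groups for the two service accounts below.
  users.groups.scanner = {};
  users.groups.step = {};

  # Define a user account. Don't forget to set a password with ‘passwd’.
  users.users.eliribble = {
    isNormalUser = true;
    description = "Eli Ribble";
    # "wheel" enables ‘sudo’ for the user. Note that "docker"/"podman"
    # socket access is effectively root-equivalent as well, which is fine
    # for an admin account but should not be copied to other users.
    extraGroups = [ "docker" "networkmanager" "podman" "scanner" "wheel" ];
    # packages = with pkgs; [
    #   firefox
    #   tree
    # ];
  };

  # Unprivileged account the scanner authenticates as over samba and that
  # scan-uploader runs under; it owns /mnt/shares/scans (see tmpfiles below).
  users.users.scanner = {
    group = "scanner";
    isNormalUser = false;
    isSystemUser = true;
    description = "User for the scanner to log in to samba";
  };

  # Unprivileged account for step-ca certificate material.
  users.users.step = {
    group = "step";
    isNormalUser = false;
    isSystemUser = true;
    description = "User for step-ca certs";
  };

  # List packages installed in system profile. To search, run:
  # $ nix search wget
  environment.systemPackages = with pkgs; [
    chezmoi
    dig
    fish
    git
    htop
    lsof
    #mongodb
    neovim
    nginx
    poetry
    python3
    step-ca
    step-cli
    tmux
    #unifi8
    wget
  ];

  networking.hostName = "quinn";

  # Allow specific unfree packages
  nixpkgs.config.allowUnfreePredicate = pkg: builtins.elem (lib.getName pkg) [
    "mongodb"
    "unifi-controller"
  ];

  # Some programs need SUID wrappers, can be configured further or are
  # started in user sessions.
  # programs.mtr.enable = true;
  # programs.gnupg.agent = {
  #   enable = true;
  #   enableSSHSupport = true;
  # };
  programs.mosh.enable = true;

  # Make neovim the default editor
  programs.neovim.enable = true;
  programs.neovim.defaultEditor = true;

  # List services that you want to enable:

  # Plain-HTTP reverse proxy in front of the Pi-hole web UI, which is
  # published only on 127.0.0.1:10000 by the container definition below.
  services.nginx = {
    enable = true;
    virtualHosts."pihole.home.arpa" = {
      addSSL = false;
      enableACME = false;
      # NOTE(review): the set_real_ip_from block at the end trusts
      # X-Forwarded-For from every RFC1918/ULA range with real_ip_recursive
      # on, so any LAN host can choose the client address Pi-hole sees and
      # logs. Narrow it to the address of the actual upstream proxy, or drop
      # the real_ip lines if clients reach this nginx directly.
      # X-Forwarded-Ssl is also hard-coded to "on" although this vhost
      # only serves plain HTTP (addSSL = false).
      locations."/".extraConfig = ''
        proxy_pass http://127.0.0.1:10000;
        client_body_buffer_size 128k;
        client_max_body_size 10G;
        #Timeout if the real server is dead
        proxy_next_upstream error timeout invalid_header http_500 http_502 http_503;
        # Advanced Proxy Config
        send_timeout 5m;
        proxy_read_timeout 360;
        proxy_send_timeout 360;
        proxy_connect_timeout 360;
        proxy_headers_hash_max_size 512;
        proxy_headers_hash_bucket_size 128;
        # Basic Proxy Config
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-Server $host;
        proxy_set_header X-Forwarded-Uri $request_uri;
        proxy_set_header X-Forwarded-Ssl on;
        proxy_set_header X-Scheme $scheme;
        proxy_http_version 1.1;
        # proxy_set_header Connection "";
        proxy_cache_bypass $cookie_session;
        proxy_no_cache $cookie_session;
        proxy_buffers 64 256k;
        proxy_buffer_size 128k;
        proxy_busy_buffers_size 256k;
        # If behind reverse proxy, forwards the correct IP
        set_real_ip_from 10.0.0.0/8;
        set_real_ip_from 172.16.0.0/12;
        set_real_ip_from 192.168.0.0/16;
        set_real_ip_from fc00::/7;
        real_ip_header X-Forwarded-For;
        real_ip_recursive on;
      '';
    };
  };

  # Enable the OpenSSH daemon.
  services.openssh.enable = true;

  # Disable the resolved stub listener, let Pihole do it
  services.resolved = {
    extraConfig = ''
      DNSStubListener=no
    '';
  };

  # Set up a samba share for the scanner.
  # The share is writable; samba's default is to reject unknown users rather
  # than map them to guest, so the scanner must authenticate as the
  # "scanner" account above (its samba password is set out of band).
  services.samba = {
    enable = true;
    openFirewall = true;
    extraConfig = ''
      log file = /var/log/samba/%m
      log level = 1
      server role = standalone server
    '';
    shares = {
      scans = {
        path = "/mnt/shares/scans";
        browseable = "yes";
        "read only" = "no";
      };
    };
  };
  services.samba-wsdd = {
    enable = true;
    openFirewall = true;
  };

  # Enable Tailscale
  services.tailscale.enable = true;

  # Enable the Unifi controller service
  #services.unifi.enable = true;
  #services.unifi.unifiPackage = pkgs.unifi8;

  networking.extraHosts = ''
    127.0.0.1 home.arpa
  '';

  # Open ports in the firewall.
  # Only nginx (80/443) is opened here; samba and wsdd open their own ports
  # via openFirewall above. Ports published by the pihole container below are
  # handled by podman's own forwarding rules and are not filtered by this
  # list (the NixOS firewall only governs locally terminated traffic).
  networking.firewall = {
    enable = true;
    allowPing = true;
    allowedTCPPorts = [ 80 443 ];
    allowedUDPPortRanges = [
      #{ from = 4000; to = 4007; }
      #{ from = 8000; to = 8010; }
    ];
  };

  # Add Google DNS so that we can still resolve DNS names when our Pihole is down.
  networking.nameservers = [ "8.8.8.8" "2001:4860:4860::8888" ];
  networking.useNetworkd = true;

  # Copy the NixOS configuration file and link it from the resulting system
  # (/run/current-system/configuration.nix). This is useful in case you
  # accidentally delete configuration.nix.
  # system.copySystemConfiguration = true;

  # This option defines the first version of NixOS you have installed on this particular machine,
  # and is used to maintain compatibility with application data (e.g. databases) created on older NixOS versions.
  #
  # Most users should NEVER change this value after the initial install, for any reason,
  # even if you've upgraded your system to a new NixOS release.
  #
  # This value does NOT affect the Nixpkgs version your packages and OS are pulled from,
  # so changing it will NOT upgrade your system - see https://nixos.org/manual/nixos/stable/#sec-upgrading for how
  # to actually do that.
  #
  # This value being lower than the current NixOS release does NOT mean your system is
  # out of date, out of support, or vulnerable.
  #
  # Do NOT change this value unless you have manually inspected all the changes it would make to your configuration,
  # and migrated your data accordingly.
  #
  # For more information, see `man configuration.nix` or https://nixos.org/manual/nixos/stable/options#opt-system.stateVersion .
  system.stateVersion = "24.05"; # Did you read the comment?

  systemd.network.enable = true;
  systemd.network.networks."10-wan" = {
    matchConfig.Name = "enp2s0";
    networkConfig = {
      # start a DHCP Client for IPv4 Addressing/Routing
      DHCP = "ipv4";
      # accept Router Advertisements for Stateless IPv6 Autoconfiguraton (SLAAC)
      IPv6AcceptRA = true;
    };
    addresses = [
      { addressConfig = { Address = "fd00::2/64"; }; }
      { addressConfig = { Address = "::/0"; Scope = "global"; }; }
    ];
    # make routing on this interface a dependency for network-online.target
    linkConfig.RequiredForOnline = "routable";
  };

  # Daemon that pushes scans dropped on the samba share to a remote paperless
  # instance. Runs as the unprivileged "scanner" user.
  systemd.services.scan-uploader = {
    enable = true;
    wantedBy = [ "multi-user.target" ];
    # The uploader needs a routable interface, not merely a configured one,
    # so order it after network-online.target (which RequiredForOnline above
    # feeds) instead of network.target; otherwise early uploads can fail on boot.
    wants = [ "network-online.target" ];
    after = [ "network-online.target" ];
    description = "Daemon for uploading scans we get over the network";
    serviceConfig = {
      User = "scanner";
      WorkingDirectory = "/opt/src/scan-uploader";
      # The paperless API key must not be written into this file: every value
      # here ends up in the world-readable Nix store. Keep it in a root-owned,
      # mode-0600 file outside the store containing a line
      #   PAPERLESS_API_KEY=<value>
      # systemd reads it before dropping to the "scanner" user and expands
      # ${PAPERLESS_API_KEY} in ExecStart. (The expanded value is still part of
      # the process's argv; if the tool can read the key from the environment
      # instead, prefer that.)
      EnvironmentFile = "/etc/scan-uploader/environment"; # placeholder path: create it manually, outside the Nix store
      ExecStart = "/opt/src/scan-uploader/ve/bin/scan-uploader --paperless-url https://docs.theribbles.org --paperless-api-key \${PAPERLESS_API_KEY} --backlog /mnt/shares/scans/";
    };
  };

  # Create folders necessary for samba to work
  systemd.tmpfiles.rules = [
    "d /mnt/shares/scans 0775 scanner scanner - -"
  ];

  # Use podman as the OCI backend; Docker itself stays disabled and the
  # podman socket is exposed in its place for docker-compatible tooling.
  virtualisation.docker.enable = false;
  virtualisation.oci-containers.backend = "podman";
  virtualisation.oci-containers.containers = {
    pihole = {
      autoStart = true;
      environment = {
        TZ = "America/Phoenix";
        DNSMASQ_LISTENING = "all";
      };
      extraOptions = [ "--network=bridge" ];
      image = "docker.io/pihole/pihole:2024.07.0";
      # 53 and 67 are bound on every host interface by podman; only the web
      # UI is restricted to loopback and reached through nginx above. Bind
      # 53/67 to the LAN address as well if this host ever gets an interface
      # that faces untrusted networks, since dnsmasq listens on all of them.
      ports = [
        "53:53/tcp"
        "53:53/udp"
        "67:67"
        "127.0.0.1:10000:80"
      ];
      volumes = [
        "/etc/pihole/config:/etc/pihole"
        "/etc/pihole/dnsmasq.d:/etc/dnsmasq.d"
      ];
    };
  };
  virtualisation.podman.enable = true;
  virtualisation.podman.dockerSocket.enable = true;
  virtualisation.podman.defaultNetwork.settings = {
    dns_enabled = false;
    ipv6_enabled = true;
    subnets = [
      { gateway = "10.88.0.1"; subnet = "10.88.0.0/16"; }
      { gateway = "fd00::1:8:1"; subnet = "fd00::1:8:0/122"; }
    ];
  };
}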