eliribble
/
nixos-systems
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
nixos-systems/quinn/etc/nixos/configuration.nix

362 lines
11 KiB
Nix
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

# Edit this configuration file to define what should be installed on
# your system. Help is available in the configuration.nix(5) man page, on
# https://search.nixos.org/options and in the NixOS manual (`nixos-help`).
{ config, lib, pkgs, ... }:
{
imports =
[ # Include the results of the hardware scan.
./hardware-configuration.nix
];
# Enable forwarding for containers
boot.kernel.sysctl = {
"net.ipv6.conf.all.forwarding" = 1;
};
# Use the systemd-boot EFI boot loader.
boot.loader.systemd-boot.enable = true;
boot.loader.efi.canTouchEfiVariables = true;
# networking.hostName = "nixos"; # Define your hostname.
# Pick only one of the below networking options.
# networking.wireless.enable = true; # Enables wireless support via wpa_supplicant.
# networking.networkmanager.enable = true; # Easiest to use and most distros use this by default.
# Set your time zone.
time.timeZone = "America/Phoenix";
# Configure network proxy if necessary
# networking.proxy.default = "http://user:password@proxy:port/";
# networking.proxy.noProxy = "127.0.0.1,localhost,internal.domain";
# Select internationalisation properties.
# i18n.defaultLocale = "en_US.UTF-8";
# console = {
# font = "Lat2-Terminus16";
# keyMap = "us";
# useXkbConfig = true; # use xkb.options in tty.
# };
# Enable the X11 windowing system.
# services.xserver.enable = true;
# Configure keymap in X11
# services.xserver.xkb.layout = "us";
# services.xserver.xkb.options = "eurosign:e,caps:escape";
# Enable CUPS to print documents.
# services.printing.enable = true;
# Enable sound.
# hardware.pulseaudio.enable = true;
# OR
# services.pipewire = {
# enable = true;
# pulse.enable = true;
# };
# Enable touchpad support (enabled default in most desktopManager).
# services.libinput.enable = true;
users.groups.scanner = {};
users.groups.step = {};
# Define a user account. Don't forget to set a password with passwd.
users.users.eliribble = {
isNormalUser = true;
description = "Eli Ribble";
extraGroups = [ "docker" "networkmanager" "podman" "scanner" "wheel" ]; # Enable sudo for the user.
# packages = with pkgs; [
# firefox
# tree
# ];
};
users.users.scanner = {
group = "scanner";
isNormalUser = false;
isSystemUser = true;
description = "User for the scanner to log in to samba";
};
users.users.step = {
group = "step";
isNormalUser = false;
isSystemUser = true;
description = "User for step-ca certs";
};
# List packages installed in system profile. To search, run:
# $ nix search wget
environment.systemPackages = with pkgs; [
chezmoi
dig
fish
git
htop
lsof
#mongodb
ndisc6
neovim
nginx
poetry
python3
step-ca
step-cli
tmux
#unifi8
wget
];
networking.hostName = "quinn";
# Allow specific unfree packages
nixpkgs.config.allowUnfreePredicate = pkg: builtins.elem (lib.getName pkg) [
"mongodb"
"unifi-controller"
];
# Enable the helpful "command-not-found" that tells which packages may have the command in question.
# This makes system configuration troubleshooting much faster since I can attempt a basic command 'foo'
# and if 'foo' isn't installed it suggests an installation target.
# If you run 'command-not-found' and it complains about
# DBI connect('dbname=/nix/var/nix/profiles/per-user/root/channels/nixos/programs.sqlite','',...) failed: unable to open database file at /run/current-system/sw/bin/command-not-found line 13.
# cannot open database `/nix/var/nix/profiles/per-user/root/channels/nixos/programs.sqlite' at /run/current-system/sw/bin/command-not-found line 13.
#
# Then you can recreate the SQLite DB with 'sudo nix-channel --list' and making sure a channel like 'nixos https://nixos.org/channels/nixos-24.05' is present.
# Anything that ends in 'nixos-...' should work.
# Then run 'sudo nix-channel --update'
# See https://discourse.nixos.org/t/command-not-found-unable-to-open-database/3807/7
programs.command-not-found.enable = true;
# Some programs need SUID wrappers, can be configured further or are
# started in user sessions.
# programs.mtr.enable = true;
# programs.gnupg.agent = {
# enable = true;
# enableSSHSupport = true;
# };
programs.mosh.enable = true;
# Make neovim the default editor
programs.neovim.enable = true;
programs.neovim.defaultEditor = true;
# List services that you want to enable:
services.nginx = {
enable = true;
virtualHosts."pihole.home.arpa" = {
addSSL = false;
enableACME = false;
locations."/".extraConfig = ''
proxy_pass http://127.0.0.1:10000;
client_body_buffer_size 128k;
client_max_body_size 10G;
#Timeout if the real server is dead
proxy_next_upstream error timeout invalid_header http_500 http_502 http_503;
# Advanced Proxy Config
send_timeout 5m;
proxy_read_timeout 360;
proxy_send_timeout 360;
proxy_connect_timeout 360;
proxy_headers_hash_max_size 512;
proxy_headers_hash_bucket_size 128;
# Basic Proxy Config
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Server $host;
proxy_set_header X-Forwarded-Uri $request_uri;
proxy_set_header X-Forwarded-Ssl on;
proxy_set_header X-Scheme $scheme;
proxy_http_version 1.1;
# proxy_set_header Connection "";
proxy_cache_bypass $cookie_session;
proxy_no_cache $cookie_session;
proxy_buffers 64 256k;
proxy_buffer_size 128k;
proxy_busy_buffers_size 256k;
# If behind reverse proxy, forwards the correct IP
set_real_ip_from 10.0.0.0/8;
set_real_ip_from 172.16.0.0/12;
set_real_ip_from 192.168.0.0/16;
set_real_ip_from fc00::/7;
real_ip_header X-Forwarded-For;
real_ip_recursive on;
'';
};
};
# Enable the OpenSSH daemon.
services.openssh.enable = true;
# Disable the resolved stub listener, let Pihole do it
services.resolved = {
extraConfig = ''
DNSStubListener=no
'';
};
# Set up a samba share for the scanner
services.samba = {
enable = true;
openFirewall = true;
extraConfig = ''
log file = /var/log/samba/%m
log level = 1
server role = standalone server
'';
shares = {
scans = {
path = "/mnt/shares/scans";
browseable = "yes";
"read only" = "no";
};
};
};
services.samba-wsdd = {
enable = true;
openFirewall = true;
};
# Enable Tailscale
services.tailscale.enable = true;
# Enable the Unifi controller service
#services.unifi.enable = true;
#services.unifi.unifiPackage = pkgs.unifi8;
networking.extraHosts = ''
127.0.0.1 home.arpa
'';
# Open ports in the firewall.
networking.firewall = {
enable = false;
allowPing = true;
allowedTCPPorts = [ 80 443 ];
allowedUDPPortRanges = [
#{ from = 4000; to = 4007; }
#{ from = 8000; to = 8010; }
];
};
# Add Google DNS so that we can still resolve DNS names when our Pihole is down.
networking.nameservers = [
"8.8.8.8"
"2001:4860:4860::8888"
];
networking.useNetworkd = true;
# Copy the NixOS configuration file and link it from the resulting system
# (/run/current-system/configuration.nix). This is useful in case you
# accidentally delete configuration.nix.
# system.copySystemConfiguration = true;
# This option defines the first version of NixOS you have installed on this particular machine,
# and is used to maintain compatibility with application data (e.g. databases) created on older NixOS versions.
#
# Most users should NEVER change this value after the initial install, for any reason,
# even if you've upgraded your system to a new NixOS release.
#
# This value does NOT affect the Nixpkgs version your packages and OS are pulled from,
# so changing it will NOT upgrade your system - see https://nixos.org/manual/nixos/stable/#sec-upgrading for how
# to actually do that.
#
# This value being lower than the current NixOS release does NOT mean your system is
# out of date, out of support, or vulnerable.
#
# Do NOT change this value unless you have manually inspected all the changes it would make to your configuration,
# and migrated your data accordingly.
#
# For more information, see `man configuration.nix` or https://nixos.org/manual/nixos/stable/options#opt-system.stateVersion .
system.stateVersion = "24.05"; # Did you read the comment?
systemd.network.enable = true;
systemd.network.netdevs."00-container-ipvlan" = {
netdevConfig = {
Name = "podipvlan";
Kind = "ipvlan";
};
ipvlanConfig = {
Mode = "L2";
};
};
systemd.network.networks."10-wan" = {
matchConfig.Name = "enp2s0";
dhcpV6Config = {
PrefixDelegationHint = "::/60";
};
networkConfig = {
# start a DHCP Client for IPv4 Addressing/Routing
DHCP = "ipv4";
# accept Router Advertisements for Stateless IPv6 Autoconfiguraton (SLAAC)
IPv6AcceptRA = true;
};
addresses = [{
addressConfig = {
Address="fd00::2/64";
};
}];
ipv6PrefixDelegationConfig = {
Managed = true;
};
ipv6AcceptRAConfig = {
DHCPv6Client="always";
Token="prefixstable";
};
# make routing on this interface a dependency for network-online.target
linkConfig.RequiredForOnline = "routable";
};
systemd.network.networks."20-container-ipvlan" = {
matchConfig = {
Name = "podipvlan";
Type = "ipvlan";
};
dhcpPrefixDelegationConfig = {
SubnetId=1;
};
dhcpV6Config = {
DUIDType="uuid";
};
networkConfig = {
IPv6DuplicateAddressDetection=1;
LinkLocalAddressing="ipv6";
};
};
systemd.services.systemd-networkd.environment.SYSTEMD_LOG_LEVEL = "debug";
systemd.services.scan-uploader = {
enable = true;
wantedBy = [ "multi-user.target" ];
after = [ "network.target" ];
description = "Daemon for uploading scans we get over the network";
serviceConfig = {
User = "scanner";
WorkingDirectory = "/opt/src/scan-uploader";
ExecStart = "/opt/src/scan-uploader/ve/bin/scan-uploader --paperless-url https://docs.theribbles.org --paperless-api-key secret-stuff --backlog /mnt/shares/scans/";
};
};
# Create folders necessary for samba to work
systemd.tmpfiles.rules = [
"d /mnt/shares/scans 0775 scanner scanner - -"
];
# Enable podman since we are on NixOS 21.05
virtualisation.docker.enable = false;
virtualisation.podman.enable = true;
virtualisation.podman.dockerSocket.enable = true;
}
Reference in New Issue View Git Blame Copy Permalink