From fbb4defab89715ce8195bae62beedd5f7236c02c Mon Sep 17 00:00:00 2001 From: Tibo De Peuter Date: Wed, 12 Jun 2024 09:13:42 +0200 Subject: [PATCH] Initial commit --- hosts/Isabel/.keep | 0 hosts/Niko/default.nix | 282 ++++++++++++++++++++++++++ hosts/Niko/hardware-configuration.nix | 45 ++++ 3 files changed, 327 insertions(+) create mode 100644 hosts/Isabel/.keep create mode 100644 hosts/Niko/default.nix create mode 100644 hosts/Niko/hardware-configuration.nix diff --git a/hosts/Isabel/.keep b/hosts/Isabel/.keep new file mode 100644 index 0000000..e69de29 diff --git a/hosts/Niko/default.nix b/hosts/Niko/default.nix new file mode 100644 index 0000000..8855d07 --- /dev/null +++ b/hosts/Niko/default.nix @@ -0,0 +1,282 @@ +{ config, pkgs, ... }: + +{ + imports = [ + # Include the results of the hardware scan. + ./hardware-configuration.nix + ]; + + # Use the systemd-boot EFI boot loader. + boot.loader = { + systemd-boot.enable = true; + efi = { + canTouchEfiVariables = true; + efiSysMountPoint = "/boot/efi"; + }; + }; + + console = { + font = "Lat2-Terminus16"; + keyMap = "us"; + }; + + # List packages installed in the system profile. To search, run: + # $ nix search wget + environment.systemPackages = with pkgs; [ + curl + git + tmux + vim + wget + ]; + + hardware = { + enableRedistributableFirmware = true; + enableAllFirmware = true; + pulseaudio.enable = true; + opengl.enable = true; + }; + + # Select internationalisation properties. + i18n.defaultLocale = "en_GB.utf8"; + + networking = { + hostName = "Niko"; + domain = "depeuter.dev"; + + enableIPv6 = true; + + # Open ports in the firewall. + firewall = { + enable = true; + }; + + networkmanager.enable = true; + }; + + nix = { + package = pkgs.nixFlakes; + extraOptions = '' + experimental-features = nix-command flakes + ''; + settings.trusted-users = [ + config.users.users.admin.name + ]; + }; + + nixpkgs.config.allowUnfree = true; + + # List services that you want to enable: + services = { + displayManager = { + enable = true; + autoLogin = { + enable = true; + user = config.users.users.jellyfin-mpv-shim.name; + }; + }; + xserver = { + enable = true; + displayManager.startx.enable = true; + }; + + openssh = { + # Enable the OpenSSH daemon. + enable = true; + settings = { + PasswordAuthentication = false; + PermitRootLogin = "no"; + }; + }; + }; + + sound.enable = true; + + # Set your time zone. + time.timeZone = "Europe/Brussels"; + + users = { + # Define users groups + groups = { + # The group used to deploy rebuilds without password authentication + deploy = { }; + }; + + # Define a user account. Don't forget to set a password with 'passwd'. + users = { + admin = { + description = "System Administrator"; + isNormalUser = true; + extraGroups = [ + config.users.groups.wheel.name # Enable 'sudo' for the user. + config.users.groups.deploy.name + ]; + initialPassword = "ChangeMe"; + openssh.authorizedKeys.keys = [ + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPrG+ldRBdCeHEXrsy/qHXIJYg8xQXVuiUR0DxhFjYNg" + ]; + }; + + jellyfin-mpv-shim = { + description = "Jellyfin MPV Shim User"; + isNormalUser = true; + extraGroups = [ + config.users.groups.audio.name + config.users.groups.video.name + ]; + packages = with pkgs; [ + jellyfin-mpv-shim + ]; + }; + }; + }; + + security.sudo = { + enable = true; + extraRules = [ + { + groups = [ config.users.groups.deploy.name ]; + commands = [ + { + command = "/nix/store/*/bin/switch-to-configuration"; + options = [ "NOPASSWD" ]; + } + { + command = "/run/current-system/sw/bin/nix-store"; + options = [ "NOPASSWD" ]; + } + { + command = ''/bin/sh -c "readlink -e /nix/var/nix/profiles/system || readlink -e /run/current-system"''; + options = [ "NOPASSWD" ]; + } + { + command = "${config.system.build.nixos-rebuild}/bin/nixos-rebuild"; + options = [ "NOPASSWD" ]; + } + ]; + } + ]; + }; + + system.stateVersion = "24.05"; + + virtualisation = { + docker = { + enable = true; + autoPrune.enable = true; + }; + + oci-containers = { + backend = "docker"; + containers = { + reverse-proxy = { + hostname = "traefik"; + image = "traefik:v3.0"; + cmd = [ + "--api.insecure=true" + # Add Docker provider + "--providers.docker=true" + "--providers.docker.exposedByDefault=false" + # Add web entrypoint + "--entrypoints.web.address=:80/tcp" + "--entrypoints.web.http.redirections.entrypoint.to=websecure" + "--entrypoints.web.http.redirections.entrypoint.scheme=https" + # Add websecure entrypoint + "--entrypoints.websecure.address=:443/tcp" + "--entrypoints.websecure.http.tls=true" + "--entrypoints.websecure.http.tls.certResolver=letsencrypt" + "--entrypoints.websecure.http.tls.domains[0].main=depeuter.dev" + "--entrypoints.websecure.http.tls.domains[0].sans=*.depeuter.dev" + "--entrypoints.websecure.http.tls.domains[1].sans=*.niko.depeuter.dev" + # Certificates + "--certificatesresolvers.letsencrypt.acme.dnschallenge=true" + "--certificatesresolvers.letsencrypt.acme.dnschallenge.provider=cloudflare" + "--certificatesresolvers.letsencrypt.acme.email=tibo.depeuter@telenet.be" + "--certificatesresolvers.letsencrypt.acme.storage=/letsencrypt/acme.json" + ]; + ports = [ + "80:80/tcp" + "443:443/tcp" + # "8080:8080/tcp" # The Web UI (enabled by --api.insecure=true) + ]; + environment = { + "CLOUDFLARE_DNS_API_TOKEN" = "6Vz64Op_a6Ls1ljGeBxFoOVfQ-yB-svRbf6OyPv2"; + }; + environmentFiles = [ + ]; + volumes = [ + "/var/run/docker.sock:/var/run/docker.sock:ro" # So that Traefik can listen to the Docker events + "letsencrypt:/letsencrypt" + ]; + labels = { + "traefik.enable" = "true"; + "traefik.http.routers.traefik.rule" = "Host(`traefik.niko.depeuter.dev`)"; + "traefik.http.services.traefik.loadbalancer.server.port" = "8080"; + }; + autoStart = true; + }; + technitium-dns = { + hostname = "technitium-dns"; + image = "technitium/dns-server:12.1"; + ports = [ + # "5380:5380/tcp" #DNS web console (HTTP) + # "53443:53443/tcp" #DNS web console (HTTPS) + "53:53/udp" #DNS service + "53:53/tcp" #DNS service + # "853:853/udp" #DNS-over-QUIC service + # "853:853/tcp" #DNS-over-TLS service + # "443:443/udp" #DNS-over-HTTPS service (HTTP/3) + # "443:443/tcp" #DNS-over-HTTPS service (HTTP/1.1, HTTP/2) + # "80:80/tcp" #DNS-over-HTTP service (use with reverse proxy or certbot certificate renewal) + # "8053:8053/tcp" #DNS-over-HTTP service (use with reverse proxy) + # "67:67/udp" #DHCP service + ]; + environment = { + # The primary domain name used by this DNS Server to identify itself. + DNS_SERVER_DOMAIN = config.networking.hostName; + # DNS Server will use IPv6 for querying whenever possible with this option enabled. + DNS_SERVER_PREFER_IPV6 = "true"; + # The TCP port number for the DNS web console over HTTP protocol. + # DNS_SERVER_WEB_SERVICE_HTTP_PORT=5380 + # The TCP port number for the DNS web console over HTTPS protocol. + # DNS_SERVER_WEB_SERVICE_HTTPS_PORT=53443 + # Enables HTTPS for the DNS web console. + # DNS_SERVER_WEB_SERVICE_ENABLE_HTTPS=false + # Enables self signed TLS certificate for the DNS web console. + # DNS_SERVER_WEB_SERVICE_USE_SELF_SIGNED_CERT=false + # Enables DNS server optional protocol DNS-over-HTTP on TCP port 8053 to be used with a TLS terminating reverse proxy like nginx. + # DNS_SERVER_OPTIONAL_PROTOCOL_DNS_OVER_HTTP=false + # Recursion options: Allow, Deny, AllowOnlyForPrivateNetworks, UseSpecifiedNetworks. + #nDNS_SERVER_RECURSION=AllowOnlyForPrivateNetworks + # Comma separated list of IP addresses or network addresses to deny recursion. Valid only for `UseSpecifiedNetworks` recursion option. + # DNS_SERVER_RECURSION_DENIED_NETWORKS=1.1.1.0/24 + # Comma separated list of IP addresses or network addresses to allow recursion. Valid only for `UseSpecifiedNetworks` recursion option. + # DNS_SERVER_RECURSION_ALLOWED_NETWORKS=127.0.0.1, 192.168.1.0/24 + # Sets the DNS server to block domain names using Blocked Zone and Block List Zone. + DNS_SERVER_ENABLE_BLOCKING = "false"; + # Specifies if the DNS Server should respond with TXT records containing a blocked domain report for TXT type requests. + # DNS_SERVER_ALLOW_TXT_BLOCKING_REPORT=false + # A comma separated list of block list URLs. + # DNS_SERVER_BLOCK_LIST_URLS= + #Comma separated list of forwarder addresses. + DNS_SERVER_FORWARDERS="195.130.130.2,195.130.131.2"; + # Forwarder protocol options: Udp, Tcp, Tls, Https, HttpsJson. + # DNS_SERVER_FORWARDER_PROTOCOL=Tcp + # Enable this option to use local time instead of UTC for logging. + # DNS_SERVER_LOG_USING_LOCAL_TIME=true + }; + volumes = [ + "dns:/etc/dns" + ]; + labels = { + "traefik.enable" = "true"; + "traefik.http.routers.technitium-dns.rule" = "Host(`dns.niko.depeuter.dev`)"; + "traefik.http.services.technitium-dns.loadbalancer.server.port" = "5380"; + "traefik.tls.options.default.minVersion" = "VersionTLS13"; + }; + autoStart = true; + }; + }; + }; + }; +} diff --git a/hosts/Niko/hardware-configuration.nix b/hosts/Niko/hardware-configuration.nix new file mode 100644 index 0000000..bf837af --- /dev/null +++ b/hosts/Niko/hardware-configuration.nix @@ -0,0 +1,45 @@ +{ config, lib, pkgs, modulesPath, ... }: + +{ + imports = [ + (modulesPath + "/installer/scan/not-detected.nix") + ]; + + boot = { + initrd = { + availableKernelModules = [ + "xhci_pci" + "ahci" + "usb_storage" + "sd_mod" + "iwlwifi" + ]; + }; + kernelModules = [ ]; + extraModulePackages = [ ]; + }; + + fileSystems = { + "/" = { + device = "/dev/disk/by-uuid/20b7eff3-fca5-4b60-a5a9-13219f70ce23"; + fsType = "ext4"; + }; + + "/boot/efi" = { + device = "/dev/disk/by-uuid/0B6D-0DCD"; + fsType = "vfat"; + }; + }; + + swapDevices = [ + { device = "/dev/disk/by-uuid/f3679da0-45b3-45c0-a1d0-af8d771a7dbf"; } + ]; + + networking = { + hostId = "7a139e16"; + useDHCP = lib.mkDefault true; + }; + + powerManagement.cpuFreqGovernor = lib.mkDefault "powersave"; + hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware; +}