nix-config/hosts/Niko/default.nix

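{ config, pkgs, ... }:
# NixOS host "Niko": a wayland media kiosk (cage + jellyfin-mpv-shim) that
# doubles as the LAN's Tailscale subnet router / exit node and runs a Traefik
# reverse proxy in Docker. Because this box forwards traffic for the whole
# tailnet and has the Docker socket mounted into a container, a compromise of
# the container or the kiosk user is a compromise of the LAN.
{
  imports = [
    # Include the results of the hardware scan.
    ./hardware-configuration.nix
  ];

  homelab = {
    apps.technitiumDNS.enable = true;
    users.deploy.enable = true;
  };

  # Use the systemd-boot EFI boot loader.
  boot.loader = {
    systemd-boot.enable = true;
    efi = {
      canTouchEfiVariables = true;
      efiSysMountPoint = "/boot/efi";
    };
  };

  console = {
    font = "Lat2-Terminus16";
    keyMap = "us";
  };

  # List packages installed in the system profile. To search, run:
  # $ nix search wget
  environment.systemPackages = with pkgs; [
    cifs-utils
  ];

  hardware = {
    enableRedistributableFirmware = true;
    enableAllFirmware = true;
    pulseaudio.enable = true;
    opengl.enable = true;
  };

  # Select internationalisation properties.
  i18n.defaultLocale = "en_GB.utf8";

  networking = {
    hostName = "Niko";
    domain = "depeuter.dev";
    enableIPv6 = true;
    # NOTE: the NixOS firewall does not govern ports published by Docker
    # (`ports = [ "80:80/tcp" ... ]` below); Docker inserts its own iptables
    # rules ahead of the nixos-fw chain, so 80/443 are reachable on every
    # interface, including the Tailscale one, regardless of allowedTCPPorts.
    firewall = {
      enable = true;
    };
    networkmanager.enable = true;
    extraHosts = ''
      192.168.0.11 jelly.depeuter.dev
    '';
  };

  nixpkgs.config.allowUnfree = true;

  # List services that you want to enable:
  services = {
    # Cage, a wayland kiosk service
    cage = {
      enable = true;
      environment = {
        # Do not fail when there are no input devices.
        # WLR_LIBINPUT_NO_DEVICES = "1";
      };
      extraArguments = [
        "-d" # Don't draw client side decorations, when possible
        # "-m" "last" # Use only the last connected output
        # "-s" lets anyone with a keyboard on the kiosk switch to another VT
        # (i.e. a getty login prompt). Drop it if the screen is in a shared space.
        "-s" # Allow VT switching
      ];
      # Runs as the kiosk user from that user's home directory; it can only do
      # what jellyfin-mpv-shim can do (audio/video groups, no sudo).
      program = "/home/jellyfin-mpv-shim/start.sh";
      user = config.users.users.jellyfin-mpv-shim.name;
    };

    tailscale = {
      enable = true;
      useRoutingFeatures = "server";
      # Pre-auth key, read by tailscaled as root. Keep this file mode 0600
      # root:root and out of the nix store / git. Advertised routes and the
      # exit-node role still have to be approved in the Tailscale admin console
      # (unless auto-approvers are configured there).
      authKeyFile = "/etc/nixos/tailscale-authkey";
      extraUpFlags = [
        "--advertise-routes=192.168.0.0/24"
        "--exit-node"
      ];
    };

    # Fix DNS issues. See:
    # https://github.com/tailscale/tailscale/issues/4254
    # resolved.enable = true;
  };

  sound.enable = true;

  # Define a user account. Don't forget to set a password with 'passwd'.
  users.users.jellyfin-mpv-shim = {
    description = "Jellyfin MPV Shim User";
    isNormalUser = true;
    extraGroups = [
      config.users.groups.audio.name
      config.users.groups.video.name
    ];
    packages = with pkgs; [
      jellyfin-mpv-shim
      mpv
      socat
    ];
  };

  systemd.services."cage-tty1".serviceConfig.Restart = "always";

  system.stateVersion = "24.05";

  virtualisation = {
    # Enable Android emulator
    # waydroid.enable = true;

    docker = {
      enable = true;
      autoPrune.enable = true;
    };

    oci-containers = {
      backend = "docker";
      containers = {
        reverse-proxy = {
          hostname = "traefik";
          # Floating minor tag: every pull may change the image. Pin to a
          # specific patch version or an @sha256 digest for reproducible deploys.
          image = "traefik:v3.0";
          cmd = [
            # Dashboard/API is served on the internal `api@internal` service and
            # only reachable through the authenticated/filtered router defined in
            # the labels below. `--api.insecure=true` was removed: it exposed the
            # full API (config dump, routers, services) on :8080 with no
            # authentication, and the `traefik` router below published that
            # port to the internet over HTTPS.
            "--api=true"
            "--api.dashboard=true"
            # Add Docker provider
            "--providers.docker=true"
            "--providers.docker.exposedByDefault=false"
            # Add web entrypoint
            "--entrypoints.web.address=:80/tcp"
            "--entrypoints.web.http.redirections.entrypoint.to=websecure"
            "--entrypoints.web.http.redirections.entrypoint.scheme=https"
            # Add websecure entrypoint
            "--entrypoints.websecure.address=:443/tcp"
            "--entrypoints.websecure.http.tls=true"
            "--entrypoints.websecure.http.tls.certResolver=letsencrypt"
            "--entrypoints.websecure.http.tls.domains[0].main=depeuter.dev"
            "--entrypoints.websecure.http.tls.domains[0].sans=*.depeuter.dev"
            "--entrypoints.websecure.http.tls.domains[1].sans=*.niko.depeuter.dev"
            # Certificates (DNS-01 via Cloudflare; needs CLOUDFLARE_DNS_API_TOKEN
            # in the environment, supplied by environmentFiles below)
            "--certificatesresolvers.letsencrypt.acme.dnschallenge=true"
            "--certificatesresolvers.letsencrypt.acme.dnschallenge.provider=cloudflare"
            "--certificatesresolvers.letsencrypt.acme.email=tibo.depeuter@telenet.be"
            "--certificatesresolvers.letsencrypt.acme.storage=/letsencrypt/acme.json"
          ];
          ports = [
            "80:80/tcp"
            "443:443/tcp"
            # :8080 is intentionally not published; the dashboard is only
            # reachable via the `traefik` router below.
          ];
          # SECURITY: the Cloudflare API token used to live here as a literal and
          # is therefore in git history and in the world-readable nix store.
          # Revoke that token in the Cloudflare dashboard and issue a new one
          # scoped to Zone:DNS:Edit on the depeuter.dev zone only. Put it in
          # /etc/nixos/traefik.env (mode 0600 root:root, NOT in the nix store)
          # as a single line: CLOUDFLARE_DNS_API_TOKEN=<token>
          environment = { };
          environmentFiles = [
            "/etc/nixos/traefik.env"
          ];
          volumes = [
            # Docker socket access is root-equivalent on the host even when the
            # mount is read-only (the API can start privileged containers). A
            # Traefik compromise therefore reaches the host and, via the
            # Tailscale routes above, the whole LAN. Prefer a filtered socket
            # proxy that only exposes the read-only /containers and /events
            # endpoints if one is available.
            "/var/run/docker.sock:/var/run/docker.sock:ro" # So that Traefik can listen to the Docker events
            # acme.json holds the private keys for *.depeuter.dev; Traefik
            # expects it to be mode 0600.
            "letsencrypt:/letsencrypt"
          ];
          labels = {
            "traefik.enable" = "true";
            # Dashboard router: TLS only, served from the internal API service,
            # and restricted to the LAN and the Tailscale CGNAT range.
            # NOTE: the allow-list only works if the client IP survives the Docker
            # port mapping (default iptables DNAT preserves it; connections that
            # go through docker-proxy appear as the bridge gateway) — verify with
            # the access log before relying on it, or add a basicauth middleware.
            "traefik.http.routers.traefik.rule" = "Host(`traefik.niko.depeuter.dev`)";
            "traefik.http.routers.traefik.entrypoints" = "websecure";
            "traefik.http.routers.traefik.service" = "api@internal";
            "traefik.http.routers.traefik.middlewares" = "dashboard-allowlist";
            "traefik.http.middlewares.dashboard-allowlist.ipallowlist.sourcerange" = "192.168.0.0/24,100.64.0.0/10";
          };
          autoStart = true;
        };
      };
    };
  };
}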