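# hosts/valefar/configuration.nix (or default.nix)
#
# NixOS host configuration for "valefar": a ZFS-backed storage host running
# the garage, forgejo and immich custom modules, an NFS export of /storage,
# docker, and the vscode-server module.
#
# Review change: the firewall was disabled (`firewall.enable = false`) while
# the TCP/UDP allow-lists below were still maintained, so the allow-lists were
# dead configuration and every listening service was reachable on every
# interface. The firewall is now enabled so the allow-lists become the
# effective policy. See the NOTE(review) comments in the NETWORKING section
# for the ports that still need to be confirmed.
{ config, lib, pkgs, modulesPath, inputs, ... }:

{
  # ===========================================================================
  # IMPORTS
  # ===========================================================================
  imports = [
    # Host-specific hardware and secrets
    ./hardware.nix
    ./secrets.nix

    # Common modules shared across hosts
    ../../common/system.nix
    ../../common/users.nix
    ../../common/services.nix
    ../../common/efi.nix

    # Common secrets
    ../../host-secrets.nix

    # Hardware-specific (commented out)
    # ../../common/nvidia.nix
  ];

  # ===========================================================================
  # SYSTEM CONFIGURATION
  # ===========================================================================
  system.stateVersion = "24.11";
  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";

  # Intel microcode updates, gated on redistributable firmware being permitted.
  hardware.cpu.intel.updateMicrocode =
    lib.mkDefault config.hardware.enableRedistributableFirmware;

  # ===========================================================================
  # CUSTOM MODULES
  # ===========================================================================
  # Defined outside this file; their listening ports are not recorded here.
  modules.garage.enable = true;
  modules.forgejo.enable = true;
  modules.immich.enable = true;

  # ===========================================================================
  # NETWORKING
  # ===========================================================================
  networking = {
    hostName = "valefar";
    # Stable host id; ZFS records it in pool metadata and checks it on import.
    hostId = "2a07da90";
    useDHCP = true;
    nameservers = [ "10.0.0.210" "1.1.1.1" ];

    firewall = {
      # Enabled so the allow-lists below are actually enforced (they were
      # previously configured but inert because the firewall was off).
      enable = true;

      # Traffic arriving on the Tailscale interface bypasses the allow-lists
      # entirely, so management access over the tailnet is unaffected by the
      # port lists.
      trustedInterfaces = [ "tailscale0" ];

      # NOTE(review): the garage/forgejo/immich modules may listen on ports that
      # are not in this list. Confirm they are reached via 80/443 (reverse
      # proxy) or via tailscale0, or add their ports here before deploying.
      allowedTCPPorts = [
        22             # ssh
        80 443         # http / https
        2049           # nfs (sufficient for NFSv4 clients only; see NFS SERVER)
        2456 2457      # purpose not recorded in this file — TODO document
        9000 9001 9002 # purpose not recorded in this file — TODO document
      ];
      allowedUDPPorts = [ 2049 ];
    };
  };

  # DNS resolution via systemd-resolved. DNSSEC and DNS-over-TLS are both
  # explicitly off, as in the original configuration; the upstreams are a LAN
  # resolver (10.0.0.210) and 1.1.1.1.
  services.resolved = {
    enable = true;
    dnssec = "false";
    domains = [ "~." ];
    fallbackDns = [ "10.0.0.210" "1.1.1.1" ];
    dnsovertls = "false";
  };

  # ===========================================================================
  # BOOT & FILESYSTEMS
  # ===========================================================================
  boot = {
    supportedFilesystems = [ "zfs" ];
    # Hardware-monitoring drivers used by lm_sensors (see PACKAGES).
    kernelModules = [ "nct6775" "coretemp" ];
    zfs = {
      extraPools = [ "garage" "storage" ];
      devNodes = "/dev/disk/by-id";
      # Forces the import even when the pool's recorded hostid does not match
      # this host; needed when pools move between machines, but it also skips
      # the "pool in use elsewhere" safety check.
      forceImportAll = true;
    };
  };

  # ===========================================================================
  # ZFS CONFIGURATION
  # ===========================================================================
  # Pool import: the cache-file based unit is disabled in favour of a device
  # scan that waits for udev to settle so /dev/disk/by-id links exist.
  systemd.services.zfs-import-cache.enable = false;
  systemd.services.zfs-import-scan = {
    enable = true;
    after = [ "systemd-udev-settle.service" ];
    wants = [ "systemd-udev-settle.service" ];
  };

  # Mount units for the two extra pools, ordered after the scan import.
  systemd.mounts =
    let
      zfsMount = dataset: mountpoint: {
        what = dataset;
        where = mountpoint;
        type = "zfs";
        after = [ "zfs-import-scan.service" ];
        wants = [ "zfs-import-scan.service" ];
      };
    in
    [
      (zfsMount "garage" "/garage")
      (zfsMount "storage" "/storage")
    ];

  # Periodic scrub and trim.
  services.zfs = {
    autoScrub.enable = true;
    trim.enable = true;
  };

  # ===========================================================================
  # DIRECTORY STRUCTURE
  # ===========================================================================
  systemd.tmpfiles.rules = [
    "d /storage/immich 0755 immich immich -"
    "d /storage/immich/photos 0755 immich immich -"
    # Recursively fix ownership of existing files. Note that `Z` also applies
    # the 0755 mode to regular files under the tree on every boot.
    "Z /storage/immich 0755 immich immich -"
  ];

  # ===========================================================================
  # NFS SERVER
  # ===========================================================================
  # NOTE(review): the export is offered to every client (`*`) with
  # `no_root_squash`, so any host that can reach port 2049 gets root-equivalent
  # access to /storage. With the firewall enabled that is every host on the
  # local network plus the tailnet. Prefer replacing `*` with the permitted
  # network or host list (value not recorded in this file).
  # NFSv3 clients additionally need rpcbind (111) and the mountd/statd/lockd
  # ports opened; pin them via services.nfs.server.{mountdPort,statdPort,
  # lockdPort} if v3 access is required. NFSv4 needs only 2049.
  services.nfs.server = {
    enable = true;
    exports = ''
      /storage *(rw,sync,no_subtree_check,no_root_squash)
    '';
  };

  # ===========================================================================
  # SERVICES
  # ===========================================================================
  services.vscode-server = {
    enable = true;
    nodejsPackage = pkgs.nodejs_20;
  };

  # ===========================================================================
  # VIRTUALIZATION
  # ===========================================================================
  virtualisation.docker = {
    enable = true;
    enableOnBoot = true;
    # Build docker with the Go 1.23 module builder.
    package = pkgs.docker.override { buildGoModule = pkgs.buildGo123Module; };
  };

  # ===========================================================================
  # PACKAGES
  # ===========================================================================
  environment.systemPackages = with pkgs; [
    lm_sensors
    code-server
    inputs.agenix.packages.x86_64-linux.default
  ];

  # ===========================================================================
  # COMMENTED OUT / DISABLED
  # ===========================================================================
  # Remote unlock via SSH in the initrd (commented out). If this is revived,
  # the initrd host key path below must exist on the root filesystem at build
  # time and the initrd sshd is reachable before the firewall is active.
  # boot.kernelParams = [ "ip=dhcp" ];
  # boot.initrd = {
  #   availableKernelModules = [ "r8169" ];
  #   network = {
  #     enable = true;
  #     ssh = {
  #       enable = true;
  #       port = 22;
  #       authorizedKeys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJ0pU82lV9dSjkgYbdh9utZ5CDM2dPN70S5fBqN1m3Pb" ];
  #       hostKeys = [ "/etc/secrets/initrd/ssh_host_rsa_key" ];
  #       shell = "/bin/cryptsetup-askpass";
  #     };
  #   };
  # };
}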