# Edit this configuration file to define what should be installed on
# your system. Help is available in the configuration.nix(5) man page, on
# https://search.nixos.org/options and in the NixOS manual (`nixos-help`).
#
# Host overview: a LAN server with a static address on eth0, running nginx
# as a TLS-terminating reverse proxy in front of Forgejo and Immich, plus
# Home Assistant and a Matter server as podman containers on the host network.

{ config, lib, pkgs, specialArgs, ... }:

let
  # Shorthand for the Forgejo [server] section; referenced by nginx below.
  forgejoServer = config.services.forgejo.settings.server;
  # Static site served both on the LAN address and on the apex domain.
  websiteRoot = "/srv/website/public_html";
in
{
  imports = [
    # Include the results of the hardware scan.
    ./hardware-configuration.nix
    specialArgs.inputs.vscode-server.nixosModules.default
  ];

  # ---- System basics ---------------------------------------------------
  time.timeZone = "Europe/Vienna";

  boot = {
    loader.systemd-boot.enable = true;
    loader.efi.canTouchEfiVariables = true;
    kernelParams = [ "vga=791" "nomodeset" ];
    kernel.sysctl = {
      # NOTE(review): turns this host into a router between its interfaces.
      # The firewall's allowedTCPPorts below presumably only govern traffic
      # addressed to the host itself — confirm forwarded traffic is filtered
      # the way you expect.
      "net.ipv4.ip_forward" = 1;
      # "net.bridge.bridge-nf-call-iptables" = 1;
      # "net.bridge.bridge-nf-call-ip6tables" = 1;
    };
  };

  # ---- Console and locale ----------------------------------------------
  console = {
    font = "Lat2-Terminus16";
    keyMap = "de";
    # useXkbConfig = true; # use xkb.options in tty.
  };
  # i18n.defaultLocale = "en_US.UTF-8";

  # ---- Networking ------------------------------------------------------
  networking = {
    hostName = "nixos-server";
    useDHCP = false;
    interfaces.eth0.ipv4.addresses = [
      { address = "192.168.69.69"; prefixLength = 24; }
    ];
    defaultGateway = "192.168.69.1";
    nameservers = [ "1.1.1.1" ];

    firewall = {
      enable = true;
      # NOTE(review): 3000, 2283 and 3003 are backends that nginx already
      # proxies with TLS; opening them here exposes the plain-HTTP listeners
      # directly on the LAN (if they bind beyond loopback — the Immich proxy
      # target is [::1], Forgejo's bind address is not set here). Confirm
      # these three are still needed.
      allowedTCPPorts = [
        22   # sshd
        80   # nginx (http, ACME challenges)
        443  # nginx (https)
        2222 # forgejo ssh
        3000 # forgejo frontend
        8123 # homeassistant
        5580 # homeassistant matter
        2283 # immich
        3003 # immich ml
        9000
      ];
    };
  };

  # ---- Users -----------------------------------------------------------
  users.users = {
    root.openssh.authorizedKeys.keys = [
      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINGHadFhDCUU/ta3p1FQgpm7NExHkyHNrJbNJP6np5w9 kempinger@ins.jku.at"
    ];
    # Immich needs the GPU/video device groups for hardware transcoding.
    immich.extraGroups = [ "video" "render" ];
  };

  # Security
  # security.sudo.wheelNeedsPassword = false;

  # ---- Packages --------------------------------------------------------
  environment.systemPackages = with pkgs; [
    vim nano wget curl git htop docker-compose
    nixd nixfmt nil
    systemd inetutils
  ];

  # ---- Services --------------------------------------------------------
  # Enable SSH for root
  services.openssh = {
    enable = true;
    settings = {
      PasswordAuthentication = false;
      KbdInteractiveAuthentication = false;
      PermitRootLogin = "prohibit-password"; # Allow root with SSH keys only
    };
  };

  hardware.bluetooth.enable = true;
  services.blueman.enable = true;
  services.resolved.enable = true;

  security.acme = {
    acceptTerms = true;
    defaults.email = "mail@kempinger.xyz";
    # NOTE(review): a wildcard name can only be validated via DNS-01
    # (dnsProvider), while the enableACME vhosts below presumably register
    # HTTP-01 for the same cert name "kempinger.at" — verify this cert
    # actually issues and covers the apex.
    certs."kempinger.at".domain = "*.kempinger.at";
  };

  services.nginx = {
    enable = true;
    recommendedTlsSettings = true;
    recommendedOptimisation = true;
    recommendedGzipSettings = true;
    recommendedProxySettings = true;

    virtualHosts = {
      # Plain-HTTP fallback on the LAN address; also the default_server for
      # requests that match no other name.
      "192.168.69.69" = {
        default = true;
        root = websiteRoot;
        locations."/".index = "index.html";
      };

      "kempinger.at" = {
        root = websiteRoot;
        locations."/".index = "index.html";
        forceSSL = true;
        enableACME = true;
      };

      # Forgejo behind TLS; the vhost name follows the Forgejo DOMAIN setting.
      ${forgejoServer.DOMAIN} = {
        forceSSL = true;
        enableACME = true;
        extraConfig = ''
          client_max_body_size 512M;
        '';
        locations."/".proxyPass = "http://localhost:${toString forgejoServer.HTTP_PORT}";
      };

      # Immich behind TLS; large uploads and long timeouts for photo/video sync.
      "bilder.kempinger.at" = {
        enableACME = true;
        forceSSL = true;
        locations."/" = {
          proxyPass = "http://[::1]:${toString config.services.immich.port}";
          proxyWebsockets = true;
          recommendedProxySettings = true;
          extraConfig = ''
            client_max_body_size 50000M;
            proxy_read_timeout 600s;
            proxy_send_timeout 600s;
            send_timeout 600s;
          '';
        };
      };
    };
  };

  services.forgejo = {
    enable = true;
    database.type = "postgres";
    # Enable support for Git Large File Storage
    lfs.enable = true;
    settings = {
      server = {
        DOMAIN = "git.kempinger.at";
        # You need to specify this to remove the port from URLs in the web UI.
        ROOT_URL = "https://${forgejoServer.DOMAIN}/";
        HTTP_PORT = 3000;
        DISABLE_SSH = false;
        SSH_PORT = 2222;
        START_SSH_SERVER = true;
      };
      # You can temporarily allow registration to create an admin user.
      service.DISABLE_REGISTRATION = true;
      # Add support for actions, based on act: https://github.com/nektos/act
      actions = {
        ENABLED = true;
        DEFAULT_ACTIONS_URL = "github";
      };
      # Sending emails is completely optional
      # You can send a test email from the web UI at:
      # Profile Picture > Site Administration > Configuration > Mailer Configuration
      # mailer = {
      #   ENABLED = true;
      #   SMTP_ADDR = "mail.kempinger.at";
      #   FROM = "noreply@${srv.DOMAIN}";
      #   USER = "noreply@${srv.DOMAIN}";
      # };
    };
  };
  # systemd.services.forgejo.preStart =
  # ''
  #   ${lib.getExe cfg.package} admin user create --admin --email "root@localhost" --username crazychaoz --password temp123 || true
  # '';

  # ---- Virtualisation --------------------------------------------------
  virtualisation = {
    containers.enable = true;
    podman = {
      enable = true;
      dockerCompat = true;
      defaultNetwork.settings.dns_enabled = true; # Required for containers under podman-compose to be able to talk to each other.
    };

    oci-containers = {
      backend = "podman";
      containers = {
        homeassistant = {
          #autoStart = true;
          volumes = [ "home-assistant:/config" "/run/dbus:/run/dbus:ro" ];
          # NOTE(review): differs from time.timeZone (Europe/Vienna); same
          # offset in practice, but confirm it is intentional.
          environment.TZ = "Europe/Berlin";
          # Note: The image will not be updated on rebuilds, unless the version label changes
          image = "ghcr.io/home-assistant/home-assistant:stable";
          extraOptions = [
            # Use the host network namespace for all sockets
            "--network=host"
            # Pass devices into the container, so Home Assistant can discover and make use of them
            #"--device=/dev/ttyACM0:/dev/ttyACM0"
            # NOTE(review): --privileged removes most of the container's
            # isolation from the host (all devices and capabilities). If only
            # particular devices are needed, the --device line above is the
            # narrower option.
            "--privileged"
          ];
        };

        matter-server = {
          #autoStart = true;
          volumes = [ "matter-server:/config" "/run/dbus:/run/dbus:ro" ];
          environment.TZ = "Europe/Berlin";
          # Note: The image will not be updated on rebuilds, unless the version label changes
          image = "ghcr.io/home-assistant-libs/python-matter-server:stable";
          # NOTE(review): same --privileged caveat as the homeassistant container.
          extraOptions = [ "--network=host" "--privileged" ];
        };
      };
    };
  };
  #services.matter-server.enable = true;

  services.immich = {
    enable = true;
    accelerationDevices = null;
    port = 2283;
    #host = "immich.kempinger.at";
    #openFirewall = true;
  };

  # ---- Nix settings ----------------------------------------------------
  nix = {
    settings.experimental-features = [ "nix-command" "flakes" ];
    gc = {
      automatic = true;
      dates = "weekly";
      options = "--delete-older-than 7d";
    };
  };

  # Record the flake revision the system was built from, when the tree is clean.
  system.configurationRevision = lib.mkIf (specialArgs.inputs.self ? rev) specialArgs.inputs.self.rev;

  # stateVersion is the NixOS release first installed on this machine. It
  # keeps application data (e.g. databases) compatible with the formats that
  # release created and must not be bumped just because the system was
  # upgraded. It does NOT select the Nixpkgs version, so changing it does not
  # upgrade anything; see https://nixos.org/manual/nixos/stable/#sec-upgrading
  # for that. A value older than the current release does not mean the system
  # is outdated, unsupported or vulnerable. Only change it after reviewing
  # every option it affects and migrating the data accordingly — see
  # `man configuration.nix` or
  # https://nixos.org/manual/nixos/stable/options#opt-system.stateVersion .
  system.stateVersion = "25.05"; # Did you read the comment?
}