diff --git a/flake.lock b/flake.lock index 56cefbb..ac4b4ba 100644 --- a/flake.lock +++ b/flake.lock @@ -109,22 +109,6 @@ "type": "github" } }, - "nixpkgs-safe": { - "locked": { - "lastModified": 1764283775, - "narHash": "sha256-Z+uaM0oj4++O2h6I54EmNE90xvd/jDeOEvW4vpW4GTE=", - "owner": "NixOS", - "repo": "nixpkgs", - "rev": "ae6ee9e9de6f149f675349e43d6786875d22b3d1", - "type": "github" - }, - "original": { - "owner": "NixOS", - "repo": "nixpkgs", - "rev": "ae6ee9e9de6f149f675349e43d6786875d22b3d1", - "type": "github" - } - }, "pre-commit": { "inputs": { "flake-compat": "flake-compat", @@ -153,7 +137,6 @@ "lanzaboote": "lanzaboote", "nixos-hardware": "nixos-hardware", "nixpkgs": "nixpkgs", - "nixpkgs-safe": "nixpkgs-safe", "rust-overlay": "rust-overlay" } }, diff --git a/flake.nix b/flake.nix index e161606..14f8351 100644 --- a/flake.nix +++ b/flake.nix @@ -1,5 +1,5 @@ { - description = "kemptop flake"; + description = "kempingers general flake"; inputs = { nixpkgs = { @@ -7,7 +7,7 @@ }; nixos-hardware.url = "github:NixOS/nixos-hardware"; - + lanzaboote = { url = "github:nix-community/lanzaboote"; inputs = { 
@@ -18,21 +18,35 @@ rust-overlay = { url = "github:oxalica/rust-overlay"; inputs.nixpkgs.follows = "nixpkgs"; - }; - }; - - outputs = { self, nixpkgs, nixos-hardware, lanzaboote,rust-overlay }@inputs: { - nixosConfigurations = { - kemptop = nixpkgs.lib.nixosSystem { - system = "x86_64-linux"; - modules = [ - - lanzaboote.nixosModules.lanzaboote - ./kemptop/configuration.nix - nixos-hardware.nixosModules.lenovo-thinkpad-p14s-amd-gen5 - ]; - specialArgs = { inherit inputs; }; - }; }; }; + + outputs = + { + self, + nixpkgs, + nixos-hardware, + lanzaboote, + rust-overlay, + }@inputs: + { + nixosConfigurations = { + kemptop = nixpkgs.lib.nixosSystem { + system = "x86_64-linux"; + modules = [ + lanzaboote.nixosModules.lanzaboote + ./kemptop/configuration.nix + nixos-hardware.nixosModules.lenovo-thinkpad-p14s-amd-gen5 + ]; + specialArgs = { inherit inputs; }; + }; + heimserver = nixpkgs.lib.nixosSystem { + system = "x86_64-linux"; + modules = [ + ./heimserver/configuration.nix + ]; + specialArgs = { inherit inputs; }; + }; + }; + }; } diff --git a/heimserver/configuration.nix b/heimserver/configuration.nix new file mode 100644 index 0000000..b79a65e --- /dev/null +++ b/heimserver/configuration.nix 
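Review bot: The new `heimserver` entry points at `./heimserver/configuration.nix`, whose `imports` (added later in this commit) reference `specialArgs.inputs.vscode-server.nixosModules.default`, but no `vscode-server` input is declared in the `inputs` block as far as the visible hunks show, and the flake.lock root-inputs hunk lists only lanzaboote, nixos-hardware, nixpkgs and rust-overlay, so evaluating `nixosConfigurations.heimserver` should fail with a missing-attribute error. Either declare that input or drop the import. The `outputs` pattern `{ self, nixpkgs, nixos-hardware, lanzaboote, rust-overlay, }@inputs` also has no `...`, so adding any further input will raise an unexpected-argument error until the pattern is widened, e.g. `rust-overlay, ... }@inputs:`. The `inputs` attribute set this hunk closes starts before the hunk.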
@@ -0,0 +1,425 @@ +# Edit this configuration file to define what should be installed on +# your system. Help is available in the configuration.nix(5) man page, on +# https://search.nixos.org/options and in the NixOS manual (`nixos-help`). + +{ + config, + lib, + pkgs, + specialArgs, + ... +}: + +{ + imports = [ + # Include the results of the hardware scan. + ./hardware-configuration.nix + specialArgs.inputs.vscode-server.nixosModules.default + ]; + + # System basics + time.timeZone = "Europe/Vienna"; + + # Bootloader and kernel + boot.loader.systemd-boot.enable = true; + boot.loader.efi.canTouchEfiVariables = true; + boot.kernelParams = [ + "vga=791" + "nomodeset" + ]; + boot.kernel.sysctl = { + "net.ipv4.ip_forward" = 1; + # "net.bridge.bridge-nf-call-iptables" = 1; + # "net.bridge.bridge-nf-call-ip6tables" = 1; + }; + + boot.supportedFilesystems = [ "zfs" ]; + boot.zfs.forceImportRoot = false; + + # Console and locale + console = { + font = "Lat2-Terminus16"; + keyMap = "de"; + # useXkbConfig = true; # use xkb.options in tty. 
+ }; + # i18n.defaultLocale = "en_US.UTF-8"; + + # Networking + networking.hostName = "nixos-server"; + networking.useDHCP = false; + networking.hostId = "5506a8e7"; + networking.interfaces.eth0.ipv4.addresses = [ + { + address = "192.168.69.69"; + prefixLength = 24; + } + ]; + networking.defaultGateway = "192.168.69.1"; + #networking.nameservers = [ "1.1.1.1" ]; + networking.firewall.enable = true; + networking.firewall.allowedTCPPorts = [ + 22 + 53 + 80 + 443 + 2222 # forgejo ssh + 8184 # forgejo frontend + 8123 # homeassistant + 5580 # homeassistant matter + 2283 # immich + 3003 # immich ml + 1984 # frigate go2rtc + 8971 # frigate + 8554 # frigate rtsp + 8555 # frigate rtsp + 2055 # ntopng sink + 8182 # ntopng frontend + 3000 # adguardhome frontend + 8183 # adguardhome frontend + 9000 + ]; + networking.firewall.allowedUDPPorts = [ + 53 + 8555 # frigate rtsp + 2055 # ntopng sink + ]; + + # Users + users.users.root = { + openssh.authorizedKeys.keys = [ + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINGHadFhDCUU/ta3p1FQgpm7NExHkyHNrJbNJP6np5w9 kempinger@ins.jku.at" + ]; + }; + + users.users.immich.extraGroups = [ + "video" + "render" + ]; + # Security + # security.sudo.wheelNeedsPassword = false; + + # Packages + environment.systemPackages = with pkgs; [ + vim + nano + wget + curl + git + htop + docker-compose + nixd + nixfmt + systemd + inetutils + smartmontools + parted + borgbackup + + nil + ]; + # Enable SSH for root + services.openssh = { + enable = true; + settings = { + PasswordAuthentication = false; + KbdInteractiveAuthentication = false; + PermitRootLogin = "prohibit-password"; # Allow root with SSH keys only + }; + }; + + hardware.bluetooth.enable = true; + services.blueman.enable = true; + + security.acme = { + acceptTerms = true; + defaults.email = "mail@kempinger.xyz"; + certs."kempinger.at".domain = "*.kempinger.at"; + }; + + #services.resolved.enable = true; + + services.fail2ban.enable = true; + + services.nginx = { + enable = true; + 
recommendedTlsSettings = true; + recommendedOptimisation = true; + recommendedGzipSettings = true; + recommendedProxySettings = true; + virtualHosts."192.168.69.69" = { + default = true; + root = "/srv/website/public_html"; + locations."/" = { + index = "index.html"; + }; + }; + virtualHosts."kempinger.at" = { + root = "/srv/website/public_html"; + locations."/" = { + index = "index.html"; + }; + forceSSL = true; + enableACME = true; + }; + virtualHosts.${config.services.forgejo.settings.server.DOMAIN} = { + forceSSL = true; + enableACME = true; + extraConfig = '' + client_max_body_size 512M; + ''; + locations."/".proxyPass = + "http://localhost:${toString config.services.forgejo.settings.server.HTTP_PORT}"; + }; + virtualHosts."bilder.kempinger.at" = { + enableACME = true; + forceSSL = true; + locations."/" = { + proxyPass = "http://[::1]:${toString config.services.immich.port}"; + proxyWebsockets = true; + recommendedProxySettings = true; + extraConfig = '' + client_max_body_size 50000M; + proxy_read_timeout 600s; + proxy_send_timeout 600s; + send_timeout 600s; + ''; + }; + }; + }; + + services.forgejo = { + enable = true; + database.type = "postgres"; + # Enable support for Git Large File Storage + lfs.enable = true; + settings = { + server = { + DOMAIN = "git.kempinger.at"; + # You need to specify this to remove the port from URLs in the web UI. + ROOT_URL = "https://${config.services.forgejo.settings.server.DOMAIN}/"; + HTTP_PORT = 8184; + DISABLE_SSH = false; + SSH_PORT = 2222; + START_SSH_SERVER = true; + }; + + # You can temporarily allow registration to create an admin user. 
+ service.DISABLE_REGISTRATION = true; + # Add support for actions, based on act: https://github.com/nektos/act + actions = { + ENABLED = true; + DEFAULT_ACTIONS_URL = "github"; + }; + # Sending emails is completely optional + # You can send a test email from the web UI at: + # Profile Picture > Site Administration > Configuration > Mailer Configuration + # mailer = { + # ENABLED = true; + # SMTP_ADDR = "mail.kempinger.at"; + # FROM = "noreply@${srv.DOMAIN}"; + # USER = "noreply@${srv.DOMAIN}"; + # }; + }; + dump = { + enable = true; + backupDir = "/backup/forgejo"; + age = "6 months"; + interval = "weekly"; + }; + }; + + # services.borgbackup.jobs."forgejo" = { + # paths = config.services.forgejo.repositoryRoot; + # repo = "/backup/forgejo"; + # startAt = "Sat 04:00"; + # compression = "zstd"; + # encryption.mode = "none"; + # prune.keep = { + # last = 2; + # }; + # }; + + services.immich = { + enable = true; + accelerationDevices = null; + port = 2283; + }; + + services.borgbackup.jobs."immich" = { + paths = config.services.immich.mediaLocation; + repo = "/backup/immich"; + startAt = "Sat 04:00"; + compression = "zstd"; + encryption.mode = "none"; + prune.keep = { + last = 2; + }; + }; + + # systemd.services.forgejo.preStart = + # '' + # ${lib.getExe cfg.package} admin user create --admin --email "root@localhost" --username crazychaoz --password temp123 || true + # ''; + + # Virtualisation + virtualisation = { + containers.enable = true; + podman = { + enable = true; + dockerCompat = true; + defaultNetwork.settings.dns_enabled = true; # Required for containers under podman-compose to be able to talk to each other. 
+ }; + }; + + #services.matter-server.enable = true; + + virtualisation.oci-containers = { + backend = "podman"; + containers.homeassistant = { + #autoStart = true; + volumes = [ + "home-assistant:/config" + "/run/dbus:/run/dbus:ro" + "/backup/home-assistant:/config/backups" + ]; + environment.TZ = "Europe/Berlin"; + # Note: The image will not be updated on rebuilds, unless the version label changes + image = "ghcr.io/home-assistant/home-assistant:stable"; + extraOptions = [ + # Use the host network namespace for all sockets + "--network=host" + # Pass devices into the container, so Home Assistant can discover and make use of them + #"--device=/dev/ttyACM0:/dev/ttyACM0" + "--privileged" + ]; + }; + containers.matter-server = { + #autoStart = true; + volumes = [ + "matter-server:/config" + "/run/dbus:/run/dbus:ro" + ]; + environment.TZ = "Europe/Berlin"; + # Note: The image will not be updated on rebuilds, unless the version label changes + image = "ghcr.io/home-assistant-libs/python-matter-server:stable"; + extraOptions = [ + "--network=host" + "--privileged" + ]; + }; + + containers.frigate = { + #autoStart = true; + volumes = [ + "frigate:/config" + "/run/dbus:/run/dbus:ro" + "/etc/localtime:/etc/localtime:ro" + ]; + environment.FRIGATE_RTSP_PASSWORD = "password123"; + # Note: The image will not be updated on rebuilds, unless the version label changes + image = "ghcr.io/blakeblackshear/frigate:stable"; + extraOptions = [ + "--shm-size=512m" + "--network=host" + ]; + }; + containers.mosquitto = { + #autoStart = true; + volumes = [ + "mosquitto:/mosquitto" + "/run/dbus:/run/dbus:ro" + "/etc/localtime:/etc/localtime:ro" + ]; + # Note: The image will not be updated on rebuilds, unless the version label changes + image = "eclipse-mosquitto"; + extraOptions = [ + "--network=host" + ]; + }; + containers.netflow2ng = { + # Note: The image will not be updated on rebuilds, unless the version label changes + image = "synfinatic/netflow2ng:v0.1.0"; + cmd = [ + "-a" + 
"0.0.0.0:2055" + "-m" + "0.0.0.0:8181" + "-z" + "tcp://127.0.0.1:5556" + "--log-level" + "debug" + "--tlv" + ]; + extraOptions = [ + "--network=host" + ]; + }; + }; + + services.ntopng = { + enable = true; + httpPort = 8182; + interfaces = [ "tcp://0.0.0.0:5556" ]; + extraConfig = '' + --dns-mode 1 + --local-networks "185.27.122.0/24=WAN,192.168.69.0/24=LAN"''; + }; + + services.influxdb.enable = true; + + services.geoipupdate = { + enable = true; + settings = { + AccountID = 1284637; + DatabaseDirectory = "/var/lib/GeoIP"; + LicenseKey = { + _secret = "/root/maxmind_license_key"; + }; + EditionIDs = [ + "GeoLite2-ASN" + "GeoLite2-City" + "GeoLite2-Country" + ]; + }; + }; + + services.adguardhome = { + enable = true; + # You can select any ip and port, just make sure to open firewalls where needed + host = "0.0.0.0"; + port = 8183; + }; + + # Nix settings + nix.settings.experimental-features = [ + "nix-command" + "flakes" + ]; + nix.gc = { + automatic = true; + dates = "weekly"; + options = "--delete-older-than 7d"; + }; + + # Documentation for stateVersion + # This option defines the first version of NixOS you have installed on this particular machine, + # and is used to maintain compatibility with application data (e.g. databases) created on older NixOS versions. + # + # Most users should NEVER change this value after the initial install, for any reason, + # even if you've upgraded your system to a new NixOS release. + # + # This value does NOT affect the Nixpkgs version your packages and OS are pulled from, + # so changing it will NOT upgrade your system - see https://nixos.org/manual/nixos/stable/#sec-upgrading for how + # to actually do that. + # + # This value being lower than the current NixOS release does NOT mean your system is + # out of date, out of support, or vulnerable. + # + # Do NOT change this value unless you have manually inspected all the changes it would make to your configuration, + # and migrated your data accordingly. 
+ # + # For more information, see `man configuration.nix` or https://nixos.org/manual/nixos/stable/options#opt-system.stateVersion . + + system.configurationRevision = lib.mkIf (specialArgs.inputs.self ? rev) specialArgs.inputs.self.rev; + system.stateVersion = "25.05"; # Did you read the comment? +} diff --git a/heimserver/hardware-configuration.nix b/heimserver/hardware-configuration.nix new file mode 100644 index 0000000..736eb1d --- /dev/null +++ b/heimserver/hardware-configuration.nix @@ -0,0 +1,50 @@ +# Do not modify this file! It was generated by ‘nixos-generate-config’ +# and may be overwritten by future invocations. Please make changes +# to /etc/nixos/configuration.nix instead. +{ + config, + lib, + pkgs, + modulesPath, + ... +}: + +{ + imports = [ (modulesPath + "/installer/scan/not-detected.nix") ]; + + boot.initrd.availableKernelModules = [ + "nvme" + "ahci" + "xhci_pci" + "usbhid" + "usb_storage" + "sd_mod" + ]; + boot.initrd.kernelModules = [ ]; + boot.kernelModules = [ "kvm-amd" ]; + boot.extraModulePackages = [ ]; + + fileSystems."/" = { + device = "/dev/disk/by-uuid/79665f95-3f79-499d-98f2-99077f2b8d52"; + fsType = "ext4"; + }; + + fileSystems."/boot" = { + device = "/dev/disk/by-uuid/467A-A4E4"; + fsType = "vfat"; + options = [ + "fmask=0022" + "dmask=0022" + ]; + }; + + swapDevices = [ ]; + + fileSystems."/backup" = { + device = "backup"; + fsType = "zfs"; + }; + + nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; + hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware; +} diff --git a/kemptop/configuration.nix b/kemptop/configuration.nix index c1f08ba..9f193c7 100644 --- a/kemptop/configuration.nix +++ b/kemptop/configuration.nix 
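Review bot: `environment.FRIGATE_RTSP_PASSWORD = "password123"` in the frigate container commits a credential to the repository, and because oci-containers passes `environment` on the `podman run` command line of the generated unit, it also ends up in the world-readable Nix store; move it to a root-only file via `environmentFiles = [ "<root-only-env-file, placeholder>" ];`, the same file-based pattern the geoipupdate block already uses with `_secret`. `security.acme.certs."kempinger.at".domain = "*.kempinger.at"` requests a wildcard name but sets no `dnsProvider`, and wildcard names cannot be issued over the HTTP-01 challenge, so that certificate will never be obtained while the nginx vhosts get their own non-wildcard certs via `enableACME`; add a DNS-01 provider with credentials or remove the wildcard entry. `allowedTCPPorts` opens backend ports that nginx already fronts over TLS (8184 forgejo and, depending on immich's bind address, 2283) together with the admin UIs on 8182, 3000, 8183 and an unlabeled 9000, so the TLS/proxy layer can be bypassed from the LAN; trim that list to what must be reachable directly and give 9000 a comment like the other entries. The homeassistant and matter-server containers combine `--privileged` with `--network=host`, which hands them the host's devices and capabilities; the commented-out `--device=/dev/ttyACM0:/dev/ttyACM0` line is the narrower shape to prefer.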
@@ -34,36 +34,17 @@ }) ]; }; - + supportedFilesystems = [ "ntfs" ]; # Enable "Silent boot" consoleLogLevel = 3; initrd.verbose = false; initrd.systemd.enable = true; - #bad: 6.12.62 #bad: 6.17.12 #good: 6.12.59 #bad: 6.12.60 - #kernelPackages = (import inputs.nixpkgs-safe {system = "x86_64-linux"; }).linuxPackages; - #kernelPackages = pkgs.linuxPackages_6_17; - kernelPackages = pkgs.linuxPackagesFor (pkgs.linux_6_12.override { # (#4) - argsOverride = rec { - src = pkgs.fetchFromGitHub { - owner = "torvalds"; - repo = "linux"; - # (#1) -> put the bisect revision here - rev = "17c3a66d7ea2d303f783796d62f99e2e23b68c90"; - # (#2) -> clear the sha; run a build, get the sha, populate the sha - sha256 = "sha256-2XyrJmaZPa2TaVrwwjXM0z3Dyj794FDdmOTyRuH3z/A="; - }; - - dontStrip = true; - # (#3) `head Makefile` from the kernel and put the right version numbers here - version = "6.12.59"; - modDirVersion = "6.12.59"; - }; -}); + kernelPackages = pkgs.linuxPackages_latest; kernelParams = [ "quiet" "splash" @@ -80,8 +61,8 @@ #loader.systemd-boot.configurationLimit = 3; lanzaboote = { - enable = true; - pkiBundle = "/var/lib/sbctl"; + enable = true; + pkiBundle = "/var/lib/sbctl"; }; }; @@ -122,20 +103,20 @@ usbutils inetutils pciutils - git + git pkg-config openssl tree rustc cargo - rustfmt + rustfmt edid-decode file acpica-tools - ethtool - cmake + ethtool + cmake zip - texlive.combined.scheme-full + texlive.combined.scheme-full distrobox lshw sbctl @@ -151,10 +132,10 @@ gnumake xz android-tools - - # GUI programs - - android-studio-full + + # GUI programs + + android-studio-full zed-editor nautilus zoom-us @@ -162,16 +143,16 @@ prismlauncher qdirstat zenmap - mission-center + mission-center seahorse texstudio - (pkgs.wrapFirefox (pkgs.firefox-unwrapped.override { pipewireSupport = true;}) {}) + (pkgs.wrapFirefox (pkgs.firefox-unwrapped.override { pipewireSupport = true; }) { }) google-chrome tor-browser zathura vlc jetbrains.idea - + # Libreoffice libreoffice-qt hunspell 
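Review bot: `kernelPackages = pkgs.linuxPackages_latest;` replaces a kernel pinned to the last bisect-good revision, and the removed comment `#bad: 6.12.62 #bad: 6.17.12 #good: 6.12.59 #bad: 6.12.60` records that every newer series tried was bad; `linuxPackages_latest` resolves to a version at or beyond that range, so unless the regression has since been fixed this reintroduces it. If it was fixed, keep a one-line comment above the assignment naming the version that resolved it; if not, the known-good pin is what should stay. The enclosing attribute set (apparently `boot = { ... }`) starts before this hunk.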
@@ -192,8 +173,7 @@ nixd rust-analyzer #cargotom - - + #niri #alacritty fuzzel swaylock mako swayidle ]; @@ -210,7 +190,7 @@ services.pipewire.enable = true; services.fprintd.enable = true; services.flatpak.enable = true; - services.printing.enable = true; + services.printing.enable = true; services.hardware.bolt.enable = true; services.printing.drivers = [ pkgs.hplipWithPlugin ]; services.avahi = { @@ -220,22 +200,21 @@ }; services.gnome.gnome-keyring.enable = true; # secret service - security.pam.services.login.enableGnomeKeyring = true; security.pam.services.login.fprintAuth = true; security.polkit.enable = true; # polkit - + programs.nix-ld = { - enable = true; - libraries = pkgs.steam-run.args.multiPkgs pkgs; -}; + enable = true; + libraries = pkgs.steam-run.args.multiPkgs pkgs; + }; #programs.niri.enable = true; #security.pam.services.swaylock = {}; #programs.waybar.enable = true; # top bar - programs.firefox.enable = true; - programs.wireshark.enable = true; + programs.firefox.enable = true; + programs.wireshark.enable = true; programs.wireshark.package = pkgs.wireshark; programs.fish = { enable = true; @@ -254,19 +233,18 @@ }; programs.virt-manager.enable = true; - + virtualisation.podman = { enable = true; dockerCompat = true; }; - virtualisation.libvirtd.enable = true; - + virtualisation.libvirtd.enable = true; systemd.user.extraConfig = '' DefaultEnvironment="PATH=/run/wrappers/bin:/home/%u/.nix-profile/bin:/nix/profile/bin:/home/%u/.local/state/nix/profile/bin:/etc/profiles/per-user/%u/bin:/nix/var/nix/profiles/default/bin:/run/current-system/sw/bin" ''; - powerManagement.powertop.enable = true; + powerManagement.powertop.enable = true; # This option defines the first version of NixOS you have installed on this particular machine, # and is used to maintain compatibility with application data (e.g. databases) created on older NixOS versions.
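Review bot: Dropping `security.pam.services.login.enableGnomeKeyring = true;` in the `@@ -220,22 +200,21 @@` hunk is the only functional change in a hunk that is otherwise re-indentation, which makes it easy to miss; with `services.gnome.gnome-keyring.enable = true` still set, the login keyring presumably stops being unlocked by PAM at login. If that is intended because `fprintAuth = true` means no password reaches PAM anyway, record it next to the remaining line, e.g. `# keyring is not unlocked via PAM: fingerprint login supplies no password`. The `programs.fish` block this hunk opens continues past the hunk.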