add all components for the heimserver

flake.lock

@@ -109,22 +109,6 @@
         "type": "github"
       }
     },
-    "nixpkgs-safe": {
-      "locked": {
-        "lastModified": 1764283775,
-        "narHash": "sha256-Z+uaM0oj4++O2h6I54EmNE90xvd/jDeOEvW4vpW4GTE=",
-        "owner": "NixOS",
-        "repo": "nixpkgs",
-        "rev": "ae6ee9e9de6f149f675349e43d6786875d22b3d1",
-        "type": "github"
-      },
-      "original": {
-        "owner": "NixOS",
-        "repo": "nixpkgs",
-        "rev": "ae6ee9e9de6f149f675349e43d6786875d22b3d1",
-        "type": "github"
-      }
-    },
     "pre-commit": {
       "inputs": {
         "flake-compat": "flake-compat",
@@ -153,7 +137,6 @@
         "lanzaboote": "lanzaboote",
         "nixos-hardware": "nixos-hardware",
         "nixpkgs": "nixpkgs",
-        "nixpkgs-safe": "nixpkgs-safe",
         "rust-overlay": "rust-overlay"
       }
     },

flake.nix

@@ -1,5 +1,5 @@
 {
-  description = "kemptop flake";
+  description = "kempingers general flake";
 
   inputs = {
     nixpkgs = {
@@ -21,18 +21,32 @@
     };
   };
 
-  outputs = { self, nixpkgs, nixos-hardware, lanzaboote,rust-overlay }@inputs: {
+  outputs =
+    {
+      self,
+      nixpkgs,
+      nixos-hardware,
+      lanzaboote,
+      rust-overlay,
+    }@inputs:
+    {
       nixosConfigurations = {
         kemptop = nixpkgs.lib.nixosSystem {
           system = "x86_64-linux";
           modules = [
-        
             lanzaboote.nixosModules.lanzaboote
             ./kemptop/configuration.nix
             nixos-hardware.nixosModules.lenovo-thinkpad-p14s-amd-gen5
           ];
           specialArgs = { inherit inputs; };
         };
+        heimserver = nixpkgs.lib.nixosSystem {
+          system = "x86_64-linux";
+          modules = [
+            ./heimserver/configuration.nix
+          ];
+          specialArgs = { inherit inputs; };
+        };
       };
     };
 }

heimserver/configuration.nix

@@ -0,0 +1,425 @@
+# Edit this configuration file to define what should be installed on
+# your system. Help is available in the configuration.nix(5) man page, on
+# https://search.nixos.org/options and in the NixOS manual (`nixos-help`).
+
+{
+  config,
+  lib,
+  pkgs,
+  specialArgs,
+  ...
+}:
+
+{
+  imports = [
+    # Include the results of the hardware scan.
+    ./hardware-configuration.nix
+    specialArgs.inputs.vscode-server.nixosModules.default
+  ];
+
+  # System basics
+  time.timeZone = "Europe/Vienna";
+
+  # Bootloader and kernel
+  boot.loader.systemd-boot.enable = true;
+  boot.loader.efi.canTouchEfiVariables = true;
+  boot.kernelParams = [
+    "vga=791"
+    "nomodeset"
+  ];
+  boot.kernel.sysctl = {
+    "net.ipv4.ip_forward" = 1;
+    # "net.bridge.bridge-nf-call-iptables" = 1;
+    # "net.bridge.bridge-nf-call-ip6tables" = 1;
+  };
+
+  boot.supportedFilesystems = [ "zfs" ];
+  boot.zfs.forceImportRoot = false;
+
+  # Console and locale
+  console = {
+    font = "Lat2-Terminus16";
+    keyMap = "de";
+    # useXkbConfig = true; # use xkb.options in tty.
+  };
+  # i18n.defaultLocale = "en_US.UTF-8";
+
+  # Networking
+  networking.hostName = "nixos-server";
+  networking.useDHCP = false;
+  networking.hostId = "5506a8e7";
+  networking.interfaces.eth0.ipv4.addresses = [
+    {
+      address = "192.168.69.69";
+      prefixLength = 24;
+    }
+  ];
+  networking.defaultGateway = "192.168.69.1";
+  #networking.nameservers = [ "1.1.1.1" ];
+  networking.firewall.enable = true;
+  networking.firewall.allowedTCPPorts = [
+    22
+    53
+    80
+    443
+    2222 # forgejo ssh
+    8184 # forgejo frontend
+    8123 # homeassistant
+    5580 # homeassistant matter
+    2283 # immich
+    3003 # immich ml
+    1984 # frigate go2rtc
+    8971 # frigate
+    8554 # frigate rtsp
+    8555 # frigate rtsp
+    2055 # ntopng sink
+    8182 # ntopng frontend
+    3000 # adguardhome frontend
+    8183 # adguardhome frontend
+    9000
+  ];
+  networking.firewall.allowedUDPPorts = [
+    53
+    8555 # frigate rtsp
+    2055 # ntopng sink
+  ];
+
+  # Users
+  users.users.root = {
+    openssh.authorizedKeys.keys = [
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINGHadFhDCUU/ta3p1FQgpm7NExHkyHNrJbNJP6np5w9 kempinger@ins.jku.at"
+    ];
+  };
+
+  users.users.immich.extraGroups = [
+    "video"
+    "render"
+  ];
+  # Security
+  # security.sudo.wheelNeedsPassword = false;
+
+  # Packages
+  environment.systemPackages = with pkgs; [
+    vim
+    nano
+    wget
+    curl
+    git
+    htop
+    docker-compose
+    nixd
+    nixfmt
+    systemd
+    inetutils
+    smartmontools
+    parted
+    borgbackup
+
+    nil
+  ];
+  # Enable SSH for root
+  services.openssh = {
+    enable = true;
+    settings = {
+      PasswordAuthentication = false;
+      KbdInteractiveAuthentication = false;
+      PermitRootLogin = "prohibit-password"; # Allow root with SSH keys only
+    };
+  };
+
+  hardware.bluetooth.enable = true;
+  services.blueman.enable = true;
+
+  security.acme = {
+    acceptTerms = true;
+    defaults.email = "mail@kempinger.xyz";
+    certs."kempinger.at".domain = "*.kempinger.at";
+  };
+
+  #services.resolved.enable = true;
+
+  services.fail2ban.enable = true;
+
+  services.nginx = {
+    enable = true;
+    recommendedTlsSettings = true;
+    recommendedOptimisation = true;
+    recommendedGzipSettings = true;
+    recommendedProxySettings = true;
+    virtualHosts."192.168.69.69" = {
+      default = true;
+      root = "/srv/website/public_html";
+      locations."/" = {
+        index = "index.html";
+      };
+    };
+    virtualHosts."kempinger.at" = {
+      root = "/srv/website/public_html";
+      locations."/" = {
+        index = "index.html";
+      };
+      forceSSL = true;
+      enableACME = true;
+    };
+    virtualHosts.${config.services.forgejo.settings.server.DOMAIN} = {
+      forceSSL = true;
+      enableACME = true;
+      extraConfig = ''
+        client_max_body_size 512M;
+      '';
+      locations."/".proxyPass =
+        "http://localhost:${toString config.services.forgejo.settings.server.HTTP_PORT}";
+    };
+    virtualHosts."bilder.kempinger.at" = {
+      enableACME = true;
+      forceSSL = true;
+      locations."/" = {
+        proxyPass = "http://[::1]:${toString config.services.immich.port}";
+        proxyWebsockets = true;
+        recommendedProxySettings = true;
+        extraConfig = ''
+          client_max_body_size 50000M;
+          proxy_read_timeout   600s;
+          proxy_send_timeout   600s;
+          send_timeout         600s;
+        '';
+      };
+    };
+  };
+
+  services.forgejo = {
+    enable = true;
+    database.type = "postgres";
+    # Enable support for Git Large File Storage
+    lfs.enable = true;
+    settings = {
+      server = {
+        DOMAIN = "git.kempinger.at";
+        # You need to specify this to remove the port from URLs in the web UI.
+        ROOT_URL = "https://${config.services.forgejo.settings.server.DOMAIN}/";
+        HTTP_PORT = 8184;
+        DISABLE_SSH = false;
+        SSH_PORT = 2222;
+        START_SSH_SERVER = true;
+      };
+
+      # You can temporarily allow registration to create an admin user.
+      service.DISABLE_REGISTRATION = true;
+      # Add support for actions, based on act: https://github.com/nektos/act
+      actions = {
+        ENABLED = true;
+        DEFAULT_ACTIONS_URL = "github";
+      };
+      # Sending emails is completely optional
+      # You can send a test email from the web UI at:
+      # Profile Picture > Site Administration > Configuration >  Mailer Configuration
+      # mailer = {
+      #   ENABLED = true;
+      #   SMTP_ADDR = "mail.kempinger.at";
+      #   FROM = "noreply@${srv.DOMAIN}";
+      #   USER = "noreply@${srv.DOMAIN}";
+      # };
+    };
+    dump = {
+      enable = true;
+      backupDir = "/backup/forgejo";
+      age = "6 months";
+      interval = "weekly";
+    };
+  };
+
+  # services.borgbackup.jobs."forgejo" = {
+  #   paths = config.services.forgejo.repositoryRoot;
+  #   repo = "/backup/forgejo";
+  #   startAt = "Sat 04:00";
+  #   compression = "zstd";
+  #   encryption.mode = "none";
+  #   prune.keep = {
+  #     last = 2;
+  #   };
+  # };
+
+  services.immich = {
+    enable = true;
+    accelerationDevices = null;
+    port = 2283;
+  };
+
+  services.borgbackup.jobs."immich" = {
+    paths = config.services.immich.mediaLocation;
+    repo = "/backup/immich";
+    startAt = "Sat 04:00";
+    compression = "zstd";
+    encryption.mode = "none";
+    prune.keep = {
+      last = 2;
+    };
+  };
+
+  # systemd.services.forgejo.preStart =
+  #   ''
+  #     ${lib.getExe cfg.package} admin user create --admin --email "root@localhost" --username crazychaoz --password temp123 || true
+  #     '';
+
+  # Virtualisation
+  virtualisation = {
+    containers.enable = true;
+    podman = {
+      enable = true;
+      dockerCompat = true;
+      defaultNetwork.settings.dns_enabled = true; # Required for containers under podman-compose to be able to talk to each other.
+    };
+  };
+
+  #services.matter-server.enable = true;
+
+  virtualisation.oci-containers = {
+    backend = "podman";
+    containers.homeassistant = {
+      #autoStart = true;
+      volumes = [
+        "home-assistant:/config"
+        "/run/dbus:/run/dbus:ro"
+        "/backup/home-assistant:/config/backups"
+      ];
+      environment.TZ = "Europe/Berlin";
+      # Note: The image will not be updated on rebuilds, unless the version label changes
+      image = "ghcr.io/home-assistant/home-assistant:stable";
+      extraOptions = [
+        # Use the host network namespace for all sockets
+        "--network=host"
+        # Pass devices into the container, so Home Assistant can discover and make use of them
+        #"--device=/dev/ttyACM0:/dev/ttyACM0"
+        "--privileged"
+      ];
+    };
+    containers.matter-server = {
+      #autoStart = true;
+      volumes = [
+        "matter-server:/config"
+        "/run/dbus:/run/dbus:ro"
+      ];
+      environment.TZ = "Europe/Berlin";
+      # Note: The image will not be updated on rebuilds, unless the version label changes
+      image = "ghcr.io/home-assistant-libs/python-matter-server:stable";
+      extraOptions = [
+        "--network=host"
+        "--privileged"
+      ];
+    };
+
+    containers.frigate = {
+      #autoStart = true;
+      volumes = [
+        "frigate:/config"
+        "/run/dbus:/run/dbus:ro"
+        "/etc/localtime:/etc/localtime:ro"
+      ];
+      environment.FRIGATE_RTSP_PASSWORD = "password123";
+      # Note: The image will not be updated on rebuilds, unless the version label changes
+      image = "ghcr.io/blakeblackshear/frigate:stable";
+      extraOptions = [
+        "--shm-size=512m"
+        "--network=host"
+      ];
+    };
+    containers.mosquitto = {
+      #autoStart = true;
+      volumes = [
+        "mosquitto:/mosquitto"
+        "/run/dbus:/run/dbus:ro"
+        "/etc/localtime:/etc/localtime:ro"
+      ];
+      # Note: The image will not be updated on rebuilds, unless the version label changes
+      image = "eclipse-mosquitto";
+      extraOptions = [
+        "--network=host"
+      ];
+    };
+    containers.netflow2ng = {
+      # Note: The image will not be updated on rebuilds, unless the version label changes
+      image = "synfinatic/netflow2ng:v0.1.0";
+      cmd = [
+        "-a"
+        "0.0.0.0:2055"
+        "-m"
+        "0.0.0.0:8181"
+        "-z"
+        "tcp://127.0.0.1:5556"
+        "--log-level"
+        "debug"
+        "--tlv"
+      ];
+      extraOptions = [
+        "--network=host"
+      ];
+    };
+  };
+
+  services.ntopng = {
+    enable = true;
+    httpPort = 8182;
+    interfaces = [ "tcp://0.0.0.0:5556" ];
+    extraConfig = ''
+      --dns-mode 1
+      --local-networks "185.27.122.0/24=WAN,192.168.69.0/24=LAN"'';
+  };
+
+  services.influxdb.enable = true;
+
+  services.geoipupdate = {
+    enable = true;
+    settings = {
+      AccountID = 1284637;
+      DatabaseDirectory = "/var/lib/GeoIP";
+      LicenseKey = {
+        _secret = "/root/maxmind_license_key";
+      };
+      EditionIDs = [
+        "GeoLite2-ASN"
+        "GeoLite2-City"
+        "GeoLite2-Country"
+      ];
+    };
+  };
+
+  services.adguardhome = {
+    enable = true;
+    # You can select any ip and port, just make sure to open firewalls where needed
+    host = "0.0.0.0";
+    port = 8183;
+  };
+
+  # Nix settings
+  nix.settings.experimental-features = [
+    "nix-command"
+    "flakes"
+  ];
+  nix.gc = {
+    automatic = true;
+    dates = "weekly";
+    options = "--delete-older-than 7d";
+  };
+
+  # Documentation for stateVersion
+  # This option defines the first version of NixOS you have installed on this particular machine,
+  # and is used to maintain compatibility with application data (e.g. databases) created on older NixOS versions.
+  #
+  # Most users should NEVER change this value after the initial install, for any reason,
+  # even if you've upgraded your system to a new NixOS release.
+  #
+  # This value does NOT affect the Nixpkgs version your packages and OS are pulled from,
+  # so changing it will NOT upgrade your system - see https://nixos.org/manual/nixos/stable/#sec-upgrading for how
+  # to actually do that.
+  #
+  # This value being lower than the current NixOS release does NOT mean your system is
+  # out of date, out of support, or vulnerable.
+  #
+  # Do NOT change this value unless you have manually inspected all the changes it would make to your configuration,
+  # and migrated your data accordingly.
+  #
+  # For more information, see `man configuration.nix` or https://nixos.org/manual/nixos/stable/options#opt-system.stateVersion .
+
+  system.configurationRevision = lib.mkIf (specialArgs.inputs.self ? rev) specialArgs.inputs.self.rev;
+  system.stateVersion = "25.05"; # Did you read the comment?
+}

heimserver/hardware-configuration.nix

@@ -0,0 +1,50 @@
+# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations.  Please make changes
+# to /etc/nixos/configuration.nix instead.
+{
+  config,
+  lib,
+  pkgs,
+  modulesPath,
+  ...
+}:
+
+{
+  imports = [ (modulesPath + "/installer/scan/not-detected.nix") ];
+
+  boot.initrd.availableKernelModules = [
+    "nvme"
+    "ahci"
+    "xhci_pci"
+    "usbhid"
+    "usb_storage"
+    "sd_mod"
+  ];
+  boot.initrd.kernelModules = [ ];
+  boot.kernelModules = [ "kvm-amd" ];
+  boot.extraModulePackages = [ ];
+
+  fileSystems."/" = {
+    device = "/dev/disk/by-uuid/79665f95-3f79-499d-98f2-99077f2b8d52";
+    fsType = "ext4";
+  };
+
+  fileSystems."/boot" = {
+    device = "/dev/disk/by-uuid/467A-A4E4";
+    fsType = "vfat";
+    options = [
+      "fmask=0022"
+      "dmask=0022"
+    ];
+  };
+
+  swapDevices = [ ];
+
+  fileSystems."/backup" = {
+    device = "backup";
+    fsType = "zfs";
+  };
+
+  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+  hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+}

kemptop/configuration.nix

@@ -41,29 +41,10 @@
     consoleLogLevel = 3;
     initrd.verbose = false;
     initrd.systemd.enable = true;
-    #bad:  6.12.62
     #bad:  6.17.12
     #good: 6.12.59
     #bad:  6.12.60
-    #kernelPackages = (import inputs.nixpkgs-safe {system = "x86_64-linux"; }).linuxPackages;
+    kernelPackages = pkgs.linuxPackages_latest;
-    #kernelPackages = pkgs.linuxPackages_6_17;
-    kernelPackages = pkgs.linuxPackagesFor (pkgs.linux_6_12.override { # (#4)
-  argsOverride = rec {
-    src = pkgs.fetchFromGitHub {
-      owner = "torvalds";
-      repo = "linux";
-      # (#1) -> put the bisect revision here
-      rev = "17c3a66d7ea2d303f783796d62f99e2e23b68c90";
-     # (#2) -> clear the sha; run a build, get the sha, populate the sha
-      sha256 = "sha256-2XyrJmaZPa2TaVrwwjXM0z3Dyj794FDdmOTyRuH3z/A=";
-    };
-    
-    dontStrip = true;
-    # (#3) `head Makefile` from the kernel and put the right version numbers here
-    version = "6.12.59";
-    modDirVersion = "6.12.59";
-  };
-});
     kernelParams = [
       "quiet"
       "splash"
@@ -193,7 +174,6 @@
     rust-analyzer
     #cargotom
 
-    
     #niri
     #alacritty fuzzel swaylock mako swayidle
   ];
@@ -220,7 +200,6 @@
   };
   services.gnome.gnome-keyring.enable = true; # secret service
 
-
   security.pam.services.login.enableGnomeKeyring = true;
   security.pam.services.login.fprintAuth = true;
   security.polkit.enable = true; # polkit
@@ -261,7 +240,6 @@
   };
   virtualisation.libvirtd.enable = true;
 
-
   systemd.user.extraConfig = ''
     DefaultEnvironment="PATH=/run/wrappers/bin:/home/%u/.nix-profile/bin:/nix/profile/bin:/home/%u/.local/state/nix/profile/bin:/etc/profiles/per-user/%u/bin:/nix/var/nix/profiles/default/bin:/run/current-system/sw/bin"
   '';