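# Host configuration for a home server: pulls in the hardware/security
# modules and per-service modules from ./modules and ./services, then sets
# the host-wide kernel, network, user and shell settings.
#
# `hostname`, `username`, `eth_interface` and `service_configs` are not
# standard module arguments; they are presumably supplied by the flake via
# specialArgs — confirm where they are defined before renaming them.
#
# NOTE(review): the collapsed form of this file had every `#` comment
# swallowing the rest of its physical line, so it could not parse. The
# layout below is restored one statement per line; no setting was changed.
{ config, lib, pkgs, hostname, username, eth_interface, service_configs, options, ... }:
{
  imports = [
    ./modules/hardware.nix
    ./modules/zfs.nix
    ./modules/impermanence.nix
    ./modules/usb-secrets.nix
    ./modules/age-secrets.nix
    ./modules/secureboot.nix
    ./modules/no-rgb.nix
    ./modules/security.nix
    ./modules/ntfy-alerts.nix
    ./services/postgresql.nix
    ./services/jellyfin.nix
    ./services/caddy.nix
    ./services/immich.nix
    ./services/gitea.nix
    ./services/minecraft.nix
    ./services/wg.nix
    ./services/qbittorrent.nix
    ./services/jellyfin-qbittorrent-monitor.nix
    ./services/bitmagnet.nix
    ./services/arr/prowlarr.nix
    ./services/arr/sonarr.nix
    ./services/arr/radarr.nix
    ./services/arr/bazarr.nix
    ./services/arr/jellyseerr.nix
    ./services/arr/recyclarr.nix
    ./services/arr/init.nix
    ./services/soulseek.nix
    ./services/ups.nix
    ./services/bitwarden.nix
    ./services/matrix.nix
    ./services/coturn.nix
    ./services/livekit.nix
    ./services/monero.nix
    ./services/xmrig.nix
    # KEEP UNTIL 2028
    ./services/caddy_senior_project.nix
    ./services/graphing-calculator.nix
    ./services/ssh.nix
    ./services/syncthing.nix
    ./services/ntfy.nix
    ./services/ntfy-alerts.nix
  ];

  services.kmscon.enable = true;

  # A headless server must never sleep; mask every sleep-related target.
  systemd.targets = {
    sleep.enable = false;
    suspend.enable = false;
    hibernate.enable = false;
    hybrid-sleep.enable = false;
  };

  # Disable serial getty on ttyS0 to prevent dmesg warnings
  systemd.services."serial-getty@ttyS0".enable = false;

  # srvos enables vim, i don't want to use vim, disable it here:
  # `enable` is only set when the option actually exists in this nixpkgs,
  # otherwise evaluation would fail on an undeclared option.
  programs.vim = {
    defaultEditor = false;
  } // lib.optionalAttrs (options.programs.vim ? enable) {
    enable = false;
  };

  powerManagement = {
    powertop.enable = true;
    enable = true;
    cpuFreqGovernor = "powersave";
  };

  # https://github.com/NixOS/nixpkgs/issues/101459#issuecomment-758306434
  security.pam.loginLimits = [
    {
      domain = "*";
      type = "soft";
      item = "nofile";
      value = "4096";
    }
  ];

  nix = {
    # optimize the store
    optimise.automatic = true;
    # garbage collection
    gc = {
      automatic = true;
      dates = "weekly";
      options = "--delete-older-than 7d";
    };
  };

  hardware.intelgpu.driver = "xe";

  boot = {
    # 6.12 LTS until 2026 — the `_hardened` variant carries the extra
    # kernel hardening patches/config on top of the LTS branch.
    kernelPackages = pkgs.linuxPackages_6_12_hardened;
    loader = {
      # Use the systemd-boot EFI boot loader.
      # NOTE(review): only the EFI-variable permission is set here; the boot
      # loader itself is presumably enabled in ./modules/secureboot.nix — confirm.
      efi.canTouchEfiVariables = true;
      # 1s timeout
      timeout = 1;
    };
    initrd = {
      compressor = "zstd";
      supportedFilesystems = [ "f2fs" ];
    };

    # BBR congestion control handles variable-latency VPN connections much
    # better than CUBIC by probing bandwidth continuously rather than
    # reacting to packet loss.
    kernelModules = [ "tcp_bbr" ];

    kernel.sysctl = {
      # Use BBR + fair queuing for smooth throughput through the WireGuard VPN
      "net.core.default_qdisc" = "fq";
      "net.ipv4.tcp_congestion_control" = "bbr";

      # Disable slow-start after idle: prevents TCP from resetting window
      # size on each burst cycle (the primary cause of the 0 -> 40 MB/s spikes)
      "net.ipv4.tcp_slow_start_after_idle" = 0;

      # Larger socket buffers to accommodate the VPN bandwidth-delay product
      # (22ms RTT * target throughput). Current 2.5MB max is too small.
      "net.core.rmem_max" = 16777216;
      "net.core.wmem_max" = 16777216;
      "net.ipv4.tcp_rmem" = "4096 87380 16777216";
      "net.ipv4.tcp_wmem" = "4096 65536 16777216";

      # Higher backlog for the large number of concurrent torrent connections
      "net.core.netdev_max_backlog" = 5000;

      # Minecraft server optimizations
      # Disable autogroup for better scheduling of game server threads
      "kernel.sched_autogroup_enabled" = 0;
      # Huge pages for Minecraft JVM (4000MB heap / 2MB per page + ~200 overhead).
      # These pages are reserved at boot and unavailable to everything else.
      "vm.nr_hugepages" = 2200;
    };
  };

  # Empty pre-login banner on the consoles.
  environment.etc = {
    "issue".text = "";
  };

  # Set your time zone.
  time.timeZone = "America/New_York";

  hardware.graphics = {
    enable = true;
    extraPackages = with pkgs; [
      libva-vdpau-driver
      intel-compute-runtime # OpenCL filter support (hardware tonemapping and subtitle burn-in)
      vpl-gpu-rt # QSV on 11th gen or newer
    ];
  };

  #fwupd for updating firmware
  services.fwupd = {
    enable = true;
    # NOTE(review): lvfs-testing serves pre-release firmware that has not
    # passed the stable LVFS gate; a bad update here is a bricking risk on a
    # remote box. Keep it only if a specific device needs it.
    extraRemotes = [ "lvfs-testing" ];
  };

  environment.systemPackages = with pkgs; [
    helix
    lm_sensors
    bottom
    htop
    doas-sudo-shim
    neofetch
    borgbackup
    smartmontools
    ripgrep
    intel-gpu-tools
    iotop
    iftop
    tmux
    wget
    powertop
    lsof
    reflac
    pfetch-rs
    sbctl
    # add `skdump`
    libatasmart
  ];

  networking = {
    nameservers = [
      "1.1.1.1"
      "9.9.9.9"
    ];
    hostName = hostname;
    hostId = "0f712d56";
    firewall.enable = true;
    # NOTE(review): a trusted interface bypasses the firewall entirely, so
    # every WireGuard peer on wg-br can reach every listening service on
    # this host, not only the ports opened with openFirewall. Fine if all
    # peers are equally trusted; otherwise open ports per interface instead.
    firewall.trustedInterfaces = [ "wg-br" ];
    useDHCP = false;
    # NOTE(review): enableIPv6 = false disables IPv6 on the stack via sysctl,
    # so the link-local address configured below is most likely never
    # applied — confirm whether IPv6 on this interface is wanted at all.
    enableIPv6 = false;
    interfaces.${eth_interface} = {
      ipv4.addresses = [
        {
          address = "192.168.1.50";
          # address = "10.1.1.102";
          prefixLength = 24;
        }
      ];
      ipv6.addresses = [
        {
          address = "fe80::9e6b:ff:fe4d:abb";
          prefixLength = 64;
        }
      ];
    };
    defaultGateway = {
      #address = "10.1.1.1";
      address = "192.168.1.1";
      interface = eth_interface;
    };
    # TODO! fix this
    # defaultGateway6 = {
    #   address = "fe80::/64";
    #   interface = eth_interface;
    # };
  };

  # Shared media group so the *arr/jellyfin services and the admin user can
  # all access the library; the name comes from service_configs.
  users.groups.${service_configs.media_group} = { };

  users.users.${username} = {
    isNormalUser = true;
    extraGroups = [
      "wheel"
      "video"
      "render"
      service_configs.media_group
    ];
    # Password hash is decrypted at activation by the age module rather than
    # stored in the Nix store.
    hashedPasswordFile = config.age.secrets.hashedPass.path;
  };

  # https://nixos.wiki/wiki/Fish#Setting_fish_as_your_shell
  # bash stays the login shell (so non-interactive tooling keeps working) and
  # hands interactive sessions over to fish, unless the parent is already
  # fish or bash was started with -c.
  programs.fish.enable = true;
  programs.bash = {
    interactiveShellInit = ''
      if [[ $(${pkgs.procps}/bin/ps --no-header --pid=$PPID --format=comm) != "fish" && -z ''${BASH_EXECUTION_STRING} ]]
      then
        shopt -q login_shell && LOGIN_OPTION='--login' || LOGIN_OPTION=""
        exec ${pkgs.fish}/bin/fish $LOGIN_OPTION
      fi
    '';
  };

  security = {
    #lets use doas and not sudo!
    doas.enable = true;
    sudo.enable = false;
    # Configure doas
    # NOTE(review): keepEnv passes the caller's whole environment into the
    # root session and persist skips re-authentication for a while after a
    # successful doas. Both are convenient on a single-admin box, but they
    # widen what a compromised user session can do; drop keepEnv if nothing
    # relies on it.
    doas.extraRules = [
      {
        users = [ username ];
        keepEnv = true;
        persist = true;
      }
    ];
  };

  services.murmur = {
    enable = true;
    # Opens the murmur port on every non-trusted interface, i.e. the LAN.
    openFirewall = true;
    welcometext = "meow meow meow meow meow :3 xd";
    # NOTE(review): builtins.readFile inlines the plaintext password into the
    # evaluated configuration, so it ends up in the world-readable Nix store
    # (and in the generated murmur config). The user password above already
    # goes through age; route this secret the same way and feed it to murmur
    # via the module's environmentFile option instead of `password`.
    password = builtins.readFile ./secrets/murmur_password;
  };

  # services.botamusique = {
  #   enable = true;
  #   settings = {
  #     server = {
  #       port = config.services.murmur.port;
  #       password = config.services.murmur.password;
  #     };
  #   };
  # };

  # systemd.tmpfiles.rules = [
  #   "Z /tank/music 775 ${username} users"
  # ];

  system.stateVersion = "24.11";
}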