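# NixOS host module for a headless ZFS/lanzaboote server.
#
# Module arguments:
#   config, lib, pkgs  - standard NixOS module inputs
#   hostname           - value for networking.hostName
#   username           - the single interactive user created below
#   eth_interface      - name of the wired interface given a static address
#   service_configs    - shared settings for the imported service modules
#                        (only .minecraft.server_name is read here)
{
  config,
  lib,
  pkgs,
  hostname,
  username,
  eth_interface,
  service_configs,
  ...
}:
{
  imports = [
    ./hardware.nix
    ./services/jellyfin.nix
    ./services/caddy.nix
    ./services/immich.nix
    ./services/gitea.nix
    ./services/minecraft.nix
    ./services/wg.nix
    ./services/qbittorrent.nix
    ./services/bitmagnet.nix
    ./services/matrix.nix
    ./services/owntracks.nix
  ];

  # Always-on server: disable every sleep-related systemd target.
  systemd.targets = {
    sleep.enable = false;
    suspend.enable = false;
    hibernate.enable = false;
    hybrid-sleep.enable = false;
  };

  powerManagement = {
    powertop.enable = true;
    enable = true;
    cpuFreqGovernor = "powersave";
  };

  nix = {
    # optimize the store
    optimise.automatic = true;
    # enable flakes!
    settings = {
      experimental-features = [
        "nix-command"
        "flakes"
      ];
    };
  };

  # https://github.com/viperML/nh
  programs.nh = {
    enable = true;
    clean.enable = true;
    clean.extraArgs = "--keep-since 4d --keep 3";
  };

  boot = {
    kernelPackages = pkgs.linuxPackages;
    zfs.package = pkgs.zfs_unstable;
    kernelParams = [
      # ARC cap in bytes: 2048 MB (decimal), i.e. roughly 1.9 GiB
      "zfs.zfs_arc_max=2048000000"
    ];
    supportedFilesystems = [ "zfs" ];
    zfs.extraPools = [ "tank" ];
    loader = {
      # Let the bootloader installer write EFI boot variables.
      efi.canTouchEfiVariables = true;
      # 1s timeout
      timeout = 1;
    };
    initrd = {
      compressor = "zstd";
    };
    # lanzaboote performs the bootloader installation itself, so the stock
    # systemd-boot installer is forced off (mkForce overrides any other
    # module that sets this option).
    loader.systemd-boot.enable = lib.mkForce false;
    lanzaboote = {
      enable = true;
      pkiBundle = "/var/lib/sbctl";
    };
  };

  system.activationScripts = {
    # extract all my secureboot keys
    # Runs on every activation: the bundle directory is recreated from
    # /etc/nixos/secrets/secureboot.tar. The directory is made mode 0700 so
    # the signing keys are not readable by unprivileged users regardless of
    # the modes stored in the archive; everything that consumes the bundle
    # (lanzaboote's installer, sbctl) runs as root.
    "secureboot-keys".text = ''
      #!/bin/sh
      rm -fr ${config.boot.lanzaboote.pkiBundle} || true
      mkdir -p ${config.boot.lanzaboote.pkiBundle}
      ${pkgs.coreutils}/bin/chmod 700 ${config.boot.lanzaboote.pkiBundle}
      ${pkgs.gnutar}/bin/tar xf /etc/nixos/secrets/secureboot.tar -C ${config.boot.lanzaboote.pkiBundle}
    '';
  };

  # encryption key for zpool (VERY IMPORTANT)
  # NOTE(review): this is a path literal rather than a string; the initrd
  # secrets mechanism is expected to copy it at bootloader-install time
  # rather than into the Nix store -- confirm for the nixpkgs revision in use.
  boot.initrd.secrets."/etc/zfs-key" = /etc/nixos/secrets/zfs-key;

  # Blank pre-login banner.
  environment.etc = {
    "issue".text = "";
  };

  # Set your time zone.
  time.timeZone = "America/New_York";

  # Enable the OpenSSH daemon (key-only logins, root login refused).
  services.openssh = {
    enable = true;
    settings = {
      PasswordAuthentication = false;
      PermitRootLogin = "no";
    };
  };

  hardware.graphics = {
    enable = true;
    extraPackages = with pkgs; [
      vaapiVdpau
      intel-compute-runtime # OpenCL filter support (hardware tonemapping and subtitle burn-in)
      vpl-gpu-rt # QSV on 11th gen or newer
    ];
  };

  #fwupd for updating firmware
  services.fwupd = {
    enable = true;
    # lvfs-testing serves firmware that has not yet been promoted to the
    # stable LVFS remote; updates offered from it are pre-release.
    extraRemotes = [ "lvfs-testing" ];
  };

  environment.systemPackages = with pkgs; [
    helix
    nixfmt-rfc-style
    lm_sensors
    bottom
    htop
    doas-sudo-shim
    neofetch
    borgbackup
    smartmontools
    nil
    ripgrep
    intel-gpu-tools
    tmux
    wget
    powertop
    # Attach to the Minecraft server console running under tmux.
    (pkgs.writeScriptBin "mc-console" ''
      #!/bin/sh
      ${pkgs.tmux}/bin/tmux -S /run/minecraft/${service_configs.minecraft.server_name}.sock attach
    '')
    # Print the SMART overall-health verdict for every whole /dev/sd* disk.
    # Written for POSIX sh: the original used bash-only `[[` and `$EUID`
    # under a #!/bin/sh shebang, and parsed `ls` output to find disks.
    (pkgs.writeScriptBin "disk-smart-test" ''
      #!/bin/sh
      set -e
      if [ "$(${pkgs.coreutils}/bin/id -u)" -ne 0 ]; then
        echo "This command requires root."
        exit 2
      fi
      for i in /dev/sd*; do
        # skip partitions (names ending in a digit) and an unmatched glob
        case "$i" in *[0-9]) continue ;; esac
        [ -b "$i" ] || continue
        ${pkgs.coreutils}/bin/echo -n "$i "
        ${pkgs.smartmontools}/bin/smartctl -a "$i" | ${pkgs.gnugrep}/bin/grep "SMART overall-health self-assessment test result:" | ${pkgs.coreutils}/bin/cut -d' ' -f6
      done
    '')
    # Third-party script fetched from a branch ref but pinned by hash: an
    # upstream change makes the fetch fail rather than running new code.
    (pkgs.writeShellApplication {
      name = "reflac";
      runtimeInputs = with pkgs; [ flac ];
      excludeShellChecks = [ "2086" ];
      text = builtins.readFile (
        pkgs.fetchurl {
          url = "https://raw.githubusercontent.com/chungy/reflac/refs/heads/master/reflac";
          sha256 = "61c6cc8be3d276c6714e68b55e5de0e6491f50bbf195233073dbce14a1e278a7";
        }
      );
    })
    pfetch-rs
    sbctl
  ];

  services.zfs = {
    autoScrub.enable = true;
    trim.enable = true;
    autoSnapshot = {
      enable = true;
      frequent = 4; # 15-minutes
      hourly = 24;
      daily = 7;
      weekly = 4;
      monthly = 12;
    };
  };

  # One-shot unit that turns every OpenRGB-visible device black at boot.
  systemd.services.no-rgb =
    let
      no-rgb = pkgs.writeScriptBin "no-rgb" ''
        #!/bin/sh
        set -e
        NUM_DEVICES=$(${pkgs.openrgb}/bin/openrgb --noautoconnect --list-devices | ${pkgs.gnugrep}/bin/grep -E '^[0-9]+: ' | ${pkgs.coreutils}/bin/wc -l)
        for i in $(${pkgs.coreutils}/bin/seq 0 $(($NUM_DEVICES - 1))); do
          ${pkgs.openrgb}/bin/openrgb --noautoconnect --device $i --mode direct --color 000000
        done
      '';
    in
    {
      description = "disable rgb";
      serviceConfig = {
        ExecStart = "${no-rgb}/bin/no-rgb";
        Type = "oneshot";
      };
      wantedBy = [ "multi-user.target" ];
    };

  services.hardware.openrgb = {
    enable = true;
    package = pkgs.openrgb-with-all-plugins;
    motherboard = "amd";
  };
  services.udev.packages = [ pkgs.openrgb-with-all-plugins ];
  hardware.i2c.enable = true;

  networking = {
    nameservers = [
      "1.1.1.1"
      "9.9.9.9"
    ];
    hostName = hostname;
    # Required by ZFS; the pool is bound to this id.
    hostId = "0f712d56";
    firewall.enable = true;
    useDHCP = false;
    # enableIPv6 = false;
    interfaces.${eth_interface} = {
      ipv4.addresses = [
        {
          address = "10.1.1.102";
          prefixLength = 24;
        }
      ];
      ipv6.addresses = [
        {
          address = "fe80::9e6b:ff:fe4d:abb";
          prefixLength = 64;
        }
      ];
    };
    defaultGateway = {
      address = "10.1.1.1";
      interface = eth_interface;
    };
    # TODO! fix this
    # defaultGateway6 = {
    #   address = "fe80::/64";
    #   interface = eth_interface;
    # };
  };

  users.users.${username} = {
    isNormalUser = true;
    # NOTE(review): postgres/owntracks membership grants this user whatever
    # those groups can read -- confirm both are still needed.
    extraGroups = [
      "wheel"
      "video"
      "render"
      "postgres"
      "owntracks"
    ];
    # Read at activation from a string path, so the hash stays out of the store.
    hashedPasswordFile = "/etc/nixos/secrets/hashedPass";
    openssh.authorizedKeys.keys = [
      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO4jL6gYOunUlUtPvGdML0cpbKSsPNqQ1jit4E7U1RyH" # laptop
      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBJjT5QZ3zRDb+V6Em20EYpSEgPW5e/U+06uQGJdraxi" # desktop
    ];
  };

  # https://nixos.wiki/wiki/Fish#Setting_fish_as_your_shell
  programs.fish.enable = true;
  # Hand interactive bash sessions over to fish unless the parent already is
  # fish or bash was given a command string (-c).
  programs.bash = {
    interactiveShellInit = ''
      if [[ $(${pkgs.procps}/bin/ps --no-header --pid=$PPID --format=comm) != "fish" && -z ''${BASH_EXECUTION_STRING} ]]
      then
        shopt -q login_shell && LOGIN_OPTION='--login' || LOGIN_OPTION=""
        exec ${pkgs.fish}/bin/fish $LOGIN_OPTION
      fi
    '';
  };

  security = {
    #lets use doas and not sudo!
    doas.enable = true;
    sudo.enable = false;
    # Configure doas
    # keepEnv passes the caller's environment to the elevated command;
    # persist skips re-authentication for a while after a successful one.
    doas.extraRules = [
      {
        users = [ username ];
        keepEnv = true;
        persist = true;
      }
    ];
  };

  services.murmur = {
    enable = true;
    openFirewall = true;
    welcometext = "meow meow meow meow meow :3 xd";
    # NOTE(review): builtins.readFile evaluates the secret into the
    # configuration, so it lands in the generated murmur config in the
    # world-readable Nix store (and, if this repo is a flake, ./secrets is
    # copied to the store with the flake source). A trailing newline in the
    # file would also become part of the password. Kept as-is; consider a
    # runtime-read secret like the /etc/nixos/secrets paths used elsewhere.
    password = builtins.readFile ./secrets/murmur_password;
  };
  # services.botamusique = {
  #   enable = true;
  #   settings = {
  #     server = {port = config.services.murmur.port;
  #       password = config.services.murmur.password;
  #     };
  #   };
  # };

  services.postgresql = {
    enable = true;
    package = pkgs.postgresql_16;
    dataDir = "/tank/services/sql";
  };
  # Ensure the data directory exists on the pool, owned solely by postgres.
  systemd.tmpfiles.rules = [
    "d ${config.services.postgresql.dataDir} 0700 postgres postgres"
  ];

  system.stateVersion = "24.11";
}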