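# NixOS host configuration for "iron": a ZFS-on-LUKS router/NAS with five
# identical disks, a mirrored set of EFI system partitions, a LAN bridge
# (plus an "iot" VLAN on it), NAT to the WAN interface and a few services
# pulled in from ./services.  Interface names come from ./interfaces.nix
# (only `lan` and `wan` are read here).
{ config, pkgs, lib, ... }:
let
  interfaces = import ./interfaces.nix;

  # Stable /dev/disk/by-id names of the five disks, keyed by physical slot.
  # Every per-disk derivation below (LUKS containers, GRUB targets, ESP
  # mount points, USB unlock keys) is generated from this one table.
  disks = {
    slot1 = "ata-Samsung_SSD_870_QVO_8TB_S5SSNG0R103837K";
    slot2 = "ata-Samsung_SSD_870_QVO_8TB_S5SSNG0R103838A";
    slot3 = "ata-Samsung_SSD_870_QVO_8TB_S5SSNG0R104926N";
    slot4 = "ata-Samsung_SSD_870_QVO_8TB_S5SSNG0R104934H";
    slot5 = "ata-Samsung_SSD_870_QVO_8TB_S5SSNJ0W206517Y";
  };

  # When true, GRUB is installed to the removable-media fallback path and
  # the firmware's boot variables are left untouched.
  removableEfi = true;

  # Directory prefix for disk names; keep the trailing slash, every
  # consumer below concatenates a disk name directly onto it.
  devNodes = "/dev/disk/by-id/";

  # ZFS dataset -> mount point.  All of these are mounted in stage 1.
  datasets = {
    "bpool/nixos/root" = "/boot";
    "rpool/filebitch" = "/filebitch";
    "rpool/navidrome" = "/var/lib/private/navidrome";
    "rpool/navidrome/music" = "/var/lib/navidrome/music";
    "rpool/nixos/home" = "/home";
    "rpool/nixos/root" = "/";
    "rpool/nixos/var/lib" = "/var/lib";
    "rpool/nixos/var/lib/qBittorrent" = "/var/lib/qBittorrent";
    "rpool/nixos/var/lib/qBittorrent/downloads" = "/var/lib/qBittorrent/downloads";
    "rpool/nixos/var/log" = "/var/log";
  };

  # Partition suffixes shared by all disks (by-id name + suffix = partition).
  partitionScheme = {
    efiBoot = "-part1";
    bootPool = "-part2";
    luksDev = "-part3";
    biosBoot = "-part4";
  };

  # One ESP per disk, e.g. "<disk>-part1".
  efiSystemPartitions = map (diskName: diskName + partitionScheme.efiBoot) (lib.attrValues disks);
in
with lib;
{
  imports = [ ../../users/jalr ./services ./ports.nix ];

  config = {
    system.stateVersion = "25.11";

    # NOTE(review): members of `wheel` get root without a password, so any
    # compromised wheel account is a root compromise — confirm this is intended.
    security.sudo.wheelNeedsPassword = false;

    networking = {
      hostName = "iron";
      hostId = "b141e72f";
      useDHCP = false;
      networkmanager.enable = false;

      # LAN is a bridge over two physical ports; the IoT VLAN is tagged on it.
      bridges = {
        "${interfaces.lan}" = { interfaces = [ "enp2s4" "enp3s5" ]; };
      };
      vlans = {
        iot = { id = 20; interface = interfaces.lan; };
      };
      interfaces = {
        "${interfaces.lan}".ipv4.addresses = [{ address = "192.168.42.1"; prefixLength = 24; }];
        iot.ipv4.addresses = [{ address = "10.20.0.1"; prefixLength = 20; }];
        "${interfaces.wan}" = { useDHCP = true; };
      };

      # Masquerade LAN and libvirt's default bridge behind the WAN address.
      nat = {
        enable = true;
        externalInterface = interfaces.wan;
        internalInterfaces = [ interfaces.lan "virbr0" ];
      };

      firewall = {
        # NOTE(review): this opens 5201 on every interface, including
        # ${interfaces.wan}; if it is only meant for local use, move it to
        # `firewall.interfaces.<lan>.allowedTCPPorts` instead.
        allowedTCPPorts = [ 5201 ];

        # nftables syntax: clamp the MSS of forwarded TCP SYNs to the path MTU.
        # Presumably the nftables firewall backend is enabled elsewhere (./ports.nix
        # or ./services) — this option has no effect with the iptables backend.
        extraForwardRules = ''
          tcp flags syn tcp option maxseg size set rt mtu
        '';

        # DNS and DHCP for libvirt guests on the default bridge only.
        interfaces.virbr0 = {
          allowedTCPPorts = [ 53 ];
          allowedUDPPorts = [ 53 67 ];
        };
      };
    };

    # Router advertisements on the LAN; the prefix itself is delegated
    # to the LAN by dhcpcd (see `ia_pd` below).
    services.radvd = {
      enable = true;
      config = ''
        interface ${interfaces.lan} {
          AdvSendAdvert on;
          prefix ::/64 {
            AdvOnLink on;
            AdvAutonomous on;
            AdvRouterAddr on;
          };
        };
      '';
    };

    # dhcpcd: no RS anywhere except on the WAN, where it requests one
    # address (IA_NA) and one delegated prefix (IA_PD) that is assigned
    # to the LAN.  One directive per line — dhcpcd is line-oriented.
    networking.dhcpcd.extraConfig = ''
      noipv6rs
      waitip 6
      interface ${interfaces.wan}
      ipv6rs
      ia_na 1
      ia_pd 2 ${interfaces.lan}/0
    '';

    # Unlock every LUKS container with a key file read from a USB stick.
    jalr.luksUsbUnlock = {
      enable = true;
      devices = builtins.mapAttrs (_: _: {
        keyPath = "iron.key";
        usbDevice = "by-label/RAM_USB";
        waitForDevice = 10;
      }) disks;
    };

    boot = {
      kernel.sysctl = {
        "net.ipv6.conf.all.forwarding" = 1;
        # NOTE(review): the interface name is hard-coded while every other
        # interface reference comes from ./interfaces.nix — confirm it is
        # ${interfaces.wan}.  Also, with forwarding enabled the kernel only
        # honours accept_ra when it is 2, and dhcpcd's `ipv6rs` processes RAs
        # in userspace anyway, so this entry may be inert.
        "net.ipv6.conf.enp0s25.accept_ra" = 1;
      };

      initrd = {
        availableKernelModules = [ "ahci" "ehci_pci" "sd_mod" "sdhci_pci" "usb_storage" "xhci_pci" ];
        systemd.enable = true;
        # One LUKS container per disk on the "luksDev" partition.
        # allowDiscards passes TRIM through the container (exposes free-space
        # layout on the raw disk; accepted here for SSD health).
        luks.devices = builtins.mapAttrs (_: dev: {
          device = "${devNodes}${dev}${partitionScheme.luksDev}";
          allowDiscards = true;
        }) disks;
      };

      supportedFilesystems = [ "zfs" ];
      zfs = {
        inherit devNodes;
        forceImportRoot = false;
      };

      loader = {
        efi = {
          # Removable-media install must not write firmware boot variables.
          canTouchEfiVariables = !removableEfi;
          # The first disk's ESP is the "primary"; the others are copies.
          efiSysMountPoint = "/boot/efis/" + (head (lib.attrValues disks)) + partitionScheme.efiBoot;
        };
        generationsDir.copyKernels = true;
        grub = {
          enable = true;
          devices = map (diskName: devNodes + diskName) (attrValues disks);
          efiInstallAsRemovable = removableEfi;
          copyKernels = true;
          efiSupport = true;
          zfsSupport = true;
          # Serial console for GRUB (matches kernelParams below).
          extraConfig = ''
            serial --unit=0 --speed=115200 --word=8 --parity=no --stop=1
            terminal_input --append serial
            terminal_output --append serial
          '';
          # Mirror the installed EFI tree from the primary ESP onto the
          # ESPs of the remaining disks so any disk can boot the system.
          extraInstallCommands = toString (map (diskName: ''
            ${pkgs.coreutils-full}/bin/cp -r ${config.boot.loader.efi.efiSysMountPoint}/EFI /boot/efis/${diskName}${partitionScheme.efiBoot}
          '') (tail (attrValues disks)));
        };
      };

      kernelParams = [ "console=ttyS0,115200" "console=tty1" ];
    };

    # All mounts are fed to mkMerge as ONE list.  Previously the "/proc"
    # entry was attached with `//` to the attrset mkMerge returns; the module
    # system only reads mkMerge's `contents`, so that entry — and with it the
    # nosuid/noexec/nodev/hidepid=2 hardening — was silently dropped.
    fileSystems = mkMerge (
      mapAttrsToList (dataset: mountpoint: {
        "${mountpoint}" = {
          device = "${dataset}";
          fsType = "zfs";
          options = [ "X-mount.mkdir" "noatime" ];
          neededForBoot = true;
        };
      }) datasets
      ++ map (esp: {
        "/boot/efis/${esp}" = {
          # devNodes already ends in "/"; same concatenation as luks.devices.
          device = "${devNodes}${esp}";
          fsType = "vfat";
          options = [ "x-systemd.idle-timeout=1min" "x-systemd.automount" "noauto" "nofail" "noatime" "X-mount.mkdir" ];
        };
      }) efiSystemPartitions
      ++ [{
        # NOTE(review): /proc is mounted as an API filesystem early in boot;
        # if this fstab entry turns out not to be applied (no fsType is given,
        # so it defaults to auto), `boot.specialFileSystems."/proc".options`
        # is the NixOS-native place for these options — confirm on the host.
        "/proc" = {
          device = "/proc";
          options = [ "nosuid" "noexec" "nodev" "hidepid=2" ];
        };
      }]
    );

    hardware = {
      enableRedistributableFirmware = true;
      graphics = {
        enable = true;
        extraPackages = [ pkgs.intel-vaapi-driver ];
      };
    };

    # Podman/containers storage on its own ZFS dataset.
    virtualisation.containers.storage.settings = {
      storage = {
        driver = "zfs";
        graphroot = "/var/lib/containers/storage";
        runroot = "/run/containers/storage";
        options.zfs.fsname = "rpool/nixos/podman";
      };
    };

    zramSwap = {
      enable = true;
      algorithm = "zstd";
      memoryPercent = 60;
      priority = 1;
    };

    services.zfs = {
      trim.enable = false;
    };
  };
}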