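# NixOS host "iron": ZFS-on-LUKS router/NAS with five disks (one mirrored
# ESP each), a LAN bridge, an IoT VLAN and IPv6 prefix delegation on the WAN.
{ config, pkgs, lib, ... }:

let
  # Interface names (lan / wan) shared with the other modules of this host.
  interfaces = import ./interfaces.nix;

  # Physical disks by their /dev/disk/by-id name, keyed by drive slot.
  disks = {
    slot1 = "ata-Samsung_SSD_870_QVO_8TB_S5SSNG0R103837K";
    slot2 = "ata-Samsung_SSD_870_QVO_8TB_S5SSNG0R103838A";
    slot3 = "ata-Samsung_SSD_870_QVO_8TB_S5SSNG0R104926N";
    slot4 = "ata-Samsung_SSD_870_QVO_8TB_S5SSNG0R104934H";
    slot5 = "ata-Samsung_SSD_870_QVO_8TB_S5SSNJ0W206517Y";
  };

  # Install GRUB to the removable-media EFI path instead of writing NVRAM
  # boot entries, so each disk's ESP is bootable on its own.
  removableEfi = true;

  # Prefix for stable device paths. It already ends in "/": concatenate disk
  # names directly, do not add another separator.
  devNodes = "/dev/disk/by-id/";

  # ZFS dataset -> mountpoint.
  datasets = {
    "bpool/nixos/root" = "/boot";
    "rpool/filebitch" = "/filebitch";
    "rpool/navidrome" = "/var/lib/private/navidrome";
    "rpool/navidrome/music" = "/var/lib/navidrome/music";
    "rpool/nixos/home" = "/home";
    "rpool/nixos/root" = "/";
    "rpool/nixos/var/lib" = "/var/lib";
    "rpool/nixos/var/lib/qBittorrent" = "/var/lib/qBittorrent";
    "rpool/nixos/var/lib/qBittorrent/downloads" = "/var/lib/qBittorrent/downloads";
    "rpool/nixos/var/log" = "/var/log";
  };

  # Partition suffixes appended to a disk's by-id name.
  partitionScheme = {
    efiBoot = "-part1";
    bootPool = "-part2";
    luksDev = "-part3";
    biosBoot = "-part4";
  };

  # by-id names of every disk's EFI system partition, in slot order.
  efiSystemPartitions = map (diskName: diskName + partitionScheme.efiBoot) (lib.attrValues disks);

  # fileSystems entry for one ZFS dataset. Every dataset is mounted from the
  # initrd (neededForBoot), which is the author's choice and kept as-is.
  zfsMount = dataset: mountpoint: {
    "${mountpoint}" = {
      device = dataset;
      fsType = "zfs";
      options = [ "X-mount.mkdir" "noatime" ];
      neededForBoot = true;
    };
  };

  # fileSystems entry for one EFI system partition, automounted on demand
  # under /boot/efis/ so the GRUB install step below can mirror onto it.
  espMount = esp: {
    "/boot/efis/${esp}" = {
      device = devNodes + esp;
      fsType = "vfat";
      options = [
        "x-systemd.idle-timeout=1min"
        "x-systemd.automount"
        "noauto"
        "nofail"
        "noatime"
        "X-mount.mkdir"
      ];
    };
  };
in
with lib; {
  imports = [
    ../../users/jalr
    ./services
    ./ports.nix
  ];

  config = {
    system.stateVersion = "23.11";

    # Members of wheel obtain root without re-authenticating, so every wheel
    # account (and every process running as one) is root-equivalent.
    security.sudo.wheelNeedsPassword = false;

    networking = {
      hostName = "iron";
      hostId = "b141e72f"; # required for ZFS pool import
      useDHCP = false;
      networkmanager.enable = false;

      # The LAN is a bridge over two physical NICs.
      bridges = {
        "${interfaces.lan}" = {
          interfaces = [ "enp2s4" "enp3s5" ];
        };
      };

      # Tagged IoT segment carried on the LAN bridge.
      vlans = {
        iot = {
          id = 20;
          interface = interfaces.lan;
        };
      };

      interfaces = {
        "${interfaces.lan}".ipv4.addresses = [{
          address = "192.168.42.1";
          prefixLength = 24;
        }];
        iot.ipv4.addresses = [{
          address = "10.20.0.1";
          prefixLength = 20;
        }];
        # WAN: IPv4 lease via DHCP; IPv6 handled by dhcpcd.extraConfig below.
        "${interfaces.wan}" = {
          useDHCP = true;
        };
      };

      # IPv4 NAT for the LAN and libvirt's default bridge. The iot VLAN is not
      # listed, so IoT hosts get no IPv4 path to the WAN — presumably
      # deliberate isolation; confirm against the intended IoT policy.
      nat = {
        enable = true;
        externalInterface = interfaces.wan;
        internalInterfaces = [
          interfaces.lan
          "virbr0"
        ];
      };

      firewall = {
        # Opened on every interface, including the WAN side. If only LAN
        # clients need it (5201 is the iperf3 default), scope it under
        # interfaces.<lan>.allowedTCPPorts like the virbr0 rules below.
        allowedTCPPorts = [ 5201 ];
        # MSS clamping for forwarded connections (tunnel/PPPoE MTU). This
        # option is only honoured by the nftables backend; whether
        # networking.nftables.enable is set is not visible in this file.
        # Note that forwarded traffic (e.g. inbound IPv6 to the globally
        # addressed LAN/IoT hosts) is only filtered when
        # networking.firewall.filterForward is true — it defaults to false
        # and is not set here; check ./services and ./ports.nix.
        extraForwardRules = ''
          tcp flags syn tcp option maxseg size set rt mtu
        '';
        # DNS and DHCP for libvirt guests only.
        interfaces.virbr0 = {
          allowedTCPPorts = [ 53 ];
          allowedUDPPorts = [ 53 67 ];
        };
      };
    };

    # Router advertisements on the LAN. "::/64" advertises whatever prefix is
    # currently assigned to the interface, i.e. the delegated one from dhcpcd.
    services.radvd = {
      enable = true;
      config = ''
        interface ${interfaces.lan} {
          AdvSendAdvert on;
          prefix ::/64 {
            AdvOnLink on;
            AdvAutonomous on;
            AdvRouterAddr on;
          };
        };
      '';
    };

    # dhcpcd: no router solicitation except on the WAN, where one address
    # (ia_na) and one prefix delegation (ia_pd) are requested; a /64 out of
    # the delegation is assigned to the LAN interface (SLA id 0).
    networking.dhcpcd.extraConfig = ''
      noipv6rs
      waitip 6

      interface ${interfaces.wan}
      ipv6rs
      ia_na 1
      ia_pd 1/::/64 ${interfaces.lan}/0/64
    '';

    # Custom module (defined outside this file, presumably under
    # ../../users/jalr): each LUKS container is unlocked at boot with a key
    # file read from the USB stick labelled RAM_USB. Presumably the stick
    # alone is the unlock factor — confirm in the module before relying on
    # any passphrase fallback.
    jalr.luksUsbUnlock = {
      enable = true;
      devices = builtins.mapAttrs
        (_: _: {
          keyPath = "iron.key";
          usbDevice = "by-label/RAM_USB";
          waitForDevice = 10;
        })
        disks;
    };

    boot = {
      # Route the delegated IPv6 prefix; IPv4 forwarding is enabled by
      # networking.nat.
      kernel.sysctl = {
        "net.ipv6.conf.all.forwarding" = 1;
      };

      initrd = {
        # SATA, USB and SD controllers so the disks and the key USB stick are
        # reachable before the LUKS step.
        availableKernelModules = [
          "ahci"
          "ehci_pci"
          "sd_mod"
          "sdhci_pci"
          "usb_storage"
          "xhci_pci"
        ];
        systemd.enable = true;
        # One LUKS container per disk on the -part3 partition. allowDiscards
        # passes TRIM through dm-crypt, which exposes which blocks are unused
        # to anyone holding the raw disk — the usual SSD-health trade-off
        # (services.zfs.trim is disabled below, so no periodic TRIM runs).
        luks.devices = builtins.mapAttrs
          (_: dev: {
            device = devNodes + dev + partitionScheme.luksDev;
            allowDiscards = true;
          })
          disks;
      };

      supportedFilesystems = [ "zfs" ];
      zfs = {
        inherit devNodes;
        # Never force-import rpool: a pool last used by another hostid should
        # fail loudly instead of being taken over.
        forceImportRoot = false;
      };

      loader = {
        efi = {
          # Removable-media installs write nothing to EFI NVRAM.
          canTouchEfiVariables = !removableEfi;
          # GRUB is installed to the first disk's ESP ...
          efiSysMountPoint = "/boot/efis/" + head efiSystemPartitions;
        };
        generationsDir.copyKernels = true;
        grub = {
          enable = true;
          devices = map (diskName: devNodes + diskName) (attrValues disks);
          efiInstallAsRemovable = removableEfi;
          copyKernels = true;
          efiSupport = true;
          zfsSupport = true;
          # Serial console in addition to VGA; matches kernelParams below.
          extraConfig = ''
            serial --unit=0 --speed=115200 --word=8 --parity=no --stop=1
            terminal_input --append serial
            terminal_output --append serial
          '';
          # ... and then mirrored onto every other ESP so any single disk
          # boots. Accessing /boot/efis/<esp> triggers its automount.
          extraInstallCommands = concatMapStrings
            (esp: ''
              ${pkgs.coreutils-full}/bin/cp -r ${config.boot.loader.efi.efiSysMountPoint}/EFI /boot/efis/${esp}
            '')
            (tail efiSystemPartitions);
        };
      };

      kernelParams = [
        "console=ttyS0,115200"
        "console=tty1"
      ];
    };

    fileSystems = mkMerge (
      mapAttrsToList zfsMount datasets
      ++ map espMount efiSystemPartitions
      # Kept inside the mkMerge list on purpose: attributes joined onto a
      # mkMerge value with "//" are not part of its `contents` and the module
      # system ignores them, so the hidepid=2 hardening would never apply.
      ++ [{
        "/proc" = {
          device = "/proc";
          options = [ "nosuid" "noexec" "nodev" "hidepid=2" ];
        };
      }]
    );

    hardware.enableRedistributableFirmware = true;

    # Container image storage on its own ZFS dataset.
    virtualisation.containers.storage.settings = {
      storage = {
        driver = "zfs";
        graphroot = "/var/lib/containers/storage";
        runroot = "/run/containers/storage";
        options.zfs.fsname = "rpool/nixos/podman";
      };
    };

    zramSwap = {
      enable = true;
      algorithm = "zstd";
      memoryPercent = 60;
      priority = 1;
    };

    # No periodic pool TRIM; see the allowDiscards note above.
    services.zfs = {
      trim.enable = false;
    };
  };
}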