
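# NixOS host "iron": ZFS root on top of per-disk LUKS volumes spread over five
# disks, GRUB installed on every disk's ESP (so any single disk can boot the
# machine), and a small IPv4 NAT / IPv6 prefix-delegation router between the
# uplink enp3s5 and the LAN on enp2s4 (plus an IoT VLAN).
{ inputs, config, pkgs, lib, ... }:
let
  zfsKernelPackages = config.boot.zfs.package.latestCompatibleLinuxPackages;

  # Member disks, addressed by their stable by-id names.  Every disk carries the
  # same partition layout (see partitionScheme), which lets the LUKS, GRUB and
  # ESP entries below be generated per disk instead of written out by hand.
  disks = [
    "ata-Samsung_SSD_870_QVO_8TB_S5SSNG0R103837K"
    "ata-Samsung_SSD_870_QVO_8TB_S5SSNG0R103838A"
    "ata-Samsung_SSD_870_QVO_8TB_S5SSNG0R104926N"
    "ata-Samsung_SSD_870_QVO_8TB_S5SSNG0R104934H"
    "ata-Samsung_SSD_870_QVO_8TB_S5SSNJ0W206517Y"
  ];

  # Install GRUB to the removable-media path instead of registering a firmware
  # boot entry, so the machine still boots from any surviving ESP.
  removableEfi = true;

  # Prefix for all device paths; note the trailing slash, every use below
  # concatenates a disk name directly onto it.
  devNodes = "/dev/disk/by-id/";

  # ZFS dataset -> mount point.
  datasets = {
    "bpool/nixos/root" = "/boot";
    "rpool/filebitch" = "/filebitch";
    "rpool/navidrome" = "/var/lib/private/navidrome";
    "rpool/navidrome/music" = "/var/lib/private/navidrome/music";
    "rpool/nixos/home" = "/home";
    "rpool/nixos/root" = "/";
    "rpool/nixos/var/lib" = "/var/lib";
    "rpool/nixos/var/lib/qbittorrent" = "/var/lib/qbittorrent";
    "rpool/nixos/var/lib/qbittorrent/downloads" = "/var/lib/qbittorrent/downloads";
    "rpool/nixos/var/log" = "/var/log";
  };

  # Partition suffixes appended to a disk's by-id name.
  partitionScheme = {
    efiBoot = "-part1";
    bootPool = "-part2";
    luksDev = "-part3";
    biosBoot = "-part4";
  };

  # by-id names (without devNodes prefix) of every disk's ESP.
  efiSystemPartitions = map (diskName: diskName + partitionScheme.efiBoot) disks;

  # Idempotent append: only add the rule when `iptables -C` reports it missing,
  # so re-running the firewall script does not duplicate it.
  iptablesAppendIfMissing = rule: "iptables -C ${rule} || iptables -A ${rule}";
in
with lib; {
  imports = [
    ../../home-manager/users/jalr.nix
    ./services
  ];

  config = {
    system.stateVersion = "23.11";

    # Passwordless sudo for wheel: compromising any wheel account is equivalent
    # to holding root on this host.
    security.sudo.wheelNeedsPassword = false;

    networking = {
      hostName = "iron";
      # ZFS uses the host id to tell which machine last imported a pool.
      hostId = "b141e72f";
      useDHCP = false;
      networkmanager.enable = false;

      vlans = {
        iot = {
          id = 20;
          interface = "enp2s4";
        };
      };

      interfaces = {
        # LAN (untagged) on enp2s4.
        enp2s4.ipv4.addresses = [{
          address = "192.168.42.1";
          prefixLength = 24;
        }];
        # IoT VLAN 20 on enp2s4.
        iot.ipv4.addresses = [{
          address = "10.20.0.1";
          prefixLength = 20;
        }];
        # Uplink; the only interface that gets DHCP.
        enp3s5 = {
          useDHCP = true;
        };
      };

      nat = {
        enable = true;
        externalInterface = "enp3s5";
        internalInterfaces = [
          "enp2s4"
        ];
      };

      firewall = {
        # Clamp the MSS of forwarded TCP SYNs to the path MTU so large packets
        # are not black-holed behind the NAT uplink.
        extraCommands = concatStringsSep "\n" [
          (iptablesAppendIfMissing "FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu")
        ];
      };
    };

    # Router advertisements on the LAN; the prefix itself comes from the
    # delegation requested by dhcpcd below (ia_pd ... enp2s4/0/64).
    services.radvd = {
      enable = true;
      config = ''
        interface enp2s4 {
          AdvSendAdvert on;
          prefix ::/64 {
            AdvOnLink on;
            AdvAutonomous on;
            AdvRouterAddr on;
          };
        };
      '';
    };

    # Only the uplink does IPv6 router solicitation; it requests one address
    # (ia_na) and one delegated prefix (ia_pd), a /64 of which is assigned to
    # enp2s4.
    networking.dhcpcd.extraConfig = ''
      noipv6rs
      waitip 6
      interface enp3s5
      ipv6rs
      ia_na 1
      ia_pd 1/::/64 enp2s4/0/64
    '';

    boot = {
      kernelPackages = zfsKernelPackages;
      kernel.sysctl = {
        "net.ipv6.conf.all.forwarding" = 1;
      };

      initrd = {
        availableKernelModules = [ "ahci" ];
        systemd.enable = true;
        # One LUKS mapping per member disk.  allowDiscards passes TRIM through
        # the mapping, which exposes the free-space layout of the encrypted
        # volume to anyone with the raw disk; accepted here for SSD longevity.
        luks.devices = listToAttrs (map (dev: {
          name = "LUKS-${dev}${partitionScheme.luksDev}";
          value = {
            device = "${devNodes}${dev}${partitionScheme.luksDev}";
            allowDiscards = true;
          };
        }) disks);
      };

      supportedFilesystems = [ "zfs" ];
      zfs = {
        devNodes = devNodes;
        forceImportRoot = false;
      };

      loader = {
        efi = {
          # With a removable-media install there is no NVRAM entry to write.
          canTouchEfiVariables = !removableEfi;
          # GRUB is installed into the first disk's ESP; the others are
          # synced from it in extraInstallCommands.
          efiSysMountPoint = "/boot/efis/${head disks}${partitionScheme.efiBoot}";
        };
        generationsDir.copyKernels = true;
        grub = {
          enable = true;
          devices = map (diskName: devNodes + diskName) disks;
          efiInstallAsRemovable = removableEfi;
          copyKernels = true;
          efiSupport = true;
          zfsSupport = true;
          # Serial console for headless operation; matches kernelParams below.
          extraConfig = ''
            serial --unit=0 --speed=115200 --word=8 --parity=no --stop=1
            terminal_input --append serial
            terminal_output --append serial
          '';
          # Copy the freshly installed EFI tree onto every other disk's ESP so
          # the box still boots when the first disk is gone.
          extraInstallCommands = concatStrings (map (diskName: ''
            ${pkgs.coreutils-full}/bin/cp -r ${config.boot.loader.efi.efiSysMountPoint}/EFI /boot/efis/${diskName}${partitionScheme.efiBoot}
          '') (tail disks));
        };
      };

      kernelParams = [
        "console=ttyS0,115200"
        "console=tty1"
      ];
    };

    # All mount definitions go through one mkMerge.  Appending the /proc entry
    # with `//` to the *result* of mkMerge would place it beside the merge
    # marker's `_type`/`contents` keys, where the module system ignores it, so
    # the /proc hardening would silently never be applied.
    fileSystems = mkMerge (
      (mapAttrsToList (dataset: mountpoint: {
        "${mountpoint}" = {
          device = dataset;
          fsType = "zfs";
          options = [ "X-mount.mkdir" "noatime" ];
          neededForBoot = true;
        };
      }) datasets)
      ++ (map (esp: {
        "/boot/efis/${esp}" = {
          # devNodes already ends in "/"; same form as the LUKS and GRUB
          # entries above (the previous "${devNodes}/${esp}" doubled the slash).
          device = devNodes + esp;
          fsType = "vfat";
          options = [
            "x-systemd.idle-timeout=1min"
            "x-systemd.automount"
            "noauto"
            "nofail"
            "noatime"
            "X-mount.mkdir"
          ];
        };
      }) efiSystemPartitions)
      ++ [{
        # hidepid=2 hides other users' processes in /proc; nosuid/noexec/nodev
        # are the usual proc hardening.
        # NOTE(review): no fsType is given here, so NixOS' default applies; a
        # proc mount is conventionally `device = "proc"; fsType = "proc";`.
        # Now that this entry is actually merged, confirm it coexists with the
        # /proc mount NixOS already sets up via boot.specialFileSystems.
        "/proc" = {
          device = "/proc";
          options = [ "nosuid" "noexec" "nodev" "hidepid=2" ];
        };
      }]
    );

    hardware.enableRedistributableFirmware = true;
    sound.enable = true;

    # Podman/containers image store lives on its own ZFS dataset.
    virtualisation.containers.storage.settings = {
      storage = {
        driver = "zfs";
        graphroot = "/var/lib/containers/storage";
        runroot = "/run/containers/storage";
        options.zfs.fsname = "rpool/nixos/podman";
      };
    };
  };
}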