{ config, pkgs, lib, ... }: { imports = [ # Include the results of the hardware scan. ./hardware-configuration.nix ]; nix.settings = { experimental-features = [ "nix-command" "flakes" ]; auto-optimise-store = true; }; # Bootloader. boot.loader = { efi = { canTouchEfiVariables = true; efiSysMountPoint = "/boot"; # ← use the same mount point here. }; grub = { efiSupport = true; device = "nodev"; useOSProber = true; theme = "${pkgs.fetchFromGitHub { # blue screen of life grub theme owner = "scouckel"; repo = "bsol"; rev = "a8eedad9e7163dce230ca7886be8e1b4ef81da99"; sha256 = "sha256-P2q73uM1Ysn1a+0mOGOvee/Q1WAYRGQvfanrasx/8r8"; }}/bsol"; }; }; system.name = "shar"; networking.hostName = "shar"; # Define your hostname. boot.supportedFilesystems = [ "zfs" ]; services.zfs = { autoScrub.enable = true; autoSnapshot.enable = true; }; fileSystems."/tank" = { device = "tank"; fsType = "zfs"; options = [ "nofail" ]; }; # Configure network proxy if necessary # networking.proxy.default = "http://user:password@proxy:port/"; # networking.proxy.noProxy = "127.0.0.1,localhost,internal.domain"; # Enable networking networking.interfaces.eno1.ipv4.addresses = [{ address = "173.66.162.54"; prefixLength = 28; }]; networking.interfaces.eno1.mtu = 1400; networking.interfaces.eno1.wakeOnLan.enable = true; networking.hostId = "958b5d5d"; networking.useDHCP = false; networking.defaultGateway = { address = "173.66.162.1"; interface = "eno1"; }; networking.nameservers = [ "1.1.1.1" "9.9.9.9" ]; # Set your time zone. time.timeZone = "America/New_York"; # Select internationalisation properties. i18n.defaultLocale = "en_US.UTF-8"; i18n.extraLocaleSettings = { LC_ADDRESS = "en_US.UTF-8"; LC_IDENTIFICATION = "en_US.UTF-8"; LC_MEASUREMENT = "en_US.UTF-8"; LC_MONETARY = "en_US.UTF-8"; LC_NAME = "en_US.UTF-8"; LC_NUMERIC = "en_US.UTF-8"; LC_PAPER = "en_US.UTF-8"; LC_TELEPHONE = "en_US.UTF-8"; LC_TIME = "en_US.UTF-8"; }; # Configure keymap in X11 services.xserver.xkb = { layout = "us"; variant = ""; }; hardware.enableRedistributableFirmware = true; boot.kernelParams = [ "i915.enable_guc=3" ]; environment.sessionVariables = { LIBVA_DRIVER_NAME = "iHD"; }; hardware.graphics = { enable = true; extraPackages = with pkgs; [ intel-media-driver vpl-gpu-rt intel-compute-runtime ]; }; # Define a user account. Don't forget to set a password with ‘passwd’. users.users.jck = { isNormalUser = true; description = "jck"; extraGroups = [ "networkmanager" "wheel" "media" ]; packages = with pkgs; [ vim git lazygit yazi navidrome btop trash-cli ]; openssh.authorizedKeys.keys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBgQS9Y3yqztLL0Ss0JUCN04B6zgLXIETgY0jyvT6I98 jck@tiamat" "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHVbrjXliZECEFOLlgJ8vy+Qja1G+sY0LM+ijEgyP3HZ jck@vecna" "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMGuvWTpRTumIOlnUHRBx5ZqjFi5qfezvLrpLAzB97nq jck@balduran" ]; shell = pkgs.fish; }; security.sudo.wheelNeedsPassword = false; # Allow unfree packages nixpkgs.config.allowUnfree = true; # List packages installed in system profile. To search, run: # $ nix search wget environment.systemPackages = with pkgs; [ jellyfin-ffmpeg kitty.terminfo # vim # Do not forget to add an editor to edit configuration.nix! The Nano editor is also installed by default. # wget ]; # Some programs need SUID wrappers, can be configured further or are # started in user sessions. # programs.mtr.enable = true; # programs.gnupg.agent = { # enable = true; # enableSSHSupport = true; # }; # List services that you want to enable: # Enable the OpenSSH daemon. services.openssh = { enable = true; settings.PasswordAuthentication = false; openFirewall = true; }; programs.fish.enable = true; programs.nh = { enable = true; clean.enable = true; clean.extraArgs = "--keep-since 3d --keep 3"; clean.dates = "daily"; flake = "/home/jck/nixosconf/"; }; services.tailscale = { enable = true; useRoutingFeatures = "server"; extraUpFlags = [ "--login-server=https://headscale.jckrinsky.net" "--advertise-exit-node" ]; }; networking.nat = { enable = true; internalInterfaces = [ "tailscale0" ]; externalInterface = "mullvad"; }; services.headscale = { enable = true; port = 8085; settings = { server_url = "https://headscale.jckrinsky.net"; dns = { magic_dns = false; nameservers.global = [ "1.1.1.1" "9.9.9.9" ]; }; prefixes = { v4 = "100.64.0.0/10"; v6 = "fd7a:115c:a1e0::/48"; }; }; }; services.nfs.server = { enable = true; exports = '' /tank/media 100.64.0.0/10(rw,async,no_subtree_check) /tank/data 100.64.0.0/10(rw,async,no_subtree_check) /tank/backups 100.64.0.0/10(rw,async,no_subtree_check) ''; }; services.nginx = { enable = true; recommendedProxySettings = true; recommendedTlsSettings = true; recommendedGzipSettings = true; recommendedOptimisation = true; virtualHosts."headscale.jckrinsky.net" = { enableACME = true; forceSSL = true; locations."/" = { proxyPass = "http://127.0.0.1:8085"; proxyWebsockets = true; extraConfig = '' proxy_buffering off; ''; }; }; virtualHosts."music.jckrinsky.net" = { enableACME = true; forceSSL = true; locations."/".proxyPass = "http://127.0.0.1:4533"; }; virtualHosts."jellyfin.jckrinsky.net" = { enableACME = true; forceSSL = true; locations."/" = { proxyPass = "http://127.0.0.1:8096"; proxyWebsockets = true; extraConfig = '' proxy_buffering off; ''; }; }; virtualHosts."radicale.jckrinsky.net" = { enableACME = true; forceSSL = true; locations."/".proxyPass = "http://127.0.0.1:5232"; }; virtualHosts."jellyseerr.jckrinsky.net" = { enableACME = true; forceSSL = true; locations."/".proxyPass = "http://127.0.0.1:5055"; }; virtualHosts."git.jckrinsky.net" = { enableACME = true; forceSSL = true; }; }; security.acme = { acceptTerms = true; defaults.email = "jckrinsky@gmail.com"; }; services.navidrome = { enable = true; settings = { MusicFolder = "/tank/media/audio"; DataFolder = "/tank/data/navidrome"; Address = "127.0.0.1"; Port = 4533; EnableTranscoding = true; EnableMediaDeletion = false; Scanner.PurgeMissing = "always"; EnableSharing = true; DefaultShareExpiration = "24h"; }; }; users.users.navidrome.extraGroups = [ "media" ]; services.jellyfin = { enable = true; openFirewall = false; dataDir = "/tank/data/jellyfin/"; hardwareAcceleration = { enable = true; device = "/dev/dri/renderD128"; }; }; systemd.services.jellyfin.serviceConfig = { Restart = "on-failure"; RestartSec = "5s"; StartLimitIntervalSec = 300; StartLimitBurst = 5; }; users.users.jellyfin.extraGroups = [ "video" "render" "media" ]; systemd.services.jellyfin.after = [ "zfs-mount.service" ]; systemd.services.jellyfin.requires = [ "zfs.target" ]; services.radarr = { enable = true; openFirewall = false; dataDir = "/tank/data/arr/radarr"; settings = { server = { bindAddress = "*"; port = 7878; }; }; }; services.lidarr = { enable = true; openFirewall = false; dataDir = "/tank/data/arr/lidarr"; settings = { server = { bindAddress = "*"; port = 8686; }; }; }; services.sonarr = { enable = true; openFirewall = false; dataDir = "/tank/data/arr/sonarr"; settings = { server = { bindAddress = "*"; port = 8989; }; }; }; services.prowlarr = { enable = true; openFirewall = false; dataDir = "/tank/data/arr/prowlarr"; settings = { server = { bindAddress = "*"; port = 9696; }; }; }; users.users.prowlarr = { isSystemUser = true; group = "prowlarr"; }; users.groups.prowlarr = {}; systemd.services.prowlarr.serviceConfig = { DynamicUser = lib.mkForce false; User = lib.mkForce "prowlarr"; Group = lib.mkForce "prowlarr"; ReadWritePaths = [ "/tank/data/arr/prowlarr" ]; ExecStart = lib.mkForce "${pkgs.prowlarr}/bin/Prowlarr -nobrowser -data=/tank/data/arr/prowlarr"; ProtectSystem = lib.mkForce "prowlarr"; }; services.flaresolverr = { enable = true; }; users.groups.media = {}; users.users.sonarr.extraGroups = [ "media" ]; users.users.radarr.extraGroups = [ "media" ]; users.users.lidarr.extraGroups = [ "media" ]; users.users.qbittorrent.extraGroups = [ "media" ]; services.qbittorrent = { enable = true; openFirewall = false; }; systemd.services.qbittorrent.serviceConfig = { RestrictNetworkInterfaces = [ "lo" "mullvad" "tailscale0" ]; }; networking.wg-quick.interfaces.mullvad = { autostart = true; privateKeyFile = "/home/jck/mullvad.key"; address = [ "10.74.181.209/32" ]; table = "off"; peers = [ { publicKey = "qD3AH8vI8MhEVc9+0+2O8zV0Gx9FfKdy7ri3Bnpzo10="; allowedIPs = [ "0.0.0.0/0" "::/0" ]; endpoint = "185.213.193.3:51820"; persistentKeepalive = 25; } ]; postUp = '' ${pkgs.iproute2}/bin/ip route add default dev mullvad table 1234 ${pkgs.iproute2}/bin/ip rule add from 10.74.181.209 table 1234 priority 1000 ${pkgs.iproute2}/bin/ip rule add iif tailscale0 table 1234 priority 1010 ''; postDown = '' ${pkgs.iproute2}/bin/ip rule del from 10.74.181.209 table 1234 ${pkgs.iproute2}/bin/ip rule del iif tailscale0 table 1234 priority 1010 ''; }; services.jellyseerr = { enable = true; configDir = "/tank/data/jellyseerr"; openFirewall = false; port = 5055; }; users.users.jellyseerr = { isSystemUser = true; group = "jellyseerr"; }; users.groups.jellyseerr = {}; systemd.services.jellyseerr.serviceConfig = { DynamicUser = lib.mkForce false; User = lib.mkForce "jellyseerr"; Group = lib.mkForce "jellyseerr"; ReadWritePaths = [ "/tank/data/jellyseerr" ]; ExecStart = lib.mkForce "${pkgs.jellyseerr}/bin/jellyseerr"; }; systemd.services.jellyseerr.after = [ "zfs-mount.service" ]; systemd.services.jellyseerr.requires = [ "zfs.target" ]; services.pufferpanel = { enable = true; extraPackages = [ pkgs.jdk8_headless pkgs.jdk17_headless pkgs.steam-run ]; environment = { PUFFER_WEB_HOST = "100.64.0.2:8086"; PUFFER_DAEMON_SFTP_HOST = "100.64.0.2:5657"; PUFFER_DAEMON_CONSOLE_BUFFER = "1000"; PUFFER_DAEMON_CONSOLE_FORWARD = "true"; PUFFER_PANEL_REGISTRATIONENABLED = "false"; }; }; users.users.pufferpanel = { isSystemUser = true; group = "pufferpanel"; home = "/tank/data/pufferpanel"; }; users.groups.pufferpanel = {}; systemd.services.pufferpanel.serviceConfig = { DynamicUser = lib.mkForce false; User = lib.mkForce "pufferpanel"; Group = lib.mkForce "pufferpanel"; ReadWritePaths = "/tank/data/pufferpanel"; ExecStart = lib.mkForce "${config.services.pufferpanel.package}/bin/pufferpanel run --workDir /tank/data/pufferpanel"; }; systemd.services.pufferpanel.after = [ "zfs-mount.service" ]; systemd.services.pufferpanel.requires = [ "zfs.target" ]; programs.steam.dedicatedServer.openFirewall = true; hardware.graphics.enable32Bit = true; # services.slskd = { # enable = true; # # }; # # systemd.services.slskd.serviceConfig = { # RestrictNetworkInterfaces = [ # "lo" # "mullvad" # "tailscale0" # ]; # }; services.radicale = { enable = true; settings = { server = { hosts = [ "127.0.0.1:5232" ]; }; auth = { type = "htpasswd"; htpasswd_filename = "/tank/data/radicale/users"; htpasswd_encryption = "autodetect"; }; storage = { filesystem_folder = "/tank/data/radicale/calendars/"; }; }; }; users.users.radicale = { isSystemUser = true; group = "radicale"; }; users.groups.radicale = {}; systemd.services.radicale.serviceConfig = { DynamicUser = lib.mkForce false; User = lib.mkForce "radicale"; Group = lib.mkForce "radicale"; ReadWritePaths = [ "/tank/data/radicale" ]; }; systemd.services.radicale.after = [ "zfs-mount.service" ]; systemd.services.radicale.requires = [ "zfs.target" ]; users.users.git = { isSystemUser = true; group = "git"; home = "/tank/data/git"; createHome = true; shell = "${pkgs.git}/bin/git-shell"; openssh.authorizedKeys.keys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBgQS9Y3yqztLL0Ss0JUCN04B6zgLXIETgY0jyvT6I98 jck@tiamat" "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHVbrjXliZECEFOLlgJ8vy+Qja1G+sY0LM+ijEgyP3HZ jck@vecna" "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMGuvWTpRTumIOlnUHRBx5ZqjFi5qfezvLrpLAzB97nq jck@balduran" "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILv193EUr7MN4CTtM0iYNl98f1VQxv95eY0hBQWSHxbi jck@shar" ]; }; users.groups.git = {}; services.cgit."git.jckrinsky.net" = { enable = true; user = "git"; group = "git"; scanPath = "/tank/data/git"; settings = { "enable-index-owner" = false; "enable-commit-graph" = 1; "enable-log-filecount" = 1; "enable-log-linecount" = 1; "clone-url" = "https://git.jckrinsky.net/$CGIT_REPO_URL ssh://git@git.jckrinsky.net:/tank/data/git/$CGIT_REPO_URL"; "source-filter" = "${pkgs.cgit}/lib/cgit/filters/syntax-highlighting.py"; "about-filter" = "${pkgs.cgit}/lib/cgit/filters/about-formatting.sh"; }; gitHttpBackend = { enable = true; checkExportOkFiles = false; }; }; # Open ports in the firewall. networking.firewall.allowedTCPPorts = [ 80 443 22 ]; networking.firewall = { checkReversePath = "loose"; trustedInterfaces = [ "mullvad" ]; }; # networking.firewall.allowedUDPPorts = [ ... ]; # Or disable the firewall altogether. # networking.firewall.enable = false; # This value determines the NixOS release from which the default # settings for stateful data, like file locations and database versions # on your system were taken. It‘s perfectly fine and recommended to leave # this value at the release version of the first install of this system. # Before changing this value read the documentation for this option # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html). system.stateVersion = "25.05"; # Did you read the comment? }