path: root/modules/hosts/shar/shar.nix
{
  inputs,
  self,
  ...
}: {
  # NixOS system for host "shar": the host's own module and hardware module,
  # together with the createHost and hostOptions modules from this flake.
  flake.nixosConfigurations.shar = inputs.nixpkgs.lib.nixosSystem {
    modules = with self.nixosModules; [
      shar
      sharHardware
      createHost
      hostOptions
    ];
  };

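  # Host-specific configuration for "shar": a ZFS storage box with a static
  # public address that forwards traffic arriving on tailscale0 out through a
  # Mullvad WireGuard tunnel, and serves its pools over NFS to the tailnet range.
  flake.nixosModules.shar = {pkgs, ...}: {
    hostOptions = {
      host.name = "shar";
      user.name = "jck";
      user.email = "jckrinsky@gmail.com";
      server = {
        dataPath = "/tank/data";
        mediaPath = "/tank/media";
        domain = "jckrinsky.net";
        # Disabled: the same keys are set directly on users.users.jck below.
        # sshKeys = [
        #   "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBgQS9Y3yqztLL0Ss0JUCN04B6zgLXIETgY0jyvT6I98 jck@tiamat"
        #   "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHVbrjXliZECEFOLlgJ8vy+Qja1G+sY0LM+ijEgyP3HZ jck@vecna"
        #   "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMGuvWTpRTumIOlnUHRBx5ZqjFi5qfezvLrpLAzB97nq jck@balduran"
        #   "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIK3cFs4a3j77gJvoeU92Olj74wcLrVBv+2FUFqKOeoxb jck@dragotha"
        # ];
      };
    };

    # Key-only SSH for the admin user (password auth is disabled further down).
    users.users.jck.openssh.authorizedKeys.keys = [
      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBgQS9Y3yqztLL0Ss0JUCN04B6zgLXIETgY0jyvT6I98 jck@tiamat"
      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHVbrjXliZECEFOLlgJ8vy+Qja1G+sY0LM+ijEgyP3HZ jck@vecna"
      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMGuvWTpRTumIOlnUHRBx5ZqjFi5qfezvLrpLAzB97nq jck@balduran"
      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIK3cFs4a3j77gJvoeU92Olj74wcLrVBv+2FUFqKOeoxb jck@dragotha"
    ];

    # Intel GPU user-space stack; LIBVA_DRIVER_NAME=iHD selects
    # intel-media-driver as the VA-API backend.
    hardware.graphics = {
      enable = true;
      enable32Bit = true;
      extraPackages = with pkgs; [
        intel-media-driver
        vpl-gpu-rt
        intel-compute-runtime
      ];
    };

    # i915.enable_guc=3 enables GuC submission and HuC firmware loading.
    boot.kernelParams = ["i915.enable_guc=3"];
    environment.sessionVariables.LIBVA_DRIVER_NAME = "iHD";

    services.openssh.settings.PasswordAuthentication = false;
    # Fix: openFirewall is an option of the openssh module itself, not an
    # sshd_config keyword. Under `settings` it is rendered into sshd_config as
    # an unknown directive instead of opening the port.
    services.openssh.openFirewall = true;

    hardware.cpu.intel.updateMicrocode = true;

    networking = {
      # Static public address on eno1; DHCP is disabled host-wide.
      interfaces.eno1.ipv4.addresses = [
        {
          address = "173.66.162.54";
          prefixLength = 28;
        }
      ];

      hostId = "958b5d5d";
      useDHCP = false;
      defaultGateway = {
        address = "173.66.162.1";
        interface = "eno1";
      };
      # NOTE(review): the tunnel's default route lives only in table 1234 and is
      # selected by source 10.74.181.209 or iif tailscale0, so the host's own
      # DNS queries appear to leave via eno1, not through Mullvad — confirm
      # that is intended.
      nameservers = ["1.1.1.1" "9.9.9.9"];

      # Masquerade traffic arriving on tailscale0 out of the Mullvad tunnel.
      nat = {
        enable = true;
        internalInterfaces = ["tailscale0"];
        externalInterface = "mullvad";
      };

      wg-quick.interfaces.mullvad = {
        autostart = true;
        # Fix: `privateKey` takes the key material itself (and would copy it
        # into the world-readable Nix store); a path on disk belongs in
        # `privateKeyFile`.
        privateKeyFile = "/home/jck/mullvad.key";
        address = ["10.74.181.209/32"];
        # "off": wg-quick installs no routes itself; the policy routing in
        # postUp decides which traffic uses the tunnel.
        table = "off";

        peers = [
          {
            publicKey = "qD3AH8vI8MhEVc9+0+2O8zV0Gx9FfKdy7ri3Bnpzo10=";
            allowedIPs = ["0.0.0.0/0" "::/0"];
            endpoint = "185.213.193.3:51820";
            persistentKeepalive = 25;
          }
        ];

        # Table 1234 routes everything via the tunnel; only traffic sourced
        # from the tunnel address or arriving on tailscale0 is sent to it.
        postUp = ''
          ${pkgs.iproute2}/bin/ip route add default dev mullvad table 1234
          ${pkgs.iproute2}/bin/ip rule add from 10.74.181.209 table 1234 priority 1000
          ${pkgs.iproute2}/bin/ip rule add iif tailscale0 table 1234 priority 1010
        '';

        # The table-1234 route disappears with the interface; only the rules
        # need removing. Priority is given on both so each `del` matches the
        # exact rule added above.
        postDown = ''
          ${pkgs.iproute2}/bin/ip rule del from 10.74.181.209 table 1234 priority 1000
          ${pkgs.iproute2}/bin/ip rule del iif tailscale0 table 1234 priority 1010
        '';
      };
    };

    # Allow-list of interfaces qbittorrent may use: eno1 is absent, so torrent
    # traffic cannot leave on the public NIC if the tunnel is down.
    systemd.services.qbittorrent.serviceConfig = {
      RestrictNetworkInterfaces = [
        "lo"
        "mullvad"
        "tailscale0"
      ];
    };

    # ZFS legacy mountpoints; `nofail` lets boot proceed if a pool is missing.
    fileSystems."/tank/data" = {
      device = "shar0/data";
      fsType = "zfs";
      options = ["nofail"];
    };

    fileSystems."/tank/media" = {
      device = "shar1/data";
      fsType = "zfs";
      options = ["nofail"];
    };

    # NOTE(review): same dataset as /tank/media (shar1/data); this looks like
    # a copy-paste slip — confirm which dataset /tank/backups should mount.
    fileSystems."/tank/backups" = {
      device = "shar1/data";
      fsType = "zfs";
      options = ["nofail"];
    };

    # NOTE(review): autoSnapshot only covers datasets with the
    # com.sun:auto-snapshot property set — verify it is set on shar0/shar1.
    services.zfs = {
      autoScrub.enable = true;
      autoSnapshot.enable = true;
    };

    # Exports limited to 100.64.0.0/10, the CGNAT range Tailscale assigns from.
    # Plain AUTH_SYS: the server trusts client-supplied UIDs (root is squashed
    # by default). `async` acknowledges writes before they reach disk, so an
    # unclean server reboot can lose acknowledged writes.
    services.nfs.server = {
      enable = true;
      exports = ''
        /tank/media 100.64.0.0/10(rw,async,no_subtree_check)
        /tank/data 100.64.0.0/10(rw,async,no_subtree_check)
        /tank/backups 100.64.0.0/10(rw,async,no_subtree_check)
      '';
    };
  };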
}