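# NixOS configuration for host "hs": LUKS unlock over initrd SSH, an NVIDIA
# desktop, and a set of self-hosted services (Immich, Jellyfin, Forgejo plus
# an actions runner, glances, nix-serve) fronted by nginx with ACME certs.
{ config, pkgs, ... }:
let
  # Public keys that may log in as `ant` and as `root` over SSH, and that may
  # unlock the disks through the initrd SSH server.
  sshKeys = [
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAM15boHYClgaBXAIyWSjbJd3W/bwcIE6YZwLu/K+Ipp ant@nixos"
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKCTCKcHgCZOlGeCEz0+HcoYMyXzFy3l3igsG+nhMC8Z ant@moon"
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIB5zrLxiyG6T5eupXT/wqhvtt8Cuak4DtPEzCyksqa1a ant@allegro"
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKt6WkeBNowTOqSv1GAvTSIMReaMDvltOKGpUC2jStGG ant@hs"
  ];
  # Only used for `networking.domain`; the active nginx vhosts below spell
  # out antoinevaure.fr directly.
  domain = "antoinev.freeboxos.fr";
  # ./ssh/authorized_keys_root;
in
{
  imports = [
    ./hardware-configuration.nix
    ./syncthing.nix
    ./disks.nix
    ./backup.nix
  ];

  nix.settings = {
    experimental-features = [ "nix-command" "flakes" ];
  };

  # Bring networking up inside the initrd so the remote-unlock SSH server
  # is reachable before the root disk is open.
  boot.kernelParams = [ "ip=dhcp" ];

  boot = {
    loader.systemd-boot.enable = true;
    loader.efi.canTouchEfiVariables = true;
    initrd = {
      availableKernelModules = [ "r8169" ];
      network = {
        enable = true;
        # Remote disk unlock: an SSH session into the initrd lands directly
        # in cryptsetup-askpass.
        ssh = {
          enable = true;
          port = 22;
          authorizedKeys = sshKeys;
          # NOTE(review): this reuses the booted system's SSH host key. The
          # initrd is presumably stored on the unencrypted ESP that
          # systemd-boot reads, so whoever can read the boot medium can
          # obtain this private key and impersonate the host. A separate
          # key generated only for the initrd avoids that; the file must
          # exist before switching, so confirm the path before changing it.
          hostKeys = [ "/etc/ssh/ssh_host_ed25519_key" ];
          shell = "/bin/cryptsetup-askpass";
        };
      };
    };
  };

  hardware.graphics = {
    enable = true;
    enable32Bit = true;
    extraPackages = with pkgs; [ nvidia-vaapi-driver ];
  };
  hardware.nvidia.package = config.boot.kernelPackages.nvidiaPackages.legacy_535;
  services.xserver.videoDrivers = [ "nvidia" ];

  networking.hostName = "hs"; # Define your hostname.
  networking.networkmanager.enable = true;
  networking.domain = domain;

  time.timeZone = "Europe/Paris";
  i18n.defaultLocale = "fr_FR.UTF-8";
  i18n.extraLocaleSettings = {
    LC_ADDRESS = "fr_FR.UTF-8";
    LC_IDENTIFICATION = "fr_FR.UTF-8";
    LC_MEASUREMENT = "fr_FR.UTF-8";
    LC_MONETARY = "fr_FR.UTF-8";
    LC_NAME = "fr_FR.UTF-8";
    LC_NUMERIC = "fr_FR.UTF-8";
    LC_PAPER = "fr_FR.UTF-8";
    LC_TELEPHONE = "fr_FR.UTF-8";
    LC_TIME = "fr_FR.UTF-8";
  };
  services.xserver.xkb = {
    layout = "fr";
    variant = "";
  };
  console.keyMap = "fr";

  users.users.ant = {
    isNormalUser = true;
    description = "ant";
    extraGroups = [ "networkmanager" "wheel" "jellyfin" ];
    openssh.authorizedKeys.keys = sshKeys;
  };
  # `ant` is in wheel and gets sudo without a password, SSH is key-only, and
  # the same keys are authorised for root directly: possession of any key in
  # sshKeys is therefore equivalent to root on this host.
  security.sudo.wheelNeedsPassword = false;

  nixpkgs.config.allowUnfree = true;
  environment.systemPackages = with pkgs; [ neovim tmux nh git curl wget htop ];

  # Some programs need SUID wrappers, can be configured further or are
  # started in user sessions.
  # programs.mtr.enable = true;
  # programs.gnupg.agent = {
  #   enable = true;
  #   enableSSHSupport = true;
  # };

  # List services that you want to enable:

  # Enable the OpenSSH daemon.
  services.openssh = {
    enable = true;
    settings.PasswordAuthentication = false;
  };
  users.users.root.openssh.authorizedKeys.keys = sshKeys;

  programs.fish = {
    enable = true;
    interactiveShellInit = ''
      set -gx fish_greeting
    '';
  };
  users.defaultUserShell = pkgs.fish;

  # Open ports in the firewall.
  networking.firewall.allowedTCPPorts = [
    80
    443 # ssl
    # 25565 appears to belong to the ragnamod service below, which is
    # currently disabled -- TODO confirm it still needs to be open.
    25565
  ];
  networking.firewall.allowedUDPPorts = [ 25565 ];
  # Or disable the firewall altogether.
  # networking.firewall.enable = false;

  networking.interfaces.enp10s0.wakeOnLan.enable = true;

  systemd.services.ragnamod = {
    enable = false;
    after = [ "network.target" ];
    wantedBy = [ "default.target" ];
    description = "Ragnamod server";
    path = [ pkgs.jre ];
    serviceConfig = {
      Type = "simple";
      ExecStart = "/home/ant/ragnamod/startserver.sh";
      User = "ant";
    };
  };

  # NOTE(review): openFirewall makes glances reachable on every interface,
  # and nothing in this file configures authentication for it -- confirm it
  # is meant to be exposed beyond localhost.
  services.glances = {
    enable = true;
    openFirewall = true;
  };

  services.immich = {
    enable = true;
    accelerationDevices = null;
  };
  users.users.immich.extraGroups = [ "video" "render" ];

  services.nginx = {
    enable = true;
    recommendedGzipSettings = true;
    recommendedOptimisation = true;
    recommendedProxySettings = true;
    recommendedTlsSettings = true;
    virtualHosts =
      let
        # HTTPS vhost (ACME certificate, plain HTTP redirected) that proxies
        # everything, websockets included, to a loopback service on `port`.
        reverseProxy = port: {
          enableACME = true;
          forceSSL = true;
          locations."/" = {
            proxyPass = "http://127.0.0.1:${builtins.toString port}";
            proxyWebsockets = true;
          };
        };
      in
      {
        # Immich gets its own vhost instead of reverseProxy: large uploads
        # need a bigger request body limit and longer timeouts.
        "immich.antoinevaure.fr" = {
          enableACME = true;
          forceSSL = true;
          locations."/" = {
            proxyWebsockets = true;
            recommendedProxySettings = true;
            extraConfig = ''
              client_max_body_size 50000M;
              proxy_read_timeout 600s;
              proxy_send_timeout 600s;
              send_timeout 600s;
            '';
            proxyPass = "http://localhost:${builtins.toString config.services.immich.port}";
          };
        };
        "jellyfin.antoinevaure.fr" = (reverseProxy 8096);
        # "sonarr.${domain}" = (reverseProxy 8989);
        # "radarr.${domain}" = (reverseProxy 7878);
        # "qbittorrent.${domain}" = (reverseProxy qbittorrentPort);
        "git.antoinevaure.fr" = (reverseProxy 3000);
        # "nextcloud.${domain}" = {
        #   enableACME = true;
        #   forceSSL = true;
        # };
        "nixcache.antoinevaure.fr" = (reverseProxy config.services.nix-serve.port);
      };
  };

  services.forgejo = {
    enable = true;
    lfs.enable = true;
    settings = {
      server = {
        DOMAIN = "git.antoinevaure.fr";
        ROOT_URL = "https://git.antoinevaure.fr/";
        HTTP_PORT = 3000;
      };
      # You can temporarily allow registration to create an admin user.
      service.DISABLE_REGISTRATION = true;
      # Add support for actions, based on act: https://github.com/nektos/act
      actions = {
        ENABLED = true;
        # DEFAULT_ACTIONS_URL = "github";
      };
      repository = {
        ENABLE_PUSH_CREATE_USER = true;
        ENABLE_PUSH_CREATE_ORG = true;
      };
      # Sending emails is completely optional
      # You can send a test email from the web UI at:
      # Profile Picture > Site Administration > Configuration > Mailer Configuration
      # mailer = {
      #   ENABLED = true;
      #   SMTP_ADDR = "mail.example.com";
      #   FROM = "noreply@${srv.DOMAIN}";
      #   USER = "noreply@${srv.DOMAIN}";
      # };
    };
  };

  services.gitea-actions-runner = {
    package = pkgs.forgejo-actions-runner;
    instances.default = {
      enable = true;
      name = "monolith";
      url = "https://git.antoinevaure.fr";
      # Obtaining the path to the runner token file may differ
      # tokenFile should be in format TOKEN=, since it's EnvironmentFile for systemd
      # Given as a string, like nix-serve's secretKeyFile below, rather than
      # a path literal: a path literal is copied into the world-readable Nix
      # store whenever it is string-interpolated, which would leak the token.
      tokenFile = "/root/forgejo_runner_token";
      # NOTE(review): "native:host" looks like a host-executed (no container)
      # runner, so anyone able to push a workflow to this Forgejo would run
      # code on this machine as the runner's user -- confirm that is intended.
      labels = [ "native:host" ];
      hostPackages = with pkgs; [ bash coreutils gitMinimal config.nix.package ];
    };
  };

  security.acme = {
    acceptTerms = true;
    defaults.email = "contact@antoinevaure.fr";
  };

  services.jellyfin.enable = true;

  system.stateVersion = "24.11";

  # Binary cache behind nixcache.antoinevaure.fr. secretKeyFile is a string
  # on purpose: a path literal would be copied into the Nix store.
  services.nix-serve = {
    enable = true;
    secretKeyFile = "/var/cache-priv-key.pem";
  };
}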