{ config, pkgs, ... }:

# NixOS Homelab
# =============
# A small declarative homelab in the spirit of Yunohost: one host running a
# handful of self-hosted services, all of it described in Nix rather than
# configured by hand.
#
# Comments or suggestions to https://fedi.arkadi.one/@tootbrute
{
# Hardware scan output (nixos-generate-config) plus one module per service.
imports = [
  ./hardware-configuration.nix
  ./services/jellyfin.nix
  ./services/calibre-web.nix
  ./services/glances.nix
  ./services/fail2ban.nix
  ./services/transmission.nix
];
# Bootloader and early-boot (initrd) SSH for remote ZFS unlock.
# https://wiki.nixos.org/wiki/ZFS
boot = {
  loader.systemd-boot.enable = true;

  # Bring up networking and a small sshd inside the initrd so the ZFS
  # encryption key can be supplied without a console. Ethernet only: the
  # initrd has no wireless stack.
  initrd.network.enable = true;
  initrd.network.ssh = {
    enable = true;
    port = 2222;
    # NOTE(review): this host key lives on the unencrypted ESP (and is
    # typically copied into the initrd image there as well), so anyone with
    # the disk in hand can read it. Never reuse the main sshd host key for
    # this, and pin this key's fingerprint in the clients' known_hosts:
    # someone able to alter /boot could otherwise present a look-alike
    # unlock prompt and capture the passphrase typed into it.
    hostKeys = [ /boot/host_ecdsa_key ];
    # Same keys as users.users.elias minus the RSA "acer at school" key.
    # If that omission is intentional, keep this explicit list. The shortcut
    # from https://discourse.nixos.org/t/unlock-encrypted-zfs-via-ssh-on-boot/40582
    # (deriving the list from config.users.users for every wheel member)
    # would silently grant that key disk-unlock rights too.
    authorizedKeys = [
      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGfnE4JwpIyghoFYurZLjFkzc5G4l1FeS76yYITg9wUB elias@tux" # little hp - tux
      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIH0Q/NC0RHEUjx2WHrZPw0xnCjOCFv5uz53099lknZmG elias@fedora" # desktop
      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIL3Ihu9CsCL17FuHl6EqyMDT5BPjh8GlLTWHM+Y1D1I7 elias@bluenix" # bluenix
      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILv96m1nCz3D0lzjzeGa+n4m3krEyl7KZ0tstjIZdTkq elias@bluefin" # acer
      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIK8zlxSVOTCnAgb4U5vkC3ietH3Jd9gLE+FA6UOZp64J elias@arkadi.one" # arkadi
      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMVWt9UsavFfdwQzklW/zSlwGwQXaDvFk+MdzsCp0gnp tootbrute@tutanota.com" # greynix
    ];
    # Unlock from a client on the LAN:
    #   ssh -p 2222 root@192.168.15.180 "zfs load-key -a && killall zfs"
    # load-key prompts for the passphrase; killing the initrd's own blocking
    # zfs prompt afterwards lets the boot continue into stage 2.
  };
};
# ZFS: periodic scrub so latent data errors are detected, not discovered
# during a resilver.
services.zfs.autoScrub.enable = true;

# Nix store housekeeping: collect garbage and hard-link duplicates on a timer.
nix = {
  gc.automatic = true;
  optimise.automatic = true;
};
# Networking
networking = {
  hostName = "knossos";
  # Needed by the ZFS module; it must keep the value the pools were created
  # and imported with, so treat it as part of the pool's identity.
  hostId = "0631374f";
  # Wireless via wpa_supplicant. NetworkManager stays off (line below), so
  # the "networkmanager" group on the elias account currently does nothing.
  wireless.enable = true;
};
#networking.networkmanager.enable = true;
# Locale and time zone: English messages, Taiwanese conventions for
# everything else (addresses, money, paper, dates, ...).
time.timeZone = "Asia/Taipei";
i18n = {
  defaultLocale = "en_US.UTF-8";
  extraLocaleSettings = let tw = "zh_TW.UTF-8"; in {
    LC_ADDRESS = tw;
    LC_IDENTIFICATION = tw;
    LC_MEASUREMENT = tw;
    LC_MONETARY = tw;
    LC_NAME = tw;
    LC_NUMERIC = tw;
    LC_PAPER = tw;
    LC_TELEPHONE = tw;
    LC_TIME = tw;
  };
};

# Flakes and the unified `nix` CLI.
nix.settings.experimental-features = [ "nix-command" "flakes" ];
#fix later
# Configure keymap in X11
# services.xserver = {
# xkb.layout = "us";
# xkb.Variant = "";
# };
# The single interactive account. Its password is set imperatively with
# `passwd`; the password only guards console login, since SSH access is by
# key and sudo (wheel) asks for nothing further.
users.users.elias = {
  isNormalUser = true;
  description = "Tootbrute";
  # NOTE(review): "wheel" with security.sudo.wheelNeedsPassword = false makes
  # this account root-equivalent; "docker" is effectively root-equivalent
  # too if the rootful daemon is ever enabled (the rootless variant in the
  # disabled Docker block below does not need it); "networkmanager" is inert
  # while NetworkManager stays disabled.
  extraGroups = [ "networkmanager" "wheel" "docker" ];
  # Keep this user's systemd --user services running with no active login.
  linger = true;
  packages = with pkgs; [ ];
  # One key per device; the first is also the only RSA key in the file and
  # the only one not trusted for initrd disk unlock.
  openssh.authorizedKeys.keys = [
    "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDCbK2VQVSzh/e6qrq66iQnrXGET2JeQsyP+lKhUntlMqTiqMjUAT2cmjIOpspde/VsR60E88FjHpmy1dxrWtvldcLvUXmfjB2Id8zkj28gqPlLlMGyzQQ8M1hokVySFR3sBQESNsow67zg4zgdZESsNplSoxzrGg10Yowo3U6pLv6o/OjrfHeZaeFphEpgjQ+jdNkMS6sAPUKkzCg4zh+24M5cYNSvbXEv1OmSOUq4kZGL96xDt+Ke0rZnew/NBW7m5umh49q4Q0SPwbTf02UFMjAEPBKWREWvjBbreEN9AHytcaWk340bdX5UAsO1W8oA0qj1hrHrsEIw8n9WxoVzTDJrLW1zDFWWQ1L6xKoaawtcpDqg2lmcjaMIwEFvj7HSgn7/Y/UfTV5Gyhed968VqNlC4v4vEXQ5a44T5PFQLmo80PZ6xka4Rsa46n1vIFSdVu3JDr81s3U5pO3QxJMykUzY9Cs7jtQ/AeV9n4Bu6fm1gJzi2G/72SxJJ8OV4BU= elias@socrates" # acer at school
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGfnE4JwpIyghoFYurZLjFkzc5G4l1FeS76yYITg9wUB elias@tux" # little hp - tux
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIH0Q/NC0RHEUjx2WHrZPw0xnCjOCFv5uz53099lknZmG elias@fedora" # desktop
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIL3Ihu9CsCL17FuHl6EqyMDT5BPjh8GlLTWHM+Y1D1I7 elias@bluenix" # bluenix
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILv96m1nCz3D0lzjzeGa+n4m3krEyl7KZ0tstjIZdTkq elias@bluefin" # acer
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIK8zlxSVOTCnAgb4U5vkC3ietH3Jd9gLE+FA6UOZp64J elias@arkadi.one"
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMVWt9UsavFfdwQzklW/zSlwGwQXaDvFk+MdzsCp0gnp tootbrute@tutanota.com" # greynix
  ];
};
# SSH Login Message
# ASCII-art banner printed after login. Cosmetic only; the artwork is kept
# verbatim because its original layout cannot be recovered from this copy.
users . motd = "
||
||
|| // ` ` || '' | , . | '' | , ( '' '' ( '' '' . | '' | , ( ''' '
|| < < || || || || ` '' ) ` '' ) || || ` '' )
. || \ \ . . || || . ` | . . | ' ` . . . ' ` . . . ' ` | . . | ' ` . . . '
" ;
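# Passwordless sudo for the wheel group.
# NOTE(review): with this set, whoever holds one of elias's SSH keys (or the
# account password, should password SSH auth ever be enabled) is root — the
# password only protects the console. Reasonable for a key-only homelab;
# revisit if the box is ever reached by anything other than those keys.
security.sudo.wheelNeedsPassword = false;

# Enable automatic login for the user.
#services.getty.autologinUser = "elias";

# Allow unfree packages
nixpkgs.config.allowUnfree = true;

# System-wide packages (search with `nix search wget`). The original list
# named wget twice; listed once here.
environment.systemPackages = with pkgs; [
  # network / diagnostics
  curl
  wget
  tcpdump # for wireguard test
  # system monitoring
  fastfetch
  htop
  btop
  systemctl-tui # systemd tui
  wiper # like ncdu
  diskonaut # see how much space is used
  # everyday tooling
  git
  neovim
  restic
  tmux # like screen
];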
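# OpenSSH. Port 22 is opened on every interface by the firewall block below
# and every client key is already listed on users.users.elias, so password
# and keyboard-interactive logins are switched off: fail2ban then only sees
# key-auth failures, and a leaked or weak account password cannot be turned
# into a shell. Keep a console (or the initrd sshd) reachable when rolling
# this out in case a client key is missing from the list.
services.openssh = {
  enable = true;
  settings = {
    PasswordAuthentication = false;
    KbdInteractiveAuthentication = false;
  };
};

# Tailscale (UDP port is opened in the firewall block below).
services.tailscale = {
  enable = true;
  #permitCertUid = "caddy";
};

# Cron: healthchecks.io heartbeat.
# NOTE(review): the ping URL acts as a bearer capability — anyone holding it
# can mark this host healthy — so keep this file out of public repos or move
# the URL into a secret. The schedule in the original was ambiguous
# ("00 * * * *" hourly, or a six-field "0 0 * * * *" which cron would
# misread with "*" as the user); hourly is assumed here — confirm it against
# the check's expected period on hc-ping.com.
services.cron = {
  enable = true;
  systemCronJobs = [
    # -fsS: non-zero exit on HTTP errors, no progress noise; -m/--retry keep a
    # flaky link from hanging cron or dropping a beat.
    "0 * * * * root curl -fsS -m 10 --retry 5 -o /dev/null https://hc-ping.com/0bbb3afb-196a-4d12-894f-599099029cfc"
  ];
};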
# Docker
# Not needed yet, so disabled. If Docker is ever turned on, prefer the rootless daemon on its own: the rootful daemon (docker.enable) together with the "docker" group on elias is effectively passwordless root, and rootless mode does not need that group.
/*
virtualisation = {
docker = {
enable = true ;
autoPrune = {
enable = true ;
dates = " w e e k l y " ;
} ;
rootless = {
enable = true ;
setSocketVariable = true ;
} ;
} ;
} ;
*/
# Firewall. Everything arriving on the Tailscale interface is trusted;
# 22/80/443 are additionally open on every other interface — the wired LAN
# and, with networking.wireless enabled, Wi-Fi.
# NOTE(review): because tailscale0 is trusted, SSH already works over
# Tailscale without port 22 here; it stays open only for direct LAN access
# (the initrd unlock comment above uses the LAN address). Dropping 22 would
# leave just 80/443 reachable from untrusted networks.
networking.firewall.enable = true;
networking.firewall.trustedInterfaces = [ "tailscale0" ];
networking.firewall.allowedTCPPorts = [ 22 80 443 ];
# Tailscale's own UDP port, taken from the service so the two never drift.
networking.firewall.allowedUDPPorts = [ config.services.tailscale.port ];
# The NixOS release whose defaults for stateful data (file locations,
# database schema versions, ...) this install started with. It is not the
# version to run: leave it at the first-install value across upgrades and
# read the option documentation (man configuration.nix) before ever
# changing it.
system.stateVersion = "24.11";
}