nixcfg/hosts/mauville/default.nix

220 lines
5.1 KiB
Nix

# Custom desktop with AMD Ryzen 5 2600, 16GB RAM, AMD Rx 6700, and 1TB SSD + 2TB HDD.
{
config,
lib,
pkgs,
self,
...
}: let
archiveDirectory = "/mnt/Archive";
domain = "raffauflabs.com";
mediaDirectory = "/mnt/Media";
in {
imports = [
../common
./disko.nix
./home.nix
self.inputs.nixhw.nixosModules.common-amd-cpu
self.inputs.nixhw.nixosModules.common-amd-gpu
self.inputs.nixhw.nixosModules.common-bluetooth
self.inputs.nixhw.nixosModules.common-ssd
self.inputs.raffauflabs.nixosModules.raffauflabs
];
age.secrets = {
cloudflare.file = ../../secrets/cloudflare.age;
lastfmId = {
owner = "navidrome";
file = ../../secrets/lastFM/apiKey.age;
};
lastfmSecret = {
owner = "navidrome";
file = ../../secrets/lastFM/secret.age;
};
spotifyId = {
owner = "navidrome";
file = ../../secrets/spotify/clientId.age;
};
spotifySecret = {
owner = "navidrome";
file = ../../secrets/spotify/clientSecret.age;
};
syncthingCert.file = ../../secrets/syncthing/mauville/cert.age;
syncthingKey.file = ../../secrets/syncthing/mauville/key.age;
};
system.activationScripts.gen-initrd-ssh.text = ''
KEY_PATH="/etc/secrets/initrd/ssh_host_ed25519_key"
mkdir -p /etc/secrets/initrd
# Check if the file already exists
if [ -f "$KEY_PATH" ]; then
echo "Key already exists at $KEY_PATH. Skipping ssh-keygen."
else
# Generate the SSH key if it doesn't exist
${pkgs.openssh}/bin/ssh-keygen -t ed25519 -N "" -f "$KEY_PATH"
echo "SSH key generated at $KEY_PATH."
fi
'';
boot = {
initrd = {
availableKernelModules = ["xhci_pci" "ahci" "nvme" "usbhid" "sd_mod" "r8169"];
network = {
enable = true;
flushBeforeStage2 = true;
ssh = {
enable = true;
port = 22;
authorizedKeyFiles = config.users.users.root.openssh.authorizedKeys.keyFiles;
hostKeys = [/etc/secrets/initrd/ssh_host_ed25519_key];
};
udhcpc.enable = true;
postCommands = ''
# Automatically ask for the password on SSH login
echo 'cryptsetup-askpass || echo "Unlock was successful; exiting SSH session" && exit 1' >> /root/.profile
'';
};
};
loader = {
efi.canTouchEfiVariables = true;
systemd-boot.enable = true;
};
};
hardware.enableAllFirmware = true;
networking.hostName = "mauville";
services = {
forgejo.settings.service.DISABLE_REGISTRATION = lib.mkForce true;
samba = {
enable = true;
openFirewall = true;
securityType = "user";
shares = {
Media = {
browseable = "yes";
comment = "Media @ ${config.networking.hostName}";
path = mediaDirectory;
"read only" = "no";
"guest ok" = "yes";
"create mask" = "0755";
"directory mask" = "0755";
};
Archive = {
browseable = "yes";
comment = "Archive @ ${config.networking.hostName}";
path = archiveDirectory;
"create mask" = "0755";
"directory mask" = "0755";
"guest ok" = "yes";
"read only" = "no";
};
};
};
samba-wsdd = {
enable = true;
openFirewall = true;
};
};
environment.variables.GDK_SCALE = "1.25";
system = {
autoUpgrade.allowReboot = lib.mkForce false;
stateVersion = "24.05";
};
zramSwap.memoryPercent = 100;
ar = {
apps = {
firefox.enable = true;
nicotine-plus.enable = true;
podman.enable = true;
steam.enable = true;
virt-manager.enable = true;
};
desktop = {
greetd = {
enable = true;
autologin = "aly";
};
hyprland.enable = true;
steam.enable = true;
};
users = {
aly = {
enable = true;
password = "$y$j9T$SHPShqI2IpRE101Ey2ry/0$0mhW1f9LbVY02ifhJlP9XVImge9HOpf23s9i1JFLIt9";
syncthing = {
enable = true;
certFile = config.age.secrets.syncthingCert.path;
keyFile = config.age.secrets.syncthingKey.path;
musicPath = "${mediaDirectory}/Music";
};
};
dustin = {
enable = true;
password = "$y$j9T$3mMCBnUQ.xjuPIbSof7w0.$fPtRGblPRSwRLj7TFqk1nzuNQk2oVlgvb/bE47sghl.";
};
};
};
raffauflabs = {
inherit domain;
enable = true;
containers.oci.freshRSS.enable = true;
services = {
audiobookshelf.enable = true;
ddclient = {
enable = true;
passwordFile = config.age.secrets.cloudflare.path;
protocol = "cloudflare";
};
forgejo.enable = true;
navidrome = {
enable = true;
lastfm = {
idFile = config.age.secrets.lastfmId.path;
secretFile = config.age.secrets.lastfmSecret.path;
};
spotify = {
idFile = config.age.secrets.spotifyId.path;
secretFile = config.age.secrets.spotifySecret.path;
};
};
plexMediaServer.enable = true;
transmission.enable = true;
};
};
}