Changed the default location to /home/${username}/.secrets/age/age.key; impermanent systems have to override this.
{
  mylib,
  pkgs,
  username,
  config,
  ...
}: let
  # Both NICs are configured with the same static address; only the 2.5G link
  # is marked routable / preferred, the 1G one is a fallback.
  # NOTE(review): two interfaces on one subnet with one address — confirm both
  # are never brought up at the same time, or the address will be duplicated.
  lanAddress = "192.168.86.50/24";
  lanGateway = "192.168.86.5";
  lanNameservers = ["192.168.86.26" "8.8.8.8"];

  # Ports opened for TCP and UDP alike (consumed by modules.network below).
  # NOTE(review): 5173 (SvelteKit) and 8090 (PocketBase) are dev/admin
  # endpoints exposed on every interface the firewall covers — confirm
  # LAN-wide reachability is intended rather than a loopback-only bind.
  lanPorts = [
    7777 # AvaTalk
    12777 # AvaTalk
    # 31431 # Parsec
    5173 # SvelteKit
    8090 # PocketBase
    4242 # Lan-Mouse
  ];
in {
  imports = [
    # Results of the hardware scan.
    ./hardware-configuration.nix
    ./disks.nix
    ../modules
  ];

  modules = {
    impermanence.enable = true;

    network = {
      useNetworkManager = true;

      # systemd-networkd units. The "10-" prefix sorts ahead of the module's
      # default "50-ether" unit so these take precedence.
      networks = {
        "10-ether-2_5G" = mylib.networking.mkStaticSystemdNetwork {
          interface = "enp8s0";
          ips = [lanAddress];
          routers = [lanGateway];
          nameservers = lanNameservers;
          routable = true;
        };
        "10-ether-1G" = mylib.networking.mkStaticSystemdNetwork {
          interface = "enp5s0";
          ips = [lanAddress];
          routers = [lanGateway];
          nameservers = lanNameservers;
          routable = false;
        };
      };

      # NetworkManager keyfile profiles. To regenerate from a live system run
      #   nix run github:Janik-Haag/nm2nix | nix run github:kamadorueda/alejandra
      # inside /etc/NetworkManager/system-connections/.
      profiles = {
        "10-ether-2_5G" = mylib.networking.mkStaticNetworkManagerProfile {
          id = "Wired 2.5G";
          interface = "enp8s0";
          ip = lanAddress;
          router = lanGateway;
          # keyfile syntax: ';'-separated, trailing ';' required
          nameserver = "192.168.86.26;8.8.8.8;";
          # Prefer the 2.5G link over the 1G one (which keeps the default priority).
          priority = 10;
        };
        "10-ether-1G" = mylib.networking.mkStaticNetworkManagerProfile {
          id = "Wired 1G";
          interface = "enp5s0";
          ip = lanAddress;
          router = lanGateway;
          nameserver = "192.168.86.26;8.8.8.8;";
        };
      };

      allowedTCPPorts = lanPorts;
      allowedUDPPorts = lanPorts;
    };

    # Secrets decrypted for this user (paths are used below).
    sops-nix.secrets.${username} = [
      "makemkv-app-key"
      "restic-repo-key"
    ];
  };

  sops = {
    # sops needs the age key before impermanence mounts /home, so point at the
    # persisted location directly instead of the /home/... default.
    # NOTE(review): ownership/mode of the key file are not managed here —
    # presumably root-only readable on the persisted volume; verify.
    age.keyFile = "/persist/home/${username}/.secrets/age/age.key";

    # makemkv settings file with the app key filled in from the sops placeholder.
    templates."makemkv-settings.conf" = {
      owner = config.users.users.${username}.name;
      content = ''
        app_Key = "${config.sops.placeholder.makemkv-app-key}"
        sdf_Stop = ""
      '';
    };
  };

  # Kernel, kernel params and plymouth are left at their defaults for now.
  boot = {};

  programs = {
    ausweisapp = {
      enable = true;
      # The module opens its own port in the firewall.
      openFirewall = true;
    };
  };

  services = {
    btrfs.autoScrub = {
      enable = true;
      interval = "weekly";
      fileSystems = ["/"];
    };

    # System (root) service on purpose: /persist is backed up as root so
    # restic can read every file. Do not set `user`.
    restic.backups."synology" = {
      # NOTE(review): if /home/${username} is itself persisted under /persist,
      # this repository lives inside the backed-up tree and is not excluded
      # below — confirm it is a separate mount (e.g. the NAS) or add an exclude.
      repository = "/home/${username}/Restic";
      initialize = true;
      passwordFile = config.sops.secrets.restic-repo-key.path;
      createWrapper = true;

      timerConfig = {
        OnCalendar = "daily";
        # Catch up on missed runs after downtime.
        Persistent = true;
        RandomizedDelaySec = "5h";
      };

      runCheck = true;
      checkOpts = ["--with-cache"];

      # Retention: 3 daily + 2 weekly snapshots, nothing monthly/yearly.
      pruneOpts = [
        "--keep-daily 3"
        "--keep-weekly 2"
        # Remove data no longer referenced by any snapshot.
        "--prune"
        "--repack-uncompressed"
      ];

      paths = ["/persist"];
      exclude = [
        # The backup only needs to allow a system restore, old trees are noise.
        "/persist/old_homes"
        "/persist/old_roots"

        # Synced by nextcloud already, no point in keeping 50 more copies.
        "/persist/home/${username}/Documents"
        "/persist/home/${username}/NixFlake"
        "/persist/home/${username}/Notes"
        "/persist/home/${username}/Projects"
        "/persist/home/${username}/Public"

        # Cache directories (basename patterns, matched anywhere in the tree).
        ".cache"
        "cache2" # firefox
        "Cache"
      ];
      extraBackupArgs = [
        # Skip directories carrying a CACHEDIR.TAG marker.
        "--exclude-caches"
        # Stay on the /persist filesystem even if symlinks point elsewhere.
        "--one-file-system"
        # Drop stale restic cache directories automatically.
        "--cleanup-cache"
      ];
    };

    xserver = {
      # X11 keymap
      xkb = {
        layout = "us";
        variant = "altgr-intl";
      };

      videoDrivers = ["nvidia"];
    };
  };

  # Installed on 22.05 — do not bump. This value selects the NixOS release
  # whose defaults for stateful data (file locations, database versions) apply
  # to this system; it is meant to stay at the release of the first install.
  # Read the option documentation (man configuration.nix or
  # https://nixos.org/nixos/options.html) before touching it.
  system.stateVersion = "22.05";
}