nixos-config/machines/Home-Hypervisor/default.nix

{ modulesPath, inputs, lib, pkgs, config, options, ... }:
let persistRoot = config.autoinstall.persist.persistRoot or "/persist";
in {
  imports = with inputs.self; [
    inputs.sops-nix.nixosModules.sops
    ./backups.nix
    ./boot.nix
    ./hardware-configuration.nix
    ./usb-hdd.nix
    ./virtualisation.nix
    customProfiles.hardened
    customRoles.hypervisor

    customProfiles.acme
    customProfiles.attic
    customProfiles.atticd
    customProfiles.authentik
    customProfiles.battery-historian
    customProfiles.fail2ban
    customProfiles.gitea
    customProfiles.homepage
    customProfiles.hoyolab
    customProfiles.inpx-web
    customProfiles.it-tools
    customProfiles.joplin-server
    customProfiles.media-stack
    customProfiles.minio
    customProfiles.nginx
    customProfiles.ocis
    customProfiles.openbooks
    customProfiles.outline
    customProfiles.radicale
    customProfiles.spdf
    customProfiles.tinyproxy
    customProfiles.vaultwarden
    customProfiles.vscode-server
    customProfiles.webhooks
    customProfiles.wiki
    customProfiles.yandex-db

    (import customProfiles.blocky {
      inherit config pkgs;
      inherit (import ./dns-mapping.nix) dnsmasq-list;
    })

    (import customProfiles.headscale {
      inherit config pkgs;
      inherit (import ./dns-mapping.nix) headscale-list;
    })
  ];

  deviceSpecific.devInfo = {
    cpu.vendor = "intel";
    drive.type = "ssd";
    gpu.vendor = "other";
    ram = 12;
    fileSystem = "zfs";
  };
  deviceSpecific.enableVirtualisation = true;
  deviceSpecific.vpn.tailscale.enable = true;
  deviceSpecific.isServer = true;

  zramSwap = {
    enable = true;
    algorithm = "zstd";
    memoryPercent = 150;
  };

  # Impermanence
  persist = {
    enable = true;
    cache.clean.enable = true;
    state = {
      files = [ "/etc/machine-id" ];
    };
  };
  fileSystems."/home".neededForBoot = true;
  fileSystems.${persistRoot}.neededForBoot = true;
  boot.initrd.postDeviceCommands = lib.mkAfter ''
    zfs rollback -r rpool/nixos/root@empty
    zfs rollback -r rpool/user/home@empty
  '';

  environment.memoryAllocator.provider = "libc";

  # build hell
  environment.noXlibs = lib.mkForce false;
  # minimal profile
  documentation.nixos.enable = lib.mkForce false;
  programs.command-not-found.enable = lib.mkForce false;
  xdg.autostart.enable = lib.mkForce false;
  xdg.icons.enable = lib.mkForce false;
  xdg.mime.enable = lib.mkForce false;
  xdg.sounds.enable = lib.mkForce false;
  services.udisks2.enable = lib.mkForce false;

  fonts.enableDefaultPackages = lib.mkForce false;
  fonts.packages =
    [ (pkgs.nerdfonts.override { fonts = [ "FiraCode" "VictorMono" ]; }) ];

  security.polkit.enable = true;

  services.zfs = {
    autoScrub.enable = true;
    autoScrub.interval = "monthly";
    trim.enable = true;
    trim.interval = "weekly";
  };

  # hardened
  networking.firewall.enable = true;
  networking.firewall.allowedTCPPorts = lib.mkDefault [ ];
  networking.firewall.allowedUDPPorts = lib.mkDefault [ ];
  systemd.coredump.enable = false;
  programs.firejail.enable = true;

  networking.wireless.enable = false;
  networking.networkmanager.enable = false;
  networking.hostName = config.device;

  networking.nameservers = [ "192.168.0.1" ];
  networking.defaultGateway = "192.168.0.1";
  networking.bridges.br0.interfaces = [ "enp2s0f0" ];
  networking.interfaces.br0 = {
    useDHCP = false;
    ipv4.addresses = [{
      address = "192.168.0.10";
      prefixLength = 24;
    }];
  };
  networking.extraHosts = ''
    127.0.0.1 auth.ataraxiadev.com
    127.0.0.1 code.ataraxiadev.com
    127.0.0.1 cache.ataraxiadev.com
    127.0.0.1 s3.ataraxiadev.com
  '';

  nix.optimise.automatic = false;

  services.logind.lidSwitch = "lock";
  services.logind.lidSwitchDocked = "lock";
  services.logind.lidSwitchExternalPower = "lock";
  systemd.services.systemd-timesyncd.wantedBy = [ "multi-user.target" ];
  systemd.timers.systemd-timesyncd = { timerConfig.OnCalendar = "hourly"; };

  home-manager.users.${config.mainuser} = {
    home.file.".config/libvirt/libvirt.conf".text = ''
      uri_default = "qemu:///system"
    '';
    home.packages = with pkgs; [
      bat
      bottom
      comma
      dig.dnsutils
      fd
      kitty
      micro
      nix-index-update
      p7zip
      podman-compose
      pwgen
      rclone
      repgrep
      restic
      rsync
      rustic-rs
      smartmontools
    ];
    xdg.mime.enable = false;
    home.stateVersion = "22.11";
  };
  system.stateVersion = "22.11";
}
initial home-hypervisor config 2023-01-26 00:24:32 +03:00			`{ modulesPath, inputs, lib, pkgs, config, options, ... }:`
change blocky config on hypervisor 2023-06-27 01:25:28 +03:00			`let persistRoot = config.autoinstall.persist.persistRoot or "/persist";`
initial home-hypervisor config 2023-01-26 00:24:32 +03:00			`in {`
			`imports = with inputs.self; [`
change rustic backup settings 2024-01-19 17:58:20 +03:00			`inputs.sops-nix.nixosModules.sops`
big hypervisor and servers refactor 2024-01-21 17:40:07 +03:00			`./backups.nix`
initial home-hypervisor config 2023-01-26 00:24:32 +03:00			`./boot.nix`
update many homelab services 2023-01-26 00:43:11 +03:00			`./hardware-configuration.nix`
big hypervisor and servers refactor 2024-01-21 17:40:07 +03:00			`./usb-hdd.nix`
initial home-hypervisor config 2023-01-26 00:24:32 +03:00			`./virtualisation.nix`
change flake-utils-plus to upstream 2023-10-13 19:43:02 +03:00			`customProfiles.hardened`
			`customRoles.hypervisor`
sort profiles 2024-01-21 16:32:12 +03:00
change flake-utils-plus to upstream 2023-10-13 19:43:02 +03:00			`customProfiles.acme`
sort profiles 2024-01-21 16:32:12 +03:00			`customProfiles.attic`
			`customProfiles.atticd`
change flake-utils-plus to upstream 2023-10-13 19:43:02 +03:00			`customProfiles.authentik`
			`customProfiles.battery-historian`
			`customProfiles.fail2ban`
			`customProfiles.gitea`
sort profiles 2024-01-21 16:32:12 +03:00			`customProfiles.homepage`
			`customProfiles.hoyolab`
			`customProfiles.inpx-web`
			`customProfiles.it-tools`
change flake-utils-plus to upstream 2023-10-13 19:43:02 +03:00			`customProfiles.joplin-server`
sort profiles 2024-01-21 16:32:12 +03:00			`customProfiles.media-stack`
			`customProfiles.minio`
change flake-utils-plus to upstream 2023-10-13 19:43:02 +03:00			`customProfiles.nginx`
sort profiles 2024-01-21 16:32:12 +03:00			`customProfiles.ocis`
			`customProfiles.openbooks`
			`customProfiles.outline`
			`customProfiles.radicale`
			`customProfiles.spdf`
change flake-utils-plus to upstream 2023-10-13 19:43:02 +03:00			`customProfiles.tinyproxy`
			`customProfiles.vaultwarden`
			`customProfiles.vscode-server`
			`customProfiles.webhooks`
			`customProfiles.wiki`
sort profiles 2024-01-21 16:32:12 +03:00			`customProfiles.yandex-db`
change blocky config on hypervisor 2023-06-27 01:25:28 +03:00
change flake-utils-plus to upstream 2023-10-13 19:43:02 +03:00			`(import customProfiles.blocky {`
fix blocky container 2024-01-21 16:32:37 +03:00			`inherit config pkgs;`
big hypervisor and servers refactor 2024-01-21 17:40:07 +03:00			`inherit (import ./dns-mapping.nix) dnsmasq-list;`
change blocky config on hypervisor 2023-06-27 01:25:28 +03:00			`})`
move headscale and authentik to home-hypervisor 2023-10-13 19:44:48 +03:00
			`(import customProfiles.headscale {`
			`inherit config pkgs;`
big hypervisor and servers refactor 2024-01-21 17:40:07 +03:00			`inherit (import ./dns-mapping.nix) headscale-list;`
move headscale and authentik to home-hypervisor 2023-10-13 19:44:48 +03:00			`})`
initial home-hypervisor config 2023-01-26 00:24:32 +03:00			`];`

			`deviceSpecific.devInfo = {`
huge cleanup and refactoring 2024-01-21 19:29:36 +03:00			`cpu.vendor = "intel";`
			`drive.type = "ssd";`
			`gpu.vendor = "other";`
initial home-hypervisor config 2023-01-26 00:24:32 +03:00			`ram = 12;`
			`fileSystem = "zfs";`
			`};`
			`deviceSpecific.enableVirtualisation = true;`
huge cleanup and refactoring 2024-01-21 19:29:36 +03:00			`deviceSpecific.vpn.tailscale.enable = true;`
initial home-hypervisor config 2023-01-26 00:24:32 +03:00			`deviceSpecific.isServer = true;`

			`zramSwap = {`
			`enable = true;`
			`algorithm = "zstd";`
increase zram disk size 2023-05-24 21:28:50 +03:00			`memoryPercent = 150;`
initial home-hypervisor config 2023-01-26 00:24:32 +03:00			`};`

			`# Impermanence`
			`persist = {`
			`enable = true;`
			`cache.clean.enable = true;`
authentik + headscale, and change some settings 2023-06-29 23:21:54 +03:00			`state = {`
			`files = [ "/etc/machine-id" ];`
			`};`
initial home-hypervisor config 2023-01-26 00:24:32 +03:00			`};`
			`fileSystems."/home".neededForBoot = true;`
			`fileSystems.${persistRoot}.neededForBoot = true;`
			`boot.initrd.postDeviceCommands = lib.mkAfter ''`
			`zfs rollback -r rpool/nixos/root@empty`
			`zfs rollback -r rpool/user/home@empty`
			`'';`

move hardened to profiles 2023-06-23 18:28:56 +03:00			`environment.memoryAllocator.provider = "libc";`

initial home-hypervisor config 2023-01-26 00:24:32 +03:00			`# build hell`
			`environment.noXlibs = lib.mkForce false;`
			`# minimal profile`
			`documentation.nixos.enable = lib.mkForce false;`
			`programs.command-not-found.enable = lib.mkForce false;`
			`xdg.autostart.enable = lib.mkForce false;`
			`xdg.icons.enable = lib.mkForce false;`
			`xdg.mime.enable = lib.mkForce false;`
			`xdg.sounds.enable = lib.mkForce false;`
			`services.udisks2.enable = lib.mkForce false;`

upgrade 2023-08-04 02:37:47 +03:00			`fonts.enableDefaultPackages = lib.mkForce false;`
			`fonts.packages =`
change blocky config on hypervisor 2023-06-27 01:25:28 +03:00			`[ (pkgs.nerdfonts.override { fonts = [ "FiraCode" "VictorMono" ]; }) ];`
initial home-hypervisor config 2023-01-26 00:24:32 +03:00
			`security.polkit.enable = true;`

			`services.zfs = {`
			`autoScrub.enable = true;`
zfs scrub once a month 2023-11-22 05:57:58 +03:00			`autoScrub.interval = "monthly";`
initial home-hypervisor config 2023-01-26 00:24:32 +03:00			`trim.enable = true;`
			`trim.interval = "weekly";`
			`};`

			`# hardened`
			`networking.firewall.enable = true;`
change blocky config on hypervisor 2023-06-27 01:25:28 +03:00			`networking.firewall.allowedTCPPorts = lib.mkDefault [ ];`
			`networking.firewall.allowedUDPPorts = lib.mkDefault [ ];`
initial home-hypervisor config 2023-01-26 00:24:32 +03:00			`systemd.coredump.enable = false;`
			`programs.firejail.enable = true;`

			`networking.wireless.enable = false;`
			`networking.networkmanager.enable = false;`
			`networking.hostName = config.device;`

wip 2023-01-13 04:03:15 +03:00			`networking.nameservers = [ "192.168.0.1" ];`
			`networking.defaultGateway = "192.168.0.1";`
			`networking.bridges.br0.interfaces = [ "enp2s0f0" ];`
			`networking.interfaces.br0 = {`
			`useDHCP = false;`
			`ipv4.addresses = [{`
update many homelab services 2023-01-26 00:43:11 +03:00			`address = "192.168.0.10";`
			`prefixLength = 24;`
wip 2023-01-13 04:03:15 +03:00			`}];`
			`};`
			`networking.extraHosts = ''`
huge cleanup and refactoring 2024-01-21 19:29:36 +03:00			`127.0.0.1 auth.ataraxiadev.com`
wip 2023-01-13 04:03:15 +03:00			`127.0.0.1 code.ataraxiadev.com`
fix attic... again 2023-06-14 03:39:35 +03:00			`127.0.0.1 cache.ataraxiadev.com`
huge cleanup and refactoring 2024-01-21 19:29:36 +03:00			`127.0.0.1 s3.ataraxiadev.com`
wip 2023-01-13 04:03:15 +03:00			`'';`

disable auto optimise nix store for hypervisor 2023-04-08 18:17:45 +03:00			`nix.optimise.automatic = false;`

wip 2023-01-13 04:03:15 +03:00			`services.logind.lidSwitch = "lock";`
			`services.logind.lidSwitchDocked = "lock";`
			`services.logind.lidSwitchExternalPower = "lock";`
huge cleanup and refactoring 2024-01-21 19:29:36 +03:00			`systemd.services.systemd-timesyncd.wantedBy = [ "multi-user.target" ];`
			`systemd.timers.systemd-timesyncd = { timerConfig.OnCalendar = "hourly"; };`
initial home-hypervisor config 2023-01-26 00:24:32 +03:00
			`home-manager.users.${config.mainuser} = {`
			`home.file.".config/libvirt/libvirt.conf".text = ''`
			`uri_default = "qemu:///system"`
			`'';`
wip 2023-01-13 04:03:15 +03:00			`home.packages = with pkgs; [`
change blocky config on hypervisor 2023-06-27 01:25:28 +03:00			`bat`
			`bottom`
			`comma`
add dig to home-hypervisor 2023-11-11 03:15:07 +03:00			`dig.dnsutils`
add some utilities to home-hypervisor 2023-07-30 03:27:14 +03:00			`fd`
change blocky config on hypervisor 2023-06-27 01:25:28 +03:00			`kitty`
			`micro`
			`nix-index-update`
add some utilities to home-hypervisor 2023-07-30 03:27:14 +03:00			`p7zip`
change blocky config on hypervisor 2023-06-27 01:25:28 +03:00			`podman-compose`
			`pwgen`
wip rustic backup 2023-11-11 03:14:37 +03:00			`rclone`
add some utilities to home-hypervisor 2023-07-30 03:27:14 +03:00			`repgrep`
wip rustic backup 2023-11-11 03:14:37 +03:00			`restic`
huge cleanup and refactoring 2024-01-21 19:29:36 +03:00			`rsync`
wip rustic backup 2023-11-11 03:14:37 +03:00			`rustic-rs`
change blocky config on hypervisor 2023-06-27 01:25:28 +03:00			`smartmontools`
wip 2023-01-13 04:03:15 +03:00			`];`
initial home-hypervisor config 2023-01-26 00:24:32 +03:00			`xdg.mime.enable = false;`
			`home.stateVersion = "22.11";`
			`};`
			`system.stateVersion = "22.11";`
			`}`