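# NixOS configuration for host "loki": an Italian-locale workstation that also acts
# as a LAN file/media server (Samba, Plex, *arr stack, Transmission, Syncthing,
# Home Assistant in a container) reachable through a ZeroTier overlay.
#
# Layout restored from a single-line listing: `#` comments again end at a line
# break (in the collapsed form they swallowed every attribute that followed them,
# e.g. the whole `systemd.*` section and the closing of `allowedTCPPorts`), and
# the multi-line `''` strings (samba extraConfig, sudo extraConfig) are one
# directive per line again, which is what smb.conf/sudoers expect.
{ config, pkgs, lib, ... }:
{
  imports = [ /etc/nixos/hardware-configuration.nix ];

  boot.loader = {
    systemd-boot.enable = true;
    efi.canTouchEfiVariables = true;
  };

  networking = {
    hostName = "loki";
    networkmanager.enable = true;
    useDHCP = false;
    interfaces = {
      eno1.useDHCP = true;
      wlp7s0.useDHCP = true;
    };
  };

  time.timeZone = "Europe/Rome";
  i18n.defaultLocale = "it_IT.UTF-8";
  console = {
    font = "Lat2-Terminus16";
    keyMap = "it";
  };

  services.xserver = {
    enable = true;
    videoDrivers = [ "nvidia" ];
    layout = "it";
    xkbOptions = "eurosign:e;";
    libinput.enable = true;
  };

  hardware = {
    # PRIME sync mode: the NVIDIA GPU renders, the Intel iGPU drives the outputs.
    nvidia.prime = {
      offload.enable = false;
      sync.enable = true;
      intelBusId = "PCI:0:2:0";
      nvidiaBusId = "PCI:1:0:0";
    };
    opengl = {
      enable = true;
      # VA-API / VDPAU backends for hardware video decode (used by Plex transcoding).
      extraPackages = with pkgs; [ intel-media-driver libvdpau-va-gl vaapiIntel vaapiVdpau ];
    };
    bluetooth.enable = true;
  };

  users.users = {
    bertof = {
      isNormalUser = true;
      # "docker" and "libvirtd" membership is effectively root-equivalent (either
      # can start a container/VM with arbitrary host mounts); "wheel" already grants
      # sudo, so this is one account with several independent paths to root.
      extraGroups = [ "audio" "input" "docker" "libvirtd" "network" "usb" "video" "wheel" ];
      openssh.authorizedKeys.keys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIN+zsSWZFFzQKnATCAvtG+iuSm4qkZHjCtHzGa9B/71W" ];
      shell = pkgs.zsh;
    };
    tiziano = {
      isNormalUser = true;
      openssh.authorizedKeys.keys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMExwtJFk6HjySrTZwJH67SOHC3hlL28NO4oe2GXsv6k" ];
    };
  };

  programs = {
    gnupg.agent = {
      enable = true;
      enableSSHSupport = true;
    };
    zsh = {
      enable = true;
      syntaxHighlighting.enable = true;
    };
  };
  environment.pathsToLink = [ "/share/zsh" ];

  services = {
    avahi = {
      enable = true;
      openFirewall = true;
      nssmdns = true;
      publish = {
        enable = true;
        addresses = true;
        domain = true;
        userServices = true;
        workstation = true;
      };
      extraServiceFiles = {
        ssh = "${pkgs.avahi}/etc/avahi/services/ssh.service";
        # NOTE(review): this value is not avahi service XML as it stands — the
        # markup appears to have been lost in transit. Restore it from an
        # smb.service template before relying on SMB advertisement over mDNS.
        smb = ''%h_smb._tcp445'';
      };
    };

    # The *arr/Plex/Jackett web UIs below are opened on every interface by
    # openFirewall (this includes the ZeroTier overlay, see networking.firewall).
    # Several of these applications ship with authentication disabled or
    # LAN-exempt by default; verify each UI requires a login.
    bazarr = {
      enable = true;
      openFirewall = true;
      group = "users";
    };
    blueman.enable = true;
    dbus.packages = with pkgs; [ gnome.dconf ];
    # Bans sources that repeatedly fail sshd authentication; ban time grows with
    # each repeated offence.
    fail2ban = {
      enable = true;
      bantime-increment.enable = true;
    };
    gnome.gnome-keyring.enable = true;
    gvfs = {
      enable = true;
      package = lib.mkForce pkgs.gnome3.gvfs;
    };
    jackett = {
      enable = true;
      openFirewall = true;
      group = "users";
    };
    logind.lidSwitch = "ignore";
    # Node-RED's editor accepts unauthenticated connections unless adminAuth is set
    # in its settings.js, and withNpmAndGcc lets flows install arbitrary npm
    # modules; with openFirewall the editor is reachable from every interface.
    node-red = {
      enable = true;
      openFirewall = true;
      withNpmAndGcc = true;
    };
    # Key-based logins only, no root login. (Newer NixOS releases spell these as
    # services.openssh.settings.PermitRootLogin / PasswordAuthentication.)
    openssh = {
      enable = true;
      openFirewall = true;
      permitRootLogin = "no";
      passwordAuthentication = false;
    };
    plex = {
      enable = true;
      openFirewall = true;
      group = "users";
    };
    power-profiles-daemon.enable = true;
    radarr = {
      enable = true;
      openFirewall = true;
      group = "users";
    };
    samba-wsdd = {
      enable = true;
      discovery = true;
    };
    samba = {
      enable = true;
      enableNmbd = true;
      enableWinbindd = true;
      nsswins = true;
      # One smb.conf directive per line; `smb encrypt = required` refuses
      # unencrypted SMB sessions.
      extraConfig = ''
        workgroup = WORKGROUP
        load printers = no
        smb encrypt = required
      '';
      shares =
        let
          # Defaults for every share: authenticated users only, no guests,
          # files created private to the owner unless a share overrides the masks.
          common = {
            "public" = "no";
            "writeable" = "yes";
            "create mask" = "0700";
            "directory mask" = "2700";
            "browseable" = "yes";
            "guest ok" = "no";
            "read only" = "no";
            "force group" = "users";
          };
        in
        {
          # Per-user shares on the main RAID: each locked to its own user.
          bertof = common // {
            path = "/mnt/raid/bertof";
            comment = "Bertof samba share";
            "force user" = "bertof";
            "valid users" = "bertof";
          };
          tiziano = common // {
            path = "/mnt/raid/tiziano";
            comment = "Tiziano samba share";
            "force user" = "tiziano";
            "valid users" = "tiziano";
          };
          # Shared folder: both users, group-writable (setgid directories keep
          # new entries in the "users" group).
          condiviso = common // {
            path = "/mnt/raid/condiviso";
            comment = "Samba share condiviso";
            "valid users" = "bertof tiziano";
            "create mask" = "0770";
            "directory mask" = "2770";
            "force create mode" = "0660";
            "force directory mode" = "2770";
          };
          # Same layout on the second (mirrored) array.
          bertof_safe = common // {
            path = "/mnt/raid1/bertof";
            comment = "Bertof samba share";
            "force user" = "bertof";
            "valid users" = "bertof";
          };
          tiziano_safe = common // {
            path = "/mnt/raid1/tiziano";
            comment = "Tiziano samba share";
            "force user" = "tiziano";
            "valid users" = "tiziano";
          };
          condiviso_safe = common // {
            path = "/mnt/raid1/condiviso";
            comment = "Samba share condiviso";
            "valid users" = "bertof tiziano";
            "create mask" = "0770";
            "directory mask" = "2770";
            "force create mode" = "0660";
            "force directory mode" = "2770";
          };
        };
    };
    smartd = {
      enable = true;
      notifications.x11.enable = true;
    };
    sonarr = {
      enable = true;
      openFirewall = true;
      group = "users";
    };
    thermald.enable = true;
    transmission = {
      enable = true;
      openFirewall = true;
      group = "users";
      settings = {
        download-dir = "/mnt/raid/condiviso/Scaricati/Torrent";
        incomplete-dir = "/mnt/raid/condiviso/Scaricati/Torrent/.incomplete";
      };
    };
    zerotierone = {
      enable = true;
      joinNetworks = [ "8056c2e21cf9c753" ];
    };
  };

  # services.snapper = {
  #   configs =
  #     let
  #       bertofExtraConfig = ''
  #         ALLOW_USERS="bertof"
  #         TIMELINE_CREATE=yes
  #         TIMELINE_CLEANUP=yes
  #       '';
  #       common = { extraConfig = bertofExtraConfig; };
  #     in
  #     {
  #       bertof_home = common // { subvolume = "/home/bertof"; };
  #     };
  # };

  systemd.packages = with pkgs; [ syncthing ];

  # One hardened Syncthing unit per user. The sandboxing lives in
  # common.serviceConfig; each unit must MERGE into it rather than replace it —
  # `common // { serviceConfig = { ... }; }` is a shallow update and silently
  # dropped every Protect*/Private*/CapabilityBoundingSet setting below, leaving
  # the units with nothing but User and ExecStart.
  systemd.services =
    let
      common = {
        after = [ "network.target" ];
        environment = {
          STNORESTART = "yes";
          STNOUPGRADE = "yes";
        };
        wantedBy = [ "default.target" ];
        serviceConfig = {
          Restart = "on-failure";
          # Syncthing's documented exit codes for restart/upgrade requests.
          SuccessExitStatus = "2 3 4";
          RestartForceExitStatus = "3 4";
          Group = config.ids.gids.users;
          MemoryDenyWriteExecute = true;
          NoNewPrivileges = true;
          PrivateDevices = true;
          PrivateMounts = true;
          PrivateTmp = true;
          PrivateUsers = true;
          ProtectControlGroups = true;
          ProtectHostname = true;
          ProtectKernelModules = true;
          ProtectKernelTunables = true;
          RestrictNamespaces = true;
          RestrictRealtime = true;
          RestrictSUIDSGID = true;
          CapabilityBoundingSet = [
            "~CAP_SYS_PTRACE"
            "~CAP_SYS_ADMIN"
            "~CAP_SETGID"
            "~CAP_SETUID"
            "~CAP_SETPCAP"
            "~CAP_SYS_TIME"
            "~CAP_KILL"
          ];
        };
      };
    in
    {
      syncthing-bertof = common // {
        description = "Syncthing service bertof";
        serviceConfig = common.serviceConfig // {
          User = "bertof";
          # The GUI is bound to all interfaces and port 8384 is open in the
          # firewall; Syncthing's GUI has no credentials until a user/password is
          # set in its settings, so configure one before exposing it.
          ExecStart = "${pkgs.syncthing}/bin/syncthing -no-browser -gui-address=0.0.0.0:8384 -home=/mnt/raid/bertof/Syncthing/.config";
        };
      };
      syncthing-tiziano = common // {
        description = "Syncthing service tiziano";
        serviceConfig = common.serviceConfig // {
          User = "tiziano";
          # Same exposure as above on port 8385.
          ExecStart = "${pkgs.syncthing}/bin/syncthing -no-browser -gui-address=0.0.0.0:8385 -home=/mnt/raid/tiziano/Syncthing/.config";
        };
      };
    };

  networking.firewall = {
    enable = true;
    allowPing = true;
    # Ports here (and those added by services.*.openFirewall) are opened on every
    # interface, the ZeroTier overlay included. Use
    # networking.firewall.interfaces.<name>.allowed*Ports to keep a service
    # LAN-only.
    allowedTCPPorts = [
      445 # SAMBA
      139 # SAMBA
      5357 # SAMBA-WSDD
      8123 # HOME ASSISTANT
      8384 # SYNCTHING (bertof GUI)
      8385 # SYNCTHING (tiziano GUI)
    ];
    allowedUDPPorts = [
      # 137/138 are NetBIOS name/datagram service for Samba (nmbd, see
      # enableNmbd and the CT helper below) — they were mislabelled as Syncthing.
      137 # SAMBA (NetBIOS-NS)
      138 # SAMBA (NetBIOS-DGM)
      3702 # SAMBA-WSDD
    ];
    # Attach the netbios-ns conntrack helper so NetBIOS name-service replies are
    # tracked as related traffic.
    extraCommands = ''iptables -t raw -A OUTPUT -p udp -m udp --dport 137 -j CT --helper netbios-ns'';
  };

  virtualisation = {
    docker.enable = true;
    kvmgt.enable = true;
    libvirtd.enable = true;
    podman.enable = true;
    virtualbox.host.enable = true;
    oci-containers.containers = {
      hass = {
        # Floating tag plus --pull=always: the image running after each restart is
        # whatever "stable" points at, with no pin. Pin to a digest
        # (ghcr.io/...@sha256:<digest>) for a reproducible, reviewable rollout.
        image = "ghcr.io/home-assistant/home-assistant:stable";
        environment = { TZ = "Europe/Rome"; };
        # --privileged + --network=host gives the container every capability, all
        # host devices and the host network namespace. Confirm the integrations in
        # use need this (typically USB/Bluetooth dongles); otherwise pass only the
        # required --device entries and drop --privileged.
        extraOptions = [ "--privileged" "--network=host" "--pull=always" ];
        # With --network=host the port mapping is likely ignored by the runtime;
        # 8123 is reachable through allowedTCPPorts regardless.
        ports = [ "8123:8123" ];
        volumes = [ "/var/lib/hass:/config" "/mnt/raid/condiviso:/media" ];
      };
    };
  };

  environment.systemPackages = with pkgs; [ htop kakoune vim tmux ];

  security.sudo.extraConfig = ''
    Defaults pwfeedback
  '';

  nixpkgs.config.allowUnfree = true;
  nix = {
    package = pkgs.nixFlakes;
    extraOptions = lib.optionalString (config.nix.package == pkgs.nixFlakes)
      "experimental-features = nix-command flakes";
    gc.automatic = true;
  };

  # Unattended upgrades from the user-owned config path; allowReboot lets the
  # upgrade timer reboot the host on its own when the kernel/initrd changed.
  system.autoUpgrade = {
    enable = true;
    allowReboot = true;
    flags = [ "-I" "nixos-config=/home/bertof/.config/nixpkgs/nixos/loki.nix" "--upgrade" ];
  };

  system.stateVersion = "21.11";
}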