{ config, lib, pkgs, hostname, username, eth_interface, site_config, service_configs, options, ... }:

let
  # Single pinned SSH host key for muffin; every name below is served by the
  # same host, so one key covers all of them. Rotating the host key means
  # updating site_config.hosts.muffin.ssh_host_key, or the CI runner will
  # (correctly) refuse to connect.
  muffinHostKey = site_config.hosts.muffin.ssh_host_key;
  muffinNames = [
    site_config.hosts.muffin.alias
    site_config.hosts.muffin.ip
    "git.${site_config.domain}"
    "git.${site_config.old_domain}"
  ];
  knownHostsLines = map (name: "${name} ${muffinHostKey}") muffinNames;

  # srvos turns vim on; this host opts out. The `enable` option is only
  # defined when the module that declares it is imported, hence the check.
  vimHasEnableOption = options.programs.vim ? enable;
in
{
  imports = [
    ../../modules/common.nix

    # System modules used by muffin only.
    ./hardware.nix
    ../../modules/zfs.nix
    ../../modules/server-impermanence.nix
    ../../modules/usb-secrets.nix
    ../../modules/age-secrets.nix
    ../../modules/server-lanzaboote-agenix.nix
    ../../modules/no-rgb.nix
    ../../modules/server-security.nix
    ../../modules/ntfy-alerts.nix
    ../../modules/server-power.nix
    ../../modules/server-deploy-guard.nix
    ../../modules/server-deploy-finalize.nix

    # Services hosted on muffin.
    ../../services/postgresql.nix
    ../../services/jellyfin
    ../../services/caddy
    ../../services/immich.nix
    ../../services/gitea
    ../../services/minecraft.nix
    ../../services/wg.nix
    ../../services/qbittorrent.nix
    ../../services/bitmagnet.nix
    ../../services/arr/prowlarr.nix
    ../../services/arr/sonarr.nix
    ../../services/arr/radarr.nix
    ../../services/arr/bazarr.nix
    ../../services/arr/jellyseerr.nix
    ../../services/arr/recyclarr.nix
    ../../services/arr/arr-search.nix
    ../../services/arr/torrent-audit.nix
    ../../services/arr/init.nix
    ../../services/soulseek.nix
    # ../../services/llama-cpp.nix
    ../../services/trilium.nix
    ../../services/ups.nix
    ../../services/grafana
    ../../services/bitwarden.nix
    ../../services/firefox-syncserver.nix
    ../../services/matrix
    ../../services/monero
    ../../services/graphing-calculator.nix
    ../../services/ssh.nix
    ../../services/syncthing.nix
    ../../services/ntfy
    ../../services/mollysocket.nix
    ../../services/harmonia.nix
    ../../services/ddns-updater.nix
  ];

  # known_hosts consumed by the CI runner: host keys are pinned rather than
  # learned on first use, so a deploy target cannot be silently swapped.
  environment.etc."ci-known-hosts".text = lib.concatLines knownHostsLines;

  services.deployGuard.enable = true;

  # Detached deploy finalize (modules/server-deploy-finalize.nix): deploy-rs
  # activates in `boot` mode, then deploy-finalize schedules the real `switch`
  # — or a reboot when kernel/initrd/kernel-modules changed — 60s later as a
  # pid1-owned transient unit, so the self-hosted gitea runner is not
  # restarted in the middle of its own CI deploy.
  services.deployFinalize.enable = true;

  # No serial console on ttyS0; silences the related dmesg warnings.
  systemd.services."serial-getty@ttyS0".enable = false;

  programs.vim =
    { defaultEditor = false; }
    // lib.optionalAttrs vimHasEnableOption { enable = false; };

  # https://github.com/NixOS/nixpkgs/issues/101459#issuecomment-758306434
  security.pam.loginLimits = [
    {
      domain = "*";
      type = "soft";
      item = "nofile";
      value = "4096";
    }
  ];

  # Shorter GC retention than the 30d default set in common-nix.nix.
  nix.gc.options = lib.mkForce "--delete-older-than 7d";

  # Intel Arc A380 (DG2, 56a5) stays on i915 with kernel 6.12: the xe driver's
  # iHD media driver integration has buffer mapping failures on this
  # GPU/kernel combination, while i915 handles VAAPI transcode correctly as
  # long as ASPM deep states are disabled for the GPU (see modules/power.nix).
  hardware.intelgpu.driver = "i915";

  boot = {
    # 6.12 LTS (supported until 2027-03). Kernel 6.18 reproducibly deadlocks
    # ZFS in dbuf_evict after the page allocator changes (__free_frozen_pages):
    # https://github.com/openzfs/zfs/issues/18426
    kernelPackages = pkgs.linuxPackages_6_12;

    # Total 2MB hugepages, summed per service in service-configs.nix.
    kernel.sysctl."vm.nr_hugepages" = service_configs.hugepages_2m.total_pages;

    loader = {
      # The ASRock B550M Pro4 AMI UEFI hangs on POST when NixOS writes EFI
      # variables (NVRAM corruption). Lanzaboote entries are discovered via
      # BLS Type #2 on the ESP, so touching EFI variables is unnecessary.
      efi.canTouchEfiVariables = false;
      timeout = 1;
    };

    initrd = {
      compressor = "zstd";
      supportedFilesystems = [ "f2fs" ];
    };
  };

  hardware.graphics = {
    enable = true;
    extraPackages = [
      pkgs.libva-vdpau-driver
      # OpenCL filters (hardware tonemapping, subtitle burn-in).
      pkgs.intel-compute-runtime
      # QSV on 11th gen or newer.
      pkgs.vpl-gpu-rt
    ];
  };

  # Root-facing admin tooling only. The interactive user CLI (fish, helix,
  # htop, bottom, tmux, ripgrep, lsof, wget, pfetch-rs, …) comes from
  # home-manager in home/profiles/terminal.nix, shared with mreow and yarn.
  environment.systemPackages = [
    pkgs.lm_sensors
    pkgs.borgbackup
    pkgs.smartmontools
    pkgs.intel-gpu-tools
    pkgs.iotop
    pkgs.iftop
    pkgs.powertop
    pkgs.reflac
    pkgs.sbctl
    # TODO: add `skdump`.
    pkgs.libatasmart
  ];

  networking = {
    hostName = hostname;
    hostId = "0f712d56";
    nameservers = site_config.dns_servers;
    useDHCP = false;
    firewall.enable = true;
    # Off because of Jellyfin (various issues).
    enableIPv6 = false;

    # Local resolution of the CI/CD deploy-target aliases.
    hosts = {
      ${site_config.hosts.muffin.ip} = [ site_config.hosts.muffin.alias ];
      ${site_config.hosts.yarn.ip} = [ site_config.hosts.yarn.alias ];
    };

    interfaces.${eth_interface} = {
      ipv4.addresses = [
        { address = site_config.hosts.muffin.ip; prefixLength = 24; }
      ];
      ipv6.addresses = [
        { address = "fe80::9e6b:ff:fe4d:abb"; prefixLength = 64; }
      ];
    };

    defaultGateway = {
      address = site_config.lan.gateway;
      interface = eth_interface;
    };

    # TODO! fix this
    # defaultGateway6 = {
    #   address = "fe80::/64";
    #   interface = eth_interface;
    # };
  };

  users.groups.${service_configs.media_group} = { };

  users.users.${username} = {
    isNormalUser = true;
    extraGroups = [
      "wheel"
      "video"
      "render"
      service_configs.media_group
    ];
    # Password hash is delivered by agenix, never written into the store.
    hashedPasswordFile = config.age.secrets.hashedPass.path;
  };

  services.murmur = {
    enable = true;
    openFirewall = true;
    port = service_configs.ports.public.murmur.port;
    welcometext = "meow meow meow meow meow :3 xd";
    # Placeholder only: the murmur module substitutes it from environmentFile
    # at service start, so the real password stays out of the Nix store.
    password = "$MURMURD_PASSWORD";
    environmentFile = config.age.secrets.murmur-password-env.path;
  };

  # services.botamusique = {
  #   enable = true;
  #   settings = {
  #     server = {
  #       port = config.services.murmur.port;
  #       password = config.services.murmur.password;
  #     };
  #   };
  # };

  # systemd.tmpfiles.rules = [
  #   "Z /tank/music 775 ${username} users"
  # ];

  system.stateVersion = "24.11";
}