titaniumtown/server-config
Archived
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
This repository has been archived on 2026-04-18. You can view files and clone it. You cannot open issues or pull requests or push a commit.
Files
c2ff07b32911d8086715b1807a8d1c4873ab5224
server-config/configuration.nix
Simon Gardling e41f869843 trilium: add self-hosted note-taking service 
Add trilium-server on port 8787 behind Caddy reverse proxy at
notes.sigkill.computer. Data stored on ZFS tank pool with
serviceMountWithZpool for mount ordering.
2026-04-02 17:44:04 -04:00

331 lines
7.2 KiB
Nix
Raw Blame History

{
config,
lib,
pkgs,
hostname,
username,
eth_interface,
service_configs,
options,
...
}:
{
imports = [
./modules/hardware.nix
./modules/zfs.nix
./modules/impermanence.nix
./modules/usb-secrets.nix
./modules/age-secrets.nix
./modules/secureboot.nix
./modules/no-rgb.nix
./modules/security.nix
./modules/ntfy-alerts.nix
./modules/power.nix
./services/postgresql.nix
./services/jellyfin.nix
./services/caddy.nix
./services/immich.nix
./services/gitea.nix
./services/gitea-actions-runner.nix
./services/minecraft.nix
./services/wg.nix
./services/qbittorrent.nix
./services/jellyfin-qbittorrent-monitor.nix
./services/bitmagnet.nix
./services/arr/prowlarr.nix
./services/arr/sonarr.nix
./services/arr/radarr.nix
./services/arr/bazarr.nix
./services/arr/jellyseerr.nix
./services/arr/recyclarr.nix
./services/arr/arr-search.nix
./services/arr/torrent-audit.nix
./services/arr/init.nix
./services/soulseek.nix
./services/llama-cpp.nix
./services/llama-cpp-annotations.nix
./services/trilium.nix
./services/ups.nix
./services/monitoring.nix
./services/jellyfin-annotations.nix
./services/zfs-scrub-annotations.nix
./services/bitwarden.nix
./services/firefox-syncserver.nix
./services/matrix.nix
./services/coturn.nix
./services/livekit.nix
./services/monero.nix
./services/p2pool.nix
./services/xmrig.nix
./services/llama-cpp-xmrig-pause.nix
# KEEP UNTIL 2028
./services/caddy_senior_project.nix
./services/graphing-calculator.nix
./services/ssh.nix
./services/syncthing.nix
./services/ntfy.nix
./services/ntfy-alerts.nix
./services/mollysocket.nix
];
# Hosts entries for CI/CD deploy targets
networking.hosts."192.168.1.50" = [ "server-public" ];
networking.hosts."192.168.1.223" = [ "desktop" ];
# SSH known_hosts for CI runner (pinned host keys)
environment.etc."ci-known-hosts".text = ''
server-public ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFMjgaMnE+zS7tL+m5E7gh9Q9U1zurLdmU0qcmEmaucu
192.168.1.50 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFMjgaMnE+zS7tL+m5E7gh9Q9U1zurLdmU0qcmEmaucu
git.sigkill.computer ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFMjgaMnE+zS7tL+m5E7gh9Q9U1zurLdmU0qcmEmaucu
git.gardling.com ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFMjgaMnE+zS7tL+m5E7gh9Q9U1zurLdmU0qcmEmaucu
'';
services.kmscon.enable = true;
# Disable serial getty on ttyS0 to prevent dmesg warnings
systemd.services."serial-getty@ttyS0".enable = false;
# srvos enables vim, i don't want to use vim, disable it here:
programs.vim = {
defaultEditor = false;
}
// lib.optionalAttrs (options.programs.vim ? enable) {
enable = false;
};
# https://github.com/NixOS/nixpkgs/issues/101459#issuecomment-758306434
security.pam.loginLimits = [
{
domain = "*";
type = "soft";
item = "nofile";
value = "4096";
}
];
nix = {
# optimize the store
optimise.automatic = true;
# garbage collection
gc = {
automatic = true;
dates = "weekly";
options = "--delete-older-than 7d";
};
};
hardware.intelgpu.driver = "xe";
# Per-service 2MB hugepage budget calculated in service-configs.nix.
boot.kernel.sysctl."vm.nr_hugepages" = service_configs.hugepages_2m.total_pages;
boot = {
# 6.12 LTS until 2026
kernelPackages = pkgs.linuxPackages_6_12_hardened;
loader = {
# Use the systemd-boot EFI boot loader.
# Disabled: ASRock B550M Pro4 AMI UEFI hangs on POST when NixOS
# writes EFI variables (NVRAM corruption). Lanzaboote boot entries
# are discovered via BLS Type #2 on the ESP, so this is not needed.
efi.canTouchEfiVariables = false;
# 1s timeout
timeout = 1;
};
initrd = {
compressor = "zstd";
supportedFilesystems = [ "f2fs" ];
};
};
environment.etc = {
"issue".text = "";
};
# Set your time zone.
time.timeZone = "America/New_York";
hardware.graphics = {
enable = true;
extraPackages = with pkgs; [
libva-vdpau-driver
intel-compute-runtime # OpenCL filter support (hardware tonemapping and subtitle burn-in)
vpl-gpu-rt # QSV on 11th gen or newer
];
};
#fwupd for updating firmware
services.fwupd = {
enable = true;
extraRemotes = [ "lvfs-testing" ];
};
environment.systemPackages = with pkgs; [
helix
lm_sensors
bottom
htop
doas-sudo-shim
neofetch
borgbackup
smartmontools
ripgrep
intel-gpu-tools
iotop
iftop
tmux
wget
powertop
lsof
reflac
pfetch-rs
sbctl
# add `skdump`
libatasmart
];
networking = {
nameservers = [
"1.1.1.1"
"9.9.9.9"
];
hostName = hostname;
hostId = "0f712d56";
firewall.enable = true;
useDHCP = false;
# Disabled because of Jellyfin (various issues)
enableIPv6 = false;
interfaces.${eth_interface} = {
ipv4.addresses = [
{
address = "192.168.1.50";
# address = "10.1.1.102";
prefixLength = 24;
}
];
ipv6.addresses = [
{
address = "fe80::9e6b:ff:fe4d:abb";
prefixLength = 64;
}
];
};
defaultGateway = {
#address = "10.1.1.1";
address = "192.168.1.1";
interface = eth_interface;
};
# TODO! fix this
# defaultGateway6 = {
# address = "fe80::/64";
# interface = eth_interface;
# };
};
users.groups.${service_configs.media_group} = { };
users.users.gitea-runner = {
isSystemUser = true;
group = "gitea-runner";
home = "/var/lib/gitea-runner";
description = "Gitea Actions CI runner";
};
users.groups.gitea-runner = { };
users.users.${username} = {
isNormalUser = true;
extraGroups = [
"wheel"
"video"
"render"
service_configs.media_group
];
hashedPasswordFile = config.age.secrets.hashedPass.path;
};
# https://nixos.wiki/wiki/Fish#Setting_fish_as_your_shell
programs.fish.enable = true;
programs.bash = {
interactiveShellInit = ''
if [[ $(${pkgs.procps}/bin/ps --no-header --pid=$PPID --format=comm) != "fish" && -z ''${BASH_EXECUTION_STRING} ]]
then
shopt -q login_shell && LOGIN_OPTION='--login' || LOGIN_OPTION=""
exec ${pkgs.fish}/bin/fish $LOGIN_OPTION
fi
'';
};
security = {
#lets use doas and not sudo!
doas.enable = true;
sudo.enable = false;
# Configure doas
doas.extraRules = [
{
users = [ username ];
keepEnv = true;
persist = true;
}
];
};
services.murmur = {
enable = true;
openFirewall = true;
welcometext = "meow meow meow meow meow :3 xd";
password = "$MURMURD_PASSWORD";
environmentFile = config.age.secrets.murmur-password-env.path;
port = service_configs.ports.public.murmur.port;
};
# services.botamusique = {
# enable = true;
# settings = {
# server = {port = config.services.murmur.port;
# password = config.services.murmur.password;
# };
# };
# };
# systemd.tmpfiles.rules = [
# "Z /tank/music 775 ${username} users"
# ];
system.stateVersion = "24.11";
}
Reference in New Issue View Git Blame Copy Permalink