dotfiles/hosts/swan/default.nix

# The Swan
# System configuration for my home NAS server

{
  inputs,
  globals,
  overlays,
  ...
}:

inputs.nixpkgs.lib.nixosSystem rec {
  system = "x86_64-linux";
  specialArgs = {
    pkgs-caddy = import inputs.nixpkgs-caddy { inherit system; };
  };
  modules = [
    globals
    inputs.home-manager.nixosModules.home-manager
    inputs.disko.nixosModules.disko
    ../../modules/common
    ../../modules/nixos
    {
      nixpkgs.overlays = overlays;

      # Hardware
      server = true;
      physical = true;
      networking.hostName = "swan";

      # Not sure what's necessary but too afraid to remove anything
      boot.initrd.availableKernelModules = [
        "xhci_pci"
        "ahci"
        "nvme"
        "usb_storage"
        "sd_mod"
      ];

      # Required for transcoding
      boot.initrd.kernelModules = [ "amdgpu" ];
      boot.kernelParams = [
        "radeon.si_support=0"
        "amdgpu.si_support=1"
        "radeon.cik_support=0"
        "amdgpu.cik_support=1"
        "amdgpu.dc=1"
      ];

      # Required binary blobs to boot on this machine
      hardware.enableRedistributableFirmware = true;

      # Prioritize efficiency over performance
      powerManagement.cpuFreqGovernor = "powersave";

      # Allow firmware updates
      hardware.cpu.intel.updateMicrocode = true;

      # ZFS
      zfs.enable = true;
      # Generated with: head -c 8 /etc/machine-id
      networking.hostId = "600279f4"; # Random ID required for ZFS

      # Sets root ext4 filesystem instead of declaring it manually
      disko = {
        enableConfig = true;
        devices = (import ../../disks/root.nix { disk = "/dev/nvme0n1"; });
      };

      boot.zfs = {
        # Automatically load the ZFS pool on boot
        extraPools = [ "tank" ];
        # Only try to decrypt datasets with keyfiles
        requestEncryptionCredentials = [
          "tank/archive"
          "tank/generic"
          "tank/nextcloud"
          "tank/generic/git"
        ];
        # If password is requested and fails, continue to boot eventually
        passwordTimeout = 300;
      };

      # Theming

      # Server doesn't require GUI
      gui.enable = false;

      # Still require colors for programs like Neovim, K9S
      theme = {
        colors = (import ../../colorscheme/gruvbox-dark).dark;
      };

      # Programs and services
      atuin.enable = true;
      neovim.enable = true;
      cloudflare.enable = true;
      dotfiles.enable = true;
      arrs.enable = true;
      services.bind.enable = true;
      services.caddy.enable = true;
      services.jellyfin.enable = true;
      services.nextcloud.enable = true;
      services.calibre-web.enable = true;
      services.openssh.enable = true;
      services.prometheus.enable = false;
      services.vmagent.enable = true;
      services.samba.enable = true;
      services.paperless.enable = true;
      services.postgresql.enable = true;

      # Allows private remote access over the internet
      cloudflareTunnel = {
        enable = true;
        id = "646754ac-2149-4a58-b51a-e1d0a1f3ade2";
        credentialsFile = ../../private/cloudflared-swan.age;
        ca = "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBCHF/UMtJqPFrf6f6GRY0ZFnkCW7b6sYgUTjTtNfRj1RdmNic1NoJZql7y6BrqQinZvy7nsr1UFDNWoHn6ah3tg= open-ssh-ca@cloudflareaccess.org";
      };

      # Send regular backups and litestream for DBs to an S3-like bucket
      backup.s3 = {
        endpoint = "s3.us-west-002.backblazeb2.com";
        bucket = "noahmasur-backup";
        accessKeyId = "0026b0e73b2e2c80000000005";
      };

      # Disable passwords, only use SSH key
      publicKeys = [
        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIB+AbmjGEwITk5CK9y7+Rg27Fokgj9QEjgc9wST6MA3s personal"
      ];
    }
  ];
}
initial setup for swan and staff 2023-02-18 15:24:54 +00:00			`# The Swan`
			`# System configuration for my home NAS server`

apply new nix fmt specification 2024-04-13 13:03:44 +00:00			`{`
			`inputs,`
			`globals,`
			`overlays,`
			`...`
			`}:`
initial setup for swan and staff 2023-02-18 15:24:54 +00:00
add nixpkgs-caddy into swan 2024-06-19 16:51:16 +00:00			`inputs.nixpkgs.lib.nixosSystem rec {`
initial setup for swan and staff 2023-02-18 15:24:54 +00:00			`system = "x86_64-linux";`
add nixpkgs-caddy into swan 2024-06-19 16:51:16 +00:00			`specialArgs = {`
			`pkgs-caddy = import inputs.nixpkgs-caddy { inherit system; };`
			`};`
initial setup for swan and staff 2023-02-18 15:24:54 +00:00			`modules = [`
fix: swan globals not included 2023-03-20 03:36:15 +00:00			`globals`
clean up flake and reset neovim plugin versions 2023-07-02 02:22:03 +00:00			`inputs.home-manager.nixosModules.home-manager`
			`inputs.disko.nixosModules.disko`
merge swan hardware file into host config 2023-06-03 15:12:04 +00:00			`../../modules/common`
			`../../modules/nixos`
initial setup for swan and staff 2023-02-18 15:24:54 +00:00			`{`
improve hosts documentation 2023-08-05 21:14:26 +00:00			`nixpkgs.overlays = overlays;`

cleanup comments and unneeded code 2023-07-01 21:33:24 +00:00			`# Hardware`
initial setup for swan and staff 2023-02-18 15:24:54 +00:00			`server = true;`
fix: swan not using avahi because not set as physical 2023-07-17 15:38:08 +00:00			`physical = true;`
rearrange swan settings 2023-02-27 02:50:24 +00:00			`networking.hostName = "swan";`

improve hosts documentation 2023-08-05 21:14:26 +00:00			`# Not sure what's necessary but too afraid to remove anything`
apply new nix fmt specification 2024-04-13 13:03:44 +00:00			`boot.initrd.availableKernelModules = [`
			`"xhci_pci"`
			`"ahci"`
			`"nvme"`
			`"usb_storage"`
			`"sd_mod"`
			`];`
cleanup comments and unneeded code 2023-07-01 21:33:24 +00:00
			`# Required for transcoding`
fix: headless hardware acceleration requires kernel module and firmware 2023-06-04 16:14:11 +00:00			`boot.initrd.kernelModules = [ "amdgpu" ];`
possible fix for amdgpu driver with kernel params 2023-06-18 14:28:02 +00:00			`boot.kernelParams = [`
			`"radeon.si_support=0"`
			`"amdgpu.si_support=1"`
			`"radeon.cik_support=0"`
			`"amdgpu.cik_support=1"`
			`"amdgpu.dc=1"`
			`];`
improve hosts documentation 2023-08-05 21:14:26 +00:00
			`# Required binary blobs to boot on this machine`
fix: headless hardware acceleration requires kernel module and firmware 2023-06-04 16:14:11 +00:00			`hardware.enableRedistributableFirmware = true;`
cleanup comments and unneeded code 2023-07-01 21:33:24 +00:00
improve hosts documentation 2023-08-05 21:14:26 +00:00			`# Prioritize efficiency over performance`
merge swan hardware file into host config 2023-06-03 15:12:04 +00:00			`powerManagement.cpuFreqGovernor = "powersave";`
improve hosts documentation 2023-08-05 21:14:26 +00:00
			`# Allow firmware updates`
merge swan hardware file into host config 2023-06-03 15:12:04 +00:00			`hardware.cpu.intel.updateMicrocode = true;`
fix: fully enable zfs 2023-02-26 13:23:31 +00:00
merge swan hardware file into host config 2023-06-03 15:12:04 +00:00			`# ZFS`
rearrange swan settings 2023-02-27 02:50:24 +00:00			`zfs.enable = true;`
cleanup comments and unneeded code 2023-07-01 21:33:24 +00:00			`# Generated with: head -c 8 /etc/machine-id`
merge swan hardware file into host config 2023-06-03 15:12:04 +00:00			`networking.hostId = "600279f4"; # Random ID required for ZFS`
improve hosts documentation 2023-08-05 21:14:26 +00:00
			`# Sets root ext4 filesystem instead of declaring it manually`
refactor apps and separate disko disks format-root app still not working 2023-02-27 00:53:51 +00:00			`disko = {`
			`enableConfig = true;`
setup but don't use generic zfs config 2023-02-27 01:49:46 +00:00			`devices = (import ../../disks/root.nix { disk = "/dev/nvme0n1"; });`
refactor apps and separate disko disks format-root app still not working 2023-02-27 00:53:51 +00:00			`};`
improve hosts documentation 2023-08-05 21:14:26 +00:00
fix: zfs noauto encrypted pool still requesting passphrase on reboot 2024-03-04 13:01:07 +00:00			`boot.zfs = {`
			`# Automatically load the ZFS pool on boot`
			`extraPools = [ "tank" ];`
			`# Only try to decrypt datasets with keyfiles`
apply new nix fmt specification 2024-04-13 13:03:44 +00:00			`requestEncryptionCredentials = [`
			`"tank/archive"`
			`"tank/generic"`
			`"tank/nextcloud"`
color update and decrypt git zfs dataset 2024-04-14 04:07:04 +00:00			`"tank/generic/git"`
apply new nix fmt specification 2024-04-13 13:03:44 +00:00			`];`
fix: zfs noauto encrypted pool still requesting passphrase on reboot 2024-03-04 13:01:07 +00:00			`# If password is requested and fails, continue to boot eventually`
			`passwordTimeout = 300;`
			`};`
fix: fully enable zfs 2023-02-26 13:23:31 +00:00
improve hosts documentation 2023-08-05 21:14:26 +00:00			`# Theming`

			`# Server doesn't require GUI`
initial setup for swan and staff 2023-02-18 15:24:54 +00:00			`gui.enable = false;`
improve hosts documentation 2023-08-05 21:14:26 +00:00
			`# Still require colors for programs like Neovim, K9S`
apply new nix fmt specification 2024-04-13 13:03:44 +00:00			`theme = {`
color update and decrypt git zfs dataset 2024-04-14 04:07:04 +00:00			`colors = (import ../../colorscheme/gruvbox-dark).dark;`
apply new nix fmt specification 2024-04-13 13:03:44 +00:00			`};`
improve hosts documentation 2023-08-05 21:14:26 +00:00
			`# Programs and services`
setup atuin synced shell history for user and root 2024-01-21 14:42:46 +00:00			`atuin.enable = true;`
rearrange swan settings 2023-02-27 02:50:24 +00:00			`neovim.enable = true;`
enable cloudflare IP filtering forgot to turn this on before 2023-04-16 20:59:52 +00:00			`cloudflare.enable = true;`
cleanup comments and unneeded code 2023-07-01 21:33:24 +00:00			`dotfiles.enable = true;`
remote prometheus and reconfig server modules 2023-07-04 22:20:43 +00:00			`arrs.enable = true;`
use bind for local dns 2023-07-18 03:52:37 +00:00			`services.bind.enable = true;`
remote prometheus and reconfig server modules 2023-07-04 22:20:43 +00:00			`services.caddy.enable = true;`
			`services.jellyfin.enable = true;`
			`services.nextcloud.enable = true;`
			`services.calibre-web.enable = true;`
fix: cloudflare tunnel on tempest requires openssh, but removing public key 2023-07-13 03:33:35 +00:00			`services.openssh.enable = true;`
add victoriametrics 2023-07-16 13:50:58 +00:00			`services.prometheus.enable = false;`
			`services.vmagent.enable = true;`
remote prometheus and reconfig server modules 2023-07-04 22:20:43 +00:00			`services.samba.enable = true;`
enable paperless-ngx document management 2023-11-10 03:37:34 +00:00			`services.paperless.enable = true;`
add postgres to swan 2024-01-17 00:58:01 +00:00			`services.postgresql.enable = true;`
initial setup for swan and staff 2023-02-18 15:24:54 +00:00
improve hosts documentation 2023-08-05 21:14:26 +00:00			`# Allows private remote access over the internet`
pass cloudflare tunnel info to module 2023-06-19 12:30:30 +00:00			`cloudflareTunnel = {`
			`enable = true;`
			`id = "646754ac-2149-4a58-b51a-e1d0a1f3ade2";`
			`credentialsFile = ../../private/cloudflared-swan.age;`
apply new nix fmt specification 2024-04-13 13:03:44 +00:00			`ca = "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBCHF/UMtJqPFrf6f6GRY0ZFnkCW7b6sYgUTjTtNfRj1RdmNic1NoJZql7y6BrqQinZvy7nsr1UFDNWoHn6ah3tg= open-ssh-ca@cloudflareaccess.org";`
pass cloudflare tunnel info to module 2023-06-19 12:30:30 +00:00			`};`

improve hosts documentation 2023-08-05 21:14:26 +00:00			`# Send regular backups and litestream for DBs to an S3-like bucket`
enable backups without any specific 2023-02-28 02:02:45 +00:00			`backup.s3 = {`
			`endpoint = "s3.us-west-002.backblazeb2.com";`
			`bucket = "noahmasur-backup";`
			`accessKeyId = "0026b0e73b2e2c80000000005";`
			`};`

initial setup for swan and staff 2023-02-18 15:24:54 +00:00			`# Disable passwords, only use SSH key`
introduce arrow host and deployment 2024-03-24 17:16:20 +00:00			`publicKeys = [`
			`"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIB+AbmjGEwITk5CK9y7+Rg27Fokgj9QEjgc9wST6MA3s personal"`
			`];`
initial setup for swan and staff 2023-02-18 15:24:54 +00:00			`}`
			`];`
			`}`