numbus/Numbus
1
0
Fork 0
Code Issues Pull Requests 1 Packages Projects Releases Wiki Activity
Files
71465ff4f46e158609c2e72ea1e5ccae92ffbcf6
Numbus/configuration.nix
T
Raphaël Billet d4c2de55f3 Added secrets management for data and parity disks
2025-11-26 21:58:13 +01:00

210 lines
6.0 KiB
Nix
Raw Blame History

{ modulesPath, config, lib, pkgs, inputs, ... }:
let
# Create a list of data disk mount points, e.g. [ "/mnt/data-1" "/mnt/data-2" ]
dataDisks = lib.lists.catAttrs "mountpoint" (
lib.attrsets.filterAttrs (n: v: lib.strings.hasPrefix "data-" n) config.disko.devices.disk
);
# Create a list of parity disk mount points
parityDisks = lib.lists.catAttrs "mountpoint" (
lib.attrsets.filterAttrs (n: v: lib.strings.hasPrefix "parity-" n) config.disko.devices.disk
);
in
{
imports = [
(modulesPath + "/installer/scan/not-detected.nix")
(modulesPath + "/profiles/qemu-guest.nix")
inputs.sops-nix.nixosModules.sops
./disk-config.nix
];
# Hardware settings
hardware.enableRedistributableFirmware = true;
hardware.cpu.intel.updateMicrocode = true;
hardware.cpu.amd.updateMicrocode = true;
# Secrets management
sops.defaultSopsFile = ./secrets/secrets.yaml;
sops.age.sshKeyPaths = [ "/home/numbus-admin/.ssh/id_ed25519" ];
sops.age.keyFile = "/var/lib/sops-nix/key.txt";
sops.age.generateKey = true;
sops.secrets."ssh-public-keys" = { owner = "numbus-admin"; path = "/etc/ssh/authorized_keys.d/numbus-admin"; };
sops.secrets."docker/frigate" = { owner = "numbus-admin"; path = "/etc/docker-compose/frigate/.env"; };
sops.secrets."docker/traefik" = { owner = "numbus-admin"; path = "/etc/docker-compose/traefik/.env"; };
sops.secrets."docker/nextcloud" = { owner = "numbus-admin"; path = "/etc/docker-compose/nextcloud/.env"; };
sops.secrets."docker/passbolt" = { owner = "numbus-admin"; path = "/etc/docker-compose/passbolt/.env"; };
sops.secrets."docker/hass" = { owner = "numbus-admin"; path = "/etc/docker-compose/hass/.env"; };
sops.secrets."docker/pihole" = { owner = "numbus-admin"; path = "/etc/docker-compose/pihole/.env"; };
sops.secrets."disks/data-disk-1" = { owner = "root"; };
sops.secrets."disks/data-disk-2" = { owner = "root"; };
sops.secrets."disks/data-disk-3" = { owner = "root"; };
sops.secrets."disks/data-disk-4" = { owner = "root"; };
sops.secrets."disks/data-disk-5" = { owner = "root"; };
sops.secrets."disks/data-disk-6" = { owner = "root"; };
sops.secrets."disks/parity-disk-1" = { owner = "root"; };
sops.secrets."disks/parity-disk-2" = { owner = "root"; };
sops.secrets."disks/parity-disk-3" = { owner = "root"; };
# Bootloader options
boot.initrd.systemd.enable = true;
boot.loader.systemd-boot.enable = true;
boot.loader.efi.canTouchEfiVariables = true;
# Timezone
time.timeZone = "Europe/Paris";
# Internationalisation properties.
i18n.defaultLocale = "fr_FR.UTF-8";
i18n.extraLocaleSettings = {
LC_ADDRESS = "fr_FR.UTF-8";
LC_IDENTIFICATION = "fr_FR.UTF-8";
LC_MEASUREMENT = "fr_FR.UTF-8";
LC_MONETARY = "fr_FR.UTF-8";
LC_NAME = "fr_FR.UTF-8";
LC_NUMERIC = "fr_FR.UTF-8";
LC_PAPER = "fr_FR.UTF-8";
LC_TELEPHONE = "fr_FR.UTF-8";
LC_TIME = "fr_FR.UTF-8";
};
# Keyboard mapping
console.keyMap = "fr";
services.xserver.xkb = {
layout = "fr";
variant = "";
};
# Enable SSH
services.openssh = {
enable = true;
};
# Allow unfree packages
nixpkgs.config.allowUnfree = true;
# Install packages
environment.systemPackages = with pkgs; [
ncdu
fastfetch
tpm2-tss
sops
age
powertop
pciutils
hdparm
hd-idle
hddtemp
smartmontools
cpufrequtils
intel-gpu-tools
];
# Power savings
services.autoaspm.enable = true;
powerManagement.powertop.enable = true;
boot.kernelParams = [
"pcie_aspm=force"
"consoleblank=60"
];
# Enable cron service
services.cron = {
enable = true;
systemCronJobs = [
];
};
# Enable docker
virtualisation.docker.enable = true;
virtualisation.docker.daemon.settings = {
data-root = "/mnt/config-storage/docker-data/docker-volumes/";
};
# Enable networking and firewall
networking.interfaces.eth0.ipv4.addresses = [
{
address = "HOME_SERVER_IP";
prefixLength = 24;
}
];
networking.defaultGateway = "HOME_ROUTER_IP";
networking.nameservers = [ "HOME_SERVER_IP" "9.9.9.9" ];
networking.networkmanager.enable = true;
networking.firewall.enable = true;
# Open ports in the firewall
networking.firewall.allowPing = false;
networking.firewall.allowedTCPPorts = [ 53 80 443 ];
networking.firewall.allowedUDPPorts = [ 53 ];
# Hostname
networking.hostName = "numbus-server";
# User account
users.users.numbus-admin = {
isNormalUser = true;
description = "Numbus Admin";
extraGroups = [ "networkmanager" "wheel" "docker" ];
uid = 1000;
initialPassword = "nixos-at-numbus";
};
# Login message
environment.loginShellInit = ''
if [ "$(id -u)" -eq 1000 ]; then
if [ -n "$SSH_TTY" ]; then
fastfetch
echo -e "\n\nWelcome to numbus.eu server !\n\n- This system is managed by NixOS\n- All changes are futile\n- Please consider buying support if you can't get your server running\n- Have a nice day and enjoy !"
fi
fi
'';
# Enable auto updates
system.autoUpgrade = {
enable = true;
allowReboot = true;
flake = inputs.self.outPath;
flags = [ "--print-build-logs" ];
dates = "02:00";
randomizedDelaySec = "45min";
};
# Enable NixOS flakes
nix.settings.experimental-features = [ "nix-command" "flakes" ];
# --- Storage Configuration (MergerFS & SnapRAID) ---
# Create the mount point for the MergerFS pool
fileSystems."/mnt/data-storage" = {
device = "mergerfs";
fsType = "fuse";
options = [
"defaults"
"allow_other"
"use_ino"
"cache.files=off"
"moveonenospc=true"
"category.create=mfs"
"srcmounts=${lib.strings.concatStringsSep ":" dataDisks}"
];
};
# SnapRAID for data redundancy
services.snapraid = {
enable = true;
content = map (disk: "${disk}/snapraid.content") dataDisks;
parity = map (disk: "${disk}/snapraid.parity") parityDisks;
data = dataDisks;
runner = {
enable = true;
diffAndSyncOn = "04:00"; # Daily at 4am
scrubOn = "Sun 05:00"; # Weekly on Sunday at 5am
};
};
system.stateVersion = "25.05";
}
Reference in New Issue View Git Blame Copy Permalink