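{ lib, pkgs, inputs, outputs, config, modulesPath, ... }:
# NixOS host "wheatley": aarch64 SD-card image running a media stack
# (radarr/sonarr/prowlarr/aria2/jellyfin/ombi), a jellyfin-media-player kiosk
# under cage, a WebDAV mount, and a WireGuard hub (wg1) with dnsmasq for peers.
{
  imports = [
    # inputs.nixos-hardware.nixosModules.raspberry-pi-4
    (modulesPath + "/installer/sd-card/sd-image-aarch64.nix")
    ./hardware-configuration.nix
    # Import shared settings
    ../../shared
  ];

  # The SD-image installer builds a modules closure for the initrd; tolerate
  # modules that the kernel forced below does not ship instead of failing the build.
  nixpkgs.overlays = [
    (final: super: {
      makeModulesClosure = x: super.makeModulesClosure (x // { allowMissing = true; });
    })
  ];

  # Allow executing anything on the system with a comma, e.g. `, python` runs
  # python from the nix store even if it is not in $PATH currently.
  programs.command-not-found.enable = lib.mkForce false;
  programs.nix-index.enable = true;
  programs.nix-index-database.comma.enable = true;

  services.automatic-timezoned.enable = true;

  # sops: where the encrypted secrets live. Each secret below sets its own
  # mode/owner so the decrypted file is readable only by the service that needs it.
  sops.defaultSopsFile = ./secrets/sops.yaml;

  boot.kernelPackages = lib.mkForce pkgs.linuxPackages_latest;
  # Modules that must be available in the initrd.
  boot.initrd.kernelModules = [ "vc4" "bcm2835_dma" "i2c_bcm2835" ];
  # cma=256M and console=tty0 are kernel command-line parameters, not modules;
  # they were previously listed in initrd.kernelModules where they cannot take effect.
  boot.kernelParams = [ "cma=256M" "console=tty0" ];
  sdImage.compressImage = false;

  home-manager = {
    extraSpecialArgs = { inherit inputs outputs; };
    users = {
      # Import your home-manager configuration
      lillian = import ../../../home-manager/hosts/wheatley;
    };
  };

  networking.hostName = "wheatley";

  services.openssh = {
    enable = true;
    # require public key authentication for better security
    settings.PasswordAuthentication = false;
    settings.KbdInteractiveAuthentication = false;
    settings.PermitRootLogin = "no";
  };

  # ---- media stack ---------------------------------------------------------

  users.groups = {
    aria2 = { };
    jellyfinmediaplayer = { };
  };

  users.users = {
    # Shared group membership so the *arr services, ombi and aria2 can read
    # each other's files.
    ombi.extraGroups = [ "radarr" "sonarr" "aria2" ];
    radarr.extraGroups = [ "aria2" ];
    sonarr.extraGroups = [ "aria2" ];
    aria2 = {
      isSystemUser = true;
      group = "aria2";
    };
    # Kiosk user; its home also holds the WebDAV mount point below.
    jellyfinmediaplayer = {
      isNormalUser = true;
      group = "jellyfinmediaplayer";
      # NOTE(review): the davfs mount below hard-codes uid=1003 for this user;
      # pin `uid = 1003;` here (after confirming it on the running system) so
      # the two values cannot drift apart on a reinstall.
    };
    jellyfin.extraGroups = [ "jellyfinmediaplayer" ];
  };

  services.ombi = {
    enable = true;
    port = 2368;
  };

  services = {
    #uses port 7878
    radarr.enable = true;
    #uses port 8989
    sonarr.enable = true;
    prowlarr.enable = true;
    #uses port 8096
    jellyfin.enable = true;
  };

  # WebDAV credentials for davfs2: root-only, at the path davfs2 reads them from.
  sops.secrets."webdav-secret" = {
    mode = "0600";
    path = "/etc/davfs2/secrets";
  };
  services.davfs2.enable = true;
  systemd.mounts = [
    {
      enable = true;
      description = "Webdav mount point";
      after = [ "network-online.target" ];
      wants = [ "network-online.target" ];
      what = "https://nextcloud.gladtherescake.eu/remote.php/dav/files/GLaDTheresCake";
      where = "/home/jellyfinmediaplayer/nextcloud";
      # uid 1003 is expected to be jellyfinmediaplayer; gid 100 is the "users" group.
      options = "uid=1003,gid=100,file_mode=0664,dir_mode=2775";
      type = "davfs";
    }
  ];

  # jellyfin-media-player kiosk on wayland via cage :)
  services.cage = {
    enable = true;
    user = "jellyfinmediaplayer";
    program = "${pkgs.jellyfin-media-player}/bin/jellyfinmediaplayer";
    extraArguments = [ "-f" ];
  };

  # aria2 RPC secret: readable only by the aria2 user (and root).
  sops.secrets."rpcSecret" = {
    mode = "0440";
    owner = config.users.users.aria2.name;
  };
  services.aria2 = {
    enable = true;
    settings = {
      dir = "/var/lib/media";
      rpc-listen-port = 6969;
    };
    rpcSecretFile = config.sops.secrets."rpcSecret".path;
  };

  environment.systemPackages = [
    # (pkgs.kodi.withPackages (kodiPkgs:
    #   with kodiPkgs; [
    #     steam-controller
    #     invidious
    #     netflix
    #     upnext
    #     sponsorblock
    #     sendtokodi
    #     jellyfin
    #   ]))
    pkgs.iptables
  ];

  # ---- WireGuard -----------------------------------------------------------

  # Private keys stay in files referenced via privateKeyFile; an inline
  # privateKey would land in the world-readable nix store.
  # protonvpn-priv-key is only consumed by the commented-out wg0 interface
  # below, yet it is still decrypted at activation while declared here.
  sops.secrets."protonvpn-priv-key" = {
    mode = "0440";
    owner = config.users.users.root.name;
  };
  sops.secrets."wg-private-key" = {
    mode = "0440";
    owner = config.users.users.root.name;
  };

  networking.wireguard.enable = true;
  networking.wg-quick.interfaces = {
    # # "wg0" is the network interface name. You can name the interface arbitrarily.
    # wg0 = {
    #   autostart = true;
    #   # Determines the IP address and subnet of the server's end of the tunnel interface.
    #   address = ["10.2.0.2/32"];
    #   # The port that WireGuard listens to. Must be accessible by the client.
    #   listenPort = 51820;
    #   dns = ["10.2.0.1"];
    #   # Path to the private key file.
    #   #
    #   # Note: The private key can also be included inline via the privateKey option,
    #   # but this makes the private key world-readable; thus, using privateKeyFile is
    #   # recommended.
    #   privateKeyFile = config.sops.secrets."protonvpn-priv-key".path;
    #   peers = [
    #     # List of allowed peers.
    #     {
    #       # Feel free to give a meaning full name
    #       # Public key of the peer (not a file path).
    #       publicKey = "/i7jCNpcqVBUkY07gVlILN4nFdvZHmxvreAOgLGoZGg=";
    #       # List of IPs assigned to this peer within the tunnel subnet. Used to configure routing.
    #       allowedIPs = ["0.0.0.0/0"];
    #       endpoint = "146.70.86.114:51820";
    #     }
    #   ];
    # };

    # wg public key for host: A02sO7uLdgflhPIRd0cbJONIaPP4z8HTxDkmX4NegFg=
    wg1 = {
      # Determines the IP address and subnet of the server's end of the tunnel interface.
      address = [ "10.0.0.1/24" "fdc9:281f:04d7:9ee9::1/64" ];
      # The port that WireGuard listens to. Must be accessible by the client.
      listenPort = 51821;
      # This allows the wireguard server to route your traffic to the internet and hence be like a VPN.
      # The interface names match this interface (wg1) and networking.nat.externalInterface (end0);
      # the previous rules referenced wg0/eth0 and so never matched any traffic.
      # The IPv4 MASQUERADE duplicates what networking.nat below installs; the ip6tables rule is
      # the only IPv6 NAT since networking.nat.enableIPv6 is not set.
      postUp = ''
        ${pkgs.iptables}/bin/iptables -A FORWARD -i wg1 -j ACCEPT
        ${pkgs.iptables}/bin/iptables -t nat -A POSTROUTING -s 10.0.0.1/24 -o end0 -j MASQUERADE
        ${pkgs.iptables}/bin/ip6tables -A FORWARD -i wg1 -j ACCEPT
        ${pkgs.iptables}/bin/ip6tables -t nat -A POSTROUTING -s fdc9:281f:04d7:9ee9::1/64 -o end0 -j MASQUERADE
      '';
      # Undo the above
      preDown = ''
        ${pkgs.iptables}/bin/iptables -D FORWARD -i wg1 -j ACCEPT
        ${pkgs.iptables}/bin/iptables -t nat -D POSTROUTING -s 10.0.0.1/24 -o end0 -j MASQUERADE
        ${pkgs.iptables}/bin/ip6tables -D FORWARD -i wg1 -j ACCEPT
        ${pkgs.iptables}/bin/ip6tables -t nat -D POSTROUTING -s fdc9:281f:04d7:9ee9::1/64 -o end0 -j MASQUERADE
      '';
      privateKeyFile = config.sops.secrets."wg-private-key".path;
      # Each peer's allowedIPs must be unique on the interface: WireGuard's
      # cryptokey routing assigns an IP to at most one peer, and a later peer
      # claiming the same IP silently takes it away from the earlier one.
      peers = [
        {
          #GLaDOS public key
          publicKey = "yieF2yQptaE3jStoaGytUnN+HLxyVhFBZIUOGUNAV38=";
          allowedIPs = [ "10.0.0.2/32" "fdc9:281f:04d7:9ee9::2/128" ];
        }
        {
          #EDI public key
          publicKey = "i4nDZbU+a2k5C20tFJRNPVE1vhYKJwhoqGHEdeC4704=";
          allowedIPs = [ "10.0.0.3/32" "fdc9:281f:04d7:9ee9::3/128" ];
        }
        {
          #Shodan public key
          # IPv6 host number follows IPv4 (.4 -> ::4); it was ::3, colliding with EDI.
          # The peer's own tunnel address must be updated to match.
          publicKey = "Zah2nZDaHF8jpP5AtMA5bhE7t38fMB2UHzbXAc96/jw=";
          allowedIPs = [ "10.0.0.4/32" "fdc9:281f:04d7:9ee9::4/128" ];
        }
        {
          #ADA public key
          # IPv6 host number follows IPv4 (.5 -> ::5); it was ::3, colliding with EDI.
          # The peer's own tunnel address must be updated to match.
          publicKey = "SHu7xxRVWuqp4U4uipMoITKrFPWZATGsJevUeqBSzWo=";
          allowedIPs = [ "10.0.0.5/32" "fdc9:281f:04d7:9ee9::5/128" ];
        }
      ];
    };
  };

  # DNS for VPN peers only: dnsmasq serves wg1, not the uplink.
  services.dnsmasq = {
    enable = true;
    settings = {
      interface = "wg1";
    };
  };

  boot.kernel.sysctl = {
    "net.ipv4.ip_forward" = 1;
    "net.ipv6.conf.all.forwarding" = 1;
  };

  # enable NAT (IPv4) from the tunnel to the uplink
  networking.nat.enable = true;
  networking.nat.externalInterface = "end0";
  networking.nat.internalInterfaces = [ "wg1" ];

  networking.firewall = {
    enable = true;
    allowPing = false;
    # Ports open on every interface.
    allowedTCPPorts = [
      22 # SSH
      5349 # STUN tls
      5350 # STUN tls alt
      80 # http
      443 # https
      7878 # radarr web UI
      # 80/443/5349/5350 and the TURN relay range have no matching service in
      # this file; presumably they belong to services defined in ../../shared.
    ];
    allowedUDPPortRanges = [
      {
        from = 51820;
        to = 51822; # wg (wg1 listens on 51821). WireGuard is UDP only, so no TCP port is opened for it.
      }
      { from = 49152; to = 49999; } # TURN relay
    ];
    # dnsmasq only answers on wg1, so expose DNS there rather than on the uplink.
    interfaces.wg1 = {
      allowedTCPPorts = [ 53 ]; # dnsmasq
      allowedUDPPorts = [ 53 ]; # dnsmasq
    };
  };

  system.stateVersion = "25.05";
  nixpkgs.hostPlatform = lib.mkForce "aarch64-linux";
}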