# NixOS host configuration for "nixbox": ext4 root plus a vfat ESP, a ZFS pool
# mounted at /zpool that holds the Transmission directories, Jellyfin and
# Transmission services, and a hand-written nftables ruleset that replaces the
# table generated by the networking.firewall module.
{
  config,
  lib,
  pkgs,
  modulesPath,
  ...
}: {
  imports = [
    # Installer stub used when no hardware scan is present; presumably this is
    # where hardware.enableRedistributableFirmware (read at the bottom) gets its
    # default — confirm against the pinned nixpkgs.
    (modulesPath + "/installer/scan/not-detected.nix")
    ../profiles/hyprland.nix
    ../profiles/default.nix
    ../users/willem/home/linux.nix
    # The nftables rules below refer to "zt*" and "tun0" interfaces; these two
    # modules are presumably what create them — verify in the modules.
    ../modules/zerotier.nix
    ../modules/nordvpn.nix
  ];

  # Initrd module list in the shape nixos-generate-config emits; amdgpu is
  # loaded after the initrd stage.
  boot.initrd.availableKernelModules = ["xhci_pci" "ahci" "nvme" "usbhid" "usb_storage" "sd_mod"];
  boot.initrd.kernelModules = [];
  boot.kernelModules = ["amdgpu"];
  boot.extraModulePackages = [];

  # UEFI boot through systemd-boot; canTouchEfiVariables allows boot entries to
  # be written into firmware NVRAM.
  boot.loader.systemd-boot.enable = true;
  boot.loader.efi.canTouchEfiVariables = true;

  # ZFS is only used for the /zpool data pool (root is ext4), so a forced root
  # import is not needed.
  boot.supportedFilesystems = ["zfs"];
  boot.zfs.forceImportRoot = false;
  # Stable host id; ZFS records it in the pool to detect a pool last imported
  # by a different host, so keep this value together with the pool.
  networking.hostId = "06818aaa";

  # AMD graphics with the amdvlk Vulkan driver. NOTE(review): newer NixOS
  # releases rename hardware.opengl.* to hardware.graphics.* — check which the
  # pinned nixpkgs expects.
  hardware.opengl.driSupport = true;
  hardware.opengl.enable = true;

  hardware.opengl.extraPackages = with pkgs; [
    amdvlk
  ];

  # Disk layout addressed by UUID; these values are host-specific and must be
  # regenerated if the disks change.
  fileSystems."/" = {
    device = "/dev/disk/by-uuid/9b616ca8-63fe-4d81-a13e-25c9a95a1a55";
    fsType = "ext4";
  };

  fileSystems."/boot" = {
    device = "/dev/disk/by-uuid/4FEE-904E";
    fsType = "vfat";
  };

  # ZFS pool named "zpool" mounted at /zpool; Transmission's download
  # directories below live on it.
  fileSystems."/zpool" = {
    device = "zpool";
    fsType = "zfs";
  };

  environment.systemPackages = [pkgs.zfs];

  # Jellyfin. openFirewall would add Jellyfin's ports to the firewall module's
  # nftables table, but that table is force-emptied further down, so the
  # explicit Jellyfin rules in the hand-written ruleset appear to be what
  # actually admits traffic — verify with `nft list ruleset` on the host.
  services.jellyfin.enable = true;
  services.jellyfin.openFirewall = true;

  services.transmission = {
    enable = true;

    # NOTE(review): `rec` is unused here; no attribute refers to a sibling.
    settings = rec {
      download-dir = "/zpool/torrents/complete";
      incomplete-dir = "/zpool/torrents/incomplete";
      incomplete-dir-enabled = true;
      # The RPC/web UI binds to every interface with both the address whitelist
      # and the host whitelist disabled, and nothing in this block sets
      # rpc-authentication-required, so anyone who can reach TCP 9091 (opened
      # below and again in the nftables ruleset) controls the daemon. Binding
      # to a loopback or ZeroTier address, or keeping the whitelist on and
      # requiring authentication, would confine it.
      rpc-enabled = true;
      rpc-bind-address = "0.0.0.0";
      rpc-whitelist-enabled = false;
      rpc-host-whitelist-enabled = false;
    };
  };

  # These firewall-module options populate the nixos-fw nftables table, which
  # the mkForce "" below empties, so they appear to have no effect on this
  # host; the hand-written ruleset is what is enforced. UDP 9091 is opened
  # here although Transmission's RPC is HTTP over TCP.
  networking.firewall.allowedTCPPorts = [9091];
  networking.firewall.allowedUDPPorts = [9091];

  # Logging options of the firewall module; presumably also inert once the
  # nixos-fw table is emptied — confirm on the host.
  networking.firewall.logRefusedConnections = true;
  networking.firewall.logRefusedPackets = true;

  # Use the nftables backend and flush pre-existing rules on activation.
  networking.nftables.enable = true;
  networking.nftables.flushRuleset = true;

  # Blank out the table generated by networking.firewall so only the ruleset
  # below is applied.
  networking.nftables.tables."nixos-fw".content = lib.mkForce "";

  # Intended to exempt ZeroTier interfaces; in practice the
  # `iifname "zt*" accept` rule in the ruleset below does this.
  networking.firewall.trustedInterfaces = ["zt*"];

  swapDevices = [];

  # Host firewall. Reviewer notes on the rules (kept out here so the ruleset
  # text itself is unchanged):
  #  * The input chain declares no policy and ends with a bare `accept` while
  #    `counter drop` is commented out, so every per-port accept above it is
  #    redundant and all inbound traffic is admitted. The "drop all other
  #    packets" comment describes intent, not current behaviour.
  #  * Before re-enabling the drop, the chain also needs ICMPv6 rules — in an
  #    `inet` table `ip protocol icmp` matches IPv4 only, so IPv6 neighbour
  #    discovery would be dropped — and a rule for Transmission's peer port,
  #    which is not listed.
  #  * The output chain rejects traffic from processes with gid 70 unless it
  #    leaves via lo, tun0 or a ZeroTier interface; presumably a VPN kill switch
  #    for a group created by the nordvpn module — confirm which group that is.
  #  * The forward chain accepts everything; harmless unless IP forwarding is
  #    enabled elsewhere in the configuration.
  networking.nftables.ruleset = ''
    table inet filter {
      chain input {
        type filter hook input priority 0;

        # accept all localhost and zerotier traffic
        iifname lo accept
        iifname "zt*" accept

        # accept traffic sent by us
        ct state {established, related} accept

        # ICMP
        # routers may also want: mld-listener-query, nd-router-solicit
        ip protocol icmp icmp type { destination-unreachable, router-advertisement, time-exceeded, parameter-problem } accept

        # allow "ping"
        ip protocol icmp icmp type echo-request accept

        # jellyfin
        tcp dport 8096 accept
        tcp dport 8920 accept
        udp dport 1900 accept
        udp dport 7359 accept

        # transmission web ui
        tcp dport 9091 accept

        # zerotier
        udp dport 9993 accept
        tcp dport 9993 accept

        # ssh
        tcp dport 22 accept

        # drop all other packets
        #counter drop
        accept
      }

      chain output {
        type filter hook output priority 0;

        oifname != { "lo", "tun0", "zt*" } skgid 70 counter reject

        # zerotier
        oifname "zt*" accept
        udp dport 9993 accept
        tcp dport 9993 accept

        accept
      }

      chain forward {
        type filter hook forward priority 0;
        accept
      }
    }
  '';

  networking.useDHCP = lib.mkDefault true;

  networking.hostName = "nixbox";

  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
  powerManagement.cpuFreqGovernor = lib.mkDefault "performance";
  # Intel microcode on a host with an AMD GPU (amdgpu above) is consistent with
  # an Intel CPU; the value follows enableRedistributableFirmware, which is
  # presumably defaulted by not-detected.nix — confirm.
  hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
}