3/20

2026-03-07 12:05:37 -06:00 · 2026-03-07 12:05:37 -06:00 · 235f903c1d
commit 235f903c1d
parent 817aa75f84
25 changed files with 523 additions and 269 deletions
--- a/nixos/zen/configuration.nix
+++ b/nixos/zen/configuration.nix
@ -8,31 +8,86 @@
  imports = [
    ./hardware-configuration.nix
  ];
-  sops.secrets = {
-    "password" = {
-      sopsFile = ../../secrets/k8s.yaml;
-    };
-    forgejo-runner = {
-      sopsFile = ../../secrets/forgejo-runner.yaml;
+  boot = {
+    kernel.sysctl = {
+      "vm.swappiness" = 6;
+    };
+  };
+  sops = {
+    secrets = {
+      "password".sopsFile = ../../secrets/k8s.yaml;
+      forgejo-runner.sopsFile = ../../secrets/forgejo-runner.yaml;
+      "b2-immich/env".sopsFile = ../../secrets/restic.yaml;
+      "b2-immich/repo".sopsFile = ../../secrets/restic.yaml;
+      "b2-immich/password".sopsFile = ../../secrets/restic.yaml;
+      "cf-dns-key".sopsFile = ../../secrets/cf-acme.yaml;
+    };
+  };
+  services.restic.backups = {
+    b2-immich = {
+      initialize = true;
+      environmentFile = config.sops.secrets."b2-immich/env".path;
+      repositoryFile = config.sops.secrets."b2-immich/repo".path;
+      passwordFile = config.sops.secrets."b2-immich/password".path;
+
+      paths = [
+        "/tank/immich"
+      ];
+      timerConfig = {
+        OnCalendar = "06:00";
+      };
+      pruneOpts = [
+        "--keep-daily 31"
+        "--keep-monthly 6"
+        "--keep-yearly 1"
+      ];
    };
  };
-  machine.sys.zram = false;
  networking = {
-    hostId = "81238132";
+    hostId = "44238132";
    firewall = {
      allowedTCPPorts = [
        22
-        10250
-        25565 # mc
-        25566 # mc
+        2049 # nfs
      ];
      interfaces."podman+" = {
        allowedTCPPorts = [ 33393 ];
      };
    };
  };
-  virtualisation.podman = {
-    enable = true;
+  services = {
+    zfs.autoScrub.enable = true;
+    zfs.autoSnapshot.enable = true;
+    fstrim.enable = true;
+    nfs.server.enable = true;
+    # immich = {
+    #   enable = false;
+    #   package = pkgs-unstable.immich;
+    #   port = 2283;
+    #   host = "localhost";
+    #   openFirewall = true;
+    #   machine-learning.enable = true;
+    #   mediaLocation = "/rice/immich";
+    #   accelerationDevices = null;
+    # };
+    # nginx = {
+    #   enable = true;
+    #   virtualHosts."img.10110110.xyz" = {
+    #     forceSSL = true;
+    #     useACMEHost = "10110110.xyz";
+    #     locations."/" = {
+    #       proxyPass = "http://localhost:${toString config.services.immich.port}";
+    #       proxyWebsockets = true;
+    #       recommendedProxySettings = true;
+    #       extraConfig = ''
+    #         client_max_body_size 50000M;
+    #         proxy_read_timeout   600s;
+    #         proxy_send_timeout   600s;
+    #         send_timeout         600s;
+    #       '';
+    #     };
+    #   };
+    # };
  };
  services.gitea-actions-runner = {
    package = pkgs.forgejo-runner;
@ -40,9 +95,7 @@
      enable = true;
      name = host.hostName;
      settings = {
-        runner = {
-          capacity = 3;
-        };
+        runner.capacity = 3;
        cache = {
          enable = true;
          host = "host.containers.internal";
@ -61,25 +114,45 @@
      ];
    };
  };
-  services.k3s = {
-    enable = true;
-    role = "agent";
-    extraFlags = toString [
-      "--flannel-iface=tailscale0"
-    ];
-    tokenFile = config.sops.secrets."password".path;
-    serverAddr = "https://consensus:6443";
+  # services.k3s = {
+  #   enable = true;
+  #   role = "agent";
+  #   extraFlags = toString [
+  #     "--flannel-iface=tailscale0"
+  #   ];
+  #   tokenFile = config.sops.secrets."password".path;
+  #   serverAddr = "https://consensus:6443";
+  # };
+  # systemd.services.k3s = {
+  #   preStart = ''
+  #     until ${pkgs.tailscale}/bin/tailscale status; do
+  #       sleep 1
+  #     done
+  #   '';
+  # };
+
+  security.acme = {
+    acceptTerms = true;
+    defaults.email = "acme@10110110.xyz";
+    certs = {
+      "10110110.xyz" = {
+        domain = "*.10110110.xyz";
+        # group = config.services.nginx.group;
+        dnsProvider = "cloudflare";
+        environmentFile = config.sops.secrets."cf-dns-key".path;
+      };
+    };
  };
-  systemd.services.k3s = {
-    preStart = ''
-      until ${pkgs.tailscale}/bin/tailscale status; do
-        sleep 1
-      done
-    '';
+  virtualisation.podman.enable = true;
+  hardware = {
+    graphics.enable = true;
+    nvidia = {
+      modesetting.enable = true;
+      nvidiaSettings = true;
+      open = false;
+      package = config.boot.kernelPackages.nvidiaPackages.stable;
+    };
+    enableRedistributableFirmware = true;
+    firmware = [ pkgs.linux-firmware ];
  };
-  services.logind.settings.Login.HandleLidSwitch = "ignore";
-  services.logind.settings.Login.HandleLidSwitchExternalPower = "ignore";
-  hardware.enableRedistributableFirmware = true;
-  hardware.firmware = [ pkgs.linux-firmware ];
-  system.stateVersion = "23.11";
 }