3/20

2026-03-07 12:05:37 -06:00 · 2026-03-07 12:05:37 -06:00 · 9d8bfef042
commit 9d8bfef042
parent 817aa75f84
26 changed files with 540 additions and 276 deletions
--- a/nixos/consensus/configuration.nix
+++ b/nixos/consensus/configuration.nix
@ -22,7 +22,7 @@
    docker-compose
    tmux
  ];
-  machine.net.openssh.ports = [2022];
+  machine.net.openssh.ports = [ 2022 ];
  systemd.services.k3s = {
    preStart = ''
      until ${pkgs.tailscale}/bin/tailscale status; do
@ -48,16 +48,16 @@
        "--flannel-iface=tailscale0"
      ];
    };
-    immich = {
-      enable = true;
-      package = pkgs-unstable.immich;
-      port = 2283;
-      host = "localhost";
-      openFirewall = true;
-      machine-learning.enable = true;
-      mediaLocation = "/rice/immich";
-      accelerationDevices = null;
-    };
+    # immich = {
+    #   enable = false;
+    #   package = pkgs-unstable.immich;
+    #   port = 2283;
+    #   host = "localhost";
+    #   openFirewall = true;
+    #   machine-learning.enable = true;
+    #   mediaLocation = "/rice/immich";
+    #   accelerationDevices = null;
+    # };
    nginx = {
      enable = true;
      virtualHosts."img.10110110.xyz" = {
@ -90,16 +90,16 @@
        80
        443
        2022
-        2049 #nfs
-        8080 #unifi
-        8443 #unifi
+        2049 # nfs
+        8080 # unifi
+        8443 # unifi
        10001
        10250
-        6443 #k8s
-        25565 #mc
-        25566 #mc
-        9001 #eth
-        30303 #eth
+        6443 # k8s
+        25565 # mc
+        25566 # mc
+        9001 # eth
+        30303 # eth
      ];
      allowedUDPPorts = [
        9001
@ -116,9 +116,12 @@
    extraOptions = "--dns 1.1.1.1";
  };

-  users.users = {
-    immich.extraGroups = [ "video" "render" ];
-  };
+  # users.users = {
+  #   immich.extraGroups = [
+  #     "video"
+  #     "render"
+  #   ];
+  # };
  security.acme = {
    acceptTerms = true;
    defaults.email = "acme@10110110.xyz";
--- a/nixos/default.nix
+++ b/nixos/default.nix
@ -49,6 +49,7 @@ in
  zen = inputs.nixpkgs-stable.lib.nixosSystem {
    pkgs = pkgs.nixos-stable;
    specialArgs = {
+      pkgs-unstable = mkPkgs system;
      inherit inputs system attrs;
      host = {
        hostName = "zen";
--- a/nixos/modules/net.nix
+++ b/nixos/modules/net.nix
@ -1,5 +1,14 @@
-{ host, pkgs, config, lib, ...}:
-let cfg = config.machine.net; in {
+{
+  host,
+  pkgs,
+  config,
+  lib,
+  ...
+}:
+let
+  cfg = config.machine.net;
+in
+{
  options.machine.net = {
    enable = lib.mkOption {
      type = lib.types.bool;
@ -16,7 +25,7 @@ let cfg = config.machine.net; in {
      };
      ports = lib.mkOption {
        type = lib.types.listOf lib.types.int;
-        default = [22];
+        default = [ 22 ];
      };
    };
    tailscale = lib.mkOption {
@ -85,21 +94,25 @@ let cfg = config.machine.net; in {
      };
    };
    systemd = {
-      mounts = [{
-        type = "nfs";
-        mountConfig = {
-          Options = "noatime";
-        };
-        what = "consensus:/rice";
-        where = "/mnt/rice";
-      }];
-      automounts = [{
-        wantedBy = [ "multi-user.target" ];
-        automountConfig = {
-          TimeoutIdleSec = "600";
-        };
-        where = "/mnt/rice";
-      }];
+      mounts = [
+        {
+          type = "nfs";
+          mountConfig = {
+            Options = "noatime";
+          };
+          what = "zen:/tank/home";
+          where = "/mnt/home";
+        }
+      ];
+      automounts = [
+        {
+          wantedBy = [ "multi-user.target" ];
+          automountConfig = {
+            TimeoutIdleSec = "600";
+          };
+          where = "/mnt/home";
+        }
+      ];
    };
  };
 }
--- a/nixos/modules/system.nix
+++ b/nixos/modules/system.nix
@ -19,7 +19,7 @@ in
    };
    swap = lib.mkOption {
      type = lib.types.bool;
-      default = false;
+      default = true;
    };
    zram = lib.mkOption {
      type = lib.types.bool;
--- a/nixos/t14/configuration.nix
+++ b/nixos/t14/configuration.nix
@ -64,7 +64,6 @@ in
    extraPortals = [ pkgs.xdg-desktop-portal-gtk ];
  };
  programs = {
-    light.enable = true;
    hyprland.enable = true;
    ssh = {
      startAgent = true;
@ -97,6 +96,7 @@ in
      ];
    };
    ledger.enable = true;
+    acpilight.enable = true;
    enableAllFirmware = true;
  };
  services = {
--- a/nixos/zen/configuration.nix
+++ b/nixos/zen/configuration.nix
@ -2,37 +2,93 @@
  host,
  config,
  pkgs,
+  pkgs-unstable,
  ...
 }:
 {
  imports = [
    ./hardware-configuration.nix
  ];
-  sops.secrets = {
-    "password" = {
-      sopsFile = ../../secrets/k8s.yaml;
-    };
-    forgejo-runner = {
-      sopsFile = ../../secrets/forgejo-runner.yaml;
+  boot = {
+    kernel.sysctl = {
+      "vm.swappiness" = 6;
+    };
+  };
+  sops = {
+    secrets = {
+      "password".sopsFile = ../../secrets/k8s.yaml;
+      forgejo-runner.sopsFile = ../../secrets/forgejo-runner.yaml;
+      "b2-immich/env".sopsFile = ../../secrets/restic.yaml;
+      "b2-immich/repo".sopsFile = ../../secrets/restic.yaml;
+      "b2-immich/password".sopsFile = ../../secrets/restic.yaml;
+      "cf-dns-key".sopsFile = ../../secrets/cf-acme.yaml;
+    };
+  };
+  services.restic.backups = {
+    b2-immich = {
+      initialize = true;
+      environmentFile = config.sops.secrets."b2-immich/env".path;
+      repositoryFile = config.sops.secrets."b2-immich/repo".path;
+      passwordFile = config.sops.secrets."b2-immich/password".path;
+
+      paths = [
+        "/tank/immich"
+      ];
+      timerConfig = {
+        OnCalendar = "06:00";
+      };
+      pruneOpts = [
+        "--keep-daily 31"
+        "--keep-monthly 6"
+        "--keep-yearly 1"
+      ];
    };
  };
-  machine.sys.zram = false;
  networking = {
-    hostId = "81238132";
+    hostId = "44238132";
    firewall = {
      allowedTCPPorts = [
        22
-        10250
-        25565 # mc
-        25566 # mc
+        2049 # nfs
      ];
      interfaces."podman+" = {
        allowedTCPPorts = [ 33393 ];
      };
    };
  };
-  virtualisation.podman = {
-    enable = true;
+  services = {
+    zfs.autoScrub.enable = true;
+    zfs.autoSnapshot.enable = true;
+    fstrim.enable = true;
+    nfs.server.enable = true;
+    immich = {
+      enable = true;
+      package = pkgs-unstable.immich;
+      port = 2283;
+      host = "localhost";
+      openFirewall = true;
+      machine-learning.enable = true;
+      mediaLocation = "/tank/immich";
+      accelerationDevices = null;
+    };
+    nginx = {
+      enable = true;
+      virtualHosts."img.10110110.xyz" = {
+        forceSSL = true;
+        useACMEHost = "10110110.xyz";
+        locations."/" = {
+          proxyPass = "http://localhost:${toString config.services.immich.port}";
+          proxyWebsockets = true;
+          recommendedProxySettings = true;
+          extraConfig = ''
+            client_max_body_size 50000M;
+            proxy_read_timeout   600s;
+            proxy_send_timeout   600s;
+            send_timeout         600s;
+          '';
+        };
+      };
+    };
  };
  services.gitea-actions-runner = {
    package = pkgs.forgejo-runner;
@ -40,16 +96,13 @@
      enable = true;
      name = host.hostName;
      settings = {
-        runner = {
-          capacity = 3;
-        };
-        cache = {
-          enable = true;
-          host = "host.containers.internal";
-          port = 33393;
-        };
+        runner.capacity = 3;
        container = {
          force_pull = true;
+          valid_volumes = [
+            "/nix/store"
+            "/nix/var/nix/daemon-socket"
+          ];
        };
      };
      url = "https://git.10110110.xyz";
@ -61,25 +114,45 @@
      ];
    };
  };
-  services.k3s = {
-    enable = true;
-    role = "agent";
-    extraFlags = toString [
-      "--flannel-iface=tailscale0"
-    ];
-    tokenFile = config.sops.secrets."password".path;
-    serverAddr = "https://consensus:6443";
+  # services.k3s = {
+  #   enable = true;
+  #   role = "agent";
+  #   extraFlags = toString [
+  #     "--flannel-iface=tailscale0"
+  #   ];
+  #   tokenFile = config.sops.secrets."password".path;
+  #   serverAddr = "https://consensus:6443";
+  # };
+  # systemd.services.k3s = {
+  #   preStart = ''
+  #     until ${pkgs.tailscale}/bin/tailscale status; do
+  #       sleep 1
+  #     done
+  #   '';
+  # };
+
+  security.acme = {
+    acceptTerms = true;
+    defaults.email = "acme@10110110.xyz";
+    certs = {
+      "10110110.xyz" = {
+        domain = "*.10110110.xyz";
+        group = config.services.nginx.group;
+        dnsProvider = "cloudflare";
+        environmentFile = config.sops.secrets."cf-dns-key".path;
+      };
+    };
  };
-  systemd.services.k3s = {
-    preStart = ''
-      until ${pkgs.tailscale}/bin/tailscale status; do
-        sleep 1
-      done
-    '';
+  virtualisation.podman.enable = true;
+  hardware = {
+    graphics.enable = true;
+    nvidia = {
+      modesetting.enable = true;
+      nvidiaSettings = true;
+      open = false;
+      package = config.boot.kernelPackages.nvidiaPackages.stable;
+    };
+    enableRedistributableFirmware = true;
+    firmware = [ pkgs.linux-firmware ];
  };
-  services.logind.settings.Login.HandleLidSwitch = "ignore";
-  services.logind.settings.Login.HandleLidSwitchExternalPower = "ignore";
-  hardware.enableRedistributableFirmware = true;
-  hardware.firmware = [ pkgs.linux-firmware ];
-  system.stateVersion = "23.11";
 }
--- a/nixos/zen/hardware-configuration.nix
+++ b/nixos/zen/hardware-configuration.nix
@ -1,14 +1,69 @@
-{ lib, modulesPath, ... }:
 {
-  imports = [ (modulesPath + "/profiles/qemu-guest.nix") ];
-  boot.loader.grub = {
-    efiSupport = true;
-    efiInstallAsRemovable = true;
-    device = "nodev";
+  config,
+  lib,
+  modulesPath,
+  ...
+}:
+
+{
+  imports = [
+    (modulesPath + "/installer/scan/not-detected.nix")
+  ];
+
+  boot = {
+    extraModulePackages = [ ];
+    initrd = {
+      availableKernelModules = [
+        "xhci_pci"
+        "ahci"
+        "usbhid"
+        "usb_storage"
+        "sd_mod"
+      ];
+      kernelModules = [
+        "dm-snapshot"
+        "nvme"
+      ];
+    };
+    kernelModules = [ "kvm-amd" ];
+    loader = {
+      efi = {
+        canTouchEfiVariables = true;
+      };
+      systemd-boot = {
+        enable = true;
+      };
+    };
+    supportedFilesystems = [
+      "zfs"
+      "nfs"
+    ];
+    zfs = {
+      # extraPools = [ "rice" ];
+      forceImportRoot = false;
+    };
  };
-  fileSystems."/boot" = { device = "/dev/disk/by-uuid/EECE-9ACB"; fsType = "vfat"; };
-  boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "xen_blkfront" "vmw_pvscsi" ];
-  boot.initrd.kernelModules = [ "nvme" ];
-  fileSystems."/" = { device = "/dev/sda2"; fsType = "ext4"; };
+
+  fileSystems = {
+    "/" = {
+      device = "/dev/mapper/nixos-root";
+      fsType = "btrfs";
+    };
+    "/boot" = {
+      device = "/dev/disk/by-uuid/7A75-7368";
+      fsType = "vfat";
+      options = [
+        "fmask=0022"
+        "dmask=0022"
+      ];
+    };
+    "/nix/store" = {
+      device = "/dev/mapper/nixos-store";
+      fsType = "btrfs";
+    };
+  };
+
  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+  hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+  system.stateVersion = "25.11";
 }
--- a/nixos/zen/llm.nix
+++ b/nixos/zen/llm.nix
@ -0,0 +1,14 @@
+{ pkgs-unstable, ... }:
+{
+  services.llama-cpp = {
+    enable = true;
+    openFirewall = true;
+    host = "0.0.0.0";
+    model = "/srv/models/Qwen3.5-4B-Q6_K.gguf";
+    package = (
+      pkgs-unstable.llama-cpp.override {
+        cudaSupport = true;
+      }
+    );
+  };
+}