# NixOS host module. Only the `imports` line and the `services` block below
# are active; every other section is commented out and kept for reference.
{ host, config, pkgs, pkgs-unstable, ... }:

{
  imports = [ ./hardware-configuration.nix ];

  # Active services: ZFS maintenance, periodic TRIM and an NFS server.
  # No `services.nfs.server.exports` are declared in this file, and the
  # networking/firewall section below (which would open TCP 2049) is commented
  # out, so with NixOS's default-enabled firewall the NFS port stays closed
  # unless hardware-configuration.nix or another module opens it — confirm.
  services = {
    zfs = {
      autoScrub.enable = true;
      autoSnapshot.enable = true;
    };
    fstrim.enable = true;
    nfs.server.enable = true;

    # immich = {
    #   enable = true;
    #   package = pkgs-unstable.immich;
    #   port = 2283;
    #   host = "localhost";
    #   openFirewall = true;
    #   machine-learning.enable = true;
    #   mediaLocation = "/tank/immich";
    #   accelerationDevices = null;
    # };
    # nginx = {
    #   enable = true;
    #   virtualHosts."img.10110110.xyz" = {
    #     forceSSL = true;
    #     useACMEHost = "10110110.xyz";
    #     locations."/" = {
    #       proxyPass = "http://localhost:${toString config.services.immich.port}";
    #       proxyWebsockets = true;
    #       recommendedProxySettings = true;
    #       extraConfig = ''
    #         client_max_body_size 50000M;
    #         proxy_read_timeout 600s;
    #         proxy_send_timeout 600s;
    #         send_timeout 600s;
    #       '';
    #     };
    #   };
    # };
  };

  # ---------------------------------------------------------------------------
  # Disabled sections, preserved verbatim (reformatted one statement per line).
  # ---------------------------------------------------------------------------

  # boot = {
  #   kernel.sysctl = {
  #     "vm.swappiness" = 6;
  #   };
  # };

  # sops = {
  #   secrets = {
  #     "password".sopsFile = ../../secrets/k8s.yaml;
  #     # "tailscale-auth".sopsFile = ../../secrets/tailscale.yaml;
  #     forgejo-runner.sopsFile = ../../secrets/forgejo-runner.yaml;
  #     "b2-immich/env".sopsFile = ../../secrets/restic.yaml;
  #     "b2-immich/repo".sopsFile = ../../secrets/restic.yaml;
  #     "b2-immich/password".sopsFile = ../../secrets/restic.yaml;
  #     "cf-dns-key".sopsFile = ../../secrets/cf-acme.yaml;
  #   };
  # };

  # services.restic.backups = {
  #   b2-immich = {
  #     initialize = true;
  #     environmentFile = config.sops.secrets."b2-immich/env".path;
  #     repositoryFile = config.sops.secrets."b2-immich/repo".path;
  #     passwordFile = config.sops.secrets."b2-immich/password".path;
  #
  #     paths = [
  #       "/tank/immich"
  #     ];
  #     timerConfig = {
  #       OnCalendar = "06:00";
  #     };
  #     pruneOpts = [
  #       "--keep-daily 31"
  #       "--keep-monthly 6"
  #       "--keep-yearly 1"
  #     ];
  #   };
  # };

  # NOTE(review): NixOS asserts that networking.hostId is set when ZFS is in
  # use; while this block stays commented, verify hostId is provided by
  # hardware-configuration.nix or another module.
  # networking = {
  #   nftables.enable = true;
  #   hostId = "44238132";
  #   firewall = {
  #     allowedTCPPorts = [
  #       22
  #       80
  #       443
  #       2049 # nfs
  #     ];
  #     trustedInterfaces = [
  #       "tailscale0"
  #       "incusbr0"
  #     ];
  #   };
  # };

  # NOTE(review): if re-enabled, valid_volumes exposes the host nix-daemon
  # socket to CI job containers; confirm that is intended for the jobs this
  # runner accepts.
  # services.gitea-actions-runner = {
  #   package = pkgs.forgejo-runner;
  #   instances.default = {
  #     enable = true;
  #     name = host.hostName;
  #     settings = {
  #       runner.capacity = 3;
  #       container = {
  #         force_pull = true;
  #         valid_volumes = [
  #           "/nix/store"
  #           "/nix/var/nix/daemon-socket"
  #         ];
  #       };
  #     };
  #     url = "https://git.10110110.xyz";
  #     tokenFile = config.sops.secrets.forgejo-runner.path;
  #     labels = [
  #       "ubuntu-latest:docker://node:24-bullseye"
  #       "nix-upstream-latest:docker://nixos/nix:latest"
  #       "nix-latest:docker://git.10110110.xyz/ci/nix"
  #     ];
  #   };
  # };

  # NOTE(review): this block references config.sops.secrets."tailscale-auth",
  # whose declaration in the sops block above is itself commented out; both
  # would need to be re-enabled together.
  # services.k3s = {
  #   enable = true;
  #   role = "server";
  #   extraFlags = toString [
  #     "--disable=traefik"
  #     "--vpn-auth=file=${config.sops.secrets."tailscale-auth".path}"
  #     "--node-external-ip=100.64.246.41"
  #   ];
  #   tokenFile = config.sops.secrets."password".path;
  #   serverAddr = "https://zen:6443";
  # };

  # systemd.services.k3s = {
  #   preStart = ''
  #     until ${pkgs.tailscale}/bin/tailscale status; do
  #       sleep 1
  #     done
  #   '';
  # };

  # security.acme = {
  #   acceptTerms = true;
  #   defaults.email = "acme@10110110.xyz";
  #   certs = {
  #     "10110110.xyz" = {
  #       domain = "*.10110110.xyz";
  #       group = config.services.nginx.group;
  #       dnsProvider = "cloudflare";
  #       environmentFile = config.sops.secrets."cf-dns-key".path;
  #     };
  #   };
  # };

  # virtualisation = {
  #   podman.enable = false;
  #   incus.enable = true;
  # };

  # hardware = {
  #   graphics.enable = true;
  #   nvidia = {
  #     modesetting.enable = true;
  #     nvidiaSettings = true;
  #     open = false;
  #     package = config.boot.kernelPackages.nvidiaPackages.stable;
  #   };
  #   enableRedistributableFirmware = true;
  #   firmware = [ pkgs.linux-firmware ];
  # };
}