iofq/nix
1
0
Fork 0
Code Issues 1 Pull requests Projects Releases Packages Wiki Activity Actions
nix/nixos/zen/configuration.nix
iofq 235f903c1d
All checks were successful
/ check (push) Successful in 3m10s
Details
/ nvim-bundle (nvim) (push) Successful in 17m44s
Details
3/20
2026-03-20 00:32:23 -05:00

158 lines
4 KiB
Nix
Raw Blame History

{
host,
config,
pkgs,
...
}:
{
imports = [
./hardware-configuration.nix
];
boot = {
kernel.sysctl = {
"vm.swappiness" = 6;
};
};
sops = {
secrets = {
"password".sopsFile = ../../secrets/k8s.yaml;
forgejo-runner.sopsFile = ../../secrets/forgejo-runner.yaml;
"b2-immich/env".sopsFile = ../../secrets/restic.yaml;
"b2-immich/repo".sopsFile = ../../secrets/restic.yaml;
"b2-immich/password".sopsFile = ../../secrets/restic.yaml;
"cf-dns-key".sopsFile = ../../secrets/cf-acme.yaml;
};
};
services.restic.backups = {
b2-immich = {
initialize = true;
environmentFile = config.sops.secrets."b2-immich/env".path;
repositoryFile = config.sops.secrets."b2-immich/repo".path;
passwordFile = config.sops.secrets."b2-immich/password".path;
paths = [
"/tank/immich"
];
timerConfig = {
OnCalendar = "06:00";
};
pruneOpts = [
"--keep-daily 31"
"--keep-monthly 6"
"--keep-yearly 1"
];
};
};
networking = {
hostId = "44238132";
firewall = {
allowedTCPPorts = [
22
2049 # nfs
];
interfaces."podman+" = {
allowedTCPPorts = [ 33393 ];
};
};
};
services = {
zfs.autoScrub.enable = true;
zfs.autoSnapshot.enable = true;
fstrim.enable = true;
nfs.server.enable = true;
# immich = {
# enable = false;
# package = pkgs-unstable.immich;
# port = 2283;
# host = "localhost";
# openFirewall = true;
# machine-learning.enable = true;
# mediaLocation = "/rice/immich";
# accelerationDevices = null;
# };
# nginx = {
# enable = true;
# virtualHosts."img.10110110.xyz" = {
# forceSSL = true;
# useACMEHost = "10110110.xyz";
# locations."/" = {
# proxyPass = "http://localhost:${toString config.services.immich.port}";
# proxyWebsockets = true;
# recommendedProxySettings = true;
# extraConfig = ''
# client_max_body_size 50000M;
# proxy_read_timeout 600s;
# proxy_send_timeout 600s;
# send_timeout 600s;
# '';
# };
# };
# };
};
services.gitea-actions-runner = {
package = pkgs.forgejo-runner;
instances.default = {
enable = true;
name = host.hostName;
settings = {
runner.capacity = 3;
cache = {
enable = true;
host = "host.containers.internal";
port = 33393;
};
container = {
force_pull = true;
};
};
url = "https://git.10110110.xyz";
tokenFile = config.sops.secrets.forgejo-runner.path;
labels = [
"ubuntu-latest:docker://node:24-bullseye"
"nix-upstream-latest:docker://nixos/nix:latest"
"nix-latest:docker://git.10110110.xyz/ci/nix"
];
};
};
# services.k3s = {
# enable = true;
# role = "agent";
# extraFlags = toString [
# "--flannel-iface=tailscale0"
# ];
# tokenFile = config.sops.secrets."password".path;
# serverAddr = "https://consensus:6443";
# };
# systemd.services.k3s = {
# preStart = ''
# until ${pkgs.tailscale}/bin/tailscale status; do
# sleep 1
# done
# '';
# };
security.acme = {
acceptTerms = true;
defaults.email = "acme@10110110.xyz";
certs = {
"10110110.xyz" = {
domain = "*.10110110.xyz";
# group = config.services.nginx.group;
dnsProvider = "cloudflare";
environmentFile = config.sops.secrets."cf-dns-key".path;
};
};
};
virtualisation.podman.enable = true;
hardware = {
graphics.enable = true;
nvidia = {
modesetting.enable = true;
nvidiaSettings = true;
open = false;
package = config.boot.kernelPackages.nvidiaPackages.stable;
};
enableRedistributableFirmware = true;
firmware = [ pkgs.linux-firmware ];
};
}
Reference in a new issue View git blame Copy permalink