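# Edit this configuration file to define what should be installed on
# your system. Help is available in the configuration.nix(5) man page, on
# https://search.nixos.org/options and in the NixOS manual (`nixos-help`).
#
# Host "apu": a small router / home server. The file is organised as:
#   - boot loader, hostname, nix daemon settings
#   - VLANs, bridge and per-VLAN service exposure (modules.vlans and
#     modules.firewall are local modules, defined elsewhere in this repo)
#   - systemd-networkd links / netdevs / networks for the physical NICs
#   - services: sshd, tailscale, nextdns, home-assistant, reverse proxy
#
# `ssh` is not a standard module argument; it is presumably injected via
# specialArgs. Only `ssh.publicKeys.yubikey` is read below — confirm.
{ ssh, pkgs, config, ... }:

{
  boot.loader.grub.enable = true;
  boot.loader.grub.device = "/dev/sda";

  networking.hostName = "apu";
  # All interface configuration lives under systemd.network below.
  networking.useNetworkd = true;

  nix = {
    settings = {
      experimental-features = [ "nix-command" "flakes" ];
      auto-optimise-store = true;
    };
    gc = {
      automatic = true;
      dates = "daily";
      options = "--delete-older-than 7d";
    };
  };

  # Local module: one VLAN per network, each with its own DHCP scope.
  # `staticLeases` maps a MAC address to a fixed IPv4 lease.
  modules.vlans = {
    enable = true;
    networks = {
      koti = {
        id = 10;
        ipv6 = true;
      };
      gast = {
        id = 20;
        ipv6 = true;
        staticLeases = {
          "dc:a6:32:05:08:5d" = "10.20.1.235";
        };
      };
      iot = {
        id = 30;
      };
      cfg = {
        id = 40;
        staticLeases = {
          "8c:3b:ad:c5:b8:ee" = "10.40.0.10";
        };
      };
    };
    bridge = {
      enable = true;
      # Untagged traffic on the bridge lands in the "cfg" VLAN; read back
      # from the option tree so the id is defined in exactly one place.
      pvid = config.modules.vlans.networks.cfg.id;
      # Names of the networkd units declared in systemd.network below.
      netdev = "20-lan";
      network = "30-lan";
      bindNetwork = "30-bind-lan";
    };
  };

  # Local module: which services each interface may reach on this host.
  # Only the trusted "koti" VLAN and the tailscale overlay get ssh/web;
  # guest, IoT and cfg VLANs are limited to DHCP and DNS.
  modules.firewall = {
    enable = true;
    interfaces = {
      koti = [ "dhcp" "dns" "ssh" "web" ];
      gast = [ "dhcp" "dns" ];
      iot = [ "dhcp" "dns" ];
      cfg = [ "dhcp" "dns" ];
      # Glob: matches whatever interface name tailscaled creates.
      "tailscale*" = [ "ssh" "web" ];
    };
    # Nothing is exposed on every interface.
    allInterfaces = [ ];
  };

  systemd.network = {
    enable = true;
    config.networkConfig.IPv6Forwarding = true;

    # Stable NIC names keyed on PCI path rather than probe order.
    links = {
      "10-extern0" = {
        matchConfig.Path = "pci-0000:01:00.0";
        linkConfig.Name = "extern0";
      };
      "10-intern0" = {
        matchConfig.Path = "pci-0000:02:00.0";
        linkConfig.Name = "intern0";
      };
      "10-intern1" = {
        matchConfig.Path = "pci-0000:03:00.0";
        linkConfig.Name = "intern1";
      };
    };

    netdevs = {
      "20-lan" = {
        netdevConfig = {
          Name = "lan";
          Kind = "bridge";
        };
      };
    };

    networks = {
      # Both internal NICs are enslaved to the "lan" bridge.
      "30-bind-lan" = {
        matchConfig = {
          Name = "intern*";
        };
        networkConfig = {
          Bridge = "lan";
        };
      };
      "30-lan" = {
        matchConfig = {
          Name = "lan";
        };
        networkConfig = {
          # The router is the RA source on the LAN side, not a consumer.
          IPv6AcceptRA = false;
          ConfigureWithoutCarrier = true;
        };
      };
      # Upstream link: DHCPv4 (+6rd) and DHCPv6 with a /56 delegation hint.
      "30-wan" = {
        matchConfig = {
          Name = "extern0";
        };
        networkConfig = {
          DHCP = true;
          # Resolve via the local nextdns instance (services.nextdns below),
          # not the resolver handed out by the upstream lease.
          DNS = "127.0.0.1";
          IPv6AcceptRA = true;
          IPv4Forwarding = true;
        };
        dhcpV6Config = {
          PrefixDelegationHint = "::/56";
        };
        dhcpV4Config = {
          Use6RD = true;
        };
      };
    };
  };

  # Tailscale's recommended offload tuning for an exit/subnet router; the
  # NIC name is read from the link unit so it cannot drift from "10-extern0".
  services.networkd-dispatcher = {
    enable = true;
    rules."50-tailscale" = {
      onState = [ "routable" ];
      script = ''
        #!${pkgs.runtimeShell}
        ${pkgs.ethtool}/bin/ethtool -K ${config.systemd.network.links."10-extern0".linkConfig.Name} rx-udp-gro-forwarding on rx-gro-list off
      '';
    };
  };

  time.timeZone = "Europe/Helsinki";

  users.users.jokke = {
    isNormalUser = true;
    extraGroups = [ "wheel" ]; # Enable ‘sudo’ for the user.
    packages = [ pkgs.nh ];
    # Key-only SSH login (PasswordAuthentication is off in services.openssh).
    openssh.authorizedKeys.keys = [ ssh.publicKeys.yubikey ];
    # NOTE(review): initialPassword is only applied when the account is first
    # created and is stored in the nix store in clear text. Because this user
    # is in wheel it also gates sudo, so rotate it on first login or switch to
    # hashedPasswordFile.
    initialPassword = "change-me";
  };

  environment.systemPackages = with pkgs; [
    wget
    curl
    dig
    neovim
    vim
    htop
  ];

  services.openssh = {
    enable = true;
    # Exposure is decided per interface by modules.firewall, not globally.
    openFirewall = false;
    settings.PasswordAuthentication = false;
  };

  services.tailscale = {
    enable = true;
    # Both advertise routes and accept routes from other nodes.
    useRoutingFeatures = "both";
  };

  # nextdns is the only local resolver; systemd-resolved must stay off so the
  # two do not compete for port 53.
  services.resolved.enable = false;
  services.nextdns = {
    enable = true;
    arguments = [
      "-profile"
      "9c4ac9"
      "-setup-router"
      "-mdns"
      "koti"
    ];
  };

  services.home-assistant = {
    enable = true;
    extraComponents = [
      # Components required to complete the onboarding
      "esphome"
      "met"
      "radio_browser"
      "yeelight"
      "xiaomi_aqara"
      "shelly"
    ];
    extraPackages = python3Packages: with python3Packages; [
      gtts
      numpy
    ];
    config = {
      homeassistant = {
        name = "Koti";
        unit_system = "metric";
        time_zone = "Europe/Helsinki";
      };
      http = {
        # Home Assistant sits behind the local reverse proxy (services.webserver
        # below). Only that proxy may set X-Forwarded-For; a remote client
        # talking to :8123 directly cannot spoof its source address.
        use_x_forwarded_for = true;
        trusted_proxies = [ "127.0.0.1" ];
      };
      default_config = { };
    };
  };

  # Local module: TLS-terminating reverse proxy in front of Home Assistant.
  services.webserver = {
    enable = true;
    acme.dnsChallenge = true;
    vHosts."koti.repomaa.com" = {
      # Home Assistant streams (websocket/event) need unbuffered proxying.
      proxyBuffering = false;
      locations."/".proxyPort = 8123;
    };
  };

  networking.nftables.enable = true;
  networking.firewall.enable = true;
  # Per-interface addressing is handled by systemd-networkd; no global DHCP.
  networking.useDHCP = false;

  system.stateVersion = "24.05";
}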