{ inputs, config, lib, pkgs, ... }:

let
  inherit (config.networking) usePBBUplink primaryIP primaryIP4 secondaryIP4 hostName fqdn;

  # SSH public keys of every user that is a member of "wheel". These are the only
  # keys the initrd SSH server below accepts, i.e. the set of people who can
  # answer the disk-unlock prompt remotely.
  wheelUserKeys = lib.concatMap
    (user: lib.optionals (lib.elem "wheel" user.extraGroups) user.openssh.authorizedKeys.keys)
    (lib.attrValues config.users.users);

  # Turn ACME/TLS off on a vhost while the PBB uplink is disabled. With the
  # uplink enabled, mkIf contributes no definition at all, so the option
  # defaults (or definitions from other modules) apply unchanged. Note that
  # while the uplink is off these vhosts are therefore served without TLS.
  plainHttpWithoutUplink = {
    enableACME = lib.mkIf (!usePBBUplink) false;
    forceSSL = lib.mkIf (!usePBBUplink) false;
    kTLS = lib.mkIf (!usePBBUplink) false;
  };
in
{
  # Deploy over the LAN address rather than the public one.
  deployment.targetHost = secondaryIP4;
  # Per the author's note, this tag is what enables restic-server on this host.
  deployment.tags = [ "resticServer" ];

  imports = [
    ./hardware-configuration.nix
    ./impermanence.nix

    # syncthing (and its backup)
    ./syncthing.nix

    # fedi server
    ./gotosocial.nix

    ./smarthome
    ./scanner-sftp.nix
    ./router
    ./websites
  ];

  # dns.zones."ctu.cx".subdomains."${config.networking.hostName}.home" = (pkgs.dns.lib.combinators.host config.networking.primaryIP4 config.networking.primaryIP);
  # dns.zones."ctu.cx".subdomains."${config.networking.hostName}".CNAME = [ "${config.networking.hostName}.home" ];
  # dns.zones."ctu.cx".subdomains."home".CNAME = [ "${config.networking.hostName}.home" ];

  # age-encrypted credentials consumed by restic-server (presumably one per
  # backup source, judging by the names).
  age.secrets = {
    restic-server-briefkasten.file = ../../secrets/restic-server/briefkasten.age;
    restic-server-wanderduene.file = ../../secrets/restic-server/wanderduene.age;
  };

  boot = {
    kernelModules = [ "intel_rapl_common" ];

    # seems to make realtek ethernet faster?
    kernelParams = [ "pcie_aspm=off" ];

    loader = {
      systemd-boot.enable = true;
      efi.canTouchEfiVariables = true;
    };

    # Remote unlock: bring up networking plus an SSH server inside the initrd
    # so the LUKS passphrase can be supplied from another machine.
    initrd.network = {
      enable = true;

      ssh = {
        enable = true;
        port = 22;
        # NOTE(review): this reuses the system's RSA host key inside the initrd.
        # Whatever the initrd carries is stored on the boot partition, outside
        # the encrypted volume, so this key is only as protected as that
        # partition. NixOS documentation recommends a dedicated initrd-only key
        # for this option; using one here would limit what a read of the boot
        # partition exposes. Check how /boot is mounted before accepting this.
        hostKeys = [ /etc/ssh/ssh_host_rsa_key ];
        authorizedKeys = wheelUserKeys;
      };

      # Runs once the initrd network is up: make an SSH login execute
      # cryptsetup-askpass, then assign this host's addresses to enp1s0 by hand.
      # The IPv6 parts only apply when the PBB uplink is in use.
      postCommands = lib.concatStrings [
        ''
          echo 'cryptsetup-askpass' >> /root/.profile
        ''
        (lib.optionalString usePBBUplink ''
          sysctl -w net.ipv6.conf.enp1s0.autoconf=0
          sysctl -w net.ipv6.conf.enp1s0.accept_ra=0
        '')
        ''
          ip link set dev enp1s0 up
          ip addr add ${primaryIP4}/28 dev enp1s0
          ip addr add ${secondaryIP4}/8 dev enp1s0
          # ip route add default via 195.39.246.41 dev enp1s0 onlink
        ''
        (lib.optionalString usePBBUplink ''
          ip addr add ${primaryIP}/128 dev enp1s0
          # ip route add default via 2a0f:4ac0:acab::1 dev enp1s0 onlink
        '')
      ];
    };
  };

  # Store optimisation and garbage collection are not run automatically here.
  nix.optimise.automatic = false;
  nix.gc.automatic = false;

  systemd.network = {
    # Router advertisements are ignored on the uplink interface when the PBB
    # uplink is active; the addresses are configured statically instead.
    networks."40-enp1s0".networkConfig.IPv6AcceptRA = lib.mkIf usePBBUplink false;

    # Give the tethered phone a stable interface name; the udev rule below
    # matches on it.
    links."10-iphone" = {
      matchConfig.PermanentMACAddress = "aa:ab:b5:18:95:d9";
      linkConfig.Name = "iphone";
    };
  };

  networking = {
    useNetworkd = true;
    usePBBUplink = true;
    primaryIP = "2a0f:4ac0:acab::1";
    primaryIP4 = "195.39.246.42";
    secondaryIP4 = "10.0.0.1";
    domain = "home.ctu.cx";
  };

  services = {
    usbmuxd.enable = true;
    email-notify.enable = true;

    logind.extraConfig = ''
      # don’t shutdown when power button is short-pressed
      HandlePowerKey=ignore
    '';

    # When the phone's network interface appears, bring up the "bruplink"
    # network on it.
    udev.extraRules = ''
      ACTION=="add", SUBSYSTEM=="net", ENV{INTERFACE}=="iphone", RUN+="${pkgs.systemd}/bin/networkctl up bruplink",
    '';

    # Both the host's own vhost and the restic vhost share the same TLS policy.
    nginx.virtualHosts = lib.genAttrs [ fqdn "restic.${hostName}.ctu.cx" ] (_: plainHttpWithoutUplink);
  };

  ctucxConfig = {
    programs.yt-dlp.enable = true;
    programs.ocrmypdf.enable = true;
  };

  system.stateVersion = "22.11"; # Did you read the comment?
  home-manager.users.leah.home.stateVersion = "22.11";
  home-manager.users.katja.home.stateVersion = "22.11";
}