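{ config, lib, pkgs, homeyConfig, ... }:

# Pi-main host configuration.
# This file declares which services run on this machine and any
# host-specific overrides. Hardware config lives in hardware.nix.
#
# Keep one statement per line: a `#` comment runs to end of line, so
# collapsing this file onto a single line comments out everything after
# the first `#` and the module no longer parses.
{
  imports = [ ./hardware.nix ];

  # -------------------------------------------------------------------------
  # Identity
  # -------------------------------------------------------------------------
  networking.hostName = "pi-main";

  # -------------------------------------------------------------------------
  # WiFi — static IP, always connect to home network
  # -------------------------------------------------------------------------
  networking.wireless = {
    enable = true;
    # secretsFile is read by wpa_supplicant at runtime; values are literal
    # (not env vars). The key name after "ext:" must match a line in the file
    # formatted as: key_name=the-actual-password
    secretsFile = config.sops.secrets."wifi/psk".path;
    networks."Zakobar".pskRaw = "ext:wifi_psk";
  };

  # Static IP on wlan0
  networking.interfaces.wlan0.ipv4.addresses = [{
    address = "192.168.1.100";
    prefixLength = 24;
  }];
  networking.defaultGateway = "192.168.1.1";
  networking.nameservers = [ "1.1.1.1" "8.8.8.8" ];

  # Disable DHCP (globally and on wlan0) — we're using a static address
  networking.useDHCP = false;
  networking.interfaces.wlan0.useDHCP = false;

  # The decrypted secret file must contain exactly one line of the form
  #   wifi_psk=<the actual passphrase>
  # i.e. the sops entry holds the "key=value" line, not the bare passphrase.
  # Add it with: sops secrets/secrets.yaml → wifi/psk: "wifi_psk=YourPassword"
  # owner root + mode 0400: only root (which runs wpa_supplicant) can read it.
  sops.secrets."wifi/psk" = {
    owner = "root";
    mode = "0400";
  };

  # -------------------------------------------------------------------------
  # Admin user
  # -------------------------------------------------------------------------
  users.users.admin = {
    isNormalUser = true;
    extraGroups = [ "wheel" "podman" ];
    # Paste your SSH public key here
    openssh.authorizedKeys.keys = [
      "ssh-rsa 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"
    ];
  };
  # Convenience on a home server. Trade-off to be aware of: with key-based
  # SSH login and no sudo prompt, the admin private key is effectively the
  # root credential for this host — keep it as well protected as root itself.
  security.sudo.wheelNeedsPassword = false;

  # -------------------------------------------------------------------------
  # External HD
  # -------------------------------------------------------------------------
  homey.storage = {
    # Replace with the actual by-id path of your USB drive.
    # Find it: ls -la /dev/disk/by-id/ | grep -v part
    device = "/dev/disk/by-id/usb-WD_Ext_HDD_1021_5743415A4146313531393031-0:0-part1";
    mountPoint = "/mnt/data";
    fsType = "ext4";
  };

  # -------------------------------------------------------------------------
  # Services enabled on this host
  # -------------------------------------------------------------------------

  # Auth stack (run these together — authelia depends on openldap)
  homey.openldap.enable = true;
  homey.authelia.enable = true;

  # Productivity
  homey.gitea.enable = true;
  homey.nextcloud.enable = true;
  homey.phpldapadmin.enable = true;

  # Media (enable when ready)
  homey.jellyfin.enable = false;
  homey.transmission.enable = false;

  # Reverse proxy + Cloudflare
  homey.caddy.enable = true;
  homey.cloudflared.enable = true;

  # Backups
  homey.backup.enable = true;
  # Where to send restic backups — set to your backup destination:
  #   "sftp:user@nas.local:/backups/homey"
  #   "b2:your-bucket-name:homey"
  #   "rclone:remote:homey"
  # Credentials for the repository are not part of this file; they must be
  # supplied to the backup service separately (e.g. via a sops secret).
  homey.backup.repository = "s3:https://s3.us-east-005.backblazeb2.com/zakobar-home-backup";

  # -------------------------------------------------------------------------
  # Local DNS overrides (optional — makes LAN clients hit the Pi directly
  # instead of going through Cloudflare for *.home.zakobar.com)
  # -------------------------------------------------------------------------
  # If you run Pi-hole or Adguard, add these records there instead.
  # networking.extraHosts = ''
  #   192.168.1.100 home.zakobar.com
  #   192.168.1.100 auth.home.zakobar.com
  #   192.168.1.100 git.home.zakobar.com
  #   192.168.1.100 nextcloud.home.zakobar.com
  #   192.168.1.100 ldapadmin.home.zakobar.com
  # '';
}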