{ config, lib, pkgs, homeyConfig, ... }:

# Pi-main host configuration.
#
# Declares which services run on this machine together with the
# host-specific overrides (identity, WiFi, static addressing, admin user,
# external storage, backups). Hardware settings live in hardware.nix,
# which is imported below. `lib`, `pkgs` and `homeyConfig` are accepted as
# module arguments but are not referenced anywhere in this file.
let
  # The single LAN address of this host; used for the static wlan0 address
  # and in the optional local DNS override example at the bottom.
  lanAddress = "192.168.1.100";
in
{
  imports = [ ./hardware.nix ];

  # ---------------------------------------------------------------------------
  # Networking: identity, WiFi, static addressing, resolvers
  # ---------------------------------------------------------------------------
  networking = {
    hostName = "pi-main";

    # Always connect to the home network. wpa_supplicant reads secretsFile
    # at runtime; the file holds literal values (not environment variables),
    # and the name after "ext:" must match a line in that file written as
    # key_name=the-actual-password
    wireless = {
      enable = true;
      secretsFile = config.sops.secrets."wifi/psk".path;
      networks."Zakobar".pskRaw = "ext:wifi_psk";
    };

    # Static IPv4 on wlan0. DHCP is disabled both globally and on the
    # interface so the address below is the only one this host ever uses.
    useDHCP = false;
    interfaces.wlan0 = {
      useDHCP = false;
      ipv4.addresses = [
        {
          address = lanAddress;
          prefixLength = 24;
        }
      ];
    };
    defaultGateway = "192.168.1.1";

    # Public resolvers: name lookups from this host leave the LAN. If you run
    # Pi-hole or AdGuard locally, point this at it instead (see the DNS
    # section at the end of this file).
    nameservers = [ "1.1.1.1" "8.8.8.8" ];
  };

  # The secret file must contain exactly one line: wifi_psk=<your-password>
  # Add it with: sops secrets/secrets.yaml → wifi/psk: "wifi_psk=YourPassword"
  # Owner/mode keep the decrypted file root-only on disk; wpa_supplicant reads
  # it at runtime (see the wireless block above), so it must stay readable by
  # that service.
  sops.secrets."wifi/psk" = {
    owner = "root";
    mode = "0400";
  };

  # ---------------------------------------------------------------------------
  # Admin user
  # ---------------------------------------------------------------------------
  users.users.admin = {
    isNormalUser = true;
    extraGroups = [ "wheel" "podman" ];
    # Paste your SSH public key here. Together with the passwordless sudo
    # setting below, this key is the credential that grants root on the host.
    openssh.authorizedKeys.keys = [
      "ssh-rsa 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"
    ];
  };

  # Convenience on a home server: members of wheel (the admin user above)
  # get sudo without a password prompt.
  security.sudo.wheelNeedsPassword = false;

  # ---------------------------------------------------------------------------
  # Homey modules: storage, services enabled on this host, backups
  # ---------------------------------------------------------------------------
  homey = {
    # External HD. Replace device with the actual by-id path of your USB
    # drive. Find it with: ls -la /dev/disk/by-id/
    # (the configured value is a partition entry ending in -part1, so do not
    # filter out "part" entries when looking it up).
    storage = {
      device = "/dev/disk/by-id/usb-WD_Ext_HDD_1021_5743415A4146313531393031-0:0-part1";
      mountPoint = "/mnt/data";
      fsType = "ext4";
    };

    # Auth stack (run these together — authelia depends on openldap)
    openldap.enable = true;
    authelia.enable = true;

    # Productivity
    gitea.enable = true;
    nextcloud.enable = true;
    phpldapadmin.enable = true;

    # Media (enable when ready)
    jellyfin.enable = false;
    transmission.enable = false;

    # Reverse proxy + Cloudflare
    caddy.enable = true;
    cloudflared.enable = true;

    # Backups
    backup = {
      enable = true;
      # Where restic sends backups — set to your backup destination, e.g.
      #   "sftp:user@nas.local:/backups/homey"
      #   "b2:your-bucket-name:homey"
      #   "rclone:remote:homey"
      # No credentials for the repository are set in this file; presumably the
      # homey.backup module supplies them from a secret — confirm before
      # relying on the first scheduled run.
      repository = "s3:https://s3.us-east-005.backblazeb2.com/zakobar-home-backup";
    };
  };

  # ---------------------------------------------------------------------------
  # Local DNS overrides (optional — makes LAN clients hit the Pi directly
  # instead of going through Cloudflare for *.home.zakobar.com)
  # ---------------------------------------------------------------------------
  # If you run Pi-hole or AdGuard, add these records there instead.
  # networking.extraHosts = ''
  #   ${lanAddress} home.zakobar.com
  #   ${lanAddress} auth.home.zakobar.com
  #   ${lanAddress} git.home.zakobar.com
  #   ${lanAddress} nextcloud.home.zakobar.com
  #   ${lanAddress} ldapadmin.home.zakobar.com
  # '';
}