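{ config, lib, pkgs, ... }:
{
  # Base system for the Raspberry Pi "Time Capsule" host: extlinux boot, a
  # dedicated backup disk, firewall on, SSH for administration.  Everything
  # service-specific lives in the imported modules.
  system.stateVersion = "25.05";
  # Keep a copy of this configuration inside the system closure so the host
  # can be rebuilt even if /etc/nixos is lost.
  system.copySystemConfiguration = true;

  imports = [
    ./hardware-configuration.nix
    ./user.nix
    ./unifi.nix
    ./time-machine.nix
  ];

  # The Pi boots through U-Boot/extlinux, not GRUB.
  boot.loader.grub.enable = false;
  boot.loader.generic-extlinux-compatible.enable = true;

  # Backup disk.  It is exported over SMB by time-machine.nix and hosts the
  # UniFi backup bind mount from unifi.nix, so it only ever holds data:
  # refuse executables, device nodes and setuid binaries on it.
  fileSystems."/mnt/backups" = {
    device = "/dev/disk/by-uuid/b773149d-bf3a-46b9-8a91-af4c3f7907fb";
    fsType = "ext4";
    options = [
      "noexec"
      "nodev"
      "nosuid" # completes the usual noexec/nodev/nosuid trio for a data-only mount
      "noatime"
      "nodiratime" # implied by noatime; kept for clarity
    ];
  };

  networking = {
    hostName = "raspberrypi";
    firewall = {
      enable = true;
      # ICMP echo stays reachable so the host can be found on the LAN; the
      # per-service openFirewall flags in the imported modules add their ports.
      allowPing = true;
    };
  };

  time.timeZone = "America/Denver";
  i18n.defaultLocale = "en_US.UTF-8";

  environment.systemPackages = with pkgs; [
    htop
    wget
    lm_sensors
    bottom
    raspberrypi-eeprom
    bat
  ];

  services = {
    watchdogd.enable = true;
    openssh = {
      enable = true;
      settings = {
        # The admin account authenticates with the ed25519 key declared in
        # user.nix, so password and keyboard-interactive logins add only
        # brute-force surface; refuse them.  Root never logs in directly —
        # the wheel user in user.nix escalates with sudo.
        PasswordAuthentication = false;
        KbdInteractiveAuthentication = false;
        PermitRootLogin = "no";
      };
    };
  };
}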
# Do not modify this file! It was generated by ‘nixos-generate-config’
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
{
# NOTE(review): this file is regenerated by `nixos-generate-config` (see the
# header above).  Anything that must survive regeneration — the swap file
# below is the obvious candidate — belongs in configuration.nix instead.
imports =
[ (modulesPath + "/installer/scan/not-detected.nix")
];
# USB3 host controller and USB-attached-SCSI, i.e. the root disk is on USB.
boot.initrd.availableKernelModules = [ "xhci_pci" "uas" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ ];
boot.extraModulePackages = [ ];
# NOTE(review): this UUID looks like a placeholder; confirm it matches the
# real root device before deploying.
fileSystems."/" =
{ device = "/dev/disk/by-uuid/44444444-4444-4444-8888-888888888888";
fsType = "ext4";
};
# NOTE(review): the swap file lives on the root filesystem declared above,
# which is plain ext4 — no LUKS or encrypted-swap option is set anywhere in
# this configuration — so pages of the samba/unifi processes can be written
# to disk in clear.  Drop swap or encrypt it if that matters for this host.
swapDevices = [{
device = "/swapfile";
size = 16 * 1024; # swapDevices.*.size is in megabytes, so 16 * 1024 = 16 GiB
}];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's
# still possible to use this option, but it's recommended to use it in conjunction
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
networking.useDHCP = lib.mkDefault true;
# networking.interfaces.end0.useDHCP = lib.mkDefault true;
# networking.interfaces.wlan0.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "aarch64-linux";
}
{ pkgs, ... }:
{
# Time Machine target: an authenticated SMB share on /mnt/backups plus the
# mDNS records macOS needs to discover it.
services = {
samba = {
package = pkgs.samba4Full;
# ^^ `samba4Full` is compiled with avahi, ldap, AD etc support (compared to the default package, `samba`).
# Required for samba to register mDNS records for auto discovery.
# Security note: the full build also carries AD/LDAP code paths this host
# never uses — a larger binary to keep patched, but only the fruit/share
# configuration below is actually exposed.
# See https://github.com/NixOS/nixpkgs/blob/592047fc9e4f7b74a4dc85d1b9f5243dfe4899e3/pkgs/top-level/all-packages.nix#L27268
enable = true;
# Opens the SMB ports on every interface; nothing here scopes them to one
# interface (networking.firewall.interfaces.<if>), so keep the Pi on a
# trusted LAN or add that scoping.
openFirewall = true;
# NOTE(review): no `server smb encrypt` / `server min protocol` is set in
# settings.global, so samba's defaults decide what the Mac negotiates;
# consider `"server smb encrypt" = "desired"` if the LAN is not trusted.
settings.timemachine = {
# The whole backup disk.  It also contains /mnt/backups/unifi, which
# unifi.nix bind-mounts as the UniFi controller's backup directory, so the
# controller backups are reachable through this share by whoever holds
# bsideup's SMB credentials.
path = "/mnt/backups";
browseable = "yes";
# `read only = no` and `writeable = yes` are the same switch spelled twice.
"read only" = "no";
# Authenticated access only — the share never falls back to guest.
"guest ok" = "no";
# Files and directories land owner-only on the local filesystem.
"create mask" = "0600";
"directory mask" = "0700";
comment = "Raspberry Pi Time Capsule";
"writeable" = "yes";
# The SMB password for bsideup is not declared here; presumably set
# imperatively (smbpasswd) and kept in samba's own password database,
# separate from the Unix password.
"valid users" = "bsideup";
"write list" = "bsideup";
# Everything written via the share is owned by bsideup regardless of the
# authenticated identity (only bsideup can authenticate anyway).
"force user" = "bsideup";
# catia/fruit/streams_xattr are the macOS compatibility stack; fruit with
# `time machine = yes` marks the share as a Time Machine volume.
"vfs objects" = "catia fruit streams_xattr";
"fruit:aapl" = "yes";
"fruit:time machine" = "yes";
};
};
avahi = {
enable = true;
# Opens mDNS (UDP 5353) on every interface, same caveat as the SMB ports.
openFirewall = true;
nssmdns4 = true;
publish = {
enable = true;
addresses = true;
domain = true;
# `hinfo` publishes the host's CPU/OS type over mDNS — harmless on a home
# LAN, but it is free reconnaissance for anything else on the segment.
hinfo = true;
userServices = true;
workstation = true;
};
# NOTE(review): with samba4Full's avahi support enabled (see above) samba
# may already register _smb._tcp and _adisk._tcp for fruit shares itself,
# in which case this file duplicates them — confirm on the wire with
# `avahi-browse -a`.
# NOTE(review): `adVN=backups` names a volume that does not match the share
# name `timemachine` declared above; the adisk TXT record is what macOS
# uses to pick the share, so the two are expected to agree — confirm which
# name is intended.
extraServiceFiles = {
smb = ''
<?xml version="1.0" standalone='no'?><!--*-nxml-*-->
<!DOCTYPE service-group SYSTEM "avahi-service.dtd">
<service-group>
<name replace-wildcards="yes">%h</name>
<service>
<type>_smb._tcp</type>
<port>445</port>
</service>
<service>
<type>_device-info._tcp</type>
<port>9</port>
<txt-record>model=TimeCapsule8,119</txt-record>
</service>
<service>
<type>_adisk._tcp</type>
<port>9</port>
<txt-record>dk0=adVN=backups,adVF=0x82</txt-record>
<txt-record>sys=adVF=0x100</txt-record>
</service>
</service-group>
'';
};
};
};
}
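{ config, lib, pkgs, ... }:
{
  # UniFi network controller on the Pi.  The controller is unfree, and the
  # MongoDB it needs has no usable aarch64/Pi build in nixpkgs here, so a
  # third-party prebuilt binary is wired in below.
  nixpkgs.config.allowUnfree = true;

  # 8443 is the controller's admin web UI.  It is opened on every interface;
  # restrict it with networking.firewall.interfaces.<if>.allowedTCPPorts if
  # the Pi ever has more than one network.  (The explicit entry suggests
  # services.unifi.openFirewall does not cover it — confirm against the module.)
  networking.firewall.allowedTCPPorts = [ 8443 ];

  # Keep the controller's backup archives on the backup disk.  /mnt/backups
  # is also the Time Machine SMB share (time-machine.nix), so the archives —
  # which presumably contain the controller database and therefore the
  # credentials it manages — are reachable over SMB by that share's user.
  fileSystems."/var/lib/unifi/data/backup" = {
    device = "/mnt/backups/unifi";
    fsType = "none";
    options = [ "bind" ];
  };

  # The prebuilt mongod links against OpenSSL 1.1, which is end-of-life and
  # receives no security fixes; this waiver is what lets nixpkgs evaluate it.
  # The controller-managed mongod is normally bound to localhost (confirm),
  # but re-evaluate this whenever a current MongoDB build becomes usable.
  nixpkgs.config.permittedInsecurePackages = [
    "openssl-1.1.1w"
  ];

  services.unifi = {
    enable = true;
    # Unofficial community build of mongod for the Pi 4.  Supply-chain note:
    # this is an unsigned artifact from a personal GitHub account; the sha256
    # pins the exact bytes but does not vouch for their contents.  Bump
    # `version` and `hash` together when updating.
    mongodbPackage = pkgs.stdenv.mkDerivation rec {
      pname = "mongodb";
      version = "7.0.14";
      src = pkgs.fetchurl {
        # Release tag and tarball name both embed the version, so derive them
        # from `version` instead of repeating it.
        url = "https://github.com/themattman/mongodb-raspberrypi-binaries/releases/download/r${version}-rpi-unofficial/mongodb.ce.pi4.r${version}.tar.gz";
        hash = "sha256-b0F8ihngN20CUc/tXFHao8JVroDiEfsSfDs2QErkma0=";
      };
      # The tarball has no top-level directory.
      sourceRoot = ".";
      # Runtime libraries autoPatchelfHook resolves the binary's DT_NEEDED
      # entries against.
      buildInputs = [
        pkgs.curl.dev
        pkgs.openssl_1_1
        (lib.getLib pkgs.stdenv.cc.cc)
      ];
      nativeBuildInputs = [ pkgs.autoPatchelfHook ];
      # Keep the prebuilt binary's symbols as shipped.
      dontStrip = true;
      installPhase = ''
        runHook preInstall
        mkdir -p $out/bin
        install -Dm 755 mongod $out/bin/mongod
        runHook postInstall
      '';
    };
    # Opens the device-facing controller ports (inform, STUN, discovery, …)
    # as defined by the NixOS unifi module.
    openFirewall = true;
  };
}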
{ pkgs, ... }:
{
# The single admin account for this host.
users.users.bsideup = {
isNormalUser = true;
# `wheel` already grants sudo; the extraRules entry below additionally makes
# it passwordless.
extraGroups = [ "wheel" ]; # Enable ‘sudo’ for the user.
# Public key for SSH login (public material, safe to publish).  This is the
# only SSH credential declared for the host.
openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEOLlG1XLTFRZREy/5Kf0zSINGbU3ZLU6nUNqsWimF52 bsideup@MacBook-Pro-90.local"
];
};
# NOTE(review): `ALL` with `NOPASSWD` means any session running as bsideup
# — an SSH session, a process the user started, or the auto-logged-in
# console below — becomes root with `sudo -i` and no second factor of any
# kind.  Together with the console autologin this gives anyone with physical
# access to the Pi (HDMI/keyboard or serial) an unauthenticated root shell.
# Acceptable only if the device is physically secured; otherwise drop either
# the NOPASSWD option or the autologin.
security.sudo.extraRules = [
{
users = [ "bsideup" ];
commands = [
{
command = "ALL" ;
options = [ "NOPASSWD" ];
}
];
}
];
# Logs bsideup in on the local console without a password — see the sudo
# note above for what that implies.
services.getty.autologinUser = "bsideup";
}