# NixOS host configuration for "nix-nas": ZFS NAS, local binary cache,
# Docker/libvirt host and HDMI-triggered Kodi front end.
# Module arguments: `config` (unused here) and `pkgs` (kernel, Kodi, virt-viewer).
{ config, pkgs, ... }:

{
  imports = [ ./hardware/hardware-configuration.nix ];

  ##########################################################################
  ### Boot #################################################################
  ##########################################################################
  boot.loader = {
    systemd-boot.enable = true;
    efi.canTouchEfiVariables = true;
  };

  # Kernel stays pinned to 6.12 until ZFS 2.3.x supports 6.13.
  boot.kernelPackages = pkgs.linuxPackages_6_12;

  boot.initrd = {
    kernelModules = [ "overlay" "vmd" ];
    # Directories created by systemd-tmpfiles inside the initrd.
    # NOTE(review): /nix/.ro-store and /nix/.rw-store are the layout used by an
    # overlay-backed store (live/netboot images); /nix is a ZFS dataset here,
    # so confirm these entries are still needed.
    systemd.tmpfiles.settings."nixdirs" =
      let
        rootOwnedDir = { mode = "0755"; type = "d"; user = "root"; group = "root"; };
      in {
        "/nix".d = rootOwnedDir;
        "/nix/.ro-store".d = rootOwnedDir;
        "/nix/.rw-store".d = rootOwnedDir;
      };
  };

  # Data pool, imported at boot next to the root pool.
  boot.zfs.extraPools = [ "tank" ];

  ##########################################################################
  ### Network / storage ####################################################
  ##########################################################################
  networking = {
    hostName = "nix-nas";
    # Required by ZFS. Derived via: head -c4 /etc/machine-id | od -An -tx4
    hostId = "39373132";
  };

  fileSystems = {
    "/"     = { device = "rpool/root"; fsType = "zfs"; neededForBoot = true; };
    "/nix"  = { device = "rpool/nix";  fsType = "zfs"; neededForBoot = true; };
    "/home" = { device = "tank/home";  fsType = "zfs"; };
    "/tank" = { device = "tank/media"; fsType = "zfs"; };
  };

  swapDevices = [ ];

  ##########################################################################
  ### Users / access #######################################################
  ##########################################################################
  users.users.nicole = {
    isNormalUser = true;
    # sha512-crypt hash.
    # NOTE(review): everything in this module ends up in the world-readable
    # Nix store; `hashedPasswordFile` pointing at a root-only file keeps the
    # hash out of it.
    hashedPassword = "$6$p73d5mOLoSuJGOol$KRlszaPXZK9/frADlfR3kAr/57DD5f4.CPTGNNX80QWEWFE5y.bM1WiZwmRHiAlrws3q/zCDQ6AqeSyCUX.8U/";
    # wheel grants sudo; docker and libvirtd each give root-equivalent control
    # of the host through container/VM management, so this account is
    # effectively root.
    extraGroups = [ "wheel" "docker" "libvirtd" ];
    openssh.authorizedKeys.keys = [
      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGAsiKDWCwyf1usprg3K6Zk0xE9S4DX6+Bc4+nIOZGmf drezil@Manticore"
    ];
  };
  # Redundant with extraGroups above; both resolve to the same group entry.
  users.groups.docker.members = [ "nicole" ];

  # Pinned once at install time; do not bump on upgrades.
  system.stateVersion = "25.05";

  # NOTE(review): passwordless sudo for wheel means any process running as
  # nicole (SSH session, user services started by the HDMI handler below)
  # becomes root without a prompt.
  security.sudo.wheelNeedsPassword = false;

  # NOTE(review): key-based login is set up for nicole, but password
  # authentication is left at the module default; the usual hardening is
  # `services.openssh.settings.PasswordAuthentication = false;`.
  services.openssh.enable = true;

  services.zfs.autoScrub.enable = true;

  # Snapshot creation and retention details are still to be worked out.
  systemd.services.zfs-prune-snapshots = {
    description = "Remove ZFS snapshots older than policy";
    # NOTE(review): zfs-prune-snapshots is not in environment.systemPackages
    # below, so confirm this path exists on the built system and that the
    # tool accepts `-r --keep=2w`.
    serviceConfig.ExecStart = "/run/current-system/sw/bin/zfs-prune-snapshots -r --keep=2w";
    startAt = "daily";
  };

  environment.systemPackages = [
    pkgs.git
    pkgs.vim
    pkgs.zfs
    pkgs.virt-viewer
  ];

  ##########################################################################
  ### Virtualisation #######################################################
  ##########################################################################
  virtualisation = {
    docker.enable = true;
    libvirtd.enable = true;
  };
  programs.virt-manager.enable = true;

  ##########################################################################
  ### Nix binary cache #####################################################
  ##########################################################################
  # Serve this host's store to other machines, signed with the key below.
  # NOTE(review): openFirewall publishes port 5000 on every interface; clients
  # trust the cache only through the signature, so the secret key file must
  # stay readable by root only.
  services.nix-serve = {
    enable = true;
    secretKeyFile = "/var/cache/nix/secret-key";
    openFirewall = true;
    port = 5000;
  };

  nix.settings = {
    # Local cache first, upstream second. NOTE(review): on this host the first
    # entry points at itself over plain HTTP; path integrity comes from the
    # signatures checked against trusted-public-keys, not from the transport.
    substituters = [
      "http://nix-nas:5000"
      "https://cache.nixos.org"
    ];
    trusted-public-keys = [
      "nas-cache:rgCDn9SwmvxvhjiEiRgrjAuAEyRiJT/aBIlywetuypM="
      "cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY=" # standard key of the upstream cache
    ];
    # Sign locally built paths so other hosts can substitute them.
    secret-key-files = [ "/var/cache/nix/secret-key" ];
  };

  ##########################################################################
  ### Kodi & TV detection ##################################################
  ##########################################################################

  ### udev rule + script ###################################################
  # Every DRM hotplug event runs the handler; the script decides from the
  # HDMI connector state whether to start or stop Kodi.
  # NOTE(review): udev RUN programs get a minimal environment, and
  # `systemctl --user` needs the target user's session bus; confirm that
  # `env bash`, `runuser` and the user manager resolve from this context
  # (absolute store paths in the shebang would remove the PATH dependency).
  services.udev.extraRules = ''
    ACTION=="change", SUBSYSTEM=="drm", ENV{HOTPLUG}=="1", \
    RUN+="/etc/udev/scripts/hdmi-handler.sh"
  '';

  environment.etc."udev/scripts/hdmi-handler.sh" = {
    mode = "0755";
    text = ''
      #!/usr/bin/env bash
      PORT="/sys/class/drm/card0-HDMI-A-1/status"
      USER="nicole"
      read status < "$PORT"
      if [[ "$status" == "connected" ]]; then
        # Fernseher an ➜ Kodi starten
        runuser -l "$USER" -c "systemctl --user start kodi.service"
        # Beispiel: alternative Wartungs-VM
        # runuser -l "$USER" -c "systemctl --user start vm-viewer@ha-vm.service"
      else
        # Fernseher aus ➜ alles stoppen
        runuser -l "$USER" -c "systemctl --user stop vm-viewer@ha-vm.service" || true
        runuser -l "$USER" -c "systemctl --user stop kodi.service"
      fi
    '';
  };

  ### Kodi (GBM/Wayland variant) ###########################################
  programs.kodi = {
    enable = true;
    package = pkgs.kodi;  # default; switch to `pkgs.kodi-wayland` if needed
    gpuSupport = true;    # drops the X11 dependency
  };

  ### virt-viewer template unit (optional) #################################
  # Instantiated as vm-viewer@<domain>.service in the user manager; the HDMI
  # handler above stops vm-viewer@ha-vm.service when the TV disconnects.
  systemd.user.services."vm-viewer@" = {
    description = "Virt-viewer fullscreen for %i";
    serviceConfig = {
      ExecStart = "${pkgs.virt-viewer}/bin/virt-viewer --full-screen --wait --domain-name %i";
      Restart = "on-failure";
    };
  };
}