Edit this configuration file to define what should be installed on

your system. Help is available in the configuration.nix(5) man page, on

https://search.nixos.org/options and in the NixOS manual (nixos-help).

{
config,
lib,
pkgs,
...
}:

{
imports = [
# Include the results of the hardware scan.
./hardware-configuration.nix
];

Use the systemd-boot EFI boot loader.

boot.loader.systemd-boot.enable = true;
boot.loader.efi.canTouchEfiVariables = true;
boot.zfs.extraPools = [ "jjpool" ];

Define a user account. Don't forget to set a password with ‘passwd’.

users.users = {
conor = {
isNormalUser = true;
home = "/home/conor";
description = "";
extraGroups = [
"wheel"
"plex"
];
shell = pkgs.zsh;
openssh.authorizedKeys.keys = [
""
];
};
};

List packages installed in system profile. To search, run:

environment.systemPackages = with pkgs; [
git
gh
wget
openssl
neofetch
tmux
rsync
iotop
nmap
lsof
htop
powertop
nixfmt-rfc-style
wireguard-tools
bind
tcpdump
qbittorrent-nox
((vim_configurable.override { }).customize {
name = "vim";
# Install plugins for example for syntax highlighting of nix files
vimrcConfig.packages.myplugins = with pkgs.vimPlugins; {
start = [
vim-nix
vim-lastplace
];
opt = [ ];
};
vimrcConfig.customRC = ''
" your custom vimrc
set nocompatible
set backspace=indent,eol,start
set number
set title
" Turn on syntax highlighting by default
syntax on
" ...
'';
})
];

nixpkgs = {
config = {
allowUnfree = true;
};
};

List of programs to enable

programs = {
zsh = {
enable = true;
enableCompletion = true;
enableBashCompletion = true;
autosuggestions.enable = true;
syntaxHighlighting.enable = true;
histSize = 10000;

  shellAliases = {
    nixos = "cd ~/nixos-config";
    switch = "nixos-rebuild switch --flake .#jubjub --use-remote-sudo";
    garbage = "nix-collect-garbage --delete-older-than 7d";
    jja = "cd /mnt/data1/video";
    jjf = "cd /mnt/data1/files";
    jji = "cd /mnt/data1/inbox";
    jjm = "cd /mnt/data1/video/Movies";
    jjtv = "cd /mnt/data1/video/TV";
  };

};

};

List services that you want to enable:

services = {
# Start SSHD
openssh.enable = true;

# Setup AFP  Server
netatalk = {
  enable = true;
  settings = {
    audio = {
      path = "/mnt/data1/audio";
      "valid users" = "conor";
    };
    files = {
      path = "/mnt/data1/files";
      "valid users" = "conor";
    };
    inbox = {
      path = "/mnt/data1/inbox";
      "valid users" = "conor";
    };
    photo = {
      path = "/mnt/data1/photo";
      "valid users" = "conor";
    };
    video = {
      path = "/mnt/data1/video";
      "valid users" = "conor";
    };
    backup-itchy = {
      path = "/mnt/data1/backup/itchy";
      "valid users" = "conor";
      "time machine" = "yes";
    };
  };
};

# Enable Avahi Service
avahi = {
  enable = true;
  nssmdns4 = true;
  publish = {
    enable = true;
    userServices = true;
  };
};

# Enable Plex Media Server
plex.enable = true;
plex.openFirewall = true;

# Enable Resolved
resolved = {
  enable = true;
  fallbackDns = [
    "91.231.153.2"
    "192.211.0.2"
  ];
  extraConfig = ''
    DNSStubListener=no
  '';
};

};

networking = {
hostName = "jubjub"; # Define your hostname.
useNetworkd = true;
enableIPv6 = false;
nameservers = [
"91.231.153.2"
"192.211.0.2"
];
firewall = {
enable = true; # Enable firewall
allowedTCPPorts = [
80
443
548
8080
53897
];
allowedUDPPorts = [
5353
51820
];
};

wg-quick.interfaces = {
  wg0 = {
    address = [ "<redacted>" ];
    dns = [
      "<redacted>"
      "<redacted>"
    ];
    peers = [
      {
        allowedIPs = [ "0.0.0.0/0" ];
        endpoint = "<redacted>";
        publicKey = "<redacted>";

      }
    ];
    privateKeyFile = "/var/lib/lxxx-privkey";
    listenPort = 51820;
  };
};

};

systemd.services.qbittorrent =
let
qbittorrent = pkgs.qbittorrent.override { guiSupport = false; };
in
{
enable = true;
description = "qbittorrent daemon";
documentation = [ "man:qbittorrent-nox(1)" ];
wants = [ "network-online.target" ];
after = [
"network-online.target"
"nss-lookup.target"
];
wantedBy = [ "multi-user.target" ];
serviceConfig = {
ExecStart = "${qbittorrent}/bin/qbittorrent-nox";
User = "conor";
};
};

Check if share folder is created and set

systemd.tmpfiles.rules = [
"d /mnt/data1 0755 conor users"
"Z /mnt/data1 0755 conor users"
];

This option defines the first version of NixOS you have installed on this particular machine,

and is used to maintain compatibility with application data (e.g. databases) created on older NixOS versions.

Most users should NEVER change this value after the initial install, for any reason,

even if you've upgraded your system to a new NixOS release.

This value does NOT affect the Nixpkgs version your packages and OS are pulled from,

so changing it will NOT upgrade your system.

This value being lower than the current NixOS release does NOT mean your system is

out of date, out of support, or vulnerable.

Do NOT change this value unless you have manually inspected all the changes it would make to your configuration,

and migrated your data accordingly.

For more information, see man configuration.nix or https://nixos.org/manual/nixos/stable/options#opt-system.stateVersion .

system.stateVersion = "23.11"; # Did you read the comment?

nix = {
extraOptions = "experimental-features = nix-command flakes";
};

}

  security.acme = {
    acceptTerms = true;
    defaults.email = "conor+acme@domain.com";
    certs = {
      "conr.run" = {
        domain = "domain.com";
        group = "nginx";
        dnsProvider = "porkbun";
        environmentFile = "/var/lib/private/porkbun";
      };
    };
  }

In reply to @hexa:lossy.network
the nginx group apparently does not exist

hexa: do i need the lego command too? or just the first too lines?

PORKBUN_SECRET_API_KEY=xxxxxx \
PORKBUN_API_KEY=yyyyyy \
lego --email you@example.com --dns porkbun -d '*.example.com' -d example.com run
``

so i am getting a

2025/04/15 21:40:37 porkbun: some credentials info>
Apr 15 21:40:37 jubjub acme-jubjub.conr.run-start[48440]: + echo Failed to fetch certificates. This may mean>
Apr 15 21:40:37 jubjub acme-jubjub.conr.run-start[48440]: Failed to fetch certificates. This may mean your D>
Apr 15 21:40:37 jubjub acme-jubjub.conr.run-start[48440]: + exit 10

@hexa does your porkbun file look like this?

PORKBUN_SECRET_API_KEY=pk1_1234… \
PORKBUN_API_KEY=sk1_1234… \