authorscouckel <james.krinsky@gmail.com>2026-06-14 23:15:07 -0400
committerscouckel <james.krinsky@gmail.com>2026-06-14 23:15:07 -0400
commit029658ee78bdac2b933dc67c492f7f17358e2254 (patch)
treecc57432e2a3944a5c5eb931fe298418bf81d97e9
parent5946be625dc90e2caadb9f7ce73885504033338b (diff)
shar to dendritic?
-rw-r--r--modules/hosts/shar/hardware.nix47
-rw-r--r--modules/hosts/shar/shar.nix149
-rw-r--r--modules/lib/hostOptions.nix7
-rw-r--r--modules/nixosModules/server/arr.nix11
-rw-r--r--modules/nixosModules/server/default.nix2
-rw-r--r--modules/nixosModules/server/qbittorrent.nix12
-rw-r--r--modules/nixosModules/server/seerr.nix40
7 files changed, 254 insertions, 14 deletions
diff --git a/modules/hosts/shar/hardware.nix b/modules/hosts/shar/hardware.nix
new file mode 100644
index 0000000..7431695
--- /dev/null
+++ b/modules/hosts/shar/hardware.nix
@@ -0,0 +1,47 @@
+{
+ self,
+ inputs,
+ ...
+}: {
+ flake.nixosModules.sharHardware = {
+ config,
+ lib,
+ pkgs,
+ modulesPath,
+ ...
+ }: {
+ imports = [
+ (modulesPath + "/installer/scan/not-detected.nix")
+ ];
+
+ boot.initrd.availableKernelModules = ["ahci" "xhci_pci" "ehci_pci" "nvme" "usbhid" "usb_storage" "sd_mod"];
+ boot.initrd.kernelModules = [];
+ boot.kernelModules = ["kvm-intel"];
+ boot.extraModulePackages = [];
+
+ fileSystems."/" = {
+ device = "/dev/disk/by-uuid/737de4e0-554e-4175-a454-677cf03dbada";
+ fsType = "ext4";
+ };
+
+ fileSystems."/boot" = {
+ device = "/dev/disk/by-uuid/8201-A778";
+ fsType = "vfat";
+ options = ["fmask=0077" "dmask=0077"];
+ };
+
+ swapDevices = [
+ {device = "/dev/disk/by-uuid/429ba137-6ea4-43ba-97ff-e2c2206f935b";}
+ ];
+
+ # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+ # (the default) this is the recommended approach. When using systemd-networkd it's
+ # still possible to use this option, but it's recommended to use it in conjunction
+ # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
+ networking.useDHCP = lib.mkDefault true;
+ # networking.interfaces.eno1.useDHCP = lib.mkDefault true;
+
+ nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+ hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+ };
+}
diff --git a/modules/hosts/shar/shar.nix b/modules/hosts/shar/shar.nix
new file mode 100644
index 0000000..1562ad1
--- /dev/null
+++ b/modules/hosts/shar/shar.nix
@@ -0,0 +1,149 @@
+{
+ inputs,
+ self,
+ ...
+}: {
+ flake.nixosConfigurations.shar = inputs.nixpkgs.lib.nixosSystem {
+ modules = [
+ self.nixosModules.shar
+ self.nixosModules.sharHardware
+
+ self.nixosModules.createHost
+ self.nixosModules.hostOptions
+ ];
+ };
+
+ flake.nixosModules.shar = {pkgs, ...}: {
+ hostOptions = {
+ host.name = "shar";
+ user.name = "jck";
+ user.email = "jckrinsky@gmail.com";
+ server = {
+ dataPath = "/tank/data";
+ mediaPath = "/tank/media";
+ domain = "jckrinsky.net";
+ # sshKeys = [
+ # "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBgQS9Y3yqztLL0Ss0JUCN04B6zgLXIETgY0jyvT6I98 jck@tiamat"
+ # "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHVbrjXliZECEFOLlgJ8vy+Qja1G+sY0LM+ijEgyP3HZ jck@vecna"
+ # "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMGuvWTpRTumIOlnUHRBx5ZqjFi5qfezvLrpLAzB97nq jck@balduran"
+ # "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIK3cFs4a3j77gJvoeU92Olj74wcLrVBv+2FUFqKOeoxb jck@dragotha"
+ # ];
+ };
+ };
+
+ users.users.jck.openssh.authorizedKeys.keys = [
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBgQS9Y3yqztLL0Ss0JUCN04B6zgLXIETgY0jyvT6I98 jck@tiamat"
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHVbrjXliZECEFOLlgJ8vy+Qja1G+sY0LM+ijEgyP3HZ jck@vecna"
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMGuvWTpRTumIOlnUHRBx5ZqjFi5qfezvLrpLAzB97nq jck@balduran"
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIK3cFs4a3j77gJvoeU92Olj74wcLrVBv+2FUFqKOeoxb jck@dragotha"
+ ];
+
+ hardware.graphics = {
+ enable = true;
+ enable32Bit = true;
+ extraPackages = with pkgs; [
+ intel-media-driver
+ vpl-gpu-rt
+ intel-compute-runtime
+ ];
+ };
+
+ boot.kernelParams = ["i915.enable_guc=3"];
+ environment.sessionVariables.LIBVA_DRIVER_NAME = "iHD";
+
+ services.openssh.settings.PasswordAuthentication = false;
+ services.openssh.settings.openFirewall = true;
+
+ hardware.cpu.intel.updateMicrocode = true;
+
+ networking = {
+ interfaces.eno1.ipv4.addresses = [
+ {
+ address = "173.66.162.54";
+ prefixLength = 28;
+ }
+ ];
+
+ hostId = "958b5d5d";
+ useDHCP = false;
+ defaultGateway = {
+ address = "173.66.162.1";
+ interface = "eno1";
+ };
+ nameservers = ["1.1.1.1" "9.9.9.9"];
+
+ nat = {
+ enable = true;
+ internalInterfaces = ["tailscale0"];
+ externalInterface = "mullvad";
+ };
+
+ wg-quick.interfaces.mullvad = {
+ autostart = true;
+ privateKey = "/home/jck/mullvad.key";
+ address = ["10.74.181.209/32"];
+ table = "off";
+
+ peers = [
+ {
+ publicKey = "qD3AH8vI8MhEVc9+0+2O8zV0Gx9FfKdy7ri3Bnpzo10=";
+ allowedIPs = ["0.0.0.0/0" "::/0"];
+ endpoint = "185.213.193.3:51820";
+ persistentKeepalive = 25;
+ }
+ ];
+
+ postUp = ''
+ ${pkgs.iproute2}/bin/ip route add default dev mullvad table 1234
+ ${pkgs.iproute2}/bin/ip rule add from 10.74.181.209 table 1234 priority 1000
+ ${pkgs.iproute2}/bin/ip rule add iif tailscale0 table 1234 priority 1010
+ '';
+
+ postDown = ''
+ ${pkgs.iproute2}/bin/ip rule del from 10.74.181.209 table 1234
+ ${pkgs.iproute2}/bin/ip rule del iif tailscale0 table 1234 priority 1010
+ '';
+ };
+ };
+
+ systemd.services.qbittorrent.serviceConfig = {
+ RestrictNetworkInterfaces = [
+ "lo"
+ "mullvad"
+ "tailscale0"
+ ];
+ };
+
+ fileSystems."/tank/data" = {
+ device = "shar0/data";
+ fsType = "zfs";
+ options = ["nofail"];
+ };
+
+ fileSystems."/tank/media" = {
+ device = "shar1/data";
+ fsType = "zfs";
+ options = ["nofail"];
+ };
+
+ fileSystems."/tank/backups" = {
+ device = "shar1/data";
+ fsType = "zfs";
+ options = ["nofail"];
+ };
+
+ services.zfs = {
+ autoScrub.enable = true;
+ autoSnapshot.enable = true;
+ };
+
+ services.nfs.server = {
+ enable = true;
+ exports = ''
+ /tank/media 100.64.0.0/10(rw,async,no_subtree_check)
+ /tank/data 100.64.0.0/10(rw,async,no_subtree_check)
+ /tank/backups 100.64.0.0/10(rw,async,no_subtree_check)
+ '';
+ };
+ };
+}
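Review bot: `privateKey = "/home/jck/mullvad.key";` in the `wg-quick.interfaces.mullvad` block passes a file path to the option that expects the base64 key itself, so the tunnel would most likely fail to come up, and pasting the real key there to make it work would put it in the world-readable Nix store. Use `privateKeyFile = "/home/jck/mullvad.key";` and keep that file root-owned with mode 0600, preferably outside the home directory. `services.openssh.settings.openFirewall = true;` has a similar problem: `openFirewall` is an option of `services.openssh` itself, and under `settings` it would probably be rendered into sshd_config as an unknown directive, so it should read `services.openssh.openFirewall = true;`. Separately, `fileSystems."/tank/media"` and `fileSystems."/tank/backups"` both name `shar1/data` as their device, which looks like a copy-paste slip and would leave the backups sharing a dataset with the media they are meant to protect.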
diff --git a/modules/lib/hostOptions.nix b/modules/lib/hostOptions.nix
index 37a00c8..224bb79 100644
--- a/modules/lib/hostOptions.nix
+++ b/modules/lib/hostOptions.nix
@@ -32,9 +32,10 @@
type = lib.types.str;
default = "jckrinsky.net";
};
- sshKeys = {
- type = lib.types.list lib.types.str;
- };
+ # sshKeys = {
+ # type = lib.types.listOf lib.types.singleLineStr;
+ # default = [];
+ # };
};
};
};
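Review bot: The `sshKeys` option is commented out here rather than fixed or removed, and the matching key list is also left commented out in `modules/hosts/shar/shar.nix`, so the repository now carries two dead copies next to the hard-coded `users.users.jck` list. The commented declaration is already in the valid form (`lib.types.listOf` with `default = [];`), so it could be enabled and consumed with something like `users.users.${config.hostOptions.user.name}.openssh.authorizedKeys.keys = config.hostOptions.server.sshKeys;`, which keeps each host's authorized keys in one reviewed place. The enclosing options block starts and ends outside this hunk, so the exact attribute path is an assumption to confirm.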
diff --git a/modules/nixosModules/server/arr.nix b/modules/nixosModules/server/arr.nix
index 40261ef..daf61a5 100644
--- a/modules/nixosModules/server/arr.nix
+++ b/modules/nixosModules/server/arr.nix
@@ -21,16 +21,6 @@
};
};
- services.lidarr = {
- enable = true;
- openFirewall = false;
- dataDir = "${cfg.dataPath}/arr/lidarr/";
- settings.server = {
- bindAddress = "*";
- port = 8686;
- };
- };
-
services.sonarr = {
enable = true;
openFirewall = false;
@@ -68,7 +58,6 @@
users.groups.arr = {};
users.users.radarr.extraGroups = ["arr"];
- users.users.lidarr.extraGroups = ["arr"];
users.users.sonarr.extraGroups = ["arr"];
};
}
diff --git a/modules/nixosModules/server/default.nix b/modules/nixosModules/server/default.nix
index 5a475b1..f7e63ff 100644
--- a/modules/nixosModules/server/default.nix
+++ b/modules/nixosModules/server/default.nix
@@ -11,7 +11,9 @@
self.nixosModules.jellyfin
self.nixosModules.navidrome
self.nixosModules.nginx
+ self.nixosModules.qbittorrent
self.nixosModules.radicale
+ self.nixosModules.seerr
self.nixosModules.tailscaleServer
];
};
diff --git a/modules/nixosModules/server/qbittorrent.nix b/modules/nixosModules/server/qbittorrent.nix
new file mode 100644
index 0000000..afea0ca
--- /dev/null
+++ b/modules/nixosModules/server/qbittorrent.nix
@@ -0,0 +1,12 @@
+{self, ...}: {
+ flake.nixosModules.qbittorrent = {config, ...}: {
+ imports = [
+ self.nixosModules.hostOptions
+ ];
+
+ services.qbittorrent = {
+ enable = true;
+ openFirewall = false;
+ };
+ };
+}
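Review bot: Nothing in this module confines qBittorrent to the VPN; the `RestrictNetworkInterfaces` list that does so is set only in `modules/hosts/shar/shar.nix`, while `server/default.nix` appears to pull this module in for every host that uses the server module. Another host enabling the server module would therefore run the client on its normal uplink. Either move the interface restriction into this module behind a host option, or add a comment such as `# network confinement is host-specific: set systemd.services.qbittorrent.serviceConfig.RestrictNetworkInterfaces per host`. The `config` argument and the `hostOptions` import are unused in the visible lines and could be dropped.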
diff --git a/modules/nixosModules/server/seerr.nix b/modules/nixosModules/server/seerr.nix
new file mode 100644
index 0000000..93c5f19
--- /dev/null
+++ b/modules/nixosModules/server/seerr.nix
@@ -0,0 +1,40 @@
+{self, ...}: {
+ flake.nixosModules.seerr = {
+ config,
+ lib,
+ pkgs,
+ ...
+ }: {
+ imports = [
+ self.nixosModules.hostOptions
+ ];
+
+ services.seerr = {
+ enable = true;
+ openFirewall = false;
+ configDir = "${config.hostOptions.server.dataPath}/seerr";
+ port = 5055;
+ };
+
+ users.users.seerr = {
+ isSystemUser = true;
+ group = "seerr";
+ };
+
+ users.groups.seerr = {};
+ systemd.services.seerr.serviceConfig = {
+ DynamicUser = lib.mkForce false;
+ User = lib.mkForce "seerr";
+ Group = lib.mkForce "seerr";
+ ReadWritePaths = ["${config.hostOptions.server.dataPath}/seerr"];
+ ExecStart = lib.mkForce "${pkgs.seerr}/bin/seerr";
+ };
+
+ services.nginx.virtualHosts."seerr.${config.hostOptions.server.domain}" = {
+ enableACME = true;
+ forceSSL = true;
+ locations."/".proxyPass = "http://127.0.0.1:5055";
+ locations."/".proxyWebSockets = true;
+ };
+ };
+}
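Review bot: Forcing `DynamicUser = lib.mkForce false` in `systemd.services.seerr.serviceConfig` also drops the sandboxing that systemd applies implicitly to dynamic users (a read-only system tree, a private /tmp, no new privileges), and `ReadWritePaths` only has an effect when `ProtectSystem` is set somewhere. Unless the upstream unit already sets them, which is not visible here, add them explicitly: `ProtectSystem = "strict";`, `PrivateTmp = true;`, `NoNewPrivileges = true;`. The forced `ExecStart` also replaces whatever command line the upstream module builds, so a one-line comment saying why the override is needed would help the next reader.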