Diffstat (limited to 'hosts/shar')
| -rw-r--r-- | hosts/shar/configuration.nix | 412 |
1 files changed, 405 insertions, 7 deletions
diff --git a/hosts/shar/configuration.nix b/hosts/shar/configuration.nix index 2156706..405b8b9 100644 --- a/hosts/shar/configuration.nix +++ b/hosts/shar/configuration.nix @@ -1,4 +1,4 @@ -{ config, pkgs, ... }: +{ config, pkgs, lib, ... }: { imports = @@ -40,6 +40,12 @@ autoSnapshot.enable = true; }; + fileSystems."/tank" = { + device = "tank"; + fsType = "zfs"; + options = [ "nofail" ]; + }; + # Configure network proxy if necessary # networking.proxy.default = "http://user:password@proxy:port/"; # networking.proxy.noProxy = "127.0.0.1,localhost,internal.domain"; @@ -86,20 +92,43 @@ variant = ""; }; + hardware.enableRedistributableFirmware = true; + boot.kernelParams = [ "i915.enable_guc=3" ]; + + environment.sessionVariables = { + LIBVA_DRIVER_NAME = "iHD"; + }; + + hardware.graphics = { + enable = true; + extraPackages = with pkgs; [ + intel-media-driver + vpl-gpu-rt + intel-compute-runtime + ]; + }; + + # Define a user account. Don't forget to set a password with ‘passwd’. users.users.jck = { isNormalUser = true; description = "jck"; - extraGroups = [ "networkmanager" "wheel" ]; + extraGroups = [ "networkmanager" "wheel" "media" ]; packages = with pkgs; [ vim git lazygit yazi + navidrome + btop + trash-cli ]; openssh.authorizedKeys.keys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBgQS9Y3yqztLL0Ss0JUCN04B6zgLXIETgY0jyvT6I98 jck@tiamat" + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHVbrjXliZECEFOLlgJ8vy+Qja1G+sY0LM+ijEgyP3HZ jck@vecna" + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMGuvWTpRTumIOlnUHRBx5ZqjFi5qfezvLrpLAzB97nq jck@balduran" ]; + shell = pkgs.fish; }; security.sudo.wheelNeedsPassword = false; @@ -110,6 +139,8 @@ # List packages installed in system profile. To search, run: # $ nix search wget environment.systemPackages = with pkgs; [ + jellyfin-ffmpeg + kitty.terminfo # vim # Do not forget to add an editor to edit configuration.nix! The Nano editor is also installed by default. # wget ]; 
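Review bot: `hardware.enableRedistributableFirmware = true;`, `boot.kernelParams = [ "i915.enable_guc=3" ]` and `LIBVA_DRIVER_NAME = "iHD"` in the `@@ -86,20 +92,43 @@` hunk carry no comment saying what they are for, and they read as unrelated hardware tweaks unless the reader already knows they presumably back the Jellyfin `hardwareAcceleration` block added later in this commit. A one-line comment above `hardware.enableRedistributableFirmware` such as `# Intel GuC/HuC firmware + iHD VA-API driver: needed for Jellyfin hardware transcoding on /dev/dri/renderD128` would make that dependency visible and explain why `hardware.graphics.extraPackages` lists `intel-media-driver`, `vpl-gpu-rt` and `intel-compute-runtime`. The enclosing attribute set continues outside the hunk.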
@@ -133,11 +164,45 @@ programs.fish.enable = true; + programs.nh = { + enable = true; + clean.enable = true; + clean.extraArgs = "--keep-since 3d --keep 3"; + clean.dates = "daily"; + flake = "/home/jck/nixosconf/"; + }; + services.tailscale = { enable = true; useRoutingFeatures = "server"; + extraUpFlags = [ + "--login-server=https://headscale.jckrinsky.net" + "--advertise-exit-node" + ]; }; + networking.nat = { + enable = true; + internalInterfaces = [ "tailscale0" ]; + externalInterface = "mullvad"; + }; + + services.headscale = { + enable = true; + port = 8085; + settings = { + server_url = "https://headscale.jckrinsky.net"; + dns = { + magic_dns = false; + nameservers.global = [ "1.1.1.1" "9.9.9.9" ]; + }; + prefixes = { + v4 = "100.64.0.0/10"; + v6 = "fd7a:115c:a1e0::/48"; + }; + }; + }; + services.nfs.server = { enable = true; 
@@ -148,16 +213,64 @@ ''; }; - services.caddy = { + services.nginx = { enable = true; + recommendedProxySettings = true; + recommendedTlsSettings = true; + recommendedGzipSettings = true; + recommendedOptimisation = true; + + virtualHosts."headscale.jckrinsky.net" = { + enableACME = true; + forceSSL = true; + locations."/" = { + proxyPass = "http://127.0.0.1:8085"; + proxyWebsockets = true; + extraConfig = '' + proxy_buffering off; + ''; + }; + }; - virtualHosts = { - "music.jckrinsky.net" = { + virtualHosts."music.jckrinsky.net" = { + enableACME = true; + forceSSL = true; + locations."/".proxyPass = "http://127.0.0.1:4533"; + }; + + virtualHosts."jellyfin.jckrinsky.net" = { + enableACME = true; + forceSSL = true; + locations."/" = { + proxyPass = "http://127.0.0.1:8096"; + proxyWebsockets = true; extraConfig = '' - reverse_proxy localhost:4533 + proxy_buffering off; ''; }; }; + + virtualHosts."radicale.jckrinsky.net" = { + enableACME = true; + forceSSL = true; + locations."/".proxyPass = "http://127.0.0.1:5232"; + }; + + virtualHosts."jellyseerr.jckrinsky.net" = { + enableACME = true; + forceSSL = true; + locations."/".proxyPass = "http://127.0.0.1:5055"; + }; + + virtualHosts."git.jckrinsky.net" = { + enableACME = true; + forceSSL = true; + }; + }; + + security.acme = { + acceptTerms = true; + defaults.email = "jckrinsky@gmail.com"; }; services.navidrome = { 
@@ -168,11 +281,296 @@ Address = "127.0.0.1"; Port = 4533; EnableTranscoding = true; + EnableMediaDeletion = false; + Scanner.PurgeMissing = "always"; + EnableSharing = true; + DefaultShareExpiration = "24h"; }; }; + users.users.navidrome.extraGroups = [ "media" ]; + + services.jellyfin = { + enable = true; + openFirewall = false; + dataDir = "/tank/data/jellyfin/"; + hardwareAcceleration = { + enable = true; + device = "/dev/dri/renderD128"; + }; + }; + + systemd.services.jellyfin.serviceConfig = { + Restart = "on-failure"; + RestartSec = "5s"; + StartLimitIntervalSec = 300; + StartLimitBurst = 5; + }; + + users.users.jellyfin.extraGroups = [ "video" "render" "media" ]; + systemd.services.jellyfin.after = [ "zfs-mount.service" ]; + systemd.services.jellyfin.requires = [ "zfs.target" ]; + + services.radarr = { + enable = true; + openFirewall = false; + dataDir = "/tank/data/arr/radarr"; + settings = { + server = { + bindAddress = "*"; + port = 7878; + }; + }; + }; + + services.lidarr = { + enable = true; + openFirewall = false; + dataDir = "/tank/data/arr/lidarr"; + settings = { + server = { + bindAddress = "*"; + port = 8686; + }; + }; + }; + + services.sonarr = { + enable = true; + openFirewall = false; + dataDir = "/tank/data/arr/sonarr"; + settings = { + server = { + bindAddress = "*"; + port = 8989; + }; + }; + }; + + services.prowlarr = { + enable = true; + openFirewall = false; + dataDir = "/tank/data/arr/prowlarr"; + settings = { + server = { + bindAddress = "*"; + port = 9696; + }; + }; + }; + + users.users.prowlarr = { + isSystemUser = true; + group = "prowlarr"; + }; + users.groups.prowlarr = {}; + systemd.services.prowlarr.serviceConfig = { + DynamicUser = lib.mkForce false; + User = lib.mkForce "prowlarr"; + Group = lib.mkForce "prowlarr"; + ReadWritePaths = [ "/tank/data/arr/prowlarr" ]; + ExecStart = lib.mkForce "${pkgs.prowlarr}/bin/Prowlarr -nobrowser -data=/tank/data/arr/prowlarr"; + ProtectSystem = lib.mkForce "prowlarr"; + }; + + 
services.flaresolverr = { + enable = true; + }; + + users.groups.media = {}; + users.users.sonarr.extraGroups = [ "media" ]; + users.users.radarr.extraGroups = [ "media" ]; + users.users.lidarr.extraGroups = [ "media" ]; + users.users.qbittorrent.extraGroups = [ "media" ]; + + services.qbittorrent = { + enable = true; + openFirewall = false; + }; + + systemd.services.qbittorrent.serviceConfig = { + RestrictNetworkInterfaces = [ + "lo" + "mullvad" + "tailscale0" + ]; + }; + + networking.wg-quick.interfaces.mullvad = { + autostart = true; + privateKeyFile = "/home/jck/mullvad.key"; + address = [ "10.74.181.209/32" ]; + table = "off"; + + peers = [ + { + publicKey = "qD3AH8vI8MhEVc9+0+2O8zV0Gx9FfKdy7ri3Bnpzo10="; + allowedIPs = [ "0.0.0.0/0" "::/0" ]; + endpoint = "185.213.193.3:51820"; + persistentKeepalive = 25; + } + ]; + + postUp = '' + ${pkgs.iproute2}/bin/ip route add default dev mullvad table 1234 + ${pkgs.iproute2}/bin/ip rule add from 10.74.181.209 table 1234 priority 1000 + ${pkgs.iproute2}/bin/ip rule add iif tailscale0 table 1234 priority 1010 + ''; + + postDown = '' + ${pkgs.iproute2}/bin/ip rule del from 10.74.181.209 table 1234 + ${pkgs.iproute2}/bin/ip rule del iif tailscale0 table 1234 priority 1010 + ''; + }; + + services.jellyseerr = { + enable = true; + configDir = "/tank/data/jellyseerr"; + openFirewall = false; + port = 5055; + }; + + users.users.jellyseerr = { + isSystemUser = true; + group = "jellyseerr"; + }; + users.groups.jellyseerr = {}; + systemd.services.jellyseerr.serviceConfig = { + DynamicUser = lib.mkForce false; + User = lib.mkForce "jellyseerr"; + Group = lib.mkForce "jellyseerr"; + ReadWritePaths = [ "/tank/data/jellyseerr" ]; + ExecStart = lib.mkForce "${pkgs.jellyseerr}/bin/jellyseerr"; + }; + systemd.services.jellyseerr.after = [ "zfs-mount.service" ]; + systemd.services.jellyseerr.requires = [ "zfs.target" ]; + + services.pufferpanel = { + enable = true; + + extraPackages = [ + pkgs.jdk8_headless + pkgs.jdk17_headless + 
pkgs.steam-run + ]; + + environment = { + PUFFER_WEB_HOST = "100.64.0.2:8086"; + PUFFER_DAEMON_SFTP_HOST = "100.64.0.2:5657"; + PUFFER_DAEMON_CONSOLE_BUFFER = "1000"; + PUFFER_DAEMON_CONSOLE_FORWARD = "true"; + PUFFER_PANEL_REGISTRATIONENABLED = "false"; + }; + }; + + users.users.pufferpanel = { + isSystemUser = true; + group = "pufferpanel"; + home = "/tank/data/pufferpanel"; + }; + users.groups.pufferpanel = {}; + systemd.services.pufferpanel.serviceConfig = { + DynamicUser = lib.mkForce false; + User = lib.mkForce "pufferpanel"; + Group = lib.mkForce "pufferpanel"; + ReadWritePaths = "/tank/data/pufferpanel"; + ExecStart = lib.mkForce "${config.services.pufferpanel.package}/bin/pufferpanel run --workDir /tank/data/pufferpanel"; + }; + systemd.services.pufferpanel.after = [ "zfs-mount.service" ]; + systemd.services.pufferpanel.requires = [ "zfs.target" ]; + + programs.steam.dedicatedServer.openFirewall = true; + hardware.graphics.enable32Bit = true; + +# services.slskd = { +# enable = true; +# +# }; +# +# systemd.services.slskd.serviceConfig = { +# RestrictNetworkInterfaces = [ +# "lo" +# "mullvad" +# "tailscale0" +# ]; +# }; + + services.radicale = { + enable = true; + settings = { + server = { + hosts = [ "127.0.0.1:5232" ]; + }; + auth = { + type = "htpasswd"; + htpasswd_filename = "/tank/data/radicale/users"; + htpasswd_encryption = "autodetect"; + }; + storage = { + filesystem_folder = "/tank/data/radicale/calendars/"; + }; + }; + }; + + users.users.radicale = { + isSystemUser = true; + group = "radicale"; + }; + users.groups.radicale = {}; + systemd.services.radicale.serviceConfig = { + DynamicUser = lib.mkForce false; + User = lib.mkForce "radicale"; + Group = lib.mkForce "radicale"; + ReadWritePaths = [ "/tank/data/radicale" ]; + }; + systemd.services.radicale.after = [ "zfs-mount.service" ]; + systemd.services.radicale.requires = [ "zfs.target" ]; + + users.users.git = { + isSystemUser = true; + group = "git"; + home = "/tank/data/git"; + createHome = 
true; + shell = "${pkgs.git}/bin/git-shell"; + openssh.authorizedKeys.keys = [ + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBgQS9Y3yqztLL0Ss0JUCN04B6zgLXIETgY0jyvT6I98 jck@tiamat" + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHVbrjXliZECEFOLlgJ8vy+Qja1G+sY0LM+ijEgyP3HZ jck@vecna" + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMGuvWTpRTumIOlnUHRBx5ZqjFi5qfezvLrpLAzB97nq jck@balduran" + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILv193EUr7MN4CTtM0iYNl98f1VQxv95eY0hBQWSHxbi jck@shar" + ]; + }; + users.groups.git = {}; + + services.cgit."git.jckrinsky.net" = { + enable = true; + + user = "git"; + group = "git"; + + scanPath = "/tank/data/git"; + + settings = { + "enable-index-owner" = false; + "enable-commit-graph" = 1; + "enable-log-filecount" = 1; + "enable-log-linecount" = 1; + "clone-url" = "https://git.jckrinsky.net/$CGIT_REPO_URL ssh://git@git.jckrinsky.net:/tank/data/git/$CGIT_REPO_URL"; + "source-filter" = "${pkgs.cgit}/lib/cgit/filters/syntax-highlighting.py"; + "about-filter" = "${pkgs.cgit}/lib/cgit/filters/about-formatting.sh"; + }; + + gitHttpBackend = { + enable = true; + checkExportOkFiles = false; + }; + }; + # Open ports in the firewall. - # networking.firewall.allowedTCPPorts = [ ... ]; + networking.firewall.allowedTCPPorts = [ 80 443 22 ]; + networking.firewall = { + checkReversePath = "loose"; + trustedInterfaces = [ "mullvad" ]; + }; # networking.firewall.allowedUDPPorts = [ ... ]; # Or disable the firewall altogether. # networking.firewall.enable = false; |
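Review bot: `ProtectSystem = lib.mkForce "prowlarr";` in the prowlarr `serviceConfig` is not a valid `ProtectSystem=` value (systemd accepts only a boolean, `full` or `strict`), so systemd logs a parse error and drops the directive, and because `mkForce` has already replaced whatever the prowlarr module set, the unit is likely left with systemd's default of no filesystem protection; it should read `ProtectSystem = lib.mkForce "strict";`, which works with the `ReadWritePaths` entry above it. `trustedInterfaces = [ "mullvad" ]` at the end of the hunk exempts every packet arriving through the VPN tunnel from the firewall, which makes the services this hunk binds on all interfaces (radarr `bindAddress = "*"` on 7878, and the same for lidarr, sonarr and prowlarr) reachable from the tunnel side despite their `openFirewall = false`; the `networking.nat` block and `checkReversePath = "loose"` already cover the exit-node egress, so the trusted-interface entry looks unnecessary, and if it must stay the four binds should move to `127.0.0.1` or the tailscale address. radarr, lidarr, sonarr and prowlarr also keep `dataDir` under `/tank`, which the first hunk mounts with `nofail`, yet unlike jellyfin, jellyseerr and radicale they carry no `after = [ "zfs-mount.service" ]` / `requires = [ "zfs.target" ]`, so a late or absent pool would let them initialise state on the bare mountpoint. Finally, `privateKeyFile = "/home/jck/mullvad.key"` stores the tunnel's private key under an unprivileged user's home; a root-owned file with mode 0600 outside any user home limits who can read it.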
