summaryrefslogtreecommitdiff
path: root/hosts
diff options
context:
space:
mode:
Diffstat (limited to 'hosts')
-rw-r--r--hosts/shar/configuration.nix412
1 files changed, 405 insertions, 7 deletions
diff --git a/hosts/shar/configuration.nix b/hosts/shar/configuration.nix
index 2156706..405b8b9 100644
--- a/hosts/shar/configuration.nix
+++ b/hosts/shar/configuration.nix
@@ -1,4 +1,4 @@
-{ config, pkgs, ... }:
+{ config, pkgs, lib, ... }:
{
imports =
@@ -40,6 +40,12 @@
autoSnapshot.enable = true;
};
+ fileSystems."/tank" = {
+ device = "tank";
+ fsType = "zfs";
+ options = [ "nofail" ];
+ };
+
# Configure network proxy if necessary
# networking.proxy.default = "http://user:password@proxy:port/";
# networking.proxy.noProxy = "127.0.0.1,localhost,internal.domain";
@@ -86,20 +92,43 @@
variant = "";
};
+ hardware.enableRedistributableFirmware = true;
+ boot.kernelParams = [ "i915.enable_guc=3" ];
+
+ environment.sessionVariables = {
+ LIBVA_DRIVER_NAME = "iHD";
+ };
+
+ hardware.graphics = {
+ enable = true;
+ extraPackages = with pkgs; [
+ intel-media-driver
+ vpl-gpu-rt
+ intel-compute-runtime
+ ];
+ };
+
+
# Define a user account. Don't forget to set a password with ‘passwd’.
users.users.jck = {
isNormalUser = true;
description = "jck";
- extraGroups = [ "networkmanager" "wheel" ];
+ extraGroups = [ "networkmanager" "wheel" "media" ];
packages = with pkgs; [
vim
git
lazygit
yazi
+ navidrome
+ btop
+ trash-cli
];
openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBgQS9Y3yqztLL0Ss0JUCN04B6zgLXIETgY0jyvT6I98 jck@tiamat"
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHVbrjXliZECEFOLlgJ8vy+Qja1G+sY0LM+ijEgyP3HZ jck@vecna"
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMGuvWTpRTumIOlnUHRBx5ZqjFi5qfezvLrpLAzB97nq jck@balduran"
];
+ shell = pkgs.fish;
};
security.sudo.wheelNeedsPassword = false;
@@ -110,6 +139,8 @@
# List packages installed in system profile. To search, run:
# $ nix search wget
environment.systemPackages = with pkgs; [
+ jellyfin-ffmpeg
+ kitty.terminfo
# vim # Do not forget to add an editor to edit configuration.nix! The Nano editor is also installed by default.
# wget
];
@@ -133,11 +164,45 @@
programs.fish.enable = true;
+ programs.nh = {
+ enable = true;
+ clean.enable = true;
+ clean.extraArgs = "--keep-since 3d --keep 3";
+ clean.dates = "daily";
+ flake = "/home/jck/nixosconf/";
+ };
+
services.tailscale = {
enable = true;
useRoutingFeatures = "server";
+ extraUpFlags = [
+ "--login-server=https://headscale.jckrinsky.net"
+ "--advertise-exit-node"
+ ];
};
+ networking.nat = {
+ enable = true;
+ internalInterfaces = [ "tailscale0" ];
+ externalInterface = "mullvad";
+ };
+
+ services.headscale = {
+ enable = true;
+ port = 8085;
+ settings = {
+ server_url = "https://headscale.jckrinsky.net";
+ dns = {
+ magic_dns = false;
+ nameservers.global = [ "1.1.1.1" "9.9.9.9" ];
+ };
+ prefixes = {
+ v4 = "100.64.0.0/10";
+ v6 = "fd7a:115c:a1e0::/48";
+ };
+ };
+ };
+
services.nfs.server = {
enable = true;
@@ -148,16 +213,64 @@
'';
};
- services.caddy = {
+ services.nginx = {
enable = true;
+ recommendedProxySettings = true;
+ recommendedTlsSettings = true;
+ recommendedGzipSettings = true;
+ recommendedOptimisation = true;
+
+ virtualHosts."headscale.jckrinsky.net" = {
+ enableACME = true;
+ forceSSL = true;
+ locations."/" = {
+ proxyPass = "http://127.0.0.1:8085";
+ proxyWebsockets = true;
+ extraConfig = ''
+ proxy_buffering off;
+ '';
+ };
+ };
- virtualHosts = {
- "music.jckrinsky.net" = {
+ virtualHosts."music.jckrinsky.net" = {
+ enableACME = true;
+ forceSSL = true;
+ locations."/".proxyPass = "http://127.0.0.1:4533";
+ };
+
+ virtualHosts."jellyfin.jckrinsky.net" = {
+ enableACME = true;
+ forceSSL = true;
+ locations."/" = {
+ proxyPass = "http://127.0.0.1:8096";
+ proxyWebsockets = true;
extraConfig = ''
- reverse_proxy localhost:4533
+ proxy_buffering off;
'';
};
};
+
+ virtualHosts."radicale.jckrinsky.net" = {
+ enableACME = true;
+ forceSSL = true;
+ locations."/".proxyPass = "http://127.0.0.1:5232";
+ };
+
+ virtualHosts."jellyseerr.jckrinsky.net" = {
+ enableACME = true;
+ forceSSL = true;
+ locations."/".proxyPass = "http://127.0.0.1:5055";
+ };
+
+ virtualHosts."git.jckrinsky.net" = {
+ enableACME = true;
+ forceSSL = true;
+ };
+ };
+
+ security.acme = {
+ acceptTerms = true;
+ defaults.email = "jckrinsky@gmail.com";
};
services.navidrome = {
@@ -168,11 +281,296 @@
Address = "127.0.0.1";
Port = 4533;
EnableTranscoding = true;
+ EnableMediaDeletion = false;
+ Scanner.PurgeMissing = "always";
+ EnableSharing = true;
+ DefaultShareExpiration = "24h";
};
};
+ users.users.navidrome.extraGroups = [ "media" ];
+
+ services.jellyfin = {
+ enable = true;
+ openFirewall = false;
+ dataDir = "/tank/data/jellyfin/";
+ hardwareAcceleration = {
+ enable = true;
+ device = "/dev/dri/renderD128";
+ };
+ };
+
+ systemd.services.jellyfin.serviceConfig = {
+ Restart = "on-failure";
+ RestartSec = "5s";
+ StartLimitIntervalSec = 300;
+ StartLimitBurst = 5;
+ };
+
+ users.users.jellyfin.extraGroups = [ "video" "render" "media" ];
+ systemd.services.jellyfin.after = [ "zfs-mount.service" ];
+ systemd.services.jellyfin.requires = [ "zfs.target" ];
+
+ services.radarr = {
+ enable = true;
+ openFirewall = false;
+ dataDir = "/tank/data/arr/radarr";
+ settings = {
+ server = {
+ bindAddress = "*";
+ port = 7878;
+ };
+ };
+ };
+
+ services.lidarr = {
+ enable = true;
+ openFirewall = false;
+ dataDir = "/tank/data/arr/lidarr";
+ settings = {
+ server = {
+ bindAddress = "*";
+ port = 8686;
+ };
+ };
+ };
+
+ services.sonarr = {
+ enable = true;
+ openFirewall = false;
+ dataDir = "/tank/data/arr/sonarr";
+ settings = {
+ server = {
+ bindAddress = "*";
+ port = 8989;
+ };
+ };
+ };
+
+ services.prowlarr = {
+ enable = true;
+ openFirewall = false;
+ dataDir = "/tank/data/arr/prowlarr";
+ settings = {
+ server = {
+ bindAddress = "*";
+ port = 9696;
+ };
+ };
+ };
+
+ users.users.prowlarr = {
+ isSystemUser = true;
+ group = "prowlarr";
+ };
+ users.groups.prowlarr = {};
+ systemd.services.prowlarr.serviceConfig = {
+ DynamicUser = lib.mkForce false;
+ User = lib.mkForce "prowlarr";
+ Group = lib.mkForce "prowlarr";
+ ReadWritePaths = [ "/tank/data/arr/prowlarr" ];
+ ExecStart = lib.mkForce "${pkgs.prowlarr}/bin/Prowlarr -nobrowser -data=/tank/data/arr/prowlarr";
+ ProtectSystem = lib.mkForce "prowlarr";
+ };
+
+ services.flaresolverr = {
+ enable = true;
+ };
+
+ users.groups.media = {};
+ users.users.sonarr.extraGroups = [ "media" ];
+ users.users.radarr.extraGroups = [ "media" ];
+ users.users.lidarr.extraGroups = [ "media" ];
+ users.users.qbittorrent.extraGroups = [ "media" ];
+
+ services.qbittorrent = {
+ enable = true;
+ openFirewall = false;
+ };
+
+ systemd.services.qbittorrent.serviceConfig = {
+ RestrictNetworkInterfaces = [
+ "lo"
+ "mullvad"
+ "tailscale0"
+ ];
+ };
+
+ networking.wg-quick.interfaces.mullvad = {
+ autostart = true;
+ privateKeyFile = "/home/jck/mullvad.key";
+ address = [ "10.74.181.209/32" ];
+ table = "off";
+
+ peers = [
+ {
+ publicKey = "qD3AH8vI8MhEVc9+0+2O8zV0Gx9FfKdy7ri3Bnpzo10=";
+ allowedIPs = [ "0.0.0.0/0" "::/0" ];
+ endpoint = "185.213.193.3:51820";
+ persistentKeepalive = 25;
+ }
+ ];
+
+ postUp = ''
+ ${pkgs.iproute2}/bin/ip route add default dev mullvad table 1234
+ ${pkgs.iproute2}/bin/ip rule add from 10.74.181.209 table 1234 priority 1000
+ ${pkgs.iproute2}/bin/ip rule add iif tailscale0 table 1234 priority 1010
+ '';
+
+ postDown = ''
+ ${pkgs.iproute2}/bin/ip rule del from 10.74.181.209 table 1234
+ ${pkgs.iproute2}/bin/ip rule del iif tailscale0 table 1234 priority 1010
+ '';
+ };
+
+ services.jellyseerr = {
+ enable = true;
+ configDir = "/tank/data/jellyseerr";
+ openFirewall = false;
+ port = 5055;
+ };
+
+ users.users.jellyseerr = {
+ isSystemUser = true;
+ group = "jellyseerr";
+ };
+ users.groups.jellyseerr = {};
+ systemd.services.jellyseerr.serviceConfig = {
+ DynamicUser = lib.mkForce false;
+ User = lib.mkForce "jellyseerr";
+ Group = lib.mkForce "jellyseerr";
+ ReadWritePaths = [ "/tank/data/jellyseerr" ];
+ ExecStart = lib.mkForce "${pkgs.jellyseerr}/bin/jellyseerr";
+ };
+ systemd.services.jellyseerr.after = [ "zfs-mount.service" ];
+ systemd.services.jellyseerr.requires = [ "zfs.target" ];
+
+ services.pufferpanel = {
+ enable = true;
+
+ extraPackages = [
+ pkgs.jdk8_headless
+ pkgs.jdk17_headless
+ pkgs.steam-run
+ ];
+
+ environment = {
+ PUFFER_WEB_HOST = "100.64.0.2:8086";
+ PUFFER_DAEMON_SFTP_HOST = "100.64.0.2:5657";
+ PUFFER_DAEMON_CONSOLE_BUFFER = "1000";
+ PUFFER_DAEMON_CONSOLE_FORWARD = "true";
+ PUFFER_PANEL_REGISTRATIONENABLED = "false";
+ };
+ };
+
+ users.users.pufferpanel = {
+ isSystemUser = true;
+ group = "pufferpanel";
+ home = "/tank/data/pufferpanel";
+ };
+ users.groups.pufferpanel = {};
+ systemd.services.pufferpanel.serviceConfig = {
+ DynamicUser = lib.mkForce false;
+ User = lib.mkForce "pufferpanel";
+ Group = lib.mkForce "pufferpanel";
+ ReadWritePaths = "/tank/data/pufferpanel";
+ ExecStart = lib.mkForce "${config.services.pufferpanel.package}/bin/pufferpanel run --workDir /tank/data/pufferpanel";
+ };
+ systemd.services.pufferpanel.after = [ "zfs-mount.service" ];
+ systemd.services.pufferpanel.requires = [ "zfs.target" ];
+
+ programs.steam.dedicatedServer.openFirewall = true;
+ hardware.graphics.enable32Bit = true;
+
+# services.slskd = {
+# enable = true;
+#
+# };
+#
+# systemd.services.slskd.serviceConfig = {
+# RestrictNetworkInterfaces = [
+# "lo"
+# "mullvad"
+# "tailscale0"
+# ];
+# };
+
+ services.radicale = {
+ enable = true;
+ settings = {
+ server = {
+ hosts = [ "127.0.0.1:5232" ];
+ };
+ auth = {
+ type = "htpasswd";
+ htpasswd_filename = "/tank/data/radicale/users";
+ htpasswd_encryption = "autodetect";
+ };
+ storage = {
+ filesystem_folder = "/tank/data/radicale/calendars/";
+ };
+ };
+ };
+
+ users.users.radicale = {
+ isSystemUser = true;
+ group = "radicale";
+ };
+ users.groups.radicale = {};
+ systemd.services.radicale.serviceConfig = {
+ DynamicUser = lib.mkForce false;
+ User = lib.mkForce "radicale";
+ Group = lib.mkForce "radicale";
+ ReadWritePaths = [ "/tank/data/radicale" ];
+ };
+ systemd.services.radicale.after = [ "zfs-mount.service" ];
+ systemd.services.radicale.requires = [ "zfs.target" ];
+
+ users.users.git = {
+ isSystemUser = true;
+ group = "git";
+ home = "/tank/data/git";
+ createHome = true;
+ shell = "${pkgs.git}/bin/git-shell";
+ openssh.authorizedKeys.keys = [
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBgQS9Y3yqztLL0Ss0JUCN04B6zgLXIETgY0jyvT6I98 jck@tiamat"
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHVbrjXliZECEFOLlgJ8vy+Qja1G+sY0LM+ijEgyP3HZ jck@vecna"
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMGuvWTpRTumIOlnUHRBx5ZqjFi5qfezvLrpLAzB97nq jck@balduran"
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILv193EUr7MN4CTtM0iYNl98f1VQxv95eY0hBQWSHxbi jck@shar"
+ ];
+ };
+ users.groups.git = {};
+
+ services.cgit."git.jckrinsky.net" = {
+ enable = true;
+
+ user = "git";
+ group = "git";
+
+ scanPath = "/tank/data/git";
+
+ settings = {
+ "enable-index-owner" = false;
+ "enable-commit-graph" = 1;
+ "enable-log-filecount" = 1;
+ "enable-log-linecount" = 1;
+ "clone-url" = "https://git.jckrinsky.net/$CGIT_REPO_URL ssh://git@git.jckrinsky.net:/tank/data/git/$CGIT_REPO_URL";
+ "source-filter" = "${pkgs.cgit}/lib/cgit/filters/syntax-highlighting.py";
+ "about-filter" = "${pkgs.cgit}/lib/cgit/filters/about-formatting.sh";
+ };
+
+ gitHttpBackend = {
+ enable = true;
+ checkExportOkFiles = false;
+ };
+ };
+
# Open ports in the firewall.
- # networking.firewall.allowedTCPPorts = [ ... ];
+ networking.firewall.allowedTCPPorts = [ 80 443 22 ];
+ networking.firewall = {
+ checkReversePath = "loose";
+ trustedInterfaces = [ "mullvad" ];
+ };
# networking.firewall.allowedUDPPorts = [ ... ];
# Or disable the firewall altogether.
# networking.firewall.enable = false;
generated by cgit v1.3 (git 2.53.0) at 2026-04-26 21:04:41 +0000