Diffstat (limited to 'modules')
| -rw-r--r-- | modules/hosts/shar/hardware.nix | 47 | ||||
| -rw-r--r-- | modules/hosts/shar/shar.nix | 149 | ||||
| -rw-r--r-- | modules/lib/hostOptions.nix | 7 | ||||
| -rw-r--r-- | modules/nixosModules/server/arr.nix | 11 | ||||
| -rw-r--r-- | modules/nixosModules/server/default.nix | 2 | ||||
| -rw-r--r-- | modules/nixosModules/server/qbittorrent.nix | 12 | ||||
| -rw-r--r-- | modules/nixosModules/server/seerr.nix | 40 |
7 files changed, 254 insertions, 14 deletions
diff --git a/modules/hosts/shar/hardware.nix b/modules/hosts/shar/hardware.nix
new file mode 100644
index 0000000..7431695
--- /dev/null
+++ b/modules/hosts/shar/hardware.nix
@@ -0,0 +1,47 @@
+{
+ self,
+ inputs,
+ ...
+}: {
+ flake.nixosModules.sharHardware = {
+ config,
+ lib,
+ pkgs,
+ modulesPath,
+ ...
+ }: {
+ imports = [
+ (modulesPath + "/installer/scan/not-detected.nix")
+ ];
+
+ boot.initrd.availableKernelModules = ["ahci" "xhci_pci" "ehci_pci" "nvme" "usbhid" "usb_storage" "sd_mod"];
+ boot.initrd.kernelModules = [];
+ boot.kernelModules = ["kvm-intel"];
+ boot.extraModulePackages = [];
+
+ fileSystems."/" = {
+ device = "/dev/disk/by-uuid/737de4e0-554e-4175-a454-677cf03dbada";
+ fsType = "ext4";
+ };
+
+ fileSystems."/boot" = {
+ device = "/dev/disk/by-uuid/8201-A778";
+ fsType = "vfat";
+ options = ["fmask=0077" "dmask=0077"];
+ };
+
+ swapDevices = [
+ {device = "/dev/disk/by-uuid/429ba137-6ea4-43ba-97ff-e2c2206f935b";}
+ ];
+
+ # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+ # (the default) this is the recommended approach. When using systemd-networkd it's
+ # still possible to use this option, but it's recommended to use it in conjunction
+ # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
+ networking.useDHCP = lib.mkDefault true;
+ # networking.interfaces.eno1.useDHCP = lib.mkDefault true;
+
+ nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+ hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+ };
+}
diff --git a/modules/hosts/shar/shar.nix b/modules/hosts/shar/shar.nix
new file mode 100644
index 0000000..1562ad1
--- /dev/null
+++ b/modules/hosts/shar/shar.nix
@@ -0,0 +1,149 @@
+{
+ inputs,
+ self,
+ ...
+}: {
+ flake.nixosConfigurations.shar = inputs.nixpkgs.lib.nixosSystem {
+ modules = [
+ self.nixosModules.shar
+ self.nixosModules.sharHardware
+
+ self.nixosModules.createHost
+ self.nixosModules.hostOptions
+ ];
+ };
+
+ flake.nixosModules.shar = {pkgs, ...}: {
+ hostOptions = {
+ host.name = "shar";
+ user.name = "jck";
+ user.email = "jckrinsky@gmail.com";
+ server = {
+ dataPath = "/tank/data";
+ mediaPath = "/tank/media";
+ domain = "jckrinsky.net";
+ # sshKeys = [
+ # "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBgQS9Y3yqztLL0Ss0JUCN04B6zgLXIETgY0jyvT6I98 jck@tiamat"
+ # "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHVbrjXliZECEFOLlgJ8vy+Qja1G+sY0LM+ijEgyP3HZ jck@vecna"
+ # "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMGuvWTpRTumIOlnUHRBx5ZqjFi5qfezvLrpLAzB97nq jck@balduran"
+ # "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIK3cFs4a3j77gJvoeU92Olj74wcLrVBv+2FUFqKOeoxb jck@dragotha"
+ # ];
+ };
+ };
+
+ users.users.jck.openssh.authorizedKeys.keys = [
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBgQS9Y3yqztLL0Ss0JUCN04B6zgLXIETgY0jyvT6I98 jck@tiamat"
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHVbrjXliZECEFOLlgJ8vy+Qja1G+sY0LM+ijEgyP3HZ jck@vecna"
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMGuvWTpRTumIOlnUHRBx5ZqjFi5qfezvLrpLAzB97nq jck@balduran"
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIK3cFs4a3j77gJvoeU92Olj74wcLrVBv+2FUFqKOeoxb jck@dragotha"
+ ];
+
+ hardware.graphics = {
+ enable = true;
+ enable32Bit = true;
+ extraPackages = with pkgs; [
+ intel-media-driver
+ vpl-gpu-rt
+ intel-compute-runtime
+ ];
+ };
+
+ boot.kernelParams = ["i915.enable_guc=3"];
+ environment.sessionVariables.LIBVA_DRIVER_NAME = "iHD";
+
+ services.openssh.settings.PasswordAuthentication = false;
+ services.openssh.settings.openFirewall = true;
+
+ hardware.cpu.intel.updateMicrocode = true;
+
+ networking = {
+ interfaces.eno1.ipv4.addresses = [
+ {
+ address = "173.66.162.54";
+ prefixLength = 28;
+ }
+ ];
+
+ hostId = "958b5d5d";
+ useDHCP = false;
+ defaultGateway = {
+ address 
= "173.66.162.1";
+ interface = "eno1";
+ };
+ nameservers = ["1.1.1.1" "9.9.9.9"];
+
+ nat = {
+ enable = true;
+ internalInterfaces = ["tailscale0"];
+ externalInterface = "mullvad";
+ };
+
+ wg-quick.interfaces.mullvad = {
+ autostart = true;
+ privateKey = "/home/jck/mullvad.key";
+ address = ["10.74.181.209/32"];
+ table = "off";
+
+ peers = [
+ {
+ publicKey = "qD3AH8vI8MhEVc9+0+2O8zV0Gx9FfKdy7ri3Bnpzo10=";
+ allowedIPs = ["0.0.0.0/0" "::/0"];
+ endpoint = "185.213.193.3:51820";
+ persistentKeepalive = 25;
+ }
+ ];
+
+ postUp = ''
+ ${pkgs.iproute2}/bin/ip route add default dev mullvad table 1234
+ ${pkgs.iproute2}/bin/ip rule add from 10.74.181.209 table 1234 priority 1000
+ ${pkgs.iproute2}/bin/ip rule add iif tailscale0 table 1234 priority 1010
+ '';
+
+ postDown = ''
+ ${pkgs.iproute2}/bin/ip rule del from 10.74.181.209 table 1234
+ ${pkgs.iproute2}/bin/ip rule del iif tailscale0 table 1234 priority 1010
+ '';
+ };
+ };
+
+ systemd.services.qbittorrent.serviceConfig = {
+ RestrictNetworkInterfaces = [
+ "lo"
+ "mullvad"
+ "tailscale0"
+ ];
+ };
+
+ fileSystems."/tank/data" = {
+ device = "shar0/data";
+ fsType = "zfs";
+ options = ["nofail"];
+ };
+
+ fileSystems."/tank/media" = {
+ device = "shar1/data";
+ fsType = "zfs";
+ options = ["nofail"];
+ };
+
+ fileSystems."/tank/backups" = {
+ device = "shar1/data";
+ fsType = "zfs";
+ options = ["nofail"];
+ };
+
+ services.zfs = {
+ autoScrub.enable = true;
+ autoSnapshot.enable = true;
+ };
+
+ services.nfs.server = {
+ enable = true;
+ exports = ''
+ /tank/media 100.64.0.0/10(rw,async,no_subtree_check)
+ /tank/data 100.64.0.0/10(rw,async,no_subtree_check)
+ /tank/backups 100.64.0.0/10(rw,async,no_subtree_check)
+ '';
+ };
+ };
+}
diff --git a/modules/lib/hostOptions.nix b/modules/lib/hostOptions.nix
index 37a00c8..224bb79 100644
--- a/modules/lib/hostOptions.nix
+++ b/modules/lib/hostOptions.nix
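Review bot: `privateKey = "/home/jck/mullvad.key";` in the `wg-quick.interfaces.mullvad` block hands a file path to the option that expects the key material itself; the path-taking option is `privateKeyFile`, so as written the interface will not come up, and had a real key been pasted here it would have been copied into the world-readable Nix store. Change it to `privateKeyFile = "/home/jck/mullvad.key";` and keep that file root-owned and mode 0600, since wg-quick runs as root and nothing else needs to read it. Two smaller points in the same hunk: `services.openssh.settings.openFirewall = true;` looks like it will be rendered into sshd_config as an unknown keyword rather than opening the port — the NixOS option is `services.openssh.openFirewall` — and `fileSystems."/tank/backups".device = "shar1/data"` is the same dataset as `/tank/media`, which reads like a copy-paste slip unless both mounts are meant to export the same data over NFS.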
@@ -32,9 +32,10 @@
type = lib.types.str;
default = "jckrinsky.net";
};
- sshKeys = {
- type = lib.types.list lib.types.str;
- };
+ # sshKeys = {
+ # type = lib.types.listOf lib.types.singleLineStr;
+ # default = [];
+ # };
};
};
};
diff --git a/modules/nixosModules/server/arr.nix b/modules/nixosModules/server/arr.nix
index 40261ef..daf61a5 100644
--- a/modules/nixosModules/server/arr.nix
+++ b/modules/nixosModules/server/arr.nix
@@ -21,16 +21,6 @@ }; }; - services.lidarr = { - enable = true; - openFirewall = false; - dataDir = "${cfg.dataPath}/arr/lidarr/"; - settings.server = { - bindAddress = "*"; - port = 8686; - }; - }; - services.sonarr = { - enable = true; - openFirewall = false;
@@ -68,7 +58,6 @@
users.groups.arr = {};
users.users.radarr.extraGroups = ["arr"];
- users.users.lidarr.extraGroups = ["arr"];
users.users.sonarr.extraGroups = ["arr"];
};
}
diff --git a/modules/nixosModules/server/default.nix b/modules/nixosModules/server/default.nix
index 5a475b1..f7e63ff 100644
--- a/modules/nixosModules/server/default.nix
+++ b/modules/nixosModules/server/default.nix
@@ -11,7 +11,9 @@
self.nixosModules.jellyfin
self.nixosModules.navidrome
self.nixosModules.nginx
+ self.nixosModules.qbittorrent
self.nixosModules.radicale
+ self.nixosModules.seerr
self.nixosModules.tailscaleServer
];
};
diff --git a/modules/nixosModules/server/qbittorrent.nix b/modules/nixosModules/server/qbittorrent.nix
new file mode 100644
index 0000000..afea0ca
--- /dev/null
+++ b/modules/nixosModules/server/qbittorrent.nix
@@ -0,0 +1,12 @@
+{self, ...}: {
+ flake.nixosModules.qbittorrent = {config, ...}: {
+ imports = [
+ self.nixosModules.hostOptions
+ ];
+
+ services.qbittorrent = {
+ enable = true;
+ openFirewall = false;
+ };
+ };
+}
diff --git a/modules/nixosModules/server/seerr.nix b/modules/nixosModules/server/seerr.nix
new file mode 100644
index 0000000..93c5f19
--- /dev/null
+++ b/modules/nixosModules/server/seerr.nix
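Review bot: The hunk leaves `sshKeys` as commented-out code in hostOptions.nix while shar.nix carries a second commented copy of the same four keys, so the intended home for authorized keys is now unclear to the next reader. Either delete both commented blocks, or declare the option as the comment already spells it (`sshKeys = { type = lib.types.listOf lib.types.singleLineStr; default = []; };`) and have the host module feed `users.users.<name>.openssh.authorizedKeys.keys` from it, so keys are managed in one place. The enclosing options block starts and ends outside the hunk.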
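Review bot: The qbittorrent module takes `config` and imports `self.nixosModules.hostOptions` but uses neither; drop the unused argument and import, or put them to use for the client's profile/state directory under `dataPath`, as arr.nix does with `dataDir`. Note also that the only thing keeping this client's traffic on the VPN is `RestrictNetworkInterfaces = ["lo" "mullvad" "tailscale0"]` in shar.nix, so enabling this module on another host gives qbittorrent unrestricted egress; a one-line comment in the module, `# NOTE: VPN-only egress is enforced per host via systemd RestrictNetworkInterfaces, not here`, would save the next reader a search.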
@@ -0,0 +1,40 @@
+{self, ...}: {
+ flake.nixosModules.seerr = {
+ config,
+ lib,
+ pkgs,
+ ...
+ }: {
+ imports = [
+ self.nixosModules.hostOptions
+ ];
+
+ services.seerr = {
+ enable = true;
+ openFirewall = false;
+ configDir = "${config.hostOptions.server.dataPath}/seerr";
+ port = 5055;
+ };
+
+ users.users.seerr = {
+ isSystemUser = true;
+ group = "seerr";
+ };
+
+ users.groups.seerr = {};
+ systemd.services.seerr.serviceConfig = {
+ DynamicUser = lib.mkForce false;
+ User = lib.mkForce "seerr";
+ Group = lib.mkForce "seerr";
+ ReadWritePaths = ["${config.hostOptions.server.dataPath}/seerr"];
+ ExecStart = lib.mkForce "${pkgs.seerr}/bin/seerr";
+ };
+
+ services.nginx.virtualHosts."seerr.${config.hostOptions.server.domain}" = {
+ enableACME = true;
+ forceSSL = true;
+ locations."/".proxyPass = "http://127.0.0.1:5055";
+ locations."/".proxyWebSockets = true;
+ };
+ };
+}
|
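Review bot: `proxyPass = "http://127.0.0.1:5055"` repeats the port literal that `port = 5055;` sets earlier in the same hunk; reference the option instead, `locations."/".proxyPass = "http://127.0.0.1:${toString config.services.seerr.port}";`, so the two cannot drift apart. Forcing `DynamicUser` off and `ExecStart` to a bare `${pkgs.seerr}/bin/seerr` also discards whatever the upstream unit put in ExecStart and, presumably, the sandboxing that DynamicUser implies (the hunk re-adds only `ReadWritePaths`); a short comment above the `serviceConfig` block stating why a static user is required would help a reviewer judge the trade-off. If the upstream unit relied on DynamicUser to create `configDir`, that directory now has to be created and owned by `seerr` before first start, e.g. via `systemd.tmpfiles.rules`.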
