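{ inputs, config, lib, pkgs, isUnstable, ... }:

# "box": media/*arr stack, Nextcloud, Gitea (forgejo), Vaultwarden, Invidious
# and the Loki/Promtail/Prometheus/Grafana stack, fronted by an OpenResty
# nginx. Internal "*.bold.daemon" vhosts are fenced to the ranges in
# `httpAllow`; the tailnet vhost carries Nextcloud and the OpenBSD mirror cache.
let
  #photoPrismTag = "220901-bullseye";

  # Lifetime of cached OpenBSD mirror objects; shared by proxy_cache_valid in
  # `openbsdPub` and the `inactive=` of proxy_cache_path in commonHttpConfig.
  httpCacheTime = "720m";

  # Source ranges allowed to reach the internal vhosts (LAN, the Tailscale
  # CGNAT range and one explicit host). Every consumer appends `deny all;`.
  httpAllow = ''
    allow 10.6.0.0/24;
    allow 100.64.0.0/10;
    allow 10.20.30.1/32;
  '';

  # Caching reverse proxy for OpenBSD sets/packages. The upstream is fetched
  # over plain HTTP, so the integrity of what this cache hands out rests on
  # clients verifying the signed SHA256.sig, not on the transport.
  openbsdPub = {
    extraConfig = ''
      proxy_cache my_cache;
      proxy_cache_revalidate on;
      proxy_cache_min_uses 1;
      proxy_cache_use_stale error timeout updating http_500 http_502
        http_503 http_504;
      proxy_cache_background_update on;
      proxy_cache_lock on;

      proxy_ignore_headers Cache-Control;
      proxy_cache_valid any ${httpCacheTime};

      # from jeremy
      proxy_set_header Connection "";
      proxy_http_version 1.1;

      proxy_pass http://ftp.usa.openbsd.org;
    '';
  };

  # SSH public keys installed for both qbit and root (see `userBase`).
  pubKeys = [
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILnaC1v+VoVNnK04D32H+euiCyWPXU8nX6w+4UoFfjA3 qbit@plq"
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO7v+/xS8832iMqJHCWsxUZ8zYoMWoZhjj++e26g1fLT europa"
  ];

  userBase = { openssh.authorizedKeys.keys = pubKeys; };

  # sops stanza for a TLS cert or key consumed by nginx: decrypted to a file
  # only the nginx user can read.
  mkNginxSecret = {
    sopsFile = config.xin-secrets.box.certs;
    owner = config.users.users.nginx.name;
    mode = "400";
  };

  # Base names whose "<name>_cert"/"<name>_key" pairs are declared as nginx
  # secrets. "bw" is declared but not referenced by any vhost in this file.
  nginxCertNames = [
    "books"
    "jelly"
    "lidarr"
    "nzb"
    "prowlarr"
    "radarr"
    "reddit"
    "sonarr"
    "graph"
    "bw"
    "invidious"
  ];

  # Internal vhost "<name>.bold.daemon": TLS from the matching sops secrets,
  # websocket-capable reverse proxy to `upstream`, reachable only from the
  # `httpAllow` ranges.
  mkRestrictedHost = name: upstream: {
    forceSSL = true;
    sslCertificateKey = config.sops.secrets."${name}_key".path;
    sslCertificate = config.sops.secrets."${name}_cert".path;
    locations."/" = {
      proxyPass = upstream;
      proxyWebsockets = true;
      extraConfig = ''
        ${httpAllow}
        deny all;
      '';
    };
  };

  # Prometheus scrape job with a single static target.
  mkScrapeJob = job_name: target: {
    inherit job_name;
    static_configs = [{ targets = [ target ]; }];
  };
in {
  _module.args.isUnstable = false;
  imports = [ ./hardware-configuration.nix ];

  sops.secrets = {
    nextcloud_db_pass = {
      owner = config.users.users.nextcloud.name;
      sopsFile = config.xin-secrets.box.services;
    };
    nextcloud_admin_pass = {
      owner = config.users.users.nextcloud.name;
      sopsFile = config.xin-secrets.box.services;
    };
    # Only consumed by the (currently commented-out) photoprism container.
    photoprism_admin_password = { sopsFile = config.xin-secrets.box.services; };
    gitea_db_pass = {
      owner = config.users.users.gitea.name;
      sopsFile = config.xin-secrets.box.services;
    };
    "bitwarden_rs.env" = { sopsFile = config.xin-secrets.box.services; };
    "wireguard_private_key" = { sopsFile = config.xin-secrets.box.services; };
  } // lib.genAttrs
    (lib.concatMap (name: [ "${name}_cert" "${name}_key" ]) nginxCertNames)
    (_: mkNginxSecret);

  boot.supportedFilesystems = [ "zfs" ];
  boot.loader.grub.copyKernels = true;
  boot.loader.systemd-boot.enable = true;
  boot.loader.efi.canTouchEfiVariables = true;

  doas.enable = true;

  networking = {
    hostName = "box";
    hostId = "9a2d2563";
    useDHCP = false;
    enableIPv6 = false;

    hosts = {
      "127.0.0.1" = [ "git.tapenet.org" ];
      "100.122.61.43" = [ "nix-binary-cache.humpback-trout.ts.net" ];
    };
    interfaces.enp7s0 = { useDHCP = true; };

    firewall = {
      # Per-interface holes, merged into one attrset: Loki only on the tailnet;
      # Gitea SSH/HTTP and Vaultwarden only over the WireGuard link (Vaultwarden
      # binds to the wg0 address below).
      interfaces = {
        "tailscale0" = { allowedTCPPorts = [ 3030 ]; };
        "wg0" = {
          allowedTCPPorts = [
            config.services.gitea.settings.server.SSH_PORT
            config.services.gitea.settings.server.HTTP_PORT
            config.services.vaultwarden.config.rocketPort
          ];
        };
      };
      # Reachable on every interface: sshd, HTTP/S and the Gitea SSH server.
      allowedTCPPorts = config.services.openssh.ports
        ++ [ 80 443 config.services.gitea.settings.server.SSH_PORT ];
      # mosh
      allowedUDPPortRanges = [{
        from = 60000;
        to = 61000;
      }];
    };

    wireguard = {
      enable = true;
      interfaces = {
        wg0 = {
          listenPort = 7122;
          ips = [ "192.168.112.4/32" ];
          peers = [{
            publicKey = "IMJ1gVK6KzRghon5Wg1dxv1JCB8IbdSqeFjwQAxJM10=";
            endpoint = "23.29.118.127:7122";
            allowedIPs = [ "192.168.112.3/32" ];
            persistentKeepalive = 25;
          }];
          privateKeyFile = config.sops.secrets.wireguard_private_key.path;
          #privateKeyFile = "/root/wgpk";
        };
      };
    };
  };

  nixpkgs.config.allowUnfree = true;

  environment.systemPackages = with pkgs; [
    nixfmt
    tmux
    mosh
    apg
    git
    signify
    glowing-bear

    (callPackage ../../pkgs/athens.nix { inherit isUnstable; })
  ];

  # Terms are accepted but no vhost in this file sets enableACME: the tailnet
  # cert comes from the ts-certs.sh cron job and the *.bold.daemon certs from
  # sops.
  security.acme = {
    acceptTerms = true;
    defaults.email = "aaron@bolddaemon.com";
  };

  # for photoprism
  #users.groups.photoprism = {
  #  name = "photoprism";
  #  gid = 986;
  #};
  #users.users.photoprism = {
  #  uid = 991;
  #  name = "photoprism";
  #  isSystemUser = true;
  #  hashedPassword = null;
  #  group = "photoprism";
  #  shell = "/bin/sh";
  #  openssh.authorizedKeys.keys = pubKeys;
  #};

  #virtualisation.podman = {
  #  enable = false;
  #  #dockerCompat = true;
  #};
  #virtualisation.oci-containers.backend = "podman";
  #virtualisation.oci-containers.containers = {
  #  #kativa = {
  #  #  autoStart = true;
  #  #  ports = [ "127.0.0.1:5000:5000" ];
  #  #  image = "kizaing/kavita:0.5.2";
  #  #  volumes = [ "/media/books:/books" "/media/books/config:/kativa/config" ];
  #  #};
  #  photoprism = {
  #    #user = "${toString config.users.users.photoprism.name}:${toString config.users.groups.photoprism.name}";
  #    autoStart = true;
  #    ports = [ "127.0.0.1:2343:2343" ];
  #    image = "photoprism/photoprism:${photoPrismTag}";
  #    workdir = "/photoprism";
  #    volumes = [
  #      "/media/pictures/photoprism/storage:/photoprism/storage"
  #      "/media/pictures/photoprism/originals:/photoprism/originals"
  #      "/media/pictures/photoprism/import:/photoprism/import"
  #    ];
  #    environment = {
  #      PHOTOPRISM_HTTP_PORT = "2343";
  #      PHOTOPRISM_UPLOAD_NSFW = "true";
  #      PHOTOPRISM_DETECT_NSFW = "false";
  #      PHOTOPRISM_UID = "${toString config.users.users.photoprism.uid}";
  #      PHOTOPRISM_GID = "${toString config.users.groups.photoprism.gid}";
  #      #PHOTOPRISM_SITE_URL = "https://photos.tapenet.org/";
  #      PHOTOPRISM_SITE_URL = "https://box.humpback-trout.ts.net/photos";
  #      PHOTOPRISM_SETTINGS_HIDDEN = "false";
  #      PHOTOPRISM_DATABASE_DRIVER = "sqlite";
  #    };
  #  };
  #};

  # Shared group so the downloaders and players can all reach /media.
  users.groups.media = {
    name = "media";
    members =
      [ "qbit" "sonarr" "radarr" "lidarr" "nzbget" "jellyfin" "headphones" ];
  };

  services = {
    nextcloud = {
      enable = true;
      enableBrokenCiphersForSSE = false;
      # Served through the tailnet vhost of the same name below.
      hostName = "box.humpback-trout.ts.net";
      home = "/media/nextcloud";
      https = true;

      package = pkgs.nextcloud27;
      extraApps = with config.services.nextcloud.package.packages.apps; {
        inherit bookmarks calendar contacts notes tasks twofactor_webauthn;
      };
      extraAppsEnable = true;

      config = {
        overwriteProtocol = "https";
        dbtype = "pgsql";
        dbuser = "nextcloud";
        dbhost = "/run/postgresql";
        dbname = "nextcloud";
        dbpassFile = config.sops.secrets.nextcloud_db_pass.path;
        adminpassFile = config.sops.secrets.nextcloud_admin_pass.path;
        adminuser = "admin";
      };
    };

    # Bound to loopback only; reached through the invidious.bold.daemon vhost.
    invidious = {
      enable = true;
      settings = {
        port = lib.mkForce 1538;
        host_binding = "127.0.0.1";
        domain = "invidious.bold.daemon";
        https_only = true;
        popular_enabled = false;
        statistics_enabled = false;
        default_home = "Subscriptions";
      };
    };

    cron = {
      enable = true;
      # Daily refresh of the tailnet TLS cert used by the ts.net vhost. Runs as
      # root; ownership of the key pair is handed to nginx afterwards (nginx
      # gets /etc/nixos/secrets via ReadOnlyPaths below). Only stdout is
      # discarded: a failed renewal must show up in cron's output rather than
      # surfacing weeks later as an expired certificate.
      systemCronJobs = let
        tsCertsScript = pkgs.writeScriptBin "ts-certs.sh" ''
          #!/usr/bin/env sh
          . /etc/profile;
          (
            mkdir -p /etc/nixos/secrets;
            chown root /etc/nixos/secrets/box.humpback-trout.ts.net.*;
            tailscale cert \
              --cert-file /etc/nixos/secrets/box.humpback-trout.ts.net.crt \
              --key-file=/etc/nixos/secrets/box.humpback-trout.ts.net.key \
              box.humpback-trout.ts.net;
            chown nginx /etc/nixos/secrets/box.humpback-trout.ts.net.*
          ) >/dev/null
        '';
      in [ "@daily root ${tsCertsScript}/bin/ts-certs.sh" ];
    };

    # NOTE(security): X11 forwarding widens sshd's exposure on a headless
    # server; keep it only while it is actually used.
    openssh = { settings.X11Forwarding = true; };

    tor.enable = true;

    sonarr.enable = true;
    radarr.enable = true;
    lidarr.enable = true;
    jackett.enable = false;
    prowlarr.enable = true;
    headphones.enable = false;
    nzbget = {
      enable = true;
      group = "media";
      settings = { MainDir = "/media/downloads"; };
    };

    fwupd.enable = true;
    zfs = {
      autoSnapshot.enable = true;
      # Pushes rpool snapshots as root to the backup host, authenticating with
      # this machine's SSH *host* key. A dedicated, receiver-restricted key
      # would keep the host key out of the client role.
      autoReplication = {
        enable = true;
        host = "10.6.0.245";
        identityFilePath = "/etc/ssh/ssh_host_ed25519_key";
        localFilesystem = "rpool";
        recursive = true;
        remoteFilesystem = "tank/backups/box";
        username = "root";
      };
    };

    jellyfin = {
      enable = true;
      openFirewall = true;
    };

    calibre-web = {
      enable = true;
      options = { enableBookUploading = true; };
      listen.port = 8909;
      listen.ip = "127.0.0.1";
    };

    grafana = {
      enable = true;
      settings = {
        analytics.reporting_enabled = false;
        server = {
          domain = "graph.tapenet.org";
          http_port = 2342;
          http_addr = "127.0.0.1";
        };
      };

      #declarativePlugins = with pkgs; [ grafana-image-renderer ];

      provision = {
        enable = true;
        datasources.settings.datasources = [
          {
            name = "Prometheus";
            type = "prometheus";
            access = "proxy";
            url =
              "http://127.0.0.1:${toString config.services.prometheus.port}";
          }
          {
            name = "Loki";
            type = "loki";
            access = "proxy";
            url = "http://127.0.0.1:${
                toString
                config.services.loki.configuration.server.http_listen_port
              }";
          }
        ];
      };
    };

    loki = {
      enable = true;
      configuration = {
        analytics.reporting_enabled = false;
        server.http_listen_port = 3030;
        # Listens on every interface with auth disabled: the firewall hole on
        # tailscale0:3030 (and loopback for promtail/grafana) is the only guard.
        server.http_listen_address = "0.0.0.0";
        auth_enabled = false;

        ingester = {
          lifecycler = {
            address = "127.0.0.1";
            ring = {
              kvstore = { store = "inmemory"; };
              replication_factor = 1;
            };
          };
          chunk_idle_period = "1h";
          max_chunk_age = "1h";
          chunk_target_size = 999999;
          chunk_retain_period = "30s";
          max_transfer_retries = 0;
        };

        schema_config = {
          configs = [{
            from = "2022-06-06";
            store = "boltdb-shipper";
            object_store = "filesystem";
            schema = "v11";
            index = {
              prefix = "index_";
              period = "24h";
            };
          }];
        };

        storage_config = {
          boltdb_shipper = {
            active_index_directory = "/var/lib/loki/boltdb-shipper-active";
            cache_location = "/var/lib/loki/boltdb-shipper-cache";
            cache_ttl = "24h";
            shared_store = "filesystem";
          };

          filesystem = { directory = "/var/lib/loki/chunks"; };
        };

        limits_config = {
          reject_old_samples = true;
          reject_old_samples_max_age = "168h";
        };

        chunk_store_config = { max_look_back_period = "0s"; };

        table_manager = {
          retention_deletes_enabled = false;
          retention_period = "0s";
        };

        compactor = {
          working_directory = "/var/lib/loki";
          shared_store = "filesystem";
          compactor_ring = { kvstore = { store = "inmemory"; }; };
        };
      };
    };

    promtail = {
      enable = true;
      configuration = {
        server = {
          http_listen_port = 3031;
          grpc_listen_port = 0;
        };
        # The read-position file must survive restarts/reboots or the last
        # `max_age` of journal is shipped again (duplicates in Loki). /tmp is
        # neither persistent nor private, so keep it in the unit's state
        # directory. NOTE(review): assumes the NixOS promtail unit declares
        # StateDirectory=promtail — confirm on this channel.
        positions = { filename = "/var/lib/promtail/positions.yaml"; };
        clients = [{
          url = "http://127.0.0.1:${
              toString
              config.services.loki.configuration.server.http_listen_port
            }/loki/api/v1/push";
        }];
        scrape_configs = [{
          job_name = "journal";
          journal = {
            max_age = "12h";
            labels = {
              job = "systemd-journal";
              host = "box";
            };
          };
          relabel_configs = [{
            source_labels = [ "__journal__systemd_unit" ];
            target_label = "unit";
          }];
        }];
      };
    };

    prometheus = {
      enable = true;
      port = 9001;

      exporters = {
        node = {
          enable = true;
          enabledCollectors = [ "systemd" ];
          port = 9002;
        };

        nginx = { enable = true; };
      };

      scrapeConfigs = [
        (mkScrapeJob "box" "127.0.0.1:${
            toString config.services.prometheus.exporters.node.port
          }")
        (mkScrapeJob "greenhouse" "10.6.0.20:80")
        (mkScrapeJob "house" "10.6.0.21:80")
        (mkScrapeJob "outside" "10.6.0.22:8811")
        (mkScrapeJob "faf" "10.6.0.245:9002")
        (mkScrapeJob "h" "100.64.247.69:9002")
        (mkScrapeJob "namish" "10.6.0.2:9100")
        (mkScrapeJob "router" "10.6.0.1:9100")
        (mkScrapeJob "nginx" "127.0.0.1:${
            toString config.services.prometheus.exporters.nginx.port
          }")
      ];
    };

    vaultwarden = {
      enable = true;
      backupDir = "/backups/bitwarden_rs";
      config = {
        domain = "https://bw.tapenet.org";
        signupsAllowed = false;
        rocketPort = 8222;
        rocketAddress = "192.168.112.4"; # wg0
        rocketLog = "critical";
      };
      environmentFile = config.sops.secrets."bitwarden_rs.env".path;
    };

    gitea = {
      enable = true;
      stateDir = "/media/git";
      appName = "Tape:neT";

      package = inputs.unstable.legacyPackages.${pkgs.system}.forgejo;

      lfs.enable = true;

      settings = {
        server = {
          DOMAIN = "git.tapenet.org";
          ROOT_URL = "https://git.tapenet.org";
          START_SSH_SERVER = true;
          SSH_SERVER_HOST_KEYS = "ssh/gitea-ed25519";
          SSH_PORT = 2222;
          DISABLE_REGISTRATION = true;
          COOKIE_SECURE = true;
        };
      };

      database = {
        type = "postgres";
        passwordFile = config.sops.secrets.gitea_db_pass.path;
        socket = "/run/postgresql";
      };
    };

    rsnapshot = {
      enable = false;
      enableManualRsnapshot = true;
      extraConfig = ''
        snapshot_root /backups/snapshots/
        retain daily 7
        retain manual 3
        backup_exec date "+ backup of suah.dev started at %c"
        backup root@suah.dev:/home/ suah.dev/
        backup root@suah.dev:/etc/ suah.dev/
        backup root@suah.dev:/var/synapse/ suah.dev/
        backup root@suah.dev:/var/dendrite/ suah.dev/
        backup root@suah.dev:/var/hammer/ suah.dev/
        backup root@suah.dev:/var/go-ipfs/ suah.dev/
        backup root@suah.dev:/var/gopher/ suah.dev/
        backup root@suah.dev:/var/honk/ suah.dev/
        backup root@suah.dev:/var/mcchunkie/ suah.dev/
        backup root@suah.dev:/var/www/ suah.dev/
        backup_exec date "+ backup of suah.dev ended at %c"
      '';
      cronIntervals = { daily = "50 21 * * *"; };
    };

    libreddit = {
      enable = true;
      port = 8482;
    };

    nginx = {
      enable = true;
      # openresty provides content_by_lua_block for the /_pub endpoint.
      package = pkgs.openresty;

      statusPage = true;

      recommendedTlsSettings = true;
      recommendedOptimisation = true;
      recommendedGzipSettings = true;
      recommendedProxySettings = true;

      clientMaxBodySize = "512M";

      commonHttpConfig = ''
        proxy_cache_path /backups/nginx_cache levels=1:2 keys_zone=my_cache:10m max_size=10g
                         inactive=${httpCacheTime} use_temp_path=off;
      '';

      virtualHosts = {
        # The only *.bold.daemon vhost without the httpAllow fence; Invidious
        # itself is bound to loopback and marked https_only.
        "invidious.bold.daemon" = {
          forceSSL = true;
          sslCertificateKey = config.sops.secrets.invidious_key.path;
          sslCertificate = config.sops.secrets.invidious_cert.path;
          locations."/" = {
            proxyPass = "http://127.0.0.1:${
                toString config.services.invidious.settings.port
              }";
            proxyWebsockets = true;
          };
        };

        # Tailnet-facing vhost; cert/key are rotated by the ts-certs.sh cron
        # job. The Nextcloud module targets this hostName too, presumably why
        # no "/" location is defined here.
        "box.humpback-trout.ts.net" = {
          forceSSL = true;
          sslCertificateKey =
            "/etc/nixos/secrets/box.humpback-trout.ts.net.key";
          sslCertificate = "/etc/nixos/secrets/box.humpback-trout.ts.net.crt";

          # photoprism is disabled (commented oci-containers block above), so
          # this location currently has no backend and answers 502.
          locations."/photos" = {
            proxyPass = "http://localhost:2343";
            proxyWebsockets = true;
          };

          locations."/pub" = openbsdPub;
        };

        #"photos.tapenet.org" = {
        #  forceSSL = true;
        #  enableACME = true;
        #
        #  locations."/" = {
        #    proxyPass = "http://localhost:2343";
        #    proxyWebsockets = true;
        #  };
        #};

        # TODO: jellyfin.nix doesn't expose the port being used.
        "jelly.bold.daemon" = mkRestrictedHost "jelly" "http://localhost:8096";

        "reddit.bold.daemon" = mkRestrictedHost "reddit"
          "http://localhost:${toString config.services.libreddit.port}";

        "books.bold.daemon" = mkRestrictedHost "books" "http://localhost:${
            toString config.services.calibre-web.listen.port
          }";

        "sonarr.bold.daemon" = mkRestrictedHost "sonarr" "http://localhost:8989";
        "radarr.bold.daemon" = mkRestrictedHost "radarr" "http://localhost:7878";
        "prowlarr.bold.daemon" =
          mkRestrictedHost "prowlarr" "http://localhost:9696";
        "nzb.bold.daemon" = mkRestrictedHost "nzb" "http://localhost:6789";
        "lidarr.bold.daemon" = mkRestrictedHost "lidarr" "http://localhost:8686";

        # Plain HTTP and no certificate; headphones itself is disabled above.
        "headphones.bold.daemon" = {
          locations."/" = {
            proxyPass = "http://localhost:8181";
            proxyWebsockets = true;
            extraConfig = ''
              ${httpAllow}
              deny all;
            '';
          };
        };

        "graph.bold.daemon" = lib.recursiveUpdate (mkRestrictedHost "graph"
          "http://127.0.0.1:${
            toString config.services.grafana.settings.server.http_port
          }") {
            # Unfenced endpoint returning the latest wstation_temp_c sample by
            # speaking raw HTTP to Prometheus. The reply is not parsed: the
            # last newline-separated line of the first read is echoed as-is,
            # so a chunked or multi-segment response breaks it. A sturdier
            # form is an internal proxy location plus ngx.location.capture.
            locations."/_pub" = {
              extraConfig = ''
                default_type 'application/json';

                content_by_lua_block {
                  -- Split `str` on `sep` (default newline), dropping empty fields.
                  local function lsplit(str, sep)
                    sep = sep or "\n"
                    local fields = {}
                    for field in string.gmatch(str, "([^" .. sep .. "]+)") do
                      fields[#fields + 1] = field
                    end
                    return fields
                  end

                  local prom_port = ${toString config.services.prometheus.port}
                  local sock = ngx.socket.tcp()
                  -- Timeouts only cover connect/send/receive when set beforehand.
                  sock:settimeouts(1000, 1000, 1000)
                  local ok, err = sock:connect("127.0.0.1", prom_port)
                  if not ok then
                    ngx.say("failed to connect to backend: ", err)
                    return
                  end

                  -- Minimal HTTP/1.1 request; CRLF line endings per RFC 7230.
                  local sent, send_err = sock:send(
                    "GET /api/v1/query?query=wstation_temp_c HTTP/1.1\r\n"
                    .. "Host: 127.0.0.1:" .. prom_port .. "\r\n\r\n")
                  if not sent then
                    ngx.say("failed to query backend: ", send_err)
                    sock:close()
                    return
                  end

                  local data, recv_err = sock:receiveany(10 * 1024)
                  sock:close()
                  if not data then
                    ngx.say("failed to read weather data: ", recv_err)
                    return
                  end

                  local lines = lsplit(data)
                  if #lines == 0 then
                    ngx.say("empty response from backend")
                    return
                  end
                  ngx.say(lines[#lines])
                }
              '';
            };
          };
      };
    };

    postgresqlBackup = {
      enable = true;
      location = "/backups/postgresql";
    };
    postgresql = {
      enable = true;
      dataDir = "/db/postgres";

      enableTCPIP = true;
      # FIXME(security): `trust` on every line lets any local process (the web
      # apps, any shell user) open a session as any role, including the
      # superuser, over TCP or the socket without presenting a credential.
      # Nextcloud and Gitea already carry password files above, so the host
      # lines can move to scram-sha-256 once those passwords are set in the
      # cluster, and the local line to peer.
      authentication = pkgs.lib.mkOverride 14 ''
        local all all trust
        host all all 127.0.0.1/32 trust
        host all all ::1/128 trust
      '';

      ensureDatabases = [ "nextcloud" "gitea" ];
      ensureUsers = [
        {
          name = "nextcloud";
          ensurePermissions."DATABASE nextcloud" = "ALL PRIVILEGES";
        }
        {
          name = "gitea";
          ensurePermissions."DATABASE gitea" = "ALL PRIVILEGES";
        }
        {
          name = "invidious";
          ensurePermissions."DATABASE invidious" = "ALL PRIVILEGES";
        }
      ];
    };
  };

  # Extra paths for the nginx unit: the proxy cache (writable) and the tailnet
  # cert/key rotated by ts-certs.sh (read-only).
  systemd.services.nginx.serviceConfig = {
    ReadWritePaths = [ "/backups/nginx_cache" ];
    ReadOnlyPaths = [ "/etc/nixos/secrets" ];
  };

  # Keep Gitea's git invocations from reading system/global git config.
  systemd.services.gitea.environment = {
    GIT_CONFIG_NOGLOBAL = "true";
    GIT_CONFIG_NOSYSTEM = "true";
  };

  #systemd.services."nextcloud-setup" = {
  #  requires = [ "postgresql.service" ];
  #  after = [ "postgresql.service" ];
  #};

  # Same key set for the admin user and for root, so root-over-SSH is key
  # based; whether it is permitted at all is decided by sshd's PermitRootLogin,
  # which is not set in this file.
  users.users.qbit = userBase;
  users.users.root = userBase;

  programs.zsh.enable = true;

  system.stateVersion = "20.03";
}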