{ config
, lib
, pkgs
, xinlib
, ...
}:
let
inherit (xinlib) todo;

# How long nginx may keep serving a cached upstream response; used both by the
# cache zone in commonHttpConfig and by the OpenBSD mirror location.
httpCacheTime = "720m";

# nginx allow-list shared by the LAN-only vhosts: the local LAN, the CGNAT
# range tailscale hands out, and one extra host. Every vhost that embeds this
# follows it with `deny all;`, so these are the only networks that get through.
httpAllow = lib.concatMapStrings (cidr: "allow ${cidr};\n") [
  "10.6.0.0/24"
  "100.64.0.0/10"
  "10.20.30.1/32"
];

# Caching reverse proxy in front of the OpenBSD CDN (mounted at /pub on the
# tailnet vhost). Upstream Cache-Control is ignored on purpose so mirror
# contents are held for httpCacheTime regardless of what the CDN says.
openbsdPub = {
  extraConfig = ''
    proxy_cache my_cache;
    proxy_cache_revalidate on;
    proxy_cache_min_uses 1;
    proxy_cache_use_stale error timeout updating http_500 http_502
      http_503 http_504;
    proxy_cache_background_update on;
    proxy_cache_lock on;
    proxy_ignore_headers Cache-Control;
    proxy_cache_valid any ${httpCacheTime};
    # from jeremy
    proxy_set_header Connection "";
    proxy_http_version 1.1;
    proxy_pass http://cdn.openbsd.org;
  '';
};

# SSH public keys granted to both qbit and root (see users.users at the bottom).
pubKeys = [
  "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILnaC1v+VoVNnK04D32H+euiCyWPXU8nX6w+4UoFfjA3 qbit@plq"
  "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO7v+/xS8832iMqJHCWsxUZ8zYoMWoZhjj++e26g1fLT europa"
];
userBase.openssh.authorizedKeys.keys = pubKeys;

# Template for the nginx TLS material kept in sops: readable by the nginx user
# only (mode 400), sourced from the certs secrets file.
mkNginxSecret = {
  sopsFile = config.xin-secrets.box.secrets.certs;
  owner = config.users.users.nginx.name;
  mode = "400";
};
in
{
# Passed to every module as an argument; presumably consumed by modules that
# branch on `isUnstable` (none of them are visible in this file).
_module.args.isUnstable = true;

imports = [
  ./hardware-configuration.nix
  # Previously pulled home-assistant straight from the unstable input; kept for reference.
  #"${inputs.unstable}/nixos/modules/services/home-automation/home-assistant.nix"
];
# Secrets decrypted at activation time. Ownership is set per secret so each
# service reads only its own material; anything without an explicit owner keeps
# sops-nix's default (root).
sops.secrets =
  let
    svcSecrets = config.xin-secrets.box.secrets.services;
    certSecrets = config.xin-secrets.box.secrets.certs;
    resticOwned = sopsFile: { owner = config.users.users.restic.name; inherit sopsFile; };

    # One "<name>_cert" / "<name>_key" pair per nginx vhost (and bw for vaultwarden),
    # all using the nginx-owned, mode-400 template from the let block above.
    nginxCertNames = [ "books" "jelly" "lidarr" "nzb" "prowlarr" "radarr" "reddit" "sonarr" "graph" "bw" "readarr" "home" ];
    nginxCertSecrets = lib.genAttrs
      (lib.concatMap (n: [ "${n}_cert" "${n}_key" ]) nginxCertNames)
      (_: mkNginxSecret);
  in
  {
    #nextcloud_db_pass = {
    # owner = config.users.users.nextcloud.name;
    # sopsFile = config.xin-secrets.box.secrets.services;
    #};
    #nextcloud_admin_pass = {
    # owner = config.users.users.nextcloud.name;
    # sopsFile = config.xin-secrets.box.secrets.services;
    #};
    gitea_db_pass = {
      owner = config.users.users.gitea.name;
      sopsFile = svcSecrets;
    };
    "bitwarden_rs.env" = { sopsFile = svcSecrets; };
    wireguard_private_key = { sopsFile = svcSecrets; };
    # restic-rest server: htpasswd for client auth plus its own TLS pair.
    restic_htpasswd = resticOwned svcSecrets;
    restic_cert = resticOwned certSecrets;
    restic_key = resticOwned certSecrets;
  } // nginxCertSecrets;
# UEFI + systemd-boot with ZFS support in the initrd.
boot.supportedFilesystems = [ "zfs" ];
boot.loader.grub.copyKernels = true;
boot.loader.systemd-boot.enable = true;
boot.loader.efi.canTouchEfiVariables = true;

doas.enable = true;
networking = {
  hostName = "box";
  # Stable machine id; NixOS's ZFS support requires one to be set.
  hostId = "9a2d2563";
  useDHCP = false;
  enableIPv6 = false;

  # Static name overrides. git.tapenet.org points at loopback so clients on
  # this host reach the local gitea/nginx directly.
  hosts = {
    "10.6.0.1" = [ "router.bold.daemon" ];
    "127.0.0.1" = [ "git.tapenet.org" ];
    "10.6.0.15" = [ "jelly.bold.daemon" ];
    "100.74.8.55" = [ "nix-binary-cache.otter-alligator.ts.net" ];
  };
  interfaces.enp7s0.useDHCP = true;

  firewall = {
    # Per-interface openings. The original spelled this as two separate
    # `interfaces = { ... }` attrsets that the Nix parser merges; one set is the
    # same thing, just harder to misread.
    interfaces = {
      # NOTE(review): 3030 is loki's http_listen_port, but services.loki is
      # disabled further down — this opening looks stale; confirm before removing.
      tailscale0.allowedTCPPorts = [ 3030 ];
      # Services reachable only through the wireguard tunnel.
      wg0.allowedTCPPorts = [
        config.services.gitea.settings.server.SSH_PORT
        config.services.gitea.settings.server.HTTP_PORT
        config.services.vaultwarden.config.rocketPort
      ];
    };

    # Open on every interface, including the LAN-facing enp7s0.
    allowedTCPPorts = config.services.openssh.ports ++ [
      80
      443
      config.services.gitea.settings.server.SSH_PORT
      21063 # homekit
      21064 # homekit
      1883 # mosquitto — the listener below takes anonymous read/write, so this is an unauthenticated LAN input
      8484 # restic-rest server (TLS + htpasswd, bound to 10.6.0.15)
    ];
    allowedUDPPorts = [
      5353 # homekit (mDNS)
    ];
    # Presumably for mosh (in systemPackages); this is its default port range.
    allowedUDPPortRanges = [
      {
        from = 60000;
        to = 61000;
      }
    ];
  };

  wireguard = {
    enable = true;
    interfaces.wg0 = {
      listenPort = 7122;
      ips = [ "192.168.112.4/32" ];
      peers = [
        {
          publicKey = "IMJ1gVK6KzRghon5Wg1dxv1JCB8IbdSqeFjwQAxJM10=";
          endpoint = "23.29.118.127:7122";
          allowedIPs = [ "192.168.112.3/32" ];
          persistentKeepalive = 25;
        }
      ];
      # Private key is decrypted by sops at activation, never stored in /nix/store.
      privateKeyFile = config.sops.secrets.wireguard_private_key.path;
      #privateKeyFile = "/root/wgpk";
    };
  };
};
nixpkgs.config = {
  allowUnfree = true;
  # openssl 1.1.1 is end-of-life; `todo` (from xinlib, not visible here)
  # presumably surfaces the reminder at evaluation time. Whatever still links it
  # runs without security fixes until this entry can go.
  permittedInsecurePackages = todo "figure out what is using openssl-1.1.1w" [
    "openssl-1.1.1w"
  ];
};
#nixpkgs.overlays = [
# (_: _: {
# inherit (inputs.unstable.legacyPackages.${pkgs.system}) home-assistant;
# })
#];
#disabledModules = [
# "services/home-automation/home-assistant.nix"
#];
# Host-wide tools; service packages are pulled in by their modules.
environment.systemPackages = [
  pkgs.tmux
  pkgs.mosh
  pkgs.apg
  pkgs.git
  pkgs.signify
  pkgs.git-annex
  pkgs.rtl_433
];

# ACME defaults; no vhost in this file currently sets enableACME (the only
# candidate, photos.tapenet.org, is commented out).
security.acme = {
  acceptTerms = true;
  defaults.email = "aaron@bolddaemon.com";
};
# Shared group so every media service (and qbit) can write under /media;
# transmission/readarr/nzbget/sabnzbd/calibre-web below set `group = "media"`.
users.groups.media = {
  name = "media";
  members = [ "qbit" "sonarr" "radarr" "lidarr" "nzbget" "jellyfin" "headphones" "rtorrent" "readarr" ];
};
users.groups.photos = {
  name = "photos";
  members = [ "qbit" ];
};

# USB SDR dongle; the rtl_433 prometheus exporter runs in the plugdev group to reach it.
hardware.rtl-sdr.enable = true;
services = {
# Photo library; fronted on the tailnet by ts-reverse-proxy ("immich-service").
immich = {
  enable = true;
  port = 3301;
  mediaLocation = "/media/pictures/immich";
  machine-learning.enable = true;
};
tsns.enable = true;

# Imgur front-end, loopback only; exposed on the tailnet via ts-reverse-proxy.
rimgo = {
  enable = true;
  settings.PORT = 3001;
  settings.ADDRESS = "127.0.0.1";
};
# Tailnet-facing proxies. Every entry is enabled; only the tailnet name and the
# upstream address/port differ.
ts-reverse-proxy.servers =
  let
    mkServer = reverseName: reverseIP: reversePort: {
      enable = true;
      inherit reverseName reverseIP reversePort;
    };
  in
  {
    "invidious-service" = mkServer "invidious"
      config.services.invidious.address
      config.services.invidious.port;
    "rimgo-service" = mkServer "rimgo"
      config.services.rimgo.settings.ADDRESS
      config.services.rimgo.settings.PORT;
    # Upstream is a separate LAN device spoken to over plain HTTP; whatever
    # encryption the tailnet side provides ends on this box.
    "evse-service" = mkServer "evse" "10.6.0.166" 80;
    "immich-service" = mkServer "immich"
      config.services.immich.host
      config.services.immich.port;
  };
# restic REST backend for other hosts. Bound to the LAN address, TLS with its
# own sops-managed pair, htpasswd for client auth, and each client confined to
# its own repository (privateRepos).
restic.server = {
  enable = true;
  dataDir = "/backups/restic";
  privateRepos = true;
  listenAddress = "10.6.0.15:8484";
  extraFlags = [
    "--htpasswd-file"
    config.sops.secrets.restic_htpasswd.path
    "--tls"
    "--tls-cert"
    config.sops.secrets.restic_cert.path
    "--tls-key"
    config.sops.secrets.restic_key.path
  ];
};
# MQTT broker feeding the home-assistant mqtt sensors. One listener on the
# module defaults (presumably 0.0.0.0:1883 — 1883 is opened firewall-wide
# above), with no password auth and a read/write ACL on the `#` wildcard: any
# host that can reach 1883 can publish to the greenhouse/* topics HA reads and
# subscribe to every topic. Narrowing the ACL to the sensor topics, or moving
# publishers behind password auth, would reduce that without changing reach.
mosquitto = {
  enable = true;
  listeners = [
    {
      acl = [ "pattern readwrite #" ];
      omitPasswordAuth = true;
      settings = { allow_anonymous = true; };
    }
  ];
};

# mDNS responder (homekit/zeroconf discovery); openFirewall adds its UDP port.
avahi = {
  enable = true;
  openFirewall = true;
};

matter-server.enable = true;
home-assistant = {
  enable = true;
  # Extra Python packages made available to HA's interpreter.
  extraPackages = python3Packages:
    with python3Packages; [
      pyipp
      pymetno
      ical
      grpcio
    ];
  # Out-of-tree integration built from this repo's own package expression.
  # NOTE(review): built via python312Packages while `pkgs` is taken from
  # pkgs.home-assistant — confirm both resolve to the same interpreter.
  customComponents = [
    (pkgs.python312Packages.callPackage ../../pkgs/openevse.nix { inherit (pkgs.home-assistant) pkgs; })
  ];
  # Built-in integrations whose Python dependencies get pulled into the closure.
  extraComponents = [
    "airthings"
    "airthings_ble"
    "airvisual"
    "airvisual_pro"
    "apple_tv"
    #"aprs"
    "brother"
    "ecobee"
    "esphome"
    "ffmpeg"
    "homekit"
    "homekit_controller"
    "icloud"
    "kodi"
    "logger"
    "matter"
    "met"
    "mqtt"
    "nextdns"
    "octoprint"
    "prometheus"
    "pushover"
    "rest"
    "snmp"
    "zeroconf"
  ];
  # Rendered into HA's configuration.yaml.
  config = {
    sensor = [
    ];
    # Fed by the mosquitto broker above, which accepts anonymous read/write on
    # every topic from any host that can reach port 1883 — treat these readings
    # as unauthenticated input.
    mqtt.sensor = [
      {
        name = "Greenhouse Temperature";
        unique_id = "greenhouse_temp_c";
        state_topic = "greenhouse/temp";
        unit_of_measurement = "°C";
      }
      {
        name = "Greenhouse Humidity";
        unique_id = "greenhouse_humidity_pct";
        state_topic = "greenhouse/humidity";
        unit_of_measurement = "%";
      }
    ];
    logger = {
      default = "warning";
      logs = {
        #"homeassistant.components.starlink" = "debug";
      };
    };
    "automation manual" = [
    ];
    "automation ui" = "!include automations.yaml";
    # Polls the local prometheus HTTP API for the rtl_433 temperature series and
    # picks out one sensor model per entry; the template emits that model's value.
    rest = [
      {
        resource = "http://127.0.0.1:9001/api/v1/query?query=rtl_433_temperature_celsius";
        sensor = {
          name = "rtl_433_outside";
          unique_id = "f36fc559-268f-489d-9454-56000d42ebf3";
          value_template = ''
            {% for entry in value_json.data.result %}
            {% if entry.metric.model == 'LaCrosse-TX141Bv3' %}
            {{ entry.value[1] }}
            {% endif %}
            {% endfor %}
          '';
        };
      }
      {
        resource = "http://127.0.0.1:9001/api/v1/query?query=rtl_433_temperature_celsius";
        sensor = {
          unique_id = "6720a3dc-658e-496f-b321-fc9c161e6620";
          name = "rtl_433_greenhouse";
          value_template = ''
            {% for entry in value_json.data.result %}
            {% if entry.metric.model == 'Solight-TE44' %}
            {{ entry.value[1] }}
            {% endif %}
            {% endfor %}
          '';
        };
      }
    ];
    device_tracker = [
    ];
    default_config = { };
    # HA binds loopback only and is reached through nginx (home.bold.daemon).
    # X-Forwarded-For is honoured solely from 127.0.0.1; widening trusted_proxies
    # would let a client choose the source address HA uses for login/ban logic.
    http = {
      use_x_forwarded_for = true;
      server_host = "127.0.0.1";
      trusted_proxies = "127.0.0.1";
    };
    homeassistant = {
      name = "Home";
      time_zone = "America/Denver";
      # NOTE(review): Celsius temperatures alongside an imperial unit system —
      # both are set deliberately here; confirm HA applies them as intended.
      temperature_unit = "C";
      unit_system = "imperial";
      longitude = -104.72;
      latitude = 38.35;
    };
  };
};
# YouTube front-end on loopback; exposed on the tailnet via ts-reverse-proxy.
invidious = {
  enable = true;
  database.createLocally = true;
  address = "127.0.0.1";
  port = 1538;
  settings = {
    db = {
      user = "invidious";
      # Plaintext and therefore in the world-readable Nix store. With the
      # loopback `trust` rule in services.postgresql below it is never actually
      # checked; mkForce presumably overrides what createLocally would generate.
      password = lib.mkForce "invidious";
      dbname = "invidious";
      host = lib.mkForce "127.0.0.1";
      port = 5432;
    };
    domain = "invidious.otter-alligator.ts.net";
    https_only = true;
    popular_enabled = false;
    statistics_enabled = false;
    default_home = "Subscriptions";
  };
};
cron = {
  enable = true;
  systemCronJobs =
    let
      # Daily refresh of the tailscale-issued TLS pair for this host's tailnet
      # name, consumed by the "box.otter-alligator.ts.net" nginx vhost below.
      # Flow: hand the files to root (presumably so tailscale, running as root,
      # can overwrite them — on the very first run the glob matches nothing and
      # that chown fails), issue/renew, then give them back to nginx.
      # NOTE(review): all output goes to /dev/null, so a failed renewal (node
      # logged out, cert refused) is invisible until the vhost serves an expired
      # cert; routing stderr to the journal would surface it.
      tsCertsScript = pkgs.writeScriptBin "ts-certs.sh" ''
        #!/usr/bin/env sh
        . /etc/profile;
        (
          mkdir -p /etc/nixos/secrets;
          chown root /etc/nixos/secrets/box.otter-alligator.ts.net.*;
          tailscale cert \
            --cert-file /etc/nixos/secrets/box.otter-alligator.ts.net.crt \
            --key-file=/etc/nixos/secrets/box.otter-alligator.ts.net.key \
            box.otter-alligator.ts.net;
          chown nginx /etc/nixos/secrets/box.otter-alligator.ts.net.*
        ) >/dev/null 2>&1
      '';
    in
    [ "@daily root ${tsCertsScript}/bin/ts-certs.sh" ];
};
# X11 forwarding lets a forwarded client on this host talk to the connecting
# user's X server; harmless for trusted admins, worth knowing it is on.
openssh.settings.X11Forwarding = true;
tor.enable = true;

# Downloaders. All write under /media through the shared "media" group.
transmission = {
  enable = true;
  group = "media";
  downloadDirPermissions = "770";
  settings.download-dir = "/media/downloads/torrents";
};
nzbget = {
  enable = true;
  group = "media";
  settings.MainDir = "/media/downloads";
};
sabnzbd = {
  enable = true;
  group = "media";
};

# *arr stack; each one is fronted by a LAN-only nginx vhost further down.
readarr = {
  enable = true;
  dataDir = "/media/books";
  group = "media";
};
sonarr.enable = true;
radarr.enable = true;
lidarr.enable = true;
prowlarr.enable = true;
# Retired but their nginx vhost (headphones) / group membership linger.
jackett.enable = false;
headphones.enable = false;
fwupd.enable = true;

# Rolling ZFS snapshots (counts per interval).
zfs.autoSnapshot = {
  enable = true;
  hourly = 8;
  daily = 3;
  weekly = 2;
  monthly = 3;
};

# openFirewall opens jellyfin's own ports on every interface, so the LAN
# allow-list on jelly.bold.daemon (nginx) is not the only way in.
jellyfin = {
  enable = true;
  openFirewall = true;
};

# Loopback only; books.bold.daemon proxies it with the LAN allow-list.
calibre-web = {
  enable = true;
  group = "media";
  options.enableBookUploading = true;
  listen = {
    port = 8909;
    ip = "127.0.0.1";
  };
};
grafana = {
  enable = true;
  settings = {
    analytics.reporting_enabled = false;
    # Loopback only; graph.bold.daemon (nginx) fronts it with the LAN allow-list.
    server = {
      domain = "graph.tapenet.org";
      http_port = 2342;
      http_addr = "127.0.0.1";
    };
  };
  #declarativePlugins = with pkgs; [ grafana-image-renderer ];
  provision = {
    enable = true;
    # Both datasources are local; the Loki one points at a port nothing listens
    # on while services.loki is disabled.
    datasources.settings.datasources =
      let
        localUrl = port: "http://127.0.0.1:${toString port}";
      in
      [
        {
          name = "Prometheus";
          type = "prometheus";
          access = "proxy";
          url = localUrl config.services.prometheus.port;
        }
        {
          name = "Loki";
          type = "loki";
          access = "proxy";
          url = localUrl config.services.loki.configuration.server.http_listen_port;
        }
      ];
  };
};
# Disabled; the configuration is kept so promtail, grafana and the tailscale0
# firewall opening (3030) still evaluate. Note that if re-enabled as written it
# listens on 0.0.0.0 with auth_enabled = false.
loki = {
  enable = false;
  configuration = {
    analytics.reporting_enabled = false;
    server.http_listen_port = 3030;
    server.http_listen_address = "0.0.0.0";
    auth_enabled = false;
    # Single-node ingester: in-memory ring, no replication.
    ingester = {
      lifecycler = {
        address = "127.0.0.1";
        ring = {
          kvstore = { store = "inmemory"; };
          replication_factor = 1;
        };
      };
      chunk_idle_period = "1h";
      max_chunk_age = "1h";
      chunk_target_size = 999999;
      chunk_retain_period = "30s";
      max_transfer_retries = 0;
    };
    schema_config = {
      configs = [
        {
          from = "2022-06-06";
          store = "boltdb-shipper";
          object_store = "filesystem";
          schema = "v11";
          index = {
            prefix = "index_";
            period = "24h";
          };
        }
      ];
    };
    # Everything on local disk under /var/lib/loki.
    storage_config = {
      boltdb_shipper = {
        active_index_directory = "/var/lib/loki/boltdb-shipper-active";
        cache_location = "/var/lib/loki/boltdb-shipper-cache";
        cache_ttl = "24h";
        shared_store = "filesystem";
      };
      filesystem = { directory = "/var/lib/loki/chunks"; };
    };
    limits_config = {
      reject_old_samples = true;
      reject_old_samples_max_age = "168h";
    };
    chunk_store_config = { max_look_back_period = "0s"; };
    # Retention deletion is off, so data accumulates until pruned by hand.
    table_manager = {
      retention_deletes_enabled = false;
      retention_period = "0s";
    };
    compactor = {
      working_directory = "/var/lib/loki";
      shared_store = "filesystem";
      compactor_ring = { kvstore = { store = "inmemory"; }; };
    };
  };
};
# Ships the systemd journal to the local loki endpoint.
promtail = {
  enable = true;
  configuration = {
    server = {
      http_listen_port = 3031;
      grpc_listen_port = 0;
    };
    # NOTE(review): the read-offset file lives in /tmp, so it does not survive a
    # reboot (the journal is re-read back to max_age) and sits in a
    # world-writable directory; a state directory under /var/lib is the usual home.
    positions.filename = "/tmp/positions.yaml";
    # services.loki is disabled in this file, so these pushes presumably fail
    # until it is re-enabled.
    clients = [
      {
        url = "http://127.0.0.1:${toString config.services.loki.configuration.server.http_listen_port}/loki/api/v1/push";
      }
    ];
    scrape_configs = [
      {
        job_name = "journal";
        journal = {
          max_age = "12h";
          labels = {
            job = "systemd-journal";
            host = "box";
          };
        };
        # Expose the originating unit as a label.
        relabel_configs = [
          {
            source_labels = [ "__journal__systemd_unit" ];
            target_label = "unit";
          }
        ];
      }
    ];
  };
};
# Metrics. Port 9001 is not opened in the firewall; HA's rest sensors and
# grafana reach it on loopback.
prometheus =
  let
    localExporter = name: "127.0.0.1:${toString config.services.prometheus.exporters.${name}.port}";
    # Scrape job with a single static target list.
    mkJob = job_name: targets: {
      inherit job_name;
      static_configs = [ { inherit targets; } ];
    };
  in
  {
    enable = true;
    port = 9001;
    exporters = {
      node = {
        enable = true;
        enabledCollectors = [ "systemd" ];
        port = 9002;
      };
      nginx.enable = true;
      # 433 MHz sensor readings via the SDR dongle (plugdev for device access).
      rtl_433 = {
        enable = true;
        group = "plugdev";
        ids = [
          {
            id = 55;
            name = "LaCrosse-TX141Bv3";
            location = "Kitchen";
          }
          {
            id = 34;
            name = "Rubicson-Temperature";
            location = "3D-Printer";
          }
        ];
      };
    };
    # Local exporters plus node exporters on other hosts (LAN and tailnet
    # addresses), all scraped over plain HTTP.
    scrapeConfigs = [
      (mkJob "rtl_433" [ (localExporter "rtl_433") ])
      (mkJob "box" [ (localExporter "node") ])
      (mkJob "faf" [ "10.6.0.245:9002" ])
      (mkJob "h" [ "100.83.77.133:9002" ])
      (mkJob "pwntie" [ "100.84.170.57:9002" ])
      (mkJob "namish" [ "10.200.0.100:9100" ])
      (mkJob "nginx" [ (localExporter "nginx") ])
    ];
  };
# Password manager. Bound to the wg0 address only, so it is reachable just
# through the tunnel (rocketPort is opened on wg0 in the firewall above).
vaultwarden = {
  enable = true;
  backupDir = "/backups/bitwarden_rs";
  config = {
    domain = "https://bw.tapenet.org";
    signupsAllowed = false;
    rocketPort = 8222;
    rocketAddress = "192.168.112.4"; # wg0
    rocketLog = "critical";
  };
  # Remaining settings (the sensitive ones) come from the sops-managed env file.
  environmentFile = config.sops.secrets."bitwarden_rs.env".path;
};

gitea = {
  enable = true;
  stateDir = "/media/git/gitea";
  appName = "Tape:neT";
  #package = inputs.unstable.legacyPackages.${pkgs.system}.gitea;
  lfs.enable = true;
  # Built-in SSH server on 2222 (opened both firewall-wide and on wg0);
  # registration closed, cookies marked Secure.
  settings.server = {
    DOMAIN = "git.tapenet.org";
    ROOT_URL = "https://git.tapenet.org";
    START_SSH_SERVER = true;
    SSH_SERVER_HOST_KEYS = "ssh/gitea-ed25519";
    SSH_PORT = 2222;
    DISABLE_REGISTRATION = true;
    COOKIE_SECURE = true;
  };
  # Unix-socket connection; with postgresql's `local ... trust` rule below the
  # password file is read but never actually checked by the server.
  database = {
    type = "postgres";
    passwordFile = config.sops.secrets.gitea_db_pass.path;
    socket = "/run/postgresql";
  };
};
# Nightly rsync snapshots of /media and /var to the external disk, with
# timestamps logged around each backup.
rsnapshot = {
  enable = true;
  enableManualRsnapshot = true;
  cronIntervals.daily = "50 21 * * *";
  extraConfig = ''
    snapshot_root /external/snapshots/
    retain daily 7
    retain manual 3
    backup_exec date "+ backup of /media started at %c"
    backup /media/ media/
    backup_exec date "+ backup of /media ended at %c"
    backup_exec date "+ backup of /var started at %c"
    backup /var/ var/
    backup_exec date "+ backup of /var ended at %c"
  '';
};

# Reddit front-end; reddit.bold.daemon proxies it with the LAN allow-list.
redlib = {
  enable = true;
  port = 8482;
};
nginx =
  let
    # LAN-only vhost pattern shared by most hosts below: sops-managed
    # "<prefix>_cert"/"<prefix>_key", TLS forced, a single "/" location proxied
    # with websocket support, and the shared allow-list followed by `deny all;`
    # so only httpAllow's networks get through.
    lanVhost = prefix: upstream: {
      forceSSL = true;
      sslCertificateKey = config.sops.secrets."${prefix}_key".path;
      sslCertificate = config.sops.secrets."${prefix}_cert".path;
      locations."/" = {
        proxyPass = upstream;
        proxyWebsockets = true;
        extraConfig = ''
          ${httpAllow}
          deny all;
        '';
      };
    };
    localPort = port: "http://localhost:${toString port}";
  in
  {
    enable = true;
    statusPage = true;
    recommendedTlsSettings = true;
    recommendedOptimisation = true;
    recommendedGzipSettings = true;
    recommendedProxySettings = true;
    clientMaxBodySize = "512M";
    # Cache zone used by openbsdPub; lives under /backups, which nginx.service
    # is granted as ReadWritePaths in the systemd section below.
    commonHttpConfig = ''
      proxy_cache_path /backups/nginx_cache levels=1:2 keys_zone=my_cache:10m max_size=10g
      inactive=${httpCacheTime} use_temp_path=off;
    '';
    virtualHosts = {
      # home-assistant. Unlike the hosts below there is no allow-list here; HA's
      # own login is the only gate for LAN clients.
      "home.bold.daemon" = {
        forceSSL = true;
        sslCertificateKey = config.sops.secrets.home_key.path;
        sslCertificate = config.sops.secrets.home_cert.path;
        extraConfig = ''
          proxy_buffering off;
        '';
        locations."/" = {
          proxyPass = "http://127.0.0.1:8123";
          proxyWebsockets = true;
        };
      };
      # Tailnet name; the pair is refreshed by the ts-certs cron job and exposed
      # read-only to nginx via ReadOnlyPaths.
      "box.otter-alligator.ts.net" = {
        forceSSL = true;
        sslCertificateKey = "/etc/nixos/secrets/box.otter-alligator.ts.net.key";
        sslCertificate = "/etc/nixos/secrets/box.otter-alligator.ts.net.crt";
        # NOTE(review): nothing in this file listens on 2343 (immich is on 3301);
        # this location looks stale — confirm before removing.
        locations."/photos" = {
          proxyPass = localPort 2343;
          proxyWebsockets = true;
        };
        locations."/pub" = openbsdPub;
      };
      #"photos.tapenet.org" = {
      # forceSSL = true;
      # enableACME = true;
      # locations."/" = {
      # proxyPass = "http://localhost:2343";
      # proxyWebsockets = true;
      # };
      #};
      # TODO: jellyfin.nix doesn't expose the port being used.
      "jelly.bold.daemon" = lanVhost "jelly" (localPort 8096);
      "reddit.bold.daemon" = lanVhost "reddit" (localPort config.services.redlib.port);
      "books.bold.daemon" = lanVhost "books" (localPort config.services.calibre-web.listen.port);
      "sonarr.bold.daemon" = lanVhost "sonarr" (localPort 8989);
      "radarr.bold.daemon" = lanVhost "radarr" (localPort 7878);
      "prowlarr.bold.daemon" = lanVhost "prowlarr" (localPort 9696);
      "nzb.bold.daemon" = lanVhost "nzb" (localPort 8080);
      # Plain HTTP with no certificate, and services.headphones is disabled
      # above, so this answers on :80 with nothing behind it. Kept as written;
      # dropping it (or giving it the lanVhost treatment) is the cleanup.
      "headphones.bold.daemon" = {
        locations."/" = {
          proxyPass = localPort 8181;
          proxyWebsockets = true;
          extraConfig = ''
            ${httpAllow}
            deny all;
          '';
        };
      };
      "lidarr.bold.daemon" = lanVhost "lidarr" (localPort 8686);
      "readarr.bold.daemon" = lanVhost "readarr" (localPort 8787);
      "graph.bold.daemon" = lanVhost "graph"
        "http://127.0.0.1:${toString config.services.grafana.settings.server.http_port}";
    };
  };
postgresqlBackup = {
  enable = true;
  location = "/backups/postgresql";
};
postgresql = {
  enable = true;
  #dataDir = "/db/postgres";
  package = pkgs.postgresql_16;
  # TCP is needed for invidious, which connects to 127.0.0.1:5432 (see
  # services.invidious); gitea uses the unix socket.
  enableTCPIP = true;
  # pg_hba: `trust` on the socket and both loopback addresses means any local
  # process can open a session as any role — including the superuser — with no
  # password; gitea's passwordFile and invidious' password are never checked.
  # NOTE(review): fine only while every local account is trusted; scram-sha-256
  # on the host lines would need invidious' role to have a real password set.
  # Priority 14 wins over the module default and over a plain mkForce (50).
  authentication = pkgs.lib.mkOverride 14 ''
    local all all trust
    host all all 127.0.0.1/32 trust
    host all all ::1/128 trust
  '';
  # Databases/roles created at startup; each role owns its own database.
  ensureDatabases = [ "nextcloud" "gitea" "invidious" ];
  ensureUsers = [
    {
      name = "nextcloud";
      ensureDBOwnership = true;
    }
    {
      name = "gitea";
      ensureDBOwnership = true;
    }
    {
      name = "invidious";
      ensureDBOwnership = true;
    }
  ];
};
};
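systemd = {
  services = {
    tsns = {
      serviceConfig = {
        Restart = "always";
        # Fix: the systemd directive is `RestartSec=`. The previous spelling
        # `RestartSecs` is not a known key, so systemd ignored it (logging an
        # unknown-key warning) and restarted after the default 100ms instead
        # of the intended 15s.
        RestartSec = 15;
      };
    };
    # nginx needs to write its proxy cache and read the tailscale-issued
    # cert/key dropped in /etc/nixos/secrets by the ts-certs cron job.
    nginx.serviceConfig = {
      ReadWritePaths = [ "/backups/nginx_cache" ];
      ReadOnlyPaths = [ "/etc/nixos/secrets" ];
    };
    # Keep gitea's git invocations from picking up host-wide git config.
    gitea.environment = {
      GIT_CONFIG_NOGLOBAL = "true";
      GIT_CONFIG_NOSYSTEM = "true";
    };
    #"nextcloud-setup" = {
    # requires = [ "postgresql.service" ];
    # after = [ "postgresql.service" ];
    #};
  };
};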
# Both accounts accept the same SSH keys (pubKeys) and nothing else is set here.
users.users.qbit = userBase;
users.users.root = userBase;

programs.zsh.enable = true;
system.stateVersion = "20.03";
}