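# NixOS host configuration for a QEMU guest that fronts a set of self-hosted
# services (paperless, navidrome, immich, jellyfin, home-assistant, ntfy, ...)
# behind one nginx reverse proxy using a wildcard ACME certificate.
#
# Arguments:
#   modulesPath - nixpkgs module directory, used to pull in the qemu-guest profile
#   pubkeys     - project-supplied attrset of SSH public keys (only `ny` is used here)
#   config      - the evaluated system configuration, read for ports/users/paths
#
# The `modules.*` options are project-local; their exact semantics are not
# visible in this file, so remarks about them below are marked as assumptions.
{
  modulesPath,
  pubkeys,
  config,
  ...
}:
{
  imports = [
    (modulesPath + "/profiles/qemu-guest.nix")
    ./disk-config.nix
    ./adguard.nix
    ./calibre-web.nix
    ./prometheus.nix
  ];

  swapDevices = [ { device = "/dev/disk/by-uuid/cc568199-7a9b-4aa2-83f8-2a63982ff4f1"; } ];

  age.secrets = {
    navidrome.file = ../../secrets/navidrome.age;
    adguard-dns-list = {
      file = ../../secrets/adguard-dns-list.age;
      # NOTE(review): mode 444 makes the decrypted file readable by every local
      # user and service. If the consumer (presumably set up in ./adguard.nix)
      # runs as a known user or group, prefer `owner`/`group` with 0400/0440.
      mode = "444";
    };
    freshrss-default-password = {
      file = ../../secrets/freshrss-default-password.age;
      # Readable only by the FreshRSS service user.
      owner = config.services.freshrss.user;
    };
  };

  boot.loader.grub = {
    efiSupport = true;
    efiInstallAsRemovable = true;
  };

  modules = {
    meta = {
      tailscale.ip = "100.64.0.4";
    };

    system.networking.bluetooth.enable = true;

    container = {
      kitchenowl = {
        enable = true;
        version = "v0.6.4";
      };
    };

    server = {
      paperless = {
        enable = true;
        # NOTE(review): presumably opens the paperless port in the firewall in
        # addition to the nginx vhost below; confirm direct access is wanted,
        # since it would bypass TLS termination at the proxy.
        openPort = true;
        settings = {
          PAPERLESS_URL = "https://paperless.ccnlc.eu";
          PAPERLESS_OCR_USER_ARGS = {
            # OCR rewrites the PDF, so archived copies of signed documents will
            # not carry a valid signature.
            invalidate_digital_signatures = true;
          };
        };
      };

      navidrome = {
        enable = true;
        library = {
          path = "/mnt/music";
          type = "nfs";
          source = {
            ip = "192.168.178.21";
            path = "/mnt/Fort/data/music";
          };
        };
        settings = {
          # NOTE(review): listens on every interface although nginx reaches it
          # via localhost. Only 80/443 are opened in this file, but anything
          # that bypasses the firewall (trusted interfaces, other modules)
          # reaches it without TLS; 127.0.0.1 suffices if only the proxy
          # should talk to it.
          Address = "0.0.0.0";
          Port = 4533;
        };
      };
    };

    services = {
      tailscale = {
        enable = true;
        # This host forwards other tailnet devices' internet traffic.
        isExitNode = true;
        tags = [ "server" ];
      };

      rsync-backup = {
        enable = true;
        # NOTE(review): the rsync daemon protocol is unencrypted on its own.
        # Confirm "nihilus" is only reachable over the tailnet or another
        # protected link, since paperless documents and immich data go over it.
        # NOTE(review): "movies" and "books" lack the "-backup" suffix the
        # other targets use; kept exactly as in the original.
        modules =
          let
            # One incremental rsyncd job: local path -> rsync module on "nihilus".
            mkBackup = source: location: {
              sources = [ source ];
              target = {
                inherit location;
                type = "rsyncd";
                host = "nihilus";
              };
              incremental.enable = true;
            };
          in
          [
            (mkBackup "/var/lib/paperless" "paperless-backup")
            (mkBackup "/var/lib/immich" "immich-backup")
            (mkBackup "/mnt/music" "music-backup")
            (mkBackup "/mnt/shows" "shows-backup")
            (mkBackup "/mnt/movies" "movies")
            (mkBackup "/mnt/books" "books")
          ];
      };
    };
  };

  security.acme = {
    acceptTerms = true;
    defaults = {
      email = "contact@ccnlc.eu";
      dnsProvider = "ovh";
      # NOTE(review): no `ovh` entry exists in age.secrets in this file, and
      # agenix decrypts to /run/agenix by default. Presumably this path is
      # provisioned elsewhere; confirm it exists and is readable only by root
      # and the acme user, as it holds DNS API credentials.
      environmentFile = "/run/secrets/ovh";
    };
    certs."ccnlc.eu" = {
      # nginx needs group read access to the certificate and key.
      group = "nginx";
      extraDomainNames = [ "*.ccnlc.eu" ];
    };
  };

  services.nginx = {
    enable = true;
    recommendedProxySettings = true;
    recommendedTlsSettings = true;
    clientMaxBodySize = "100M";

    virtualHosts =
      let
        # Build an HTTPS-only vhost that proxies "/" to `upstream:port`.
        # `upstream` is a scheme plus host, e.g. "http://localhost".
        #
        # NOTE(review): `proxy_ssl_server_name on` only sends SNI. nginx does
        # not verify an upstream certificate unless `proxy_ssl_verify` is on,
        # so the https upstream below (truenas) is encrypted but not
        # authenticated.
        # NOTE(review): `proxy_pass_header` applies to response headers, so for
        # `Authorization` it likely has no effect; confirm the intent.
        mkVH = upstream: port: {
          forceSSL = true;
          locations."/" = {
            proxyPass = "${upstream}:${toString port}";
            extraConfig = ''
              proxy_ssl_server_name on;
              proxy_pass_header Authorization;
              proxy_set_header Upgrade $http_upgrade;
              proxy_set_header Connection $http_connection;
              proxy_http_version 1.1;
            '';
          };
          useACMEHost = "ccnlc.eu";
        };

        # Shorthand for services listening on this machine.
        mkVHLocal = mkVH "http://localhost";
      in
      {
        # NOTE(review): every vhost is served to any client that can reach
        # 80/443 with a matching Host header. Several of these front admin or
        # device-control interfaces (router, NAS, OctoPrint, Prometheus,
        # Grafana). If this proxy is reachable from outside the LAN or tailnet,
        # consider restricting those vhosts by source address or adding
        # authentication at the proxy, as none is configured at this layer.
        "octoprint.ccnlc.eu" = mkVHLocal config.services.octoprint.port;
        "immich.ccnlc.eu" = mkVHLocal config.services.immich.port;
        "jellyfin.ccnlc.eu" = mkVHLocal 8096;
        "ntfy.ccnlc.eu" = mkVHLocal 9393;
        "dav.ccnlc.eu" = mkVHLocal 5232;
        "assistant.ccnlc.eu" = mkVHLocal config.services.home-assistant.config.http.server_port;
        "kitchenowl.ccnlc.eu" = mkVHLocal config.modules.container.kitchenowl.port;
        "navidrome.ccnlc.eu" = mkVHLocal config.services.navidrome.settings.Port;
        "paperless.ccnlc.eu" = mkVHLocal config.modules.server.paperless.port;
        "fritz.ccnlc.eu" = mkVH "http://192.168.178.1" 80;
        "truenas.ccnlc.eu" = mkVH "https://192.168.178.21" 443;
        "calibre.ccnlc.eu" = mkVHLocal config.services.calibre-web.listen.port;
        "prometheus.ccnlc.eu" = mkVHLocal config.services.prometheus.port;
        "grafana.ccnlc.eu" = mkVHLocal config.services.grafana.settings.server.http_port;

        # No proxy locations are added here; only TLS settings are set on the
        # FreshRSS vhost.
        ${config.services.freshrss.virtualHost} = {
          forceSSL = true;
          useACMEHost = "ccnlc.eu";
        };
      };
  };

  services = {
    openssh = {
      enable = true;
      startWhenNeeded = true;
      settings = {
        # Key-only login; root's authorized key is set at the end of the file.
        # NOTE(review): keyboard-interactive authentication is a separate
        # setting (`KbdInteractiveAuthentication`); consider disabling it too
        # if only public keys are meant to be accepted.
        PasswordAuthentication = false;
      };
    };

    jellyfin.enable = true;
    immich.enable = true;

    radicale = {
      enable = true;
      # The original comment read "Documentation at" with its link missing.
      # Without a line break after it, the comment swallowed the rest of the
      # file; it is restored to its own line here.
      settings = {
        server = {
          # Loopback only; published through the dav.ccnlc.eu vhost.
          hosts = [ "127.0.0.1:5232" ];
        };
        auth = {
          type = "htpasswd";
          # NOTE(review): this file is not managed in this configuration. With
          # "autodetect", hash strength depends on how each entry was created;
          # make sure entries use a strong scheme such as bcrypt.
          htpasswd_filename = "/etc/radicale/users";
          htpasswd_encryption = "autodetect";
        };
        storage = {
          filesystem_folder = "/var/lib/radicale/collections";
        };
      };
    };

    ntfy-sh = {
      enable = true;
      settings =
        let
          root = "/var/lib/ntfy-sh";
        in
        {
          base-url = "https://ntfy.ccnlc.eu";
          listen-http = "127.0.0.1:9393";
          # Unauthenticated clients get no topic access by default.
          auth-default-access = "deny-all";
          behind-proxy = true;
          attachment-cache-dir = "${root}/attachments";
          # NOTE(review): anyone who can reach ntfy.ccnlc.eu can self-register.
          # If accounts are meant to be provisioned by the admin only, turn
          # signup off and keep login enabled.
          enable-signup = true;
          enable-login = true;
        };
    };

    octoprint = {
      enable = true;
      port = 5000;
    };

    freshrss = {
      enable = true;
      passwordFile = config.age.secrets.freshrss-default-password.path;
      virtualHost = "rss.ccnlc.eu";
      baseUrl = "https://rss.ccnlc.eu";
    };

    home-assistant = {
      enable = true;
      # NOTE(review): opens the Home Assistant port in the firewall, so the
      # plain-HTTP listener on 8123 is reachable directly as well as through
      # assistant.ccnlc.eu. Drop this if all access should pass through nginx.
      openFirewall = true;
      configWritable = true;
      extraComponents = [
        "tplink_tapo"
        "tplink"
        "default_config"
        "met"
        "esphome"
        "mobile_app"
        "octoprint"
        "jellyfin"
        "iron_os"
        "wake_on_lan"
      ];
      config = {
        default_config = { };
        http = {
          server_port = 8123;
          use_x_forwarded_for = true;
          # Clients at these addresses can set X-Forwarded-For and so choose
          # the source IP Home Assistant records.
          # NOTE(review): 10.89.0.3 presumably belongs to a container network;
          # confirm it is still a proxy you control, since the port is also
          # opened directly above.
          trusted_proxies = [
            "127.0.0.1"
            "::1"
            "10.89.0.3"
          ];
        };
      };
    };
  };

  # Only the reverse proxy is opened here; other openings come from the
  # per-service openFirewall/openPort switches above.
  networking.firewall.allowedTCPPorts = [
    443
    80
  ];

  fileSystems = {
    # Read-only NFS media shares, mounted on first access.
    "/mnt/shows" = {
      device = "192.168.178.21:/mnt/Fort/data/shows";
      fsType = "nfs";
      options = [
        "x-systemd.automount"
        "ro"
      ];
    };
    "/mnt/movies" = {
      device = "192.168.178.21:/mnt/Fort/data/movies";
      fsType = "nfs";
      options = [
        "x-systemd.automount"
        "ro"
      ];
    };
  };

  users.users.root.openssh.authorizedKeys.keys = [ pubkeys.ny ];

  system.stateVersion = "23.11";
}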