348 lines
8.4 KiB
Nix
348 lines
8.4 KiB
Nix
{
|
|
modulesPath,
|
|
pubkeys,
|
|
config,
|
|
...
|
|
}:
|
|
{
|
|
imports = [
|
|
(modulesPath + "/profiles/qemu-guest.nix")
|
|
./disk-config.nix
|
|
./adguard.nix
|
|
./calibre-web.nix
|
|
./prometheus.nix
|
|
];
|
|
|
|
swapDevices = [
|
|
{ device = "/dev/disk/by-uuid/cc568199-7a9b-4aa2-83f8-2a63982ff4f1"; }
|
|
];
|
|
|
|
age.secrets = {
|
|
navidrome.file = ../../secrets/navidrome.age;
|
|
adguard-dns-list = {
|
|
file = ../../secrets/adguard-dns-list.age;
|
|
mode = "444";
|
|
};
|
|
freshrss-default-password = {
|
|
file = ../../secrets/freshrss-default-password.age;
|
|
owner = config.services.freshrss.user;
|
|
};
|
|
acme = {
|
|
owner = if config.security.acme.useRoot then "root" else "acme";
|
|
file = ../../secrets/acme.age;
|
|
};
|
|
};
|
|
|
|
boot.loader.grub = {
|
|
efiSupport = true;
|
|
efiInstallAsRemovable = true;
|
|
};
|
|
|
|
modules = {
|
|
meta = {
|
|
tailscale.ip = "100.64.0.4";
|
|
};
|
|
system.networking.bluetooth.enable = true;
|
|
container = {
|
|
kitchenowl = {
|
|
enable = true;
|
|
version = "v0.6.4";
|
|
};
|
|
};
|
|
|
|
server = {
|
|
paperless = {
|
|
enable = true;
|
|
openPort = true;
|
|
settings = {
|
|
PAPERLESS_URL = "https://paperless.ccnlc.eu";
|
|
PAPERLESS_OCR_USER_ARGS = {
|
|
invalidate_digital_signatures = true;
|
|
};
|
|
};
|
|
};
|
|
|
|
navidrome = {
|
|
enable = true;
|
|
library = {
|
|
path = "/mnt/music";
|
|
type = "nfs";
|
|
source = {
|
|
ip = "192.168.178.21";
|
|
path = "/mnt/Fort/data/music";
|
|
};
|
|
};
|
|
settings = {
|
|
Address = "0.0.0.0";
|
|
Port = 4533;
|
|
};
|
|
};
|
|
};
|
|
|
|
services = {
|
|
tailscale = {
|
|
enable = true;
|
|
isExitNode = true;
|
|
tags = [ "server" ];
|
|
};
|
|
|
|
rsync-backup = {
|
|
enable = true;
|
|
modules = [
|
|
{
|
|
sources = [
|
|
"/var/lib/paperless"
|
|
"/var/lib/radicale"
|
|
"/var/lib/navidrome"
|
|
"/var/lib/immich"
|
|
"/var/lib/freshrss"
|
|
];
|
|
target = {
|
|
location = "shan";
|
|
type = "rsyncd";
|
|
host = "nihilus";
|
|
};
|
|
incremental.enable = true;
|
|
}
|
|
{
|
|
sources = [ "/var/lib/paperless" ];
|
|
target = {
|
|
location = "paperless-backup";
|
|
type = "rsyncd";
|
|
host = "nihilus";
|
|
};
|
|
incremental.enable = true;
|
|
}
|
|
{
|
|
sources = [ "/var/lib/immich" ];
|
|
target = {
|
|
location = "immich-backup";
|
|
type = "rsyncd";
|
|
host = "nihilus";
|
|
};
|
|
incremental.enable = true;
|
|
}
|
|
{
|
|
sources = [ "/mnt/music" ];
|
|
target = {
|
|
location = "music-backup";
|
|
type = "rsyncd";
|
|
host = "nihilus";
|
|
};
|
|
incremental.enable = true;
|
|
}
|
|
{
|
|
sources = [ "/mnt/shows" ];
|
|
target = {
|
|
location = "shows-backup";
|
|
type = "rsyncd";
|
|
host = "nihilus";
|
|
};
|
|
incremental.enable = true;
|
|
}
|
|
{
|
|
sources = [ "/mnt/movies" ];
|
|
target = {
|
|
location = "movies";
|
|
type = "rsyncd";
|
|
host = "nihilus";
|
|
};
|
|
incremental.enable = true;
|
|
}
|
|
{
|
|
sources = [ "/mnt/books" ];
|
|
target = {
|
|
location = "books";
|
|
type = "rsyncd";
|
|
host = "nihilus";
|
|
};
|
|
incremental.enable = true;
|
|
}
|
|
];
|
|
};
|
|
};
|
|
};
|
|
security = {
|
|
polkit.enable = true;
|
|
|
|
acme = {
|
|
acceptTerms = true;
|
|
defaults = {
|
|
email = "dns@ccnlc.eu";
|
|
dnsProvider = "ovh";
|
|
dnsResolver = "9.9.9.9"; # Necessary to avoid failing due to a local dns server
|
|
environmentFile = config.age.secrets.acme.path;
|
|
};
|
|
|
|
certs."ccnlc.eu" = {
|
|
group = "nginx";
|
|
extraDomainNames = [ "*.ccnlc.eu" ];
|
|
};
|
|
};
|
|
};
|
|
|
|
services.nginx = {
|
|
enable = true;
|
|
recommendedProxySettings = true;
|
|
recommendedTlsSettings = true;
|
|
clientMaxBodySize = "0";
|
|
virtualHosts =
|
|
let
|
|
mkVHLocal = mkVH "http://localhost";
|
|
mkVH = domain: port: {
|
|
forceSSL = true;
|
|
useACMEHost = "ccnlc.eu";
|
|
locations."/" = {
|
|
proxyPass = "${domain}:${toString port}";
|
|
extraConfig = ''
|
|
proxy_ssl_server_name on;
|
|
proxy_pass_header Authorization;
|
|
proxy_set_header Upgrade $http_upgrade;
|
|
proxy_set_header Connection $http_connection;
|
|
proxy_http_version 1.1;
|
|
'';
|
|
};
|
|
};
|
|
in
|
|
{
|
|
"octoprint.ccnlc.eu" = mkVHLocal config.services.octoprint.port;
|
|
"immich.ccnlc.eu" = mkVHLocal config.services.immich.port;
|
|
"jellyfin.ccnlc.eu" = mkVHLocal 8096;
|
|
"ntfy.ccnlc.eu" = mkVHLocal 9393;
|
|
"dav.ccnlc.eu" = mkVHLocal 5232;
|
|
"assistant.ccnlc.eu" = mkVHLocal config.services.home-assistant.config.http.server_port;
|
|
"kitchenowl.ccnlc.eu" = mkVHLocal config.modules.container.kitchenowl.port;
|
|
"navidrome.ccnlc.eu" = mkVHLocal config.services.navidrome.settings.Port;
|
|
"paperless.ccnlc.eu" = mkVHLocal config.modules.server.paperless.port;
|
|
"fritz.ccnlc.eu" = mkVH "http://192.168.178.1" 80;
|
|
"truenas.ccnlc.eu" = mkVH "https://192.168.178.21" 443;
|
|
"calibre.ccnlc.eu" = mkVHLocal config.services.calibre-web.listen.port;
|
|
"prometheus.ccnlc.eu" = mkVHLocal config.services.prometheus.port;
|
|
"adguard.ccnlc.eu" = mkVHLocal config.services.adguardhome.port;
|
|
"grafana.ccnlc.eu" = mkVHLocal config.services.grafana.settings.server.http_port;
|
|
${config.services.freshrss.virtualHost} = {
|
|
forceSSL = true;
|
|
useACMEHost = "ccnlc.eu";
|
|
};
|
|
};
|
|
};
|
|
|
|
services = {
|
|
openssh = {
|
|
enable = true;
|
|
startWhenNeeded = true;
|
|
settings = {
|
|
PasswordAuthentication = false;
|
|
};
|
|
};
|
|
|
|
jellyfin.enable = true;
|
|
immich.enable = true;
|
|
|
|
radicale = {
|
|
enable = true;
|
|
# Documentation at <https://radicale.org/v3.html#configuration>
|
|
settings = {
|
|
server = {
|
|
hosts = [ "127.0.0.1:5232" ];
|
|
};
|
|
auth = {
|
|
type = "htpasswd";
|
|
htpasswd_filename = "/etc/radicale/users";
|
|
htpasswd_encryption = "autodetect";
|
|
};
|
|
storage = {
|
|
filesystem_folder = "/var/lib/radicale/collections";
|
|
};
|
|
};
|
|
};
|
|
|
|
ntfy-sh = {
|
|
enable = true;
|
|
settings =
|
|
let
|
|
root = "/var/lib/ntfy-sh";
|
|
in
|
|
{
|
|
base-url = "https://ntfy.ccnlc.eu";
|
|
listen-http = "127.0.0.1:9393";
|
|
auth-default-access = "deny-all";
|
|
behind-proxy = true;
|
|
attachment-cache-dir = "${root}/attachments";
|
|
enable-signup = true;
|
|
enable-login = true;
|
|
};
|
|
};
|
|
|
|
octoprint = {
|
|
enable = true;
|
|
port = 5000;
|
|
};
|
|
|
|
freshrss = {
|
|
enable = true;
|
|
passwordFile = config.age.secrets.freshrss-default-password.path;
|
|
virtualHost = "rss.ccnlc.eu";
|
|
baseUrl = "https://rss.ccnlc.eu";
|
|
};
|
|
|
|
home-assistant = {
|
|
enable = true;
|
|
openFirewall = true;
|
|
configWritable = true;
|
|
extraComponents = [
|
|
"tplink_tapo"
|
|
"tplink"
|
|
"default_config"
|
|
"met"
|
|
"esphome"
|
|
"mobile_app"
|
|
"octoprint"
|
|
"jellyfin"
|
|
"iron_os"
|
|
"wake_on_lan"
|
|
];
|
|
config = {
|
|
default_config = { };
|
|
http = {
|
|
server_port = 8123;
|
|
use_x_forwarded_for = true;
|
|
trusted_proxies = [
|
|
"127.0.0.1"
|
|
"::1"
|
|
"10.89.0.3"
|
|
];
|
|
};
|
|
};
|
|
};
|
|
};
|
|
|
|
networking.firewall.allowedTCPPorts = [
|
|
443
|
|
80
|
|
];
|
|
|
|
fileSystems = {
|
|
"/mnt/shows" = {
|
|
device = "192.168.178.21:/mnt/Fort/data/shows";
|
|
fsType = "nfs";
|
|
options = [
|
|
"x-systemd.automount"
|
|
"ro"
|
|
];
|
|
};
|
|
|
|
"/mnt/movies" = {
|
|
device = "192.168.178.21:/mnt/Fort/data/movies";
|
|
fsType = "nfs";
|
|
options = [
|
|
"x-systemd.automount"
|
|
"ro"
|
|
];
|
|
};
|
|
};
|
|
|
|
users.users.root.openssh.authorizedKeys.keys = [ pubkeys.ny ];
|
|
|
|
system.stateVersion = "23.11";
|
|
}
|