From 7a34d9d9b71a2ae7f1c31a1e73993282bd19d37f Mon Sep 17 00:00:00 2001 From: Danilo Reyes Date: Tue, 5 Sep 2023 13:03:51 -0600 Subject: [PATCH] modularized the servers part of my config --- configuration.org | 266 ++-------------------------------------------- nginx.nix | 10 +- servers.nix | 218 +++++++++++++++++++++++++++++++++++++ 3 files changed, 236 insertions(+), 258 deletions(-) create mode 100644 servers.nix diff --git a/configuration.org b/configuration.org index 8ce415a..321f590 100755 --- a/configuration.org +++ b/configuration.org @@ -72,7 +72,7 @@ cluttered, for example, I may create a module for systemd units. #+begin_src nix imports = [ ./hardware-configuration.nix - ./nginx.nix + ./servers.nix # ./openldap.nix (import "${home-manager}/nixos") # @@ -216,47 +216,11 @@ nixpkgs.config = { }; #+end_src -* SYSTEM USERS -This may be a terrible idea, but because I need some of my service applications -to be part of specific groups so they have the required permissions to accesss -some files, I'm using a declarative approach to set some of them up. - -#+begin_src nix -users.groups = { - nextcloud.gid = 990; - piracy.gid = 985; -}; - -users.users = { - prowlarr = { - isSystemUser = true; - group = "piracy"; - }; - nextcloud = { - isSystemUser = true; - uid = 990; - group = "nextcloud"; - extraGroups = [ "render" ]; - packages = (with pkgs; [ - nodejs_14 - perl - (perlPackages.buildPerlPackage rec { - pname = "Image-ExifTool"; - version = "12.60"; - src = fetchurl { - url = "https://exiftool.org/Image-ExifTool-${version}.tar.gz"; - hash = "sha256-c9vgbQBMMQgqVueNfyRvK7AAL7sYNUR7wyorB289Mq0="; - }; - }) - ]); - }; -#+end_src - * NORMAL USERS Being part of the "wheel" group, means that the user has root privileges. #+begin_src nix -jawz = { +users.users.jawz = { isNormalUser = true; extraGroups = [ "wheel" "networkmanager" "docker" "scanner" "lp" "piracy" "kavita" 
@@ -385,8 +349,6 @@ telegram-desktop # furry chat # hugo # website engine nicotine-plus # remember Ares? warp # never used, but supposedly cool for sharing files -HentaiAtHome # uh-oh -qbittorrent-nox # piracy is fun! #+end_src ** COMMAND-LINE PACKAGES @@ -582,7 +544,7 @@ symbola markdownlint-cli # Linter prettier # Linter pnpm # Package manager -]); }; }; # <--- end of package list +]); }; # <--- end of package list #+end_src * HOME-MANAGER @@ -741,7 +703,6 @@ may be challenging. #+begin_src nix environment.systemPackages = with pkgs; [ wget - docker-compose # easy way to migrate my docker anywhere! jellyfin-ffmpeg # coolest video converter! dlib ]; @@ -804,17 +765,6 @@ environment.variables = rec { }; #+end_src -* DOCKER -Virtualisation settings for Docker. NixOS offers an option to declaratively run -docker-compose images using [[https://nixos.wiki/wiki/Docker][Arion]]. Could be an interesting thing to try out. - -#+begin_src nix -virtualisation.docker = { - enable = true; - storageDriver = "btrfs"; -}; -#+end_src - * SNAPRAID It's a parity raid utility which creates a scheme similar to what UNRAID offered, except not in real time, I schedule it to run every night, so it keeps @@ -899,13 +849,10 @@ programs = { #+end_src * SERVICES - -** MISC Miscellaneous services, most of which are managed by systemd. #+begin_src nix services = { - # vaultwarden.enable = true; minidlna = { enable = true; openFirewall = true; 
@@ -917,35 +864,6 @@ services = {
 ];
 };
 };
- postgresql = {
- enable = true;
- ensureDatabases = [ "paperless" "nextcloud" "mealie" ];
- ensureUsers = [
- {
- name = "nextcloud";
- ensurePermissions = {
- "DATABASE nextcloud" = "ALL PRIVILEGES";
- };
- }
- {
- name = "paperless";
- ensurePermissions = {
- "DATABASE paperless" = "ALL PRIVILEGES";
- };
- }
- {
- name = "mealie";
- ensurePermissions = {
- "DATABASE mealie" = "ALL PRIVILEGES";
- };
- }
- ];
- authentication = pkgs.lib.mkOverride 10 ''
- local all all trust
- host all all 127.0.0.1/32 trust
- host all all ::1/128 trust
- '';
- };
 printing = {
 enable = true;
 drivers = [ pkgs.hplip pkgs.hplipWithPlugin ];
@@ -981,99 +899,6 @@ services = { defaultEditor = true; package = pkgs.emacs; }; -#+end_src - -** PIRACY -All the fun stuff happens here >:). - -#+begin_src nix - prowlarr.enable = true; - kavita = { - enable = true; - tokenKeyFile = "${pkgs.writeText "kavitaToken" "A\u002BRkRxBjlQrmWSuXWTGUcpXZjzMo2nJ0Z4g4OZ1S4c2zp6oaesGUXzKp2mhvOwjj\u002BNoURG3CRIE2qnGybvOgAlDxAZCPBzSNRcx6RJ1lFRgvI8wQR6Nd5ivYX0RMo4S8yOH8XIDhzN6vNo31rCjyv2IycX0JqiJPIovfbvXn9Y="}"; - }; - sonarr = { - enable = true; - package = unstable.pkgs.sonarr; - group = "piracy"; - }; - radarr = { - enable = true; - package = unstable.pkgs.radarr; - group = "piracy"; - }; - bazarr = { - enable = true; - group = "piracy"; - }; - jellyfin = { - enable = true; - group = "piracy"; - }; -#+end_src - -** NEXTCLOUD -This configuration may not 100% work on a fresh installation, as some of the -settings declared take into account pre-existing configurations and apps. - -#+begin_src nix - nextcloud = { - enable = true; - https = true; - package = pkgs.nextcloud27; - appstoreEnable = true; - configureRedis = true; - maxUploadSize = "512M"; - extraAppsEnable = true; - enableImagemagick = true; - hostName = "cloud.servidos.lat"; - config = { - adminpassFile = "${pkgs.writeText "adminpass" "Overlying-Hatchback-Charting-Encounter-Deface-Gallantly7"}"; - overwriteProtocol = "https"; - defaultPhoneRegion = "MX"; - dbtype = "pgsql"; - dbuser = "nextcloud"; - dbpassFile = "${pkgs.writeText "dbpass" "sopacerias"}"; - dbtableprefix = "oc_"; - dbname = "nextcloud"; - trustedProxies = [ "nginx" ]; - extraTrustedDomains = [ "cloud.rotehaare.art" "danilo-reyes.com" ]; - }; - phpOptions = { - catch_workers_output = "yes"; - display_errors = "stderr"; - error_reporting = "E_ALL & ~E_DEPRECATED & ~E_STRICT"; - expose_php = "Off"; - "opcache.enable_cli" = "1"; - "opcache.fast_shutdown" = "1"; - "opcache.interned_strings_buffer" = "16"; - "opcache.jit" = "1255"; - "opcache.jit_buffer_size" = "128M"; - "opcache.max_accelerated_files" = 
"10000"; - "opcache.memory_consumption" = "128"; - "opcache.revalidate_freq" = "1"; - "opcache.save_comments" = "1"; - "opcache.validate_timestamps" = "0"; - "openssl.cafile" = "/etc/ssl/certs/ca-certificates.crt"; - short_open_tag = "Off"; - }; - extraOptions = { - mail_smtpmode = "sendmail"; - mail_sendmailmode = "pipe"; - "installed" = true; - "memories.exiftool" = "/etc/profiles/per-user/nextcloud/bin/exiftool"; - enabledPreviewProviders = [ - "OC\\Preview\\Image" - "OC\\Preview\\HEIC" - "OC\\Preview\\TIFF" - "OC\\Preview\\MKV" - "OC\\Preview\\MP4" - "OC\\Preview\\AVI" - "OC\\Preview\\Movie" - ]; - }; - phpExtraExtensions = all: [ all.pdlib all.bz2 ]; - }; }; #+end_src 
@@ -1083,62 +908,15 @@ the best way to define them for now, is using nix. #+begin_src nix systemd = { + packages = [ pkgs.qbittorrent-nox ]; services = { - docker-compose = { + "qbittorrent-nox@jawz" = { enable = true; - restartIfChanged = true; - description = "Start docker-compose servers"; - after = [ "docker.service" "docker.socket" ]; - requires = [ "docker.service" "docker.socket" ]; - wantedBy = [ "default.target" ]; - environment = { - FILE = "/home/jawz/Development/Docker/docker-compose.yml"; - }; - path = [ - pkgs.docker-compose - ]; - serviceConfig = { - Restart = "on-failure"; - RestartSec = 30; - ExecStart = "${pkgs.docker-compose}/bin/docker-compose -f \${FILE} up --remove-orphans"; - ExecStop = "${pkgs.docker-compose}/bin/docker-compose -f \${FILE} down"; - }; - }; - nextcloud-cronjob = let jawzNextcloudCronjob = pkgs.writeScriptBin - "nextcloud-cronjob" (builtins.readFile ./scripts/nextcloud-cronjob.sh); in { - description = "Runs various nextcloud-related cronjobs"; - wantedBy = [ "default.target" ]; - path = [ - pkgs.bash - jawzNextcloudCronjob - ]; - serviceConfig = { - Restart = "on-failure"; - RestartSec = 30; - ExecStart = "${jawzNextcloudCronjob}/bin/nextcloud-cronjob"; - }; - }; - qbittorrent-nox = { - enable = true; - description = "qBittorrent-nox service"; - serviceConfig = { - Type = "exec"; - ExecStart= "${pkgs.qbittorrent-nox}/bin/qbittorrent-nox --webui-port=9091"; - User = "jawz"; - }; + overrideStrategy = "asDropin"; wantedBy = [ "multi-user.target" ]; }; }; - timers = { - nextcloud-cronjob = { - enable = true; - description = "Runs various nextcloud-related cronjobs"; - wantedBy = [ "timers.target" ]; - timerConfig = { - OnCalendar = "*:0/10"; - }; - }; - }; + timers = { }; user = { services = { HentaiAtHome = { 
@@ -1195,22 +973,6 @@ systemd = { ExecStart = "${jawzTasks}/bin/tasks"; }; }; - update-dns = let jawzUpdateDns = pkgs.writeScriptBin - "update-dns" (builtins.readFile ./scripts/update-dns.sh); in { - restartIfChanged = true; - description = "update DNS of my websites"; - wantedBy = [ "default.target" ]; - path = [ - pkgs.bash - pkgs.nix - jawzUpdateDns - ]; - serviceConfig = { - Restart = "on-failure"; - RestartSec = 30; - ExecStart = "${jawzUpdateDns}/bin/update-dns"; - }; - }; qbit_manage = let qbit_dir = "/home/jawz/Development/Git/qbit_manage"; in { restartIfChanged = true; description = "Tidy up my torrents"; @@ -1235,15 +997,6 @@ systemd = { OnCalendar = "*:0/10"; }; }; - update-dns = { - enable = true; - description = "update DNS of my websites"; - wantedBy = [ "timers.target" ]; - timerConfig = { - OnBootSec = "1min"; - OnUnitActiveSec = "6h"; - }; - }; qbit_manage = { enable = true; description = "Tidy up my torrents"; @@ -1265,23 +1018,22 @@ Open ports in the firewall. networking = { firewall = let open_firewall_ports = [ - 80 # http - 443 # https 6969 # HentaiAtHome 25152 # ssh + 51413 # torrent ]; open_firewall_port_ranges = [ { from = 1714; to = 1764; } # kdeconnect ]; in { + enable = true; allowedTCPPorts = open_firewall_ports; allowedUDPPorts = open_firewall_ports; allowedTCPPortRanges = open_firewall_port_ranges; allowedUDPPortRanges = open_firewall_port_ranges; }; }; -# networking.firewall.enable = false; #+end_src * MISC SETTINGS diff --git a/nginx.nix b/nginx.nix index 94accb0..b7ca94b 100755 --- a/nginx.nix +++ b/nginx.nix 
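Review bot: The `"qbittorrent-nox@jawz"` drop-in replaces a unit that explicitly passed `--webui-port=9091` and ran as `User = "jawz"`, but the new drop-in only sets `overrideStrategy = "asDropin"` and `wantedBy`, so the WebUI port and user are now whatever the packaged `qbittorrent-nox@.service` template and qBittorrent's own config decide. Please confirm that the nginx upstream for qBittorrent (not in this diff) still matches the port actually bound, or pin the port in qBittorrent's config so the reverse proxy and firewall stay consistent. `timers = { };` is an empty attrset left over from moving `nextcloud-cronjob` into servers.nix and can simply be deleted. The `systemd = {` block this hunk edits starts in the previous hunk line and continues past it.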
@@ -101,12 +101,12 @@ in {
 "library.servidos.lat" = proxy kavitaPort // { };
 "bookmarks.servidos.lat" = proxy shioriPort // { };
 "start.servidos.lat" = proxy flamePort // { };
- "qampqwn4wprhqny8h8zj.servidos.lat" = proxy secretFlamePort // { };
 "music.servidos.lat" = proxy lidarrPort // { };
 "subs.servidos.lat" = proxy bazarrPort // { };
 "series.servidos.lat" = proxy sonarrPort // { };
 "vault.servidos.lat" = proxy vaultPort // { };
 "searx.servidos.lat" = proxy searxPort // { };
+ "qampqwn4wprhqny8h8zj.servidos.lat" = proxy secretFlamePort // { };
 "flix.servidos.lat" = {
 forceSSL = true;
 enableACME = true;
@@ -192,4 +192,12 @@ in {
 };
 };
 };
+ networking = {
+ firewall = let open_firewall_ports = [ 80 443 ];
+ in {
+ enable = true;
+ allowedTCPPorts = open_firewall_ports;
+ allowedUDPPorts = open_firewall_ports;
+ };
+ };
 }
diff --git a/servers.nix b/servers.nix
new file mode 100644
index 0000000..6ef31c3
--- /dev/null
+++ b/servers.nix
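Review bot: The new `networking.firewall` block in nginx.nix opens 80 and 443 on UDP as well as TCP (`allowedUDPPorts = open_firewall_ports;`), but nothing in the visible nginx configuration serves HTTP/3 or QUIC, so the UDP rule only widens the exposed surface; `allowedTCPPorts = [ 80 443 ];` on its own is enough and the `open_firewall_ports` binding can go. Keeping the 80/443 rule next to the vhosts that need it is a sensible split from configuration.org. `enable = true;` is also set in configuration.org's firewall block in this same commit; the two merge fine, but one owner for that setting is easier to audit. The reorder of the `qampqwn4…` vhost in the first hunk is cosmetic only.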
@@ -0,0 +1,218 @@
+{ config, lib, pkgs, modulesPath, ... }:
+let
+ unstable = import
+ (builtins.fetchTarball "https://github.com/nixos/nixpkgs/tarball/master") {
+ config = config.nixpkgs.config;
+ };
+in {
+ imports = [ ./nginx.nix ];
+ users.groups = {
+ nextcloud.gid = 990;
+ piracy.gid = 985;
+ kavita.gid = 982;
+ };
+ users.users = let
+ base = uid: {
+ uid = uid;
+ group = "piracy";
+ isSystemUser = true;
+ };
+ in {
+ prowlarr = base 987 // { };
+ sonarr = base 274 // { };
+ radarr = base 275 // { };
+ nextcloud = {
+ isSystemUser = true;
+ uid = 990;
+ group = "nextcloud";
+ extraGroups = [ "render" ];
+ packages = (with pkgs; [
+ nodejs_14
+ perl
+ (perlPackages.buildPerlPackage rec {
+ pname = "Image-ExifTool";
+ version = "12.60";
+ src = fetchurl {
+ url = "https://exiftool.org/Image-ExifTool-${version}.tar.gz";
+ hash = "sha256-c9vgbQBMMQgqVueNfyRvK7AAL7sYNUR7wyorB289Mq0=";
+ };
+ })
+ ]);
+ };
+ };
+ services = let
+ base = {
+ enable = true;
+ group = "piracy";
+ };
+ in {
+ prowlarr.enable = true;
+ kavita = {
+ enable = true;
+ tokenKeyFile = "${pkgs.writeText "kavitaToken"
+ "Au002BRkRxBjlQrmWSuXWTGUcpXZjzMo2nJ0Z4g4OZ1S4c2zp6oaesGUXzKp2mhvOwjju002BNoURG3CRIE2qnGybvOgAlDxAZCPBzSNRcx6RJ1lFRgvI8wQR6Nd5ivYX0RMo4S8yOH8XIDhzN6vNo31rCjyv2IycX0JqiJPIovfbvXn9Y="}";
+ };
+ sonarr = base // { package = unstable.pkgs.sonarr; };
+ radarr = base // { package = unstable.pkgs.radarr; };
+ bazarr = base // { };
+ jellyfin = base // { };
+ nextcloud = {
+ enable = true;
+ https = true;
+ package = pkgs.nextcloud27;
+ appstoreEnable = true;
+ configureRedis = true;
+ extraAppsEnable = true;
+ enableImagemagick = true;
+ maxUploadSize = "512M";
+ hostName = "cloud.servidos.lat";
+ config = {
+ adminpassFile = "${pkgs.writeText "adminpass"
+ "Overlying-Hatchback-Charting-Encounter-Deface-Gallantly7"}";
+ overwriteProtocol = "https";
+ defaultPhoneRegion = "MX";
+ dbtype = "pgsql";
+ dbuser = "nextcloud";
+ dbpassFile = "${pkgs.writeText "dbpass" "sopacerias"}";
+ dbtableprefix = "oc_";
+ dbname = "nextcloud";
+ trustedProxies = [ "nginx" ];
+ extraTrustedDomains = [ "cloud.rotehaare.art" "danilo-reyes.com" ];
+ };
+ phpOptions = {
+ catch_workers_output = "yes";
+ display_errors = "stderr";
+ error_reporting = "E_ALL & ~E_DEPRECATED & ~E_STRICT";
+ expose_php = "Off";
+ "opcache.enable_cli" = "1";
+ "opcache.fast_shutdown" = "1";
+ "opcache.interned_strings_buffer" = "16";
+ "opcache.jit" = "1255";
+ "opcache.jit_buffer_size" = "128M";
+ "opcache.max_accelerated_files" = "10000";
+ "opcache.memory_consumption" = "128";
+ "opcache.revalidate_freq" = "1";
+ "opcache.save_comments" = "1";
+ "opcache.validate_timestamps" = "0";
+ "openssl.cafile" = "/etc/ssl/certs/ca-certificates.crt";
+ short_open_tag = "Off";
+ };
+ extraOptions = {
+ mail_smtpmode = "sendmail";
+ mail_sendmailmode = "pipe";
+ "installed" = true;
+ "memories.exiftool" = "/etc/profiles/per-user/nextcloud/bin/exiftool";
+ enabledPreviewProviders = [
+ "OC\\Preview\\Image"
+ "OC\\Preview\\HEIC"
+ "OC\\Preview\\TIFF"
+ "OC\\Preview\\MKV"
+ "OC\\Preview\\MP4"
+ "OC\\Preview\\AVI"
+ "OC\\Preview\\Movie"
+ ];
+ };
+ phpExtraExtensions = all: [ all.pdlib all.bz2 ];
+ };
+ postgresql = {
+ enable = true;
+ ensureDatabases = [ "paperless" "nextcloud" "mealie" ];
+ ensureUsers = [
+ {
+ name = "nextcloud";
+ ensurePermissions = { "DATABASE nextcloud" = "ALL PRIVILEGES"; };
+ }
+ {
+ name = "paperless";
+ ensurePermissions = { "DATABASE paperless" = "ALL PRIVILEGES"; };
+ }
+ {
+ name = "mealie";
+ ensurePermissions = { "DATABASE mealie" = "ALL PRIVILEGES"; };
+ }
+ ];
+ authentication = pkgs.lib.mkOverride 10 ''
+ local all all trust
+ host all all 127.0.0.1/32 trust
+ host all all ::1/128 trust
+ '';
+ };
+ };
+ virtualisation.docker = {
+ enable = true;
+ storageDriver = "btrfs";
+ };
+ systemd = {
+ services = {
+ docker-compose = {
+ enable = true;
+ restartIfChanged = true;
+ description = "Start docker-compose servers";
+ after = [ "docker.service" "docker.socket" ];
+ requires = [ "docker.service" "docker.socket" ];
+ wantedBy = [ "default.target" ];
+ environment = {
+ FILE = "/home/jawz/Development/Docker/docker-compose.yml";
+ };
+ path = [ pkgs.docker-compose ];
+ serviceConfig = {
+ Restart = "on-failure";
+ RestartSec = 30;
+ ExecStart =
+ "${pkgs.docker-compose}/bin/docker-compose -f \${FILE} up --remove-orphans";
+ ExecStop =
+ "${pkgs.docker-compose}/bin/docker-compose -f \${FILE} down";
+ };
+ };
+ nextcloud-cronjob = let
+ jawzNextcloudCronjob = pkgs.writeScriptBin "nextcloud-cronjob"
+ (builtins.readFile ./scripts/nextcloud-cronjob.sh);
+ in {
+ description = "Runs various nextcloud-related cronjobs";
+ wantedBy = [ "default.target" ];
+ path = [ pkgs.bash jawzNextcloudCronjob ];
+ serviceConfig = {
+ Restart = "on-failure";
+ RestartSec = 30;
+ # ${config.services.nextcloud.package}
+ ExecStart = "${jawzNextcloudCronjob}/bin/nextcloud-cronjob";
+ };
+ };
+ };
+ timers = {
+ nextcloud-cronjob = {
+ enable = true;
+ description = "Runs various nextcloud-related cronjobs";
+ wantedBy = [ "timers.target" ];
+ timerConfig = { OnCalendar = "*:0/10"; };
+ };
+ };
+ user.services = {
+ update-dns = let
+ jawzUpdateDns = pkgs.writeScriptBin "update-dns"
+ (builtins.readFile ./scripts/update-dns.sh);
+ in {
+ restartIfChanged = true;
+ description = "update DNS of my websites";
+ wantedBy = [ "default.target" ];
+ path = [ pkgs.bash pkgs.nix jawzUpdateDns ];
+ serviceConfig = {
+ Restart = "on-failure";
+ RestartSec = 30;
+ ExecStart = "${jawzUpdateDns}/bin/update-dns";
+ };
+ };
+ };
+ user.timers = {
+ update-dns = {
+ enable = true;
+ description = "update DNS of my websites";
+ wantedBy = [ "timers.target" ];
+ timerConfig = {
+ OnBootSec = "1min";
+ OnUnitActiveSec = "6h";
+ };
+ };
+ };
+ };
+}
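Review bot: The Nextcloud `adminpassFile`, `dbpassFile` and Kavita `tokenKeyFile` in this new file are all built with `pkgs.writeText`, which places the secret in the world-readable Nix store and keeps the literal in the repository, so the `*File` options give no protection here; point them at a root-only path outside the store, e.g. `adminpassFile = "/var/lib/secrets/nextcloud-adminpass";` provisioned by sops-nix or agenix, and rotate the values that have now been committed. The PostgreSQL `authentication` block keeps `trust` for the local socket and both loopback addresses, so any local account can connect as any database role including `nextcloud`; `peer` for `local` and `scram-sha-256` for the two `host` lines would limit access to the intended service users. `builtins.fetchTarball` of `nixpkgs/tarball/master` carries no `sha256`, so the `unstable.pkgs.sonarr` and `radarr` packages are whatever master happens to be at evaluation time, neither pinned nor reproducible; pin it to a revision with a hash. The `users.users` entries for `prowlarr`, `sonarr` and `radarr` are declared here alongside the service modules that also manage those users, which is worth a check for conflicting `group`/`uid` definitions at build time.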