modularized the servers part of my config

2023-09-05 13:03:51 -06:00
parent ffc1f1122c
commit 7a34d9d9b7
3 changed files with 236 additions and 258 deletions


@@ -72,7 +72,7 @@ cluttered, for example, I may create a module for systemd units.
#+begin_src nix
imports = [
./hardware-configuration.nix
./nginx.nix
./servers.nix
# ./openldap.nix
(import "${home-manager}/nixos")
# <agenix/modules/age.nix>
@@ -216,47 +216,11 @@ nixpkgs.config = {
};
#+end_src
* SYSTEM USERS
This may be a terrible idea, but because I need some of my service applications
to be part of specific groups so they have the required permissions to accesss
some files, I'm using a declarative approach to set some of them up.
#+begin_src nix
users.groups = {
nextcloud.gid = 990;
piracy.gid = 985;
};
users.users = {
prowlarr = {
isSystemUser = true;
group = "piracy";
};
nextcloud = {
isSystemUser = true;
uid = 990;
group = "nextcloud";
extraGroups = [ "render" ];
packages = (with pkgs; [
nodejs_14
perl
(perlPackages.buildPerlPackage rec {
pname = "Image-ExifTool";
version = "12.60";
src = fetchurl {
url = "https://exiftool.org/Image-ExifTool-${version}.tar.gz";
hash = "sha256-c9vgbQBMMQgqVueNfyRvK7AAL7sYNUR7wyorB289Mq0=";
};
})
]);
};
#+end_src
* NORMAL USERS
Being part of the "wheel" group, means that the user has root privileges.
#+begin_src nix
jawz = {
users.users.jawz = {
isNormalUser = true;
extraGroups = [ "wheel" "networkmanager" "docker"
"scanner" "lp" "piracy" "kavita"
@@ -385,8 +349,6 @@ telegram-desktop # furry chat
# hugo # website engine
nicotine-plus # remember Ares?
warp # never used, but supposedly cool for sharing files
HentaiAtHome # uh-oh
qbittorrent-nox # piracy is fun!
#+end_src
** COMMAND-LINE PACKAGES
@@ -582,7 +544,7 @@ symbola
markdownlint-cli # Linter
prettier # Linter
pnpm # Package manager
]); }; }; # <--- end of package list
]); }; # <--- end of package list
#+end_src
* HOME-MANAGER
@@ -741,7 +703,6 @@ may be challenging.
#+begin_src nix
environment.systemPackages = with pkgs; [
wget
docker-compose # easy way to migrate my docker anywhere!
jellyfin-ffmpeg # coolest video converter!
dlib
];
@@ -804,17 +765,6 @@ environment.variables = rec {
};
#+end_src
* DOCKER
Virtualisation settings for Docker. NixOS offers an option to declaratively run
docker-compose images using [[https://nixos.wiki/wiki/Docker][Arion]]. Could be an interesting thing to try out.
#+begin_src nix
virtualisation.docker = {
enable = true;
storageDriver = "btrfs";
};
#+end_src
* SNAPRAID
It's a parity raid utility which creates a scheme similar to what UNRAID
offered, except not in real time, I schedule it to run every night, so it keeps
@@ -899,13 +849,10 @@ programs = {
#+end_src
* SERVICES
** MISC
Miscellaneous services, most of which are managed by systemd.
#+begin_src nix
services = {
# vaultwarden.enable = true;
minidlna = {
enable = true;
openFirewall = true;
@@ -917,35 +864,6 @@ services = {
];
};
};
postgresql = {
enable = true;
ensureDatabases = [ "paperless" "nextcloud" "mealie" ];
ensureUsers = [
{
name = "nextcloud";
ensurePermissions = {
"DATABASE nextcloud" = "ALL PRIVILEGES";
};
}
{
name = "paperless";
ensurePermissions = {
"DATABASE paperless" = "ALL PRIVILEGES";
};
}
{
name = "mealie";
ensurePermissions = {
"DATABASE mealie" = "ALL PRIVILEGES";
};
}
];
authentication = pkgs.lib.mkOverride 10 ''
local all all trust
host all all 127.0.0.1/32 trust
host all all ::1/128 trust
'';
};
printing = {
enable = true;
drivers = [ pkgs.hplip pkgs.hplipWithPlugin ];
@@ -981,99 +899,6 @@ services = {
defaultEditor = true;
package = pkgs.emacs;
};
#+end_src
** PIRACY
All the fun stuff happens here >:).
#+begin_src nix
prowlarr.enable = true;
kavita = {
enable = true;
tokenKeyFile = "${pkgs.writeText "kavitaToken" "A\u002BRkRxBjlQrmWSuXWTGUcpXZjzMo2nJ0Z4g4OZ1S4c2zp6oaesGUXzKp2mhvOwjj\u002BNoURG3CRIE2qnGybvOgAlDxAZCPBzSNRcx6RJ1lFRgvI8wQR6Nd5ivYX0RMo4S8yOH8XIDhzN6vNo31rCjyv2IycX0JqiJPIovfbvXn9Y="}";
};
sonarr = {
enable = true;
package = unstable.pkgs.sonarr;
group = "piracy";
};
radarr = {
enable = true;
package = unstable.pkgs.radarr;
group = "piracy";
};
bazarr = {
enable = true;
group = "piracy";
};
jellyfin = {
enable = true;
group = "piracy";
};
#+end_src
** NEXTCLOUD
This configuration may not 100% work on a fresh installation, as some of the
settings declared take into account pre-existing configurations and apps.
#+begin_src nix
nextcloud = {
enable = true;
https = true;
package = pkgs.nextcloud27;
appstoreEnable = true;
configureRedis = true;
maxUploadSize = "512M";
extraAppsEnable = true;
enableImagemagick = true;
hostName = "cloud.servidos.lat";
config = {
adminpassFile = "${pkgs.writeText "adminpass" "Overlying-Hatchback-Charting-Encounter-Deface-Gallantly7"}";
overwriteProtocol = "https";
defaultPhoneRegion = "MX";
dbtype = "pgsql";
dbuser = "nextcloud";
dbpassFile = "${pkgs.writeText "dbpass" "sopacerias"}";
dbtableprefix = "oc_";
dbname = "nextcloud";
trustedProxies = [ "nginx" ];
extraTrustedDomains = [ "cloud.rotehaare.art" "danilo-reyes.com" ];
};
phpOptions = {
catch_workers_output = "yes";
display_errors = "stderr";
error_reporting = "E_ALL & ~E_DEPRECATED & ~E_STRICT";
expose_php = "Off";
"opcache.enable_cli" = "1";
"opcache.fast_shutdown" = "1";
"opcache.interned_strings_buffer" = "16";
"opcache.jit" = "1255";
"opcache.jit_buffer_size" = "128M";
"opcache.max_accelerated_files" = "10000";
"opcache.memory_consumption" = "128";
"opcache.revalidate_freq" = "1";
"opcache.save_comments" = "1";
"opcache.validate_timestamps" = "0";
"openssl.cafile" = "/etc/ssl/certs/ca-certificates.crt";
short_open_tag = "Off";
};
extraOptions = {
mail_smtpmode = "sendmail";
mail_sendmailmode = "pipe";
"installed" = true;
"memories.exiftool" = "/etc/profiles/per-user/nextcloud/bin/exiftool";
enabledPreviewProviders = [
"OC\\Preview\\Image"
"OC\\Preview\\HEIC"
"OC\\Preview\\TIFF"
"OC\\Preview\\MKV"
"OC\\Preview\\MP4"
"OC\\Preview\\AVI"
"OC\\Preview\\Movie"
];
};
phpExtraExtensions = all: [ all.pdlib all.bz2 ];
};
};
#+end_src
@@ -1083,62 +908,15 @@ the best way to define them for now, is using nix.
#+begin_src nix
systemd = {
packages = [ pkgs.qbittorrent-nox ];
services = {
docker-compose = {
"qbittorrent-nox@jawz" = {
enable = true;
restartIfChanged = true;
description = "Start docker-compose servers";
after = [ "docker.service" "docker.socket" ];
requires = [ "docker.service" "docker.socket" ];
wantedBy = [ "default.target" ];
environment = {
FILE = "/home/jawz/Development/Docker/docker-compose.yml";
};
path = [
pkgs.docker-compose
];
serviceConfig = {
Restart = "on-failure";
RestartSec = 30;
ExecStart = "${pkgs.docker-compose}/bin/docker-compose -f \${FILE} up --remove-orphans";
ExecStop = "${pkgs.docker-compose}/bin/docker-compose -f \${FILE} down";
};
};
nextcloud-cronjob = let jawzNextcloudCronjob = pkgs.writeScriptBin
"nextcloud-cronjob" (builtins.readFile ./scripts/nextcloud-cronjob.sh); in {
description = "Runs various nextcloud-related cronjobs";
wantedBy = [ "default.target" ];
path = [
pkgs.bash
jawzNextcloudCronjob
];
serviceConfig = {
Restart = "on-failure";
RestartSec = 30;
ExecStart = "${jawzNextcloudCronjob}/bin/nextcloud-cronjob";
};
};
qbittorrent-nox = {
enable = true;
description = "qBittorrent-nox service";
serviceConfig = {
Type = "exec";
ExecStart= "${pkgs.qbittorrent-nox}/bin/qbittorrent-nox --webui-port=9091";
User = "jawz";
};
overrideStrategy = "asDropin";
wantedBy = [ "multi-user.target" ];
};
};
timers = {
nextcloud-cronjob = {
enable = true;
description = "Runs various nextcloud-related cronjobs";
wantedBy = [ "timers.target" ];
timerConfig = {
OnCalendar = "*:0/10";
};
};
};
timers = { };
user = {
services = {
HentaiAtHome = {
@@ -1195,22 +973,6 @@ systemd = {
ExecStart = "${jawzTasks}/bin/tasks";
};
};
update-dns = let jawzUpdateDns = pkgs.writeScriptBin
"update-dns" (builtins.readFile ./scripts/update-dns.sh); in {
restartIfChanged = true;
description = "update DNS of my websites";
wantedBy = [ "default.target" ];
path = [
pkgs.bash
pkgs.nix
jawzUpdateDns
];
serviceConfig = {
Restart = "on-failure";
RestartSec = 30;
ExecStart = "${jawzUpdateDns}/bin/update-dns";
};
};
qbit_manage = let qbit_dir = "/home/jawz/Development/Git/qbit_manage"; in {
restartIfChanged = true;
description = "Tidy up my torrents";
@@ -1235,15 +997,6 @@ systemd = {
OnCalendar = "*:0/10";
};
};
update-dns = {
enable = true;
description = "update DNS of my websites";
wantedBy = [ "timers.target" ];
timerConfig = {
OnBootSec = "1min";
OnUnitActiveSec = "6h";
};
};
qbit_manage = {
enable = true;
description = "Tidy up my torrents";
@@ -1265,23 +1018,22 @@ Open ports in the firewall.
networking = {
firewall = let
open_firewall_ports = [
80 # http
443 # https
6969 # HentaiAtHome
25152 # ssh
51413 # torrent
];
open_firewall_port_ranges = [
{ from = 1714; to = 1764; } # kdeconnect
];
in
{
enable = true;
allowedTCPPorts = open_firewall_ports;
allowedUDPPorts = open_firewall_ports;
allowedTCPPortRanges = open_firewall_port_ranges;
allowedUDPPortRanges = open_firewall_port_ranges;
};
};
# networking.firewall.enable = false;
#+end_src
* MISC SETTINGS
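Review bot: The secrets the removed hunks carried inline — the kavita `tokenKeyFile`, the Nextcloud `adminpassFile` and `dbpassFile`, each produced with `pkgs.writeText` — are presumably moved as-is into `./servers.nix` (added to `imports` in the first hunk, not in view), so they would still be written as plain files into the world-readable Nix store and they already sit in git history on this side. The moved module should point those `*File` options at a path outside the store (the commented-out `<agenix/modules/age.nix>` import in the first hunk suggests the intended mechanism), and the values committed here should be treated as exposed and replaced. The same review applies to the PostgreSQL `authentication` override that grants `trust` to every local and loopback connection, if it moved unchanged. In the last hunk, `allowedUDPPorts = open_firewall_ports;` reuses the TCP list, which opens UDP on the ssh and http(s) ports with no visible consumer; restricting it to the entries that genuinely need UDP, e.g. `allowedUDPPorts = [ 51413 ];`, would be tighter.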