modularized the servers part of my config

2023-09-05 13:03:51 -06:00 · 2023-09-05 13:03:51 -06:00 · 7a34d9d9b7
commit 7a34d9d9b7
parent ffc1f1122c
3 changed files with 236 additions and 258 deletions
--- a/configuration.org
+++ b/configuration.org
@ -72,7 +72,7 @@ cluttered, for example, I may create a module for systemd units.
 #+begin_src nix
 imports = [
  ./hardware-configuration.nix
-  ./nginx.nix
+  ./servers.nix
  # ./openldap.nix
  (import "${home-manager}/nixos")
  # <agenix/modules/age.nix>
@ -216,47 +216,11 @@ nixpkgs.config = {
 };
 #+end_src
 * SYSTEM USERS
 This may be a terrible idea, but because I need some of my service applications
 to be part of specific groups so they have the required permissions to accesss
 some files, I'm using a declarative approach to set some of them up.
 #+begin_src nix
 users.groups = {
  nextcloud.gid = 990;
  piracy.gid = 985;
 };
 users.users = {
  prowlarr = {
    isSystemUser = true;
    group = "piracy";
  };
  nextcloud = {
    isSystemUser = true;
    uid = 990;
    group = "nextcloud";
    extraGroups = [ "render" ];
    packages = (with pkgs; [
      nodejs_14
      perl
      (perlPackages.buildPerlPackage rec {
        pname = "Image-ExifTool";
        version = "12.60";
        src = fetchurl {
          url = "https://exiftool.org/Image-ExifTool-${version}.tar.gz";
          hash = "sha256-c9vgbQBMMQgqVueNfyRvK7AAL7sYNUR7wyorB289Mq0=";
        };
      })
    ]);
  };
 #+end_src
 * NORMAL USERS
 Being part of the "wheel" group, means that the user has root privileges.
 #+begin_src nix
-jawz = {
+users.users.jawz = {
  isNormalUser = true;
  extraGroups = [ "wheel" "networkmanager" "docker"
                  "scanner" "lp" "piracy" "kavita"
@ -385,8 +349,6 @@ telegram-desktop # furry chat
 # hugo # website engine
 nicotine-plus # remember Ares?
 warp # never used, but supposedly cool for sharing files
 HentaiAtHome # uh-oh
 qbittorrent-nox # piracy is fun!
 #+end_src
 ** COMMAND-LINE PACKAGES
@ -582,7 +544,7 @@ symbola
  markdownlint-cli # Linter
  prettier # Linter
  pnpm # Package manager
-]); }; }; # <--- end of package list
+]); }; # <--- end of package list
 #+end_src
 * HOME-MANAGER
@ -741,7 +703,6 @@ may be challenging.
 #+begin_src nix
 environment.systemPackages = with pkgs; [
  wget
  docker-compose # easy way to migrate my docker anywhere!
  jellyfin-ffmpeg # coolest video converter!
  dlib
 ];
@ -804,17 +765,6 @@ environment.variables = rec {
 };
 #+end_src
 * DOCKER
 Virtualisation settings for Docker.  NixOS offers an option to declaratively run
 docker-compose images using [[https://nixos.wiki/wiki/Docker][Arion]].  Could be an interesting thing to try out.
 #+begin_src nix
 virtualisation.docker = {
    enable = true;
    storageDriver = "btrfs";
 };
 #+end_src
 * SNAPRAID
 It's a parity raid utility which creates a scheme similar to what UNRAID
 offered, except not in real time, I schedule it to run every night, so it keeps
@ -899,13 +849,10 @@ programs = {
 #+end_src
 * SERVICES
 ** MISC
 Miscellaneous services, most of which are managed by systemd.
 #+begin_src nix
 services = {
  # vaultwarden.enable = true;
  minidlna = {
    enable = true;
    openFirewall = true;
@ -917,35 +864,6 @@ services = {
      ];
    };
  };
  postgresql = {
    enable = true;
    ensureDatabases = [ "paperless" "nextcloud" "mealie" ];
    ensureUsers = [
      {
        name = "nextcloud";
        ensurePermissions = {
          "DATABASE nextcloud" = "ALL PRIVILEGES";
        };
      }
      {
        name = "paperless";
        ensurePermissions = {
          "DATABASE paperless" = "ALL PRIVILEGES";
        };
      }
      {
        name = "mealie";
        ensurePermissions = {
          "DATABASE mealie" = "ALL PRIVILEGES";
        };
      }
    ];
    authentication = pkgs.lib.mkOverride 10 ''
      local all all              trust
      host  all all 127.0.0.1/32 trust
      host  all all ::1/128      trust
      '';
  };
  printing = {
    enable = true;
    drivers = [ pkgs.hplip pkgs.hplipWithPlugin ];
@ -981,99 +899,6 @@ services = {
    defaultEditor = true;
    package = pkgs.emacs;
  };
 #+end_src
 ** PIRACY
 All the fun stuff happens here >:).
 #+begin_src nix
  prowlarr.enable = true;
  kavita = {
    enable = true;
    tokenKeyFile = "${pkgs.writeText "kavitaToken"  "A\u002BRkRxBjlQrmWSuXWTGUcpXZjzMo2nJ0Z4g4OZ1S4c2zp6oaesGUXzKp2mhvOwjj\u002BNoURG3CRIE2qnGybvOgAlDxAZCPBzSNRcx6RJ1lFRgvI8wQR6Nd5ivYX0RMo4S8yOH8XIDhzN6vNo31rCjyv2IycX0JqiJPIovfbvXn9Y="}";
  };
  sonarr = {
    enable = true;
    package = unstable.pkgs.sonarr;
    group = "piracy";
  };
  radarr = {
    enable = true;
    package = unstable.pkgs.radarr;
    group = "piracy";
  };
  bazarr = {
    enable = true;
    group = "piracy";
  };
  jellyfin = {
    enable = true;
    group = "piracy";
  };
 #+end_src
 ** NEXTCLOUD
 This configuration may not 100% work on a fresh installation, as some of the
 settings declared take into account pre-existing configurations and apps.
 #+begin_src nix
  nextcloud = {
    enable = true;
    https = true;
    package = pkgs.nextcloud27;
    appstoreEnable = true;
    configureRedis = true;
    maxUploadSize = "512M";
    extraAppsEnable = true;
    enableImagemagick = true;
    hostName = "cloud.servidos.lat";
    config = {
      adminpassFile = "${pkgs.writeText "adminpass" "Overlying-Hatchback-Charting-Encounter-Deface-Gallantly7"}";
      overwriteProtocol = "https";
      defaultPhoneRegion = "MX";
      dbtype = "pgsql";
      dbuser = "nextcloud";
      dbpassFile = "${pkgs.writeText "dbpass" "sopacerias"}";
      dbtableprefix = "oc_";
      dbname = "nextcloud";
      trustedProxies = [ "nginx" ];
      extraTrustedDomains = [ "cloud.rotehaare.art" "danilo-reyes.com" ];
    };
    phpOptions = {
      catch_workers_output = "yes";
      display_errors = "stderr";
      error_reporting = "E_ALL & ~E_DEPRECATED & ~E_STRICT";
      expose_php = "Off";
      "opcache.enable_cli" = "1";
      "opcache.fast_shutdown" = "1";
      "opcache.interned_strings_buffer" = "16";
      "opcache.jit" = "1255";
      "opcache.jit_buffer_size" = "128M";
      "opcache.max_accelerated_files" = "10000";
      "opcache.memory_consumption" = "128";
      "opcache.revalidate_freq" = "1";
      "opcache.save_comments" = "1";
      "opcache.validate_timestamps" = "0";
      "openssl.cafile" = "/etc/ssl/certs/ca-certificates.crt";
      short_open_tag = "Off";
    };
    extraOptions = {
      mail_smtpmode = "sendmail";
      mail_sendmailmode = "pipe";
      "installed" = true;
      "memories.exiftool" = "/etc/profiles/per-user/nextcloud/bin/exiftool";
      enabledPreviewProviders = [
        "OC\\Preview\\Image"
        "OC\\Preview\\HEIC"
        "OC\\Preview\\TIFF"
        "OC\\Preview\\MKV"
        "OC\\Preview\\MP4"
        "OC\\Preview\\AVI"
        "OC\\Preview\\Movie"
      ];
    };
    phpExtraExtensions = all: [ all.pdlib all.bz2 ];
  };
 };
 #+end_src
@ -1083,62 +908,15 @@ the best way to define them for now, is using nix.
 #+begin_src nix
 systemd = {
  packages = [ pkgs.qbittorrent-nox ];
  services = {
-    docker-compose = {
+    "qbittorrent-nox@jawz" = {
      enable = true;
-      restartIfChanged = true;
+      overrideStrategy = "asDropin";
      description = "Start docker-compose servers";
      after = [ "docker.service" "docker.socket" ];
      requires = [ "docker.service" "docker.socket" ];
      wantedBy = [ "default.target" ];
      environment = {
        FILE = "/home/jawz/Development/Docker/docker-compose.yml";
      };
      path = [
        pkgs.docker-compose
      ];
      serviceConfig = {
        Restart = "on-failure";
        RestartSec = 30;
        ExecStart = "${pkgs.docker-compose}/bin/docker-compose -f \${FILE} up --remove-orphans";
        ExecStop = "${pkgs.docker-compose}/bin/docker-compose -f \${FILE} down";
      };
    };
    nextcloud-cronjob = let jawzNextcloudCronjob = pkgs.writeScriptBin
      "nextcloud-cronjob" (builtins.readFile ./scripts/nextcloud-cronjob.sh); in {
        description = "Runs various nextcloud-related cronjobs";
        wantedBy = [ "default.target" ];
        path = [
          pkgs.bash
          jawzNextcloudCronjob
        ];
        serviceConfig = {
          Restart = "on-failure";
          RestartSec = 30;
          ExecStart = "${jawzNextcloudCronjob}/bin/nextcloud-cronjob";
        };
      };
    qbittorrent-nox = {
      enable = true;
      description = "qBittorrent-nox service";
      serviceConfig = {
        Type = "exec";
        ExecStart= "${pkgs.qbittorrent-nox}/bin/qbittorrent-nox --webui-port=9091";
        User = "jawz";
      };
      wantedBy = [ "multi-user.target" ];
    };
  };
-  timers = {
+  timers = { };
    nextcloud-cronjob = {
      enable = true;
      description = "Runs various nextcloud-related cronjobs";
      wantedBy = [ "timers.target" ];
      timerConfig = {
        OnCalendar = "*:0/10";
      };
    };
  };
  user = {
    services = {
      HentaiAtHome = {
@ -1195,22 +973,6 @@ systemd = {
          ExecStart = "${jawzTasks}/bin/tasks";
        };
      };
      update-dns = let jawzUpdateDns = pkgs.writeScriptBin
        "update-dns" (builtins.readFile ./scripts/update-dns.sh); in {
          restartIfChanged = true;
          description = "update DNS of my websites";
          wantedBy = [ "default.target" ];
          path = [
            pkgs.bash
            pkgs.nix
            jawzUpdateDns
          ];
          serviceConfig = {
            Restart = "on-failure";
            RestartSec = 30;
            ExecStart = "${jawzUpdateDns}/bin/update-dns";
          };
        };
      qbit_manage = let qbit_dir = "/home/jawz/Development/Git/qbit_manage"; in {
        restartIfChanged = true;
        description = "Tidy up my torrents";
@ -1235,15 +997,6 @@ systemd = {
          OnCalendar = "*:0/10";
        };
      };
      update-dns = {
        enable = true;
        description = "update DNS of my websites";
        wantedBy = [ "timers.target" ];
        timerConfig = {
          OnBootSec = "1min";
          OnUnitActiveSec = "6h";
        };
      };
      qbit_manage = {
        enable = true;
        description = "Tidy up my torrents";
@ -1265,23 +1018,22 @@ Open ports in the firewall.
 networking = {
  firewall = let
    open_firewall_ports = [
      80 # http
      443 # https
      6969 # HentaiAtHome
      25152 # ssh
      51413 # torrent
    ];
    open_firewall_port_ranges = [
      { from = 1714;  to = 1764; } # kdeconnect
    ];
    in
    {
    enable = true;
    allowedTCPPorts = open_firewall_ports;
    allowedUDPPorts = open_firewall_ports;
    allowedTCPPortRanges = open_firewall_port_ranges;
    allowedUDPPortRanges = open_firewall_port_ranges;
  };
 };
 # networking.firewall.enable = false;
 #+end_src
 * MISC SETTINGS
--- a/nginx.nix
+++ b/nginx.nix
@ -101,12 +101,12 @@ in {
      "library.servidos.lat" = proxy kavitaPort // { };
      "bookmarks.servidos.lat" = proxy shioriPort // { };
      "start.servidos.lat" = proxy flamePort // { };
      "qampqwn4wprhqny8h8zj.servidos.lat" = proxy secretFlamePort // { };
      "music.servidos.lat" = proxy lidarrPort // { };
      "subs.servidos.lat" = proxy bazarrPort // { };
      "series.servidos.lat" = proxy sonarrPort // { };
      "vault.servidos.lat" = proxy vaultPort // { };
      "searx.servidos.lat" = proxy searxPort // { };
      "qampqwn4wprhqny8h8zj.servidos.lat" = proxy secretFlamePort // { };
      "flix.servidos.lat" = {
        forceSSL = true;
        enableACME = true;
@ -192,4 +192,12 @@ in {
      };
    };
  };
  networking = {
    firewall = let open_firewall_ports = [ 80 443 ];
    in {
      enable = true;
      allowedTCPPorts = open_firewall_ports;
      allowedUDPPorts = open_firewall_ports;
    };
  };
 }
--- a/servers.nix
+++ b/servers.nix
@ -0,0 +1,218 @@
 { config, lib, pkgs, modulesPath, ... }:
 let
  unstable = import
    (builtins.fetchTarball "https://github.com/nixos/nixpkgs/tarball/master") {
      config = config.nixpkgs.config;
    };
 in {
  imports = [ ./nginx.nix ];
  users.groups = {
    nextcloud.gid = 990;
    piracy.gid = 985;
    kavita.gid = 982;
  };
  users.users = let
    base = uid: {
      uid = uid;
      group = "piracy";
      isSystemUser = true;
    };
  in {
    prowlarr = base 987 // { };
    sonarr = base 274 // { };
    radarr = base 275 // { };
    nextcloud = {
      isSystemUser = true;
      uid = 990;
      group = "nextcloud";
      extraGroups = [ "render" ];
      packages = (with pkgs; [
        nodejs_14
        perl
        (perlPackages.buildPerlPackage rec {
          pname = "Image-ExifTool";
          version = "12.60";
          src = fetchurl {
            url = "https://exiftool.org/Image-ExifTool-${version}.tar.gz";
            hash = "sha256-c9vgbQBMMQgqVueNfyRvK7AAL7sYNUR7wyorB289Mq0=";
          };
        })
      ]);
    };
  };
  services = let
    base = {
      enable = true;
      group = "piracy";
    };
  in {
    prowlarr.enable = true;
    kavita = {
      enable = true;
      tokenKeyFile = "${pkgs.writeText "kavitaToken"
        "Au002BRkRxBjlQrmWSuXWTGUcpXZjzMo2nJ0Z4g4OZ1S4c2zp6oaesGUXzKp2mhvOwjju002BNoURG3CRIE2qnGybvOgAlDxAZCPBzSNRcx6RJ1lFRgvI8wQR6Nd5ivYX0RMo4S8yOH8XIDhzN6vNo31rCjyv2IycX0JqiJPIovfbvXn9Y="}";
    };
    sonarr = base // { package = unstable.pkgs.sonarr; };
    radarr = base // { package = unstable.pkgs.radarr; };
    bazarr = base // { };
    jellyfin = base // { };
    nextcloud = {
      enable = true;
      https = true;
      package = pkgs.nextcloud27;
      appstoreEnable = true;
      configureRedis = true;
      extraAppsEnable = true;
      enableImagemagick = true;
      maxUploadSize = "512M";
      hostName = "cloud.servidos.lat";
      config = {
        adminpassFile = "${pkgs.writeText "adminpass"
          "Overlying-Hatchback-Charting-Encounter-Deface-Gallantly7"}";
        overwriteProtocol = "https";
        defaultPhoneRegion = "MX";
        dbtype = "pgsql";
        dbuser = "nextcloud";
        dbpassFile = "${pkgs.writeText "dbpass" "sopacerias"}";
        dbtableprefix = "oc_";
        dbname = "nextcloud";
        trustedProxies = [ "nginx" ];
        extraTrustedDomains = [ "cloud.rotehaare.art" "danilo-reyes.com" ];
      };
      phpOptions = {
        catch_workers_output = "yes";
        display_errors = "stderr";
        error_reporting = "E_ALL & ~E_DEPRECATED & ~E_STRICT";
        expose_php = "Off";
        "opcache.enable_cli" = "1";
        "opcache.fast_shutdown" = "1";
        "opcache.interned_strings_buffer" = "16";
        "opcache.jit" = "1255";
        "opcache.jit_buffer_size" = "128M";
        "opcache.max_accelerated_files" = "10000";
        "opcache.memory_consumption" = "128";
        "opcache.revalidate_freq" = "1";
        "opcache.save_comments" = "1";
        "opcache.validate_timestamps" = "0";
        "openssl.cafile" = "/etc/ssl/certs/ca-certificates.crt";
        short_open_tag = "Off";
      };
      extraOptions = {
        mail_smtpmode = "sendmail";
        mail_sendmailmode = "pipe";
        "installed" = true;
        "memories.exiftool" = "/etc/profiles/per-user/nextcloud/bin/exiftool";
        enabledPreviewProviders = [
          "OC\\Preview\\Image"
          "OC\\Preview\\HEIC"
          "OC\\Preview\\TIFF"
          "OC\\Preview\\MKV"
          "OC\\Preview\\MP4"
          "OC\\Preview\\AVI"
          "OC\\Preview\\Movie"
        ];
      };
      phpExtraExtensions = all: [ all.pdlib all.bz2 ];
    };
    postgresql = {
      enable = true;
      ensureDatabases = [ "paperless" "nextcloud" "mealie" ];
      ensureUsers = [
        {
          name = "nextcloud";
          ensurePermissions = { "DATABASE nextcloud" = "ALL PRIVILEGES"; };
        }
        {
          name = "paperless";
          ensurePermissions = { "DATABASE paperless" = "ALL PRIVILEGES"; };
        }
        {
          name = "mealie";
          ensurePermissions = { "DATABASE mealie" = "ALL PRIVILEGES"; };
        }
      ];
      authentication = pkgs.lib.mkOverride 10 ''
        local all all              trust
        host  all all 127.0.0.1/32 trust
        host  all all ::1/128      trust
      '';
    };
  };
  virtualisation.docker = {
    enable = true;
    storageDriver = "btrfs";
  };
  systemd = {
    services = {
      docker-compose = {
        enable = true;
        restartIfChanged = true;
        description = "Start docker-compose servers";
        after = [ "docker.service" "docker.socket" ];
        requires = [ "docker.service" "docker.socket" ];
        wantedBy = [ "default.target" ];
        environment = {
          FILE = "/home/jawz/Development/Docker/docker-compose.yml";
        };
        path = [ pkgs.docker-compose ];
        serviceConfig = {
          Restart = "on-failure";
          RestartSec = 30;
          ExecStart =
            "${pkgs.docker-compose}/bin/docker-compose -f \${FILE} up --remove-orphans";
          ExecStop =
            "${pkgs.docker-compose}/bin/docker-compose -f \${FILE} down";
        };
      };
      nextcloud-cronjob = let
        jawzNextcloudCronjob = pkgs.writeScriptBin "nextcloud-cronjob"
          (builtins.readFile ./scripts/nextcloud-cronjob.sh);
      in {
        description = "Runs various nextcloud-related cronjobs";
        wantedBy = [ "default.target" ];
        path = [ pkgs.bash jawzNextcloudCronjob ];
        serviceConfig = {
          Restart = "on-failure";
          RestartSec = 30;
          # ${config.services.nextcloud.package}
          ExecStart = "${jawzNextcloudCronjob}/bin/nextcloud-cronjob";
        };
      };
    };
    timers = {
      nextcloud-cronjob = {
        enable = true;
        description = "Runs various nextcloud-related cronjobs";
        wantedBy = [ "timers.target" ];
        timerConfig = { OnCalendar = "*:0/10"; };
      };
    };
    user.services = {
      update-dns = let
        jawzUpdateDns = pkgs.writeScriptBin "update-dns"
          (builtins.readFile ./scripts/update-dns.sh);
      in {
        restartIfChanged = true;
        description = "update DNS of my websites";
        wantedBy = [ "default.target" ];
        path = [ pkgs.bash pkgs.nix jawzUpdateDns ];
        serviceConfig = {
          Restart = "on-failure";
          RestartSec = 30;
          ExecStart = "${jawzUpdateDns}/bin/update-dns";
        };
      };
    };
    user.timers = {
      update-dns = {
        enable = true;
        description = "update DNS of my websites";
        wantedBy = [ "timers.target" ];
        timerConfig = {
          OnBootSec = "1min";
          OnUnitActiveSec = "6h";
        };
      };
    };
  };
 }