jawz/NixOS
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

renamed computers

Browse Source
This commit is contained in:
Danilo Reyes
2023-09-24 18:15:29 -06:00
parent b8b4589dca
commit 81a348a442
9 changed files with 1476 additions and 241 deletions
Download Patch File Download Diff File Expand all files Collapse all files

619
workstation/configuration.org Executable file → Normal file
View File

@@ -1,15 +1,17 @@
#+TITLE: JawZ NixOS server configuration
#+TITLE: JawZ NixOS workstation configuration
#+AUTHOR: Danilo Reyes
#+PROPERTY: header-args :tangle configuration.nix
#+auto_tangle: t
* TODO [0/6]
- [ ] System configurations [0/8]
- [ ] fail2ban
- [ ] Bluetooth multiple devices + pass-through
- [ ] dotfiles [0/4]
- [ ] migrate config to home-manager
- [ ] migrate dconf to home-manager
- [ ] Misc [0/3]
- [ ] Figure out how to get rid of xterm
* DECLARATION
Here I will declare the dependencies and variables that will be used multiple
times through the config file, such as the current version of NixOS,
@@ -26,25 +28,29 @@ configurations.
- unstable: a sort of overlay that allows to prepend "unstable" to a package,
to pull from the unstable channel rather than precompiled binaries on a case
by case use.
- nixGaming: a channel containing some tweaks and optimized packages for gaming.
- jawz*: scripts that will be reused multiple times through the config, such as
on systemd, and as such this feels like a safe way to compile them only once.
#+begin_src nix
{ config, pkgs, lib, ... }:
{ config, lib, pkgs, ... }:
let
version = "23.05";
myEmail = "CaptainJawZ@outlook.com";
myName = "Danilo Reyes";
cpuArchitecture = "skylake";
cpuArchitecture = "znver3";
home-manager = builtins.fetchTarball
# "https://github.com/nix-community/home-manager/archive/master.tar.gz";
"https://github.com/nix-community/home-manager/archive/release-${version}.tar.gz";
unstable = import
(builtins.fetchTarball "https://github.com/nixos/nixpkgs/tarball/master") {
(builtins.fetchTarball
"https://github.com/nixos/nixpkgs/tarball/master") {
config = config.nixpkgs.config;
};
jawzManageLibrary = pkgs.writeScriptBin
"manage-library" (builtins.readFile ../scripts/manage-library.sh);
nixGaming = import
(builtins.fetchTarball
"https://github.com/fufexan/nix-gaming/archive/master.tar.gz");
jawzTasks = pkgs.writeScriptBin
"tasks" (builtins.readFile ../scripts/tasks.sh);
in
@@ -57,14 +63,15 @@ cluttered, for example, I may create a module for systemd units.
- agenix: an encryption system which cleans up the nix-configuration files from
passwords and other secrets.
- pipewireLowLatency: better sound for games, but also, music sounds a bit less
compressed, who knows, I'm half deaf.
#+begin_src nix
imports = [
./hardware-configuration.nix
./servers.nix
# ./openldap.nix
# <agenix/modules/age.nix>
./fstab.nix
(import "${home-manager}/nixos")
nixGaming.nixosModules.pipewireLowLatency
];
#+end_src
@@ -79,30 +86,28 @@ can not be bothered to figure out whether I need TCP or UDP so let's open both,
and repetition is maddening.
#+begin_src nix
powerManagement.cpuFreqGovernor = lib.mkDefault "performance";
networking = {
useDHCP = lib.mkDefault true;
enableIPv6 = false;
hostName = "server";
hostName = "workstation";
networkmanager.enable = true;
extraHosts = ''
192.168.1.64 workstation
192.168.1.69 server
'';
firewall = let
open_firewall_ports = [
6969 # HentaiAtHome
51413 # torrent sedding
9091 # qbittorrent
2049 # nfs
openFirewallPorts = [
7860 # gpt
6674 # ns-usbloader
];
openFirewallPortRanges = [
{ from = 1714; to = 1764; } # kdeconnect
];
open_firewall_port_ranges = [ ];
in
{
enable = true;
allowedTCPPorts = open_firewall_ports;
allowedUDPPorts = open_firewall_ports;
allowedTCPPortRanges = open_firewall_port_ranges;
allowedUDPPortRanges = open_firewall_port_ranges;
allowedTCPPorts = openFirewallPorts;
allowedUDPPorts = openFirewallPorts;
allowedTCPPortRanges = openFirewallPortRanges;
allowedUDPPortRanges = openFirewallPortRanges;
};
};
#+end_src
@@ -157,24 +162,24 @@ nix = let featuresList = [
"big-parallel"
"kvm"
"gccarch-${cpuArchitecture}"
"gccarch-znver3"
"gccarch-skylake"
];
in {
gc = {
automatic = true;
dates = "weekly";
};
# buildMachines = [ {
# hostName = "workstation";
# system = "x86_64-linux";
# sshUser = "nixremote";
# maxJobs = 4;
# speedFactor = 1;
# supportedFeatures = featuresList;
# } ];
buildMachines = [ {
hostName = "server";
system = "x86_64-linux";
sshUser = "nixremote";
maxJobs = 4;
speedFactor = 1;
supportedFeatures = featuresList;
} ];
distributedBuilds = true;
settings = {
cores = 6;
cores = 12;
auto-optimise-store = true;
system-features = featuresList;
substituters = [
@@ -193,23 +198,58 @@ nix = let featuresList = [
};
#+end_src
* DISPLAY MANAGER
Rather than having the server be completely headless, temporarily I'm enabling
xfce as a minimal display manager.
* GNOME
At the time of writing this file, I require of X11, as the NVIDIA support for
Wayland is not perfect yet. At the time being, the ability to switch through
GDM from Wayland to XORG, it's pretty handy, but in the future these settings
will require an update.
Sets up GNOME as the default desktop environment, while excluding some
undesirable packages from installing.
Lastly, since there is not a dedicated customization module per-say I setup qt
options in here, for the sake of gnome consistency.
#+begin_src nix
services = {
xserver = {
enable = true;
displayManager.defaultSession = "xfce";
videoDrivers = [ "nvidia" ];
enable = true;
displayManager.gdm.enable = true;
desktopManager = {
xfce.enable = true;
xterm.enable = false;
gnome.enable = true;
};
layout = "us";
libinput.enable = true;
};
};
environment.gnome.excludePackages = (with pkgs; [
gnome-photos
gnome-tour
gnome-text-editor
gnome-connections
# gnome-shell-extensions
baobab
])
++ (with pkgs.gnome; [
# totem
gedit
gnome-music
epiphany
gnome-characters
yelp
gnome-font-viewer
cheese
]);
# Sets up QT to use adwaita themes.
qt = {
enable = true;
# platformTheme = "gnome";
style = "adwaita-dark";
};
#+end_src
* SOUND
@@ -217,14 +257,31 @@ In order to avoid issues with PipeWire, the wiki recommends to disable
pulseaudio. This is a basic PipeWire configuration that can support alsa/pulse
backends.
lowLatency is a module of nix-gaming, and hardware bluetooth settings are there
to allegedly improve the quality of bluetooth in the system, to this day,
bluetooth and I remain enemies.
#+begin_src nix
hardware.pulseaudio.enable = false;
sound.enable = false;
services.pipewire = {
enable = true;
alsa.enable = true;
alsa.support32Bit = true;
pulse.enable = true;
lowLatency = {
enable = true;
quantum = 64;
rate = 48000;
};
};
hardware = {
pulseaudio.enable = false;
bluetooth.enable = true;
bluetooth.settings = {
General = {
Enable = "Source,Sink,Media,Socket";
};
};
};
#+end_src
@@ -279,43 +336,23 @@ Being part of the "wheel" group, means that the user has root privileges. The
piracy.gid is so I have read/write access permissions on all the hard drives
split among my multiple systems, the rest of the groups are self explanatory.
- nixremote: is a low-privilege user set exclusively with the intention to be a
proxy to build the nix-store remotely.
#+begin_src nix
users = {
groups.nixremote = {
name = "nixremote";
gid = 555;
};
users.nixremote = {
isNormalUser = true;
createHome = true;
group = "nixremote";
home = "/var/nixremote/";
openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICiyTwryzw8CblPldplDpVUkXD9C1fXVgO8LeXdE5cuR root@battlestation"
];
};
};
users.users.jawz = {
groups = { piracy.gid = 985; };
users.jawz = {
isNormalUser = true;
extraGroups = [ "wheel" "networkmanager" "docker"
"scanner" "lp" "piracy" "kavita"
"render" "video"
extraGroups = [ "wheel" "networkmanager" "scanner"
"lp" "piracy" "kavita" "video" "docker"
];
initialPassword = "password";
openssh = {
authorizedKeys.keys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIB5GaQM4N+yGAByibOFQOBVMV/6TjOfaGIP+NunMiK76 gpodeacero\cdreyes@100CDREYES"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKDXxfFRSgII4w/S1mrekPQdfXNifqRxwJa0wpQo72wB jawz@workstation";
authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIB5GaQM4N+yGAByibOFQOBVMV/6TjOfaGIP+NunMiK76 gpodeacero\cdreyes@100CDREYES"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJZ/TtwLIR/JNp1Sr3TLV/eQK52n2htF8sg/RYfz60z3 jawz@server"
];
};
#+end_src
This section of the document categorizes and organizes all he packages that I
want installed, attempting to group them as dependencies of others when
necessary.
* USER PACKAGES
This section of the document categorizes and organizes all he packages that I
want installed, attempting to group them as dependencies of others when
@@ -327,12 +364,145 @@ Begin the block to install user packages.
packages = (with pkgs; [
#+end_src
** GUI PACKAGES
All of my GUI applications categorized to make it easier to identify what each
application does, and the justification for is existence on my system.
*** ART AND DEVELOPMENT
Art and development applications are together, as a game-developer one of my
goals is to create a workflow between this ecosystem of applications.
#+begin_src nix
godot_4 # game development
gdtoolkit # gdscript language server
blender # cgi animation and sculpting
gimp # the coolest bestest art program to never exist
krita # art to your heart desire!
mypaint # not the best art program
mypaint-brushes # but it's got some
mypaint-brushes1 # nice damn brushes
# drawpile # arty party with friends!!
pureref # create inspiration/reference boards
#+end_src
*** GAMING
So far gaming has been a lot less painful than I could have originally
anticipated, most everything seems to run seamlessly.
Most packages on this section are set to unstable so we compile the newest
possible binaries, which is handy mostly for frequently developed emulators.
I never figured out why, but lutris will give me wine errors unless both wine64
and wineWow are installed.
=note= Steam is setup way later on the config file.
=note= Roblox uninstalled as there is ongoing drama regarding Linux users.
#+begin_src nix
(lutris.override {
extraPkgs = pkgs: [
winetricks
wine64Packages.stable
wineWowPackages.stable
];
})
# nixGaming.packages.${pkgs.hostPlatform.system}.wine-tkg
# nixGaming.packages.${pkgs.hostPlatform.system}.wine-discord-ipc-bridge
# vulkan-tools # needed? stuff for vulkan drivers I suppose
unstable.heroic # install epic games
gamemode # optimizes linux to have better gaming performance
# grapejuice # roblox manager
# minecraft # minecraft official launcher
parsec-bin # remote gaming with friends
protonup-qt # update proton-ge
unstable.ns-usbloader # load games into my switch
# emulators
unstable.rpcs3 # ps3 emulator
unstable.pcsx2 # ps2 emulator
unstable.cemu # wii u emulator
unstable.dolphin-emu # wii emulator
unstable.citra-nightly # 3Ds emulator
unstable.snes9x-gtk # snes emulator
#+end_src
*** PRODUCTIVITY
An assorted list of productivity-oriented apps which I will never use.
#+begin_src nix
libreoffice-fresh # office, but based
calibre # ugly af eBook library manager
foliate # gtk eBook reader
newsflash # feed reader, syncs with nextcloud
wike # gtk wikipedia wow!
denaro # manage your finances
furtherance # I made this one tehee track time utility
gnome.simple-scan # scanner
#+end_src
*** MISC
Most of these apps, are part of the gnome circle, and I decide to install them
if just for a try and play a little. Most are kept commented out as an archive,
so I remember their names in case I want to check them out or recommend them to
someone.
#+begin_src nix
blanket # background noise
pika-backup # backups
metadata-cleaner # remove any metadata and geolocation from files
# sequeler # friendly SQL client
# czkawka # duplicate finder
# celeste # sync tool for any cloud provider
#+end_src
*** MULTIMEDIA
Overwhelmingly player applications, used for videos and music, while most of my
consumption has moved towards jellyfin, it's still worth the install of most
of these, for now.
#+begin_src nix
celluloid # video player
cozy # audiobooks player
komikku # manga & comic GUI downloader
gnome-podcasts # podcast player
handbrake # video converter, may be unnecessary
curtail # image compressor
pitivi # video editor
identity # compare images or videos
gnome-obfuscate # censor private information
mousai # poor man shazam
tagger # tag music files
obs-studio # screen recorder & streamer
shortwave # listen to world radio
nextcloud-client # self-hosted google-drive alternative
#+end_src
*** WEB
Stuff that I use to interact with the web, web browsers, chats, download
managers, etc.
#+begin_src nix
firefox # web browser that allows to disable spyware
tor-browser-bundle-bin # dark web, so dark!
chromium # web browser with spyware included
telegram-desktop # furry chat
nicotine-plus # remember Ares?
warp # never used, but supposedly cool for sharing files
(pkgs.discord.override {
# withOpenASAR = true;
withVencord = true;
})
# hugo # website engine
#+end_src
** COMMAND-LINE PACKAGES
cli and tui packages, which on their own right are as or more powerful than the
packages on the previous section.
=note= exa is no longer maintained, and will soon be replaced by eza, a maintained
fork.
** COMMAND-LINE PACKAGES
#+begin_src nix
unstable.yt-dlp # downloads videos from most video websites
@@ -340,28 +510,32 @@ unstable.gallery-dl # similar to yt-dlp but for most image gallery websites
fd # modern find, faster searches
fzf # fuzzy finder! super cool and useful
gdu # disk-space utility, somewhat useful
du-dust # rusty du
trashy # oop! didn't meant to delete that
gdu # disk-space utility checker, somewhat useful
du-dust # rusty du similar to gdu
ripgrep # modern grep
trashy # oop! did not meant to delete that
unstable.eza # like ls but with colors
gocryptfs # encrypted filesystem! shhh!!!
rmlint # probably my favourite app, amazing dupe finder that integrates well with BTRFS
ffmpeg # not ffmpreg, the coolest video conversion tool!
# torrenttools # create torrent files from the terminal!
# vcsi # video thumbnails for torrents, can I replace it with ^?
#+end_src
** MY SCRIPTS
Here I compile my own scripts into binaries
*** MY SCRIPTS
Here I compile my own scripts into binaries.
#+begin_src nix
jawzManageLibrary
jawzTasks
(writeScriptBin "ffmpeg4discord" (builtins.readFile ../scripts/ffmpeg4discord.py))
(writeScriptBin "ffmpreg" (builtins.readFile ../scripts/ffmpreg.sh))
(writeScriptBin "chat-dl" (builtins.readFile ../scripts/chat-dl.sh))
(writeScriptBin "split-dir" (builtins.readFile ../scripts/split-dir.sh))
(writeScriptBin "pika-list" (builtins.readFile ../scripts/pika-list.sh))
(writeScriptBin "run" (builtins.readFile ../scripts/run.sh))
(writeScriptBin "pika-list" (builtins.readFile ../scripts/pika-list.sh))
#+end_src
** DEVELOPMENT PACKAGES
*** DEVELOPMENT PACKAGES
Assorted development packages and libraries, categorized by languages.
#+begin_src nix
@@ -403,9 +577,10 @@ pipenv # python development workflow for humans
# JS
nodejs # not as bad as I thought
# jq # linting
#+end_src
** PYTHON
*** PYTHON
#+begin_src nix
]) ++ (with pkgs.python3Packages; [
@@ -439,21 +614,9 @@ nodejs # not as bad as I thought
propagatedBuildInputs =
[ tqdm ];
})
# (buildPythonApplication rec {
# pname = "qbit_manage";
# version = "4.0.3";
# src = fetchPypi {
# inherit pname version;
# sha256 = "sha256-7eVqbLpMHS1sBw2vYS4cTtyVdnnknGtEI8190VlXflk=";
# };
# doCheck = true;
# buildInputs = [ setuptools ];
# propagatedBuildInputs =
# [ gitpython requests retrying ruamel-yaml schedule unstable.qbittorrent-api ];
# })
#+end_src
** NODEJS PACKAGES
*** NODEJS PACKAGES
Mostly language servers and linters.
#+begin_src nix
@@ -471,7 +634,7 @@ Mostly language servers and linters.
#+end_src
** HUNSPELL
These dictionaries work with Firefox, Doom Emacs and LibreOffice.
These dictionaries are compatible with Firefox, Doom Emacs and LibreOffice.
#+begin_src nix
hunspell
@@ -485,18 +648,47 @@ Themes and other customization, making my DE look the way I want is one of the
main draws of Linux for me.
#+begin_src nix
# Themes
adw-gtk3
gnome.gnome-tweaks # tweaks for the gnome desktop environment
# gradience # theme customizer, allows you to modify adw-gtk3 themes
# Fonts
(nerdfonts.override {
fonts = [ "Agave" "CascadiaCode" "SourceCodePro"
"Ubuntu" "FiraCode" "Iosevka" ];
})
symbola
(papirus-icon-theme.override {
color = "adwaita";
})
#+end_src
** CLOSING USER PACKAGES
** GNOME EXTENSIONS
The last line can be commented to allow for the installation of gnome-extensions
from the unstable channel.
#+begin_src nix
]); }; # <--- end of package list
# lm_sensors # for extension, displays cpu temp
libgda # for pano shell extension
]) ++ (with pkgs.gnomeExtensions; [
appindicator # applets for open applications
panel-scroll # scroll well to change workspaces
reading-strip # like putting a finger on every line I read
tactile # window manager
pano # clipboard manager
# freon # hardware temperature monitor
# blur-my-shell # make the overview more visually appealing
# gamemode # I guess I'm a gamer now?
# burn-my-windows
# forge # window manager
# ]) ++ (with unstable.pkgs.gnomeExtensions; [
#+end_src
** CLOSE USER PACKAGES
#+begin_src nix
]); }; };# <--- end of package list
#+end_src
* HOME-MANAGER
@@ -546,11 +738,15 @@ programs.bash = {
f = "fzf --multi --exact -i";
sc = "systemctl --user";
jc = "journalctl --user -xefu";
open-gallery = "cd /mnt/disk2/scrapping/JawZ/gallery-dl && xdg-open $(fd . ./ Husbands -tdirectory -d 1 | fzf -i)\"";
unique-extensions = "fd -tf | rev | cut -d. -f1 | rev | tr '[:upper:]' '[:lower:]' | sort | uniq --count | sort -rn";
open-gallery = "cd /mnt/disk2/scrapping/JawZ/gallery-dl \
&& xdg-open \"$(fd . ./ Husbands -tdirectory -d 1 | fzf -i)\"";
unique-extensions = "fd -tf | rev | cut -d. -f1 | rev \
| tr '[:upper:]' '[:lower:]' | sort \
| uniq --count | sort -rn";
};
enableVteIntegration = true;
initExtra = ''
,#+begin_src bash
$HOME/.local/bin/pokemon-colorscripts -r --no-title
# Lists
list_root="${config.xdg.configHome}"/jawz/lists/jawz
@@ -565,8 +761,12 @@ programs.bash = {
fi
nixos-reload () {
nixfmt /home/jawz/Development/NixOS/workstation/*.nix
sudo nixos-rebuild switch -I nixos-config=/home/jawz/Development/NixOS/workstation/configuration.nix
NIXOSDIR=/home/jawz/Development/NixOS
nix-store --add-fixed sha256 $NIXOSDIR/scripts/PureRef-1.11.1_x64.Appimage
nixfmt $NIXOSDIR/battlestation/*.nix
sudo unbuffer nixos-rebuild switch -I \
nixos-config=$NIXOSDIR/battlestation/configuration.nix \
|& nom
}
'';
};
@@ -654,6 +854,7 @@ services = {
enable = true;
defaultEditor = true;
package = pkgs.emacs;
startWithUserSession = "graphical";
};
};
#+end_src
@@ -677,10 +878,19 @@ some applications use.
#+begin_src nix
environment = {
etc = {
"wireplumber/bluetooth.lua.d/51-bluez-config.lua".text = ''
bluez_monitor.properties = {
["bluez5.enable-sbc-xq"] = true,
["bluez5.enable-msbc"] = true,
["bluez5.enable-hw-volume"] = true,
["bluez5.headset-roles"] = "[ hsp_hs hsp_ag hfp_hf hfp_ag ]"
}
'';
};
systemPackages = with pkgs; [
wget
jellyfin-ffmpeg # coolest video converter!
dlib
gwe
];
variables = rec {
# PATH
@@ -732,50 +942,6 @@ environment = {
};
#+end_src
* SNAPRAID
It's a parity raid utility which creates a scheme similar to what UNRAID
offered, except not in real time, I schedule it to run every night, so it keeps
my files sync, while it is possible to use snapraid as a solution to keep a
historic backup of your files, I am more concerned with the whole disk recovery
in case of failure, as such a frequent sync fits my preferences.
#+begin_src nix
snapraid = {
enable = true;
touchBeforeSync = true;
sync.interval = "02:00";
scrub = {
plan = 10;
olderThan = 10;
interval = "4:00";
};
parityFiles = [
"/mnt/parity/snapraid.parity"
];
extraConfig = ''
autosave 5000
'';
exclude = [
"/tmp/"
"/lost+found/"
"/multimedia/downloads/"
"/scrapping/nextcloud/"
"/backups/"
"/glue/Spankbank/____UNORGANIZED/Chaturbate/"
"/nextcloud/nextcloud.log"
];
dataDisks = {
d1 = "/mnt/disk1/";
d2 = "/mnt/disk2/";
};
contentFiles = [
"/var/snapraid.content"
"/mnt/disk1/snapraid.content"
"/mnt/disk2/snapraid.content"
];
};
#+end_src
* PROGRAMS
Some programs get enabled and installed through here, as well as the activation
of some services.
@@ -792,17 +958,17 @@ programs = {
enable = true;
enableSSHSupport = true;
};
msmtp = {
geary = {
enable = true;
accounts.default = {
auth = true;
host = "smtp.gmail.com";
port = 587;
tls = true;
from = "stunner6399@gmail.com";
user = "stunner6399@gmail.com";
password = "eqyctcgjdykqeuwt";
};
};
steam = {
enable = true;
remotePlay.openFirewall = true;
dedicatedServer.openFirewall = true;
};
kdeconnect = {
enable = true;
package = pkgs.gnomeExtensions.gsconnect;
};
};
#+end_src
@@ -810,39 +976,35 @@ programs = {
* SERVICES
Miscellaneous services, most of which are managed by systemd.
- minidlna: allows me to watch my media on my tv.
- avahi: allows to discover/connect to devices through their hostname on the
same network.
- fstrim/btrfs: file-system services.
- hardware.openrgb: enables to tune hardware RGB.
- psd: profile-sync-daemon, loads the chrome/firefox profile to ram.
#+begin_src nix
services = {
minidlna = {
printing = {
enable = true;
openFirewall = true;
settings = {
inotify = "yes";
media_dir = [
"/mnt/disk2/glue"
"/mnt/seedbox/glue"
"/mnt/disk1/multimedia/downloads"
];
};
drivers = [ pkgs.hplip pkgs.hplipWithPlugin ];
};
avahi = {
enable = true;
nssmdns = true;
};
psd.enable = true;
fstrim.enable = true;
btrfs.autoScrub = {
enable = true;
fileSystems = [
"/"
"/mnt/disk1"
"/mnt/disk2"
];
};
hardware.openrgb = {
enable = true;
package = unstable.openrgb;
motherboard = "amd";
};
openssh = {
enable = true;
openFirewall = true;
@@ -861,56 +1023,10 @@ the best way to define them for now, is using nix.
#+begin_src nix
systemd = {
packages = [ pkgs.qbittorrent-nox ];
services = {
"qbittorrent-nox@jawz" = {
enable = true;
overrideStrategy = "asDropin";
wantedBy = [ "multi-user.target" ];
};
};
services = { };
timers = { };
user = {
services = {
HentaiAtHome = {
enable = true;
restartIfChanged = true;
description = "Run hentai@home server";
wantedBy = [ "default.target" ];
serviceConfig = {
Restart = "on-failure";
RestartSec = 30;
WorkingDirectory="/mnt/hnbox";
ExecStart = "${pkgs.HentaiAtHome}/bin/HentaiAtHome";
};
};
unpackerr = {
enable = true;
restartIfChanged = true;
description = "Run unpackerr";
wantedBy = [ "default.target" ];
serviceConfig = {
Restart = "on-failure";
RestartSec = 30;
ExecStart = "${pkgs.unpackerr}/bin/unpackerr -c /home/jawz/.config/unpackerr.conf";
};
};
manage-library = {
enable = true;
restartIfChanged = true;
description = "Run the manage library bash script";
wantedBy = [ "default.target" ];
path = [
pkgs.bash
pkgs.nix
jawzManageLibrary
];
serviceConfig = {
Restart = "on-failure";
RestartSec = 30;
ExecStart = "${jawzManageLibrary}/bin/manage-library";
};
};
tasks = {
restartIfChanged = true;
description = "Run a tasks script which keeps a lot of things organized";
@@ -926,20 +1042,6 @@ systemd = {
ExecStart = "${jawzTasks}/bin/tasks";
};
};
qbit_manage = let qbit_dir = "/home/jawz/Development/Git/qbit_manage"; in {
restartIfChanged = true;
description = "Tidy up my torrents";
wantedBy = [ "default.target" ];
path = [
pkgs.python3
pkgs.pipenv
];
serviceConfig = {
Restart = "on-failure";
RestartSec = 30;
ExecStart = "${qbit_dir}/.venv/bin/python3 ${qbit_dir}/qbit_manage.py -r -c ${qbit_dir}/config.yml";
};
};
};
timers = {
tasks = {
@@ -950,14 +1052,6 @@ systemd = {
OnCalendar = "*:0/10";
};
};
qbit_manage = {
enable = true;
description = "Tidy up my torrents";
wantedBy = [ "timers.target" ];
timerConfig = {
OnCalendar = "*:0/10";
};
};
};
};
};
@@ -980,24 +1074,67 @@ Computer-specific hardware settings. The power management settings are
defaulted to "performance".
- nvidia: GPU drivers.
- cpu.intel: microcode patches.
- sane: hp scanner drivers.
- cpu.amd: microcode patches.
- opentabletdriver: overrides the default generic nvidia drivers.
- opengl: required for gaming, as pug drivers as well as video acceleration.
#+begin_src nix
powerManagement.cpuFreqGovernor = lib.mkDefault "performance";
hardware = {
cpu.amd.updateMicrocode =
lib.mkDefault config.hardware.enableRedistributableFirmware;
nvidia = {
modesetting.enable = true;
powerManagement.enable = true;
};
cpu.intel.updateMicrocode = lib.mkDefault true;
sane = {
enable = true;
extraBackends = [ pkgs.hplip pkgs.hplipWithPlugin ];
};
opentabletdriver = {
enable = true;
package = unstable.opentabletdriver;
daemon.enable = false;
};
opengl = {
enable = true;
driSupport = true;
driSupport32Bit = true;
extraPackages = with pkgs; [
nvidia-vaapi-driver
vaapiVdpau
libvdpau-va-gl
];
};
};
### TEMPORARY PATCH, pinning up the linux kernel due to a bug with newer versions.
boot.kernelPackages = pkgs.linuxPackagesFor (pkgs.linux_6_1.override {
argsOverride = rec {
src = pkgs.fetchurl {
url = "mirror://kernel/linux/kernel/v6.x/linux-${version}.tar.xz";
sha256 = "Vnc3mQ28kmWWageGOSghqfpVn9NGSU/R7/BQ2+s4OlI=";
};
version = "6.1.52";
modDirVersion = "6.1.52";
};
});
#+end_src
* DOCKER
Basic docker settings to be able to run some images, although most docker images
run on my server.
#+begin_src nix
virtualisation.docker = {
enable = true;
storageDriver = "btrfs";
enableNvidia = true;
};
#+end_src
* CLOSE SYSTEM
#+begin_src nix
}
#+end_src

91
workstation/fstab.nix Normal file
View File

@@ -0,0 +1,91 @@
{ config, pkgs, modulesPath, ... }: {
imports = [ (modulesPath + "/installer/scan/not-detected.nix") ];
boot = {
#plymouth = { enable = true; };
loader = {
efi = {
canTouchEfiVariables = true;
efiSysMountPoint = "/boot/efi";
};
grub = {
enable = true;
device = "nodev";
efiSupport = true;
enableCryptodisk = true;
};
};
initrd.luks.devices = {
nvme = {
device = "/dev/disk/by-uuid/e9618e85-a631-4374-b2a4-22c376d6e41b";
preLVM = true;
};
};
kernelModules = [ "kvm-intel" ];
kernel.sysctl = { "vm.swappiness" = 80; };
extraModulePackages = [ ];
initrd = {
availableKernelModules =
[ "xhci_pci" "ahci" "usbhid" "nvme" "usb_storage" "sd_mod" ];
kernelModules = [ ];
};
};
fileSystems = let
mount = disk: {
device = "workstation:/${disk}";
fsType = "nfs";
};
in {
"/mnt/disk1" = mount "disk1" // { };
"/mnt/disk2" = mount "disk2" // { };
"/mnt/jawz" = mount "jawz" // { };
"/mnt/seedbox" = mount "seedbox" // { };
"/" = {
device = "/dev/mapper/nvme";
fsType = "btrfs";
options = [
"subvol=nixos"
"ssd"
"compress=zstd:3"
"x-systemd.device-timeout=0"
"space_cache=v2"
"commit=120"
"datacow"
"noatime"
];
};
"/home" = {
device = "/dev/mapper/nvme";
fsType = "btrfs";
options = [
"subvol=home"
"ssd"
"compress=zstd:3"
"x-systemd.device-timeout=0"
"space_cache=v2"
"commit=120"
"datacow"
];
};
"/boot" = {
device = "/dev/disk/by-uuid/ac6d349a-96b9-499e-9009-229efd7743a5";
fsType = "ext4";
};
"/boot/efi" = {
device = "/dev/disk/by-uuid/B05D-B5FB";
fsType = "vfat";
};
};
swapDevices = [{
device = "/dev/disk/by-partuuid/c1bd22d7-e62c-440a-88d1-6464be1aa1b0";
randomEncryption = {
enable = true;
cipher = "aes-xts-plain64";
keySize = 512;
sectorSize = 4096;
};
}];
}

170
workstation/hardware-configuration.nix
View File

@@ -1,170 +0,0 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
let
unstable = import
(builtins.fetchTarball "https://github.com/nixos/nixpkgs/tarball/master") {
config = config.nixpkgs.config;
};
in {
imports = [ (modulesPath + "/installer/scan/not-detected.nix") ];
boot = {
#plymouth = { enable = true; };
loader = {
efi = {
canTouchEfiVariables = true;
efiSysMountPoint = "/boot/efi";
};
grub = {
enable = true;
device = "nodev";
efiSupport = true;
enableCryptodisk = true;
};
};
initrd.luks.devices = {
nvme = {
device = "/dev/disk/by-uuid/af72f45c-cf7c-4e7d-8eab-2a95ab754921";
preLVM = true;
};
disk1 = {
device = "/dev/disk/by-uuid/a9b0f346-7e38-40a6-baf6-3ad80cafc842";
preLVM = true;
};
disk2 = {
device = "/dev/disk/by-uuid/0ed12b83-4c56-4ba8-b4ea-75a9e927d771";
preLVM = true;
};
hnbox = {
device = "/dev/disk/by-uuid/c7dd2d5a-b0b3-46a0-aca9-3d4975c1f0bc";
preLVM = true;
};
seedbox = {
device = "/dev/disk/by-uuid/04f06a3e-a91f-476b-9a4b-b9c722ba99e7";
preLVM = true;
};
};
kernelModules = [ "kvm-intel" ];
kernel.sysctl = { "vm.swappiness" = 80; };
extraModulePackages = [ ];
initrd = {
availableKernelModules =
[ "xhci_pci" "ahci" "usbhid" "nvme" "usb_storage" "sd_mod" ];
kernelModules = [ ];
};
};
fileSystems = {
"/" = {
device = "/dev/mapper/nvme";
fsType = "btrfs";
options = [
"subvol=nix"
"ssd"
"compress=zstd:3"
"x-systemd.device-timeout=0"
"space_cache=v2"
"commit=120"
"datacow"
"noatime"
];
};
"/home" = {
device = "/dev/mapper/nvme";
fsType = "btrfs";
options = [
"subvol=home"
"ssd"
"compress=zstd:3"
"x-systemd.device-timeout=0"
"space_cache=v2"
"commit=120"
"datacow"
];
};
"/mnt/disk1" = {
device = "/dev/mapper/disk1";
fsType = "btrfs";
options = [ "compress=zstd:3" "space_cache=v2" "commit=120" "datacow" ];
};
"/var/lib/nextcloud/data" = {
device = "/mnt/disk1/nextcloud";
options = [ "bind" ];
};
"/mnt/jellyfin/media" = {
device = "/mnt/disk1/multimedia/media";
options = [ "bind" "ro" ];
};
"/mnt/disk2" = {
device = "/dev/mapper/disk2";
fsType = "btrfs";
options = [ "compress=zstd:3" "space_cache=v2" "commit=120" "datacow" ];
};
"/mnt/hnbox" = {
device = "/dev/mapper/hnbox";
fsType = "btrfs";
options = [ "compress=zstd:3" "space_cache=v2" "commit=120" "datacow" ];
};
"/mnt/seedbox" = {
device = "/dev/mapper/seedbox";
fsType = "btrfs";
options = [ "compress=zstd:3" "space_cache=v2" "commit=120" "datacow" ];
};
"/mnt/jellyfin/external" = {
device = "/mnt/seedbox/external";
options = [ "bind" "ro" ];
};
"/mnt/parity" = {
device = "/dev/disk/by-uuid/643b727a-555d-425c-943c-62f5b93631c9";
fsType = "xfs";
options = [ "defaults" ];
};
"/boot" = {
device = "/dev/disk/by-uuid/c574cb53-dc40-46db-beff-0fe8a4787156";
fsType = "ext4";
};
"/boot/efi" = {
device = "/dev/disk/by-uuid/CBE7-5DEB";
fsType = "vfat";
};
"/export/disk1" = {
device = "/mnt/disk1";
options = [ "bind" ];
};
"/export/disk2" = {
device = "/mnt/disk2";
options = [ "bind" ];
};
"/export/seedbox" = {
device = "/mnt/seedbox";
options = [ "bind" ];
};
"/export/jawz" = {
device = "/home/jawz";
options = [ "bind" ];
};
};
services.nfs = {
server = {
enable = true;
exports = ''
/export 192.168.1.64(rw,fsid=0,no_subtree_check)
/export/disk1 192.168.1.64(rw,nohide,insecure,no_subtree_check)
/export/disk2 192.168.1.64(rw,nohide,insecure,no_subtree_check)
/export/seedbox 192.168.1.64(rw,nohide,insecure,no_subtree_check)
/export/jawz 192.168.1.64(rw,nohide,insecure,no_subtree_check)
'';
};
};
swapDevices = [{
device = "/dev/disk/by-partuuid/cb0ad486-ebf8-4bfc-ad7c-96bdc68576ca";
randomEncryption = {
enable = true;
cipher = "aes-xts-plain64";
keySize = 512;
sectorSize = 4096;
};
}];
}

200
workstation/nginx.nix
View File

@@ -1,200 +0,0 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
let
localhost = "127.0.0.1";
battlestation = "192.168.1.64";
jellyfinPort = "8096";
gptPort = "7860";
nextcloudPort = 80;
flamePort = 5005;
secretFlamePort = 5007;
lidarrPort = 8686;
sonarrPort = 8989;
prowlarrPort = 9696;
radarrPort = 7878;
bazarrPort = config.services.bazarr.listenPort;
kavitaPort = config.services.kavita.port;
vaultPort = config.services.vaultwarden.config.ROCKET_PORT;
in {
services.nginx = {
enable = true;
recommendedTlsSettings = true;
recommendedGzipSettings = true;
recommendedOptimisation = true;
# recommendedProxySettings = true;
sslCiphers = "AES256+EECDH:AES256+EDH:!aNULL";
appendHttpConfig = ''
### GLOBAL
# Add HSTS header with preloading to HTTPS requests.
# Adding this header to HTTP requests is discouraged
map $scheme $hsts_header {
https "max-age=31536000; includeSubdomains; preload";
}
add_header Strict-Transport-Security $hsts_header;
# Enable CSP for your services.
#add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
# Minimize information leaked to other domains
add_header 'Referrer-Policy' 'origin-when-cross-origin';
# Disable embedding as a frame
# add_header X-Frame-Options DENY;
# Prevent injection of code in other mime types (XSS Attacks)
add_header X-Content-Type-Options nosniff;
# Enable XSS protection of the browser.
# May be unnecessary when CSP is configured properly (see above)
add_header X-XSS-Protection "1; mode=block";
# This might create errors
proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict";
# NEXTCLOUD
# upstream php-handler {
# server ${localhost}:9000;
# #server unix:/var/run/php/php7.4-fpm.sock;
# }
# Set the `immutable` cache control options only for assets with a cache busting `v` argument
# map $arg_v $asset_immutable {
# "" "";
# default "immutable";
# }
# JELLYFIN
proxy_cache_path /var/cache/nginx/jellyfin-videos levels=1:2 keys_zone=jellyfin-videos:100m inactive=90d max_size=35000m;
proxy_cache_path /var/cache/nginx/jellyfin levels=1:2 keys_zone=jellyfin:100m max_size=15g inactive=30d use_temp_path=off;
map $request_uri $h264Level { ~(h264-level=)(.+?)& $2; }
map $request_uri $h264Profile { ~(h264-profile=)(.+?)& $2; }
'';
virtualHosts = let
base = locations: {
inherit locations;
forceSSL = true;
enableACME = true;
http2 = true;
};
proxy = port:
base { "/".proxyPass = "http://${localhost}:${toString (port)}/"; };
proxyArr = port:
proxy port // {
extraConfig = ''
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $http_connection;
proxy_redirect off;
proxy_http_version 1.1;
'';
};
in {
"movies.servidos.lat" = proxyArr radarrPort // { };
"indexer.servidos.lat" = proxyArr prowlarrPort // { };
"music.servidos.lat" = proxyArr lidarrPort // { };
"library.servidos.lat" = proxy kavitaPort // { };
"start.servidos.lat" = proxy flamePort // { };
"subs.servidos.lat" = proxy bazarrPort // { };
"series.servidos.lat" = proxy sonarrPort // { };
"vault.servidos.lat" = proxy vaultPort // { };
"qampqwn4wprhqny8h8zj.servidos.lat" = proxy secretFlamePort // { };
"flix.servidos.lat" = {
forceSSL = true;
enableACME = true;
http2 = true;
extraConfig = ''
# use a variable to store the upstream proxy
# in this example we are using a hostname which is resolved via DNS
# (if you aren't using DNS remove the resolver line and change the variable to point to an IP address
resolver ${localhost} valid=30;
location = / {
return 302 http://$host/web/;
#return 302 https://$host/web/;
}
location = /web/ {
# Proxy main Jellyfin traffic
proxy_pass http://${localhost}:${jellyfinPort}/web/index.html;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Protocol $scheme;
proxy_set_header X-Forwarded-Host $http_host;
}
'';
locations = {
"/" = {
proxyPass = "http://${localhost}:${jellyfinPort}";
proxyWebsockets = true;
};
"/socket" = {
proxyPass = "http://${localhost}:${jellyfinPort}";
extraConfig = ''
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
'';
};
"~ /Items/(.*)/Images" = {
proxyPass = "http://${localhost}:${jellyfinPort}";
extraConfig = ''
proxy_cache jellyfin;
proxy_cache_revalidate on;
proxy_cache_lock on;
'';
};
"~* ^/Videos/(.*)/(?!live)" = {
proxyPass = "http://${localhost}:${jellyfinPort}";
extraConfig = ''
# Set size of a slice (this amount will be always requested from the backend by nginx)
# Higher value means more latency, lower more overhead
# This size is independent of the size clients/browsers can request
# slice 2m;
proxy_cache jellyfin-videos;
proxy_cache_valid 200 206 301 302 30d;
proxy_ignore_headers Expires Cache-Control Set-Cookie X-Accel-Expires;
proxy_cache_use_stale error timeout invalid_header updating http_500 http_502 http_503 http_504;
proxy_connect_timeout 15s;
proxy_http_version 1.1;
proxy_set_header Connection "";
# Transmit slice range to the backend
proxy_set_header Range 2m;
# This saves bandwidth between the proxy and jellyfin, as a file is only downloaded one time instead of multiple times when multiple clients want to at the same time
# The first client will trigger the download, the other clients will have to wait until the slice is cached
# Esp. practical during SyncPlay
proxy_cache_lock on;
proxy_cache_lock_age 60s;
proxy_cache_key "jellyvideo$uri?MediaSourceId=$arg_MediaSourceId&VideoCodec=$arg_VideoCodec&AudioCodec=$arg_AudioCodec&AudioStreamIndex=$arg_AudioStreamIndex&VideoBitrate=$arg_VideoBitrate&AudioBitrate=$arg_AudioBitrate&SubtitleMethod=$arg_SubtitleMethod&TranscodingMaxAudioChannels=$arg_TranscodingMaxAudioChannels&RequireAvc=$arg_RequireAvc&SegmentContainer=$arg_SegmentContainer&MinSegments=$arg_MinSegments&BreakOnNonKeyFrames=$arg_BreakOnNonKeyFrames&h264-profile=$h264Profile&h264-level=$h264Level&slicerange=2m";
# add_header X-Cache-Status $upstream_cache_status; # This is only for debugging cache
'';
};
};
};
${config.services.nextcloud.hostName} = {
forceSSL = true;
enableACME = true;
http2 = true;
serverAliases = [ "cloud.rotehaare.art" "danilo-reyes.com" ];
};
};
};
networking = {
firewall = let open_firewall_ports = [ 80 443 ];
in {
enable = true;
allowedTCPPorts = open_firewall_ports;
allowedUDPPorts = open_firewall_ports;
};
};
}

83
workstation/openldap.nix
View File

@@ -1,83 +0,0 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
let hostname = "servidos.lat";
in {
services.openldap = {
enable = true;
# enable plain and secure connections
urlList = [ "ldap:///" "ldaps:///" ];
settings = {
attrs = {
olcLogLevel = "conns config";
# settings for acme ssl
olcTLSCACertificateFile = "/var/lib/acme/${hostname}/full.pem";
olcTLSCertificateFile = "/var/lib/acme/${hostname}/cert.pem";
olcTLSCertificateKeyFile = "/var/lib/acme/${hostname}/key.pem";
olcTLSCipherSuite = "HIGH:MEDIUM:+3DES:+RC4:+aNULL";
olcTLSCRLCheck = "none";
olcTLSVerifyClient = "never";
olcTLSProtocolMin = "3.1";
};
children = {
"cn=schema".includes = [
"${pkgs.openldap}/etc/schema/core.ldif"
"${pkgs.openldap}/etc/schema/cosine.ldif"
"${pkgs.openldap}/etc/schema/inetorgperson.ldif"
];
"olcDatabase={1}mdb".attrs = {
objectClass = [ "olcDatabaseConfig" "olcMdbConfig" ];
olcDatabase = "{1}mdb";
olcDbDirectory = "/var/lib/openldap/data";
olcSuffix = "dc=example,dc=com";
# your admin account, do not use writeText on a production system
olcRootDN = "cn=admin,dc=example,dc=com";
olcRootPW.path = pkgs.writeText "olcRootPW" "pass";
olcAccess = [
# custom access rules for userPassword attributes
''
{0}to attrs=userPassword
by self write
by anonymous auth
by * none''
# allow read on anything else
''
{1}to *
by * read''
];
};
};
};
};
# ensure openldap is launched after certificates are created
systemd.services.openldap = {
wants = [ "acme-${hostname}.service" ];
after = [ "acme-${hostname}.service" ];
};
# make acme certificates accessible by openldap
security.acme.defaults.group = "certs";
users.groups.certs.members = [ "openldap" ];
# trigger the actual certificate generation for your hostname
security.acme.certs."${hostname}" = { extraDomainNames = [ ]; };
# example using hetzner dns to run letsencrypt verification
security.acme.defaults.dnsProvider = "hetzner";
security.acme.defaults.credentialsFile = pkgs.writeText "credentialsFile" ''
HETZNER_API_KEY=<your-hetzner-dns-api-key>
'';
}

0
workstation/secrets.nix_wip
View File

265
workstation/servers.nix
View File

@@ -1,265 +0,0 @@
{ config, lib, pkgs, modulesPath, ... }:
let
localhost = "127.0.0.1";
postgresPort = toString (config.services.postgresql.port);
unstable = import
(builtins.fetchTarball "https://github.com/nixos/nixpkgs/tarball/master") {
config = config.nixpkgs.config;
};
in {
imports = [ ./nginx.nix ];
nixpkgs.config = {
permittedInsecurePackages = [ "nodejs-14.21.3" "openssl-1.1.1v" ];
};
users.groups = { piracy.gid = 985; };
users.users = let base = { isSystemUser = true; };
in {
prowlarr = base // { group = "piracy"; };
nextcloud = base // {
extraGroups = [ "render" ];
packages = (with pkgs; [
nodejs_14
perl
(perlPackages.buildPerlPackage rec {
pname = "Image-ExifTool";
version = "12.60";
src = fetchurl {
url = "https://exiftool.org/Image-ExifTool-${version}.tar.gz";
hash = "sha256-c9vgbQBMMQgqVueNfyRvK7AAL7sYNUR7wyorB289Mq0=";
};
})
]);
};
};
services = let
base = {
enable = true;
group = "piracy";
};
in {
sonarr = base // { package = unstable.pkgs.sonarr; };
radarr = base // { package = unstable.pkgs.radarr; };
bazarr = base // { };
jellyfin = base // { };
prowlarr.enable = true;
paperless = {
enable = true;
address = "0.0.0.0";
consumptionDirIsPublic = true;
extraConfig = {
PAPERLESS_DBENGINE = "postgress";
PAPERLESS_DBHOST = "${localhost}";
PAPERLESS_DBNAME = "paperless";
PAPERLESS_DBUSER = "paperless";
PAPERLESS_DBPASS = "sopacerias";
PAPERLESS_DBPORT = "${postgresPort}";
PAPERLESS_CONSUMER_IGNORE_PATTERN =
builtins.toJSON [ ".DS_STORE/*" "desktop.ini" ];
PAPERLESS_TIME_ZONE = "America/Mexico_City";
PAPERLESS_OCR_USER_ARGS = builtins.toJSON {
optimize = 1;
pdfa_image_compression = "lossless";
};
};
};
vaultwarden = {
enable = true;
dbBackend = "postgresql";
package = unstable.pkgs.vaultwarden;
config = {
ROCKET_ADDRESS = "${localhost}";
ROCKET_PORT = 8222;
WEBSOCKET_PORT = 8333;
ADMIN_TOKEN =
"x9BLqz2QmnU5RmrMLt2kPpoPBTNPZxNFw/b8XrPgpQML2/01+MYENl87dmhDX+Jm";
DATABASE_URL =
"postgresql://vaultwarden:sopacerias@${localhost}:${postgresPort}/vaultwarden";
ENABLE_DB_WAL = false;
WEBSOCKET_ENABLED = true;
SHOW_PASSWORD_HINT = false;
SIGNUPS_ALLOWED = false;
EXTENDED_LOGGING = true;
LOG_LEVEL = "warn";
};
};
kavita = {
enable = true;
tokenKeyFile = "${pkgs.writeText "kavitaToken"
"Au002BRkRxBjlQrmWSuXWTGUcpXZjzMo2nJ0Z4g4OZ1S4c2zp6oaesGUXzKp2mhvOwjju002BNoURG3CRIE2qnGybvOgAlDxAZCPBzSNRcx6RJ1lFRgvI8wQR6Nd5ivYX0RMo4S8yOH8XIDhzN6vNo31rCjyv2IycX0JqiJPIovfbvXn9Y="}";
};
nextcloud = {
enable = true;
https = true;
package = pkgs.nextcloud27;
appstoreEnable = true;
configureRedis = true;
extraAppsEnable = true;
enableImagemagick = true;
maxUploadSize = "512M";
hostName = "cloud.servidos.lat";
config = {
adminpassFile = "${pkgs.writeText "adminpass"
"Overlying-Hatchback-Charting-Encounter-Deface-Gallantly7"}";
overwriteProtocol = "https";
defaultPhoneRegion = "MX";
dbtype = "pgsql";
dbuser = "nextcloud";
dbpassFile = "${pkgs.writeText "dbpass" "sopacerias"}";
dbtableprefix = "oc_";
dbname = "nextcloud";
trustedProxies = [ "nginx" ];
extraTrustedDomains = [ "cloud.rotehaare.art" "danilo-reyes.com" ];
};
phpOptions = {
catch_workers_output = "yes";
display_errors = "stderr";
error_reporting = "E_ALL & ~E_DEPRECATED & ~E_STRICT";
expose_php = "Off";
"opcache.enable_cli" = "1";
"opcache.fast_shutdown" = "1";
"opcache.interned_strings_buffer" = "16";
"opcache.jit" = "1255";
"opcache.jit_buffer_size" = "128M";
"opcache.max_accelerated_files" = "10000";
"opcache.memory_consumption" = "128";
"opcache.revalidate_freq" = "1";
"opcache.save_comments" = "1";
"opcache.validate_timestamps" = "0";
"openssl.cafile" = "/etc/ssl/certs/ca-certificates.crt";
short_open_tag = "Off";
};
extraOptions = {
mail_smtpmode = "sendmail";
mail_sendmailmode = "pipe";
"installed" = true;
"memories.exiftool" = "/etc/profiles/per-user/nextcloud/bin/exiftool";
enabledPreviewProviders = [
"OC\\Preview\\Image"
"OC\\Preview\\HEIC"
"OC\\Preview\\TIFF"
"OC\\Preview\\MKV"
"OC\\Preview\\MP4"
"OC\\Preview\\AVI"
"OC\\Preview\\Movie"
];
};
phpExtraExtensions = all: [ all.pdlib all.bz2 ];
};
postgresql = {
enable = true;
ensureDatabases = [ "paperless" "nextcloud" "mealie" "vaultwarden" ];
ensureUsers = [
{
name = "nextcloud";
ensurePermissions = { "DATABASE nextcloud" = "ALL PRIVILEGES"; };
}
{
name = "paperless";
ensurePermissions = { "DATABASE paperless" = "ALL PRIVILEGES"; };
}
{
name = "mealie";
ensurePermissions = { "DATABASE mealie" = "ALL PRIVILEGES"; };
}
{
name = "vaultwarden";
ensurePermissions = { "DATABASE vaultwarden" = "ALL PRIVILEGES"; };
}
];
authentication = pkgs.lib.mkOverride 10 ''
local all all trust
host all all ${localhost}/32 trust
host all all ::1/128 trust
'';
};
};
environment.systemPackages = with pkgs; [ docker-compose ];
virtualisation.docker = {
enable = true;
enableNvidia = true;
storageDriver = "btrfs";
};
systemd = {
services = {
docker-compose = {
enable = true;
restartIfChanged = true;
description = "Start docker-compose servers";
after = [ "docker.service" "docker.socket" ];
requires = [ "docker.service" "docker.socket" ];
wantedBy = [ "default.target" ];
environment = {
FILE = "/home/jawz/Development/Docker/docker-compose.yml";
};
path = [ pkgs.docker-compose ];
serviceConfig = {
Restart = "on-failure";
RestartSec = 30;
ExecStart =
"${pkgs.docker-compose}/bin/docker-compose -f \${FILE} up --remove-orphans";
ExecStop =
"${pkgs.docker-compose}/bin/docker-compose -f \${FILE} down";
};
};
nextcloud-cronjob = let
jawzNextcloudCronjob = pkgs.writeScriptBin "nextcloud-cronjob"
(builtins.readFile ../scripts/nextcloud-cronjob.sh);
in {
description = "Runs various nextcloud-related cronjobs";
wantedBy = [ "default.target" ];
path = [ pkgs.bash jawzNextcloudCronjob ];
serviceConfig = {
Restart = "on-failure";
RestartSec = 30;
# ${config.services.nextcloud.package}
ExecStart = "${jawzNextcloudCronjob}/bin/nextcloud-cronjob";
};
};
};
timers = {
nextcloud-cronjob = {
enable = true;
description = "Runs various nextcloud-related cronjobs";
wantedBy = [ "timers.target" ];
timerConfig = { OnCalendar = "*:0/10"; };
};
};
user.services = {
update-dns = let
jawzUpdateDns = pkgs.writeScriptBin "update-dns"
(builtins.readFile ../scripts/update-dns.sh);
in {
restartIfChanged = true;
description = "update DNS of my websites";
wantedBy = [ "default.target" ];
path = [ pkgs.bash pkgs.nix jawzUpdateDns ];
serviceConfig = {
Restart = "on-failure";
RestartSec = 30;
ExecStart = "${jawzUpdateDns}/bin/update-dns";
};
};
};
user.timers = {
update-dns = {
enable = true;
description = "update DNS of my websites";
wantedBy = [ "timers.target" ];
timerConfig = {
OnBootSec = "1min";
OnUnitActiveSec = "6h";
};
};
};
};
networking = {
firewall = let open_firewall_ports = [ config.services.paperless.port ];
in {
enable = true;
allowedTCPPorts = open_firewall_ports;
allowedUDPPorts = open_firewall_ports;
};
};
}