jawz/NixOS
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

restructured directories + modularized btrfs mount

Browse Source
This commit is contained in:
Danilo Reyes
2024-04-18 20:24:00 -06:00
parent bad3a00e3c
commit d271979bec
75 changed files with 65 additions and 1873 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1017
hosts/miniserver/configuration.org Normal file
View File

File diff suppressed because it is too large Load Diff

228
hosts/miniserver/docker.nix Normal file
View File

@@ -0,0 +1,228 @@
{ config, lib, pkgs, ... }:
{
environment.systemPackages = with pkgs; [ docker-compose ];
virtualisation = let postgresSocket = "/run/postgresql";
in {
docker = {
enable = true;
enableNvidia = true;
# dockerCompat = true;
# defaultNetwork.settings.dns_enabled = true;
autoPrune = {
enable = true;
flags = [ "--all" ];
dates = "weekly";
};
};
oci-containers = {
backend = "docker";
containers = {
collabora = {
autoStart = true;
image = "collabora/code";
imageFile = pkgs.dockerTools.pullImage {
imageName = "collabora/code";
imageDigest =
"sha256:aab41379baf5652832e9237fcc06a768096a5a7fccc66cf8bd4fdb06d2cbba7f";
sha256 = "sha256-M66lynhzaOEFnE15Sy1N6lBbGDxwNw6ap+IUJAvoCLs=";
};
ports = [ "9980:9980" ];
environment = {
TZ = "America/Mexico_City";
domain = "cloud.servidos.lat";
aliasgroup1 = "cloud.servidos.lat:443";
aliasgroup2 = "cloud.rotehaare.art:443";
dictionaries = "en_CA en_US es_MX es_ES fr_FR it pt_BR ru";
extra_params = ''
--o:ssl.enable=false
--o:ssl.termination=true
'';
};
extraOptions = [ "--cap-add" "MKNOD" ];
};
# metube = {
# image = "ghcr.io/alexta69/metube";
# ports = [ "8881:8081" ];
# volumes = [
# "/var/lib/docker-configs/metube:/downloads"
# "/home/jawz/.local/share/cookies.txt:/cookies.txt"
# ];
# environment = {
# TZ = "America/Mexico_City";
# YTDL_OPTIONS = ''{"cookiefile":"/cookies.txt"}'';
# };
# };
vocechat = {
image = "privoce/vocechat-server:latest";
ports = [ "3001:3000" ];
volumes =
[ "/var/lib/docker-configs/vocechat:/home/vocechat-server/data" ];
environment = { TZ = "America/Mexico_City"; };
};
ryot = {
image = "ghcr.io/ignisda/ryot:latest";
ports = [ "8765:8000" ];
environment = {
TZ = "America/Mexico_City";
DATABASE_URL = "postgres:///ryot?host=${postgresSocket}";
SERVER_INSECURE_COOKIE = "true";
VIDEO_GAMES_TWITCH_CLIENT_ID = "tfu0hw0zbdbu4lco4h72nqkb8krxp9";
VIDEO_GAMES_TWITCH_CLIENT_SECRET = "582ecfb01ihv6wnt8zbc9pf3hs9p54";
};
volumes = [ "${postgresSocket}:${postgresSocket}" ];
labels = {
"flame.type" = "application";
"flame.name" = "Ryot";
"flame.url" = "tracker.servidos.lat";
"flame.icon" = "radar";
};
};
multi-scrobbler = {
image = "foxxmd/multi-scrobbler";
ports = [ "9078:9078" ];
environment = {
TZ = "America/Mexico_City";
PUID = "1000";
PGID = "100";
BASE_URL = "https://scrobble.servidos.lat";
# JELLYFIN_USER = "jawz";
# JELLYFIN_SERVER = "DaniloFlix";
DEEZER_CLIENT_ID = "657431";
DEEZER_CLIENT_SECRET = "cb2ad03682dd5a55dfef857388ef181e";
DEEZER_REDIRECT_URI = "http://192.168.1.69:9078/deezer/callback";
MALOJA_URL = "https://maloja.servidos.lat";
MALOJA_API_KEY =
"LsnY2Ed484JlzUmF6EwhpGJ0gUCjJ2G5s1oJTwALJN8w1N3K6eXpfjBQp3raNPLA";
WS_ENABLE = "true";
};
volumes = [ "/var/lib/docker-configs/multi-scrobbler:/config" ];
labels = {
"flame.type" = "application";
"flame.name" = "Multi-scrobbler";
"flame.url" = "scrobble.servidos.lat";
"flame.icon" = "broadcast";
};
};
maloja = {
image = "krateng/maloja";
ports = [ "42010:42010" ];
environment = {
TZ = "America/Mexico_City";
MALOJA_TIMEZONE = "-6";
PUID = "1000";
PGID = "100";
MALOJA_DATA_DIRECTORY = "/mljdata";
MALOJA_SKIP_SETUP = "true";
MALOJA_FORCE_PASSWORD = "chichis";
};
volumes = [ "/var/lib/docker-configs/maloja:/mljdata" ];
labels = {
"flame.type" = "application";
"flame.name" = "Maloja";
"flame.url" = "maloja.servidos.lat";
"flame.icon" = "bookmark-music";
};
};
# flaresolverr = {
# autoStart = true;
# image = "ghcr.io/flaresolverr/flaresolverr:latest";
# ports = [ "8191:8191" ];
# };
flame = {
autoStart = true;
image = "pawelmalak/flame";
ports = [ "5005:5005" ];
volumes = [
"/var/lib/docker-configs/flame:/app/data"
"/var/run/docker.sock:/var/run/docker.sock"
];
environment = {
TZ = "America/Mexico_City";
PUID = "1000";
PGID = "100";
PASSWORD = "RkawpqMc8lR56QyU7JSfiLhG";
};
};
flame-nsfw = {
autoStart = true;
image = "pawelmalak/flame";
ports = [ "5007:5005" ];
volumes = [ "/var/lib/docker-configs/flame-nsfw:/app/data" ];
environment = {
TZ = "America/Mexico_City";
PUID = "1000";
PGID = "100";
PASSWORD = "RkawpqMc8lR56QyU7JSfiLhG";
};
};
# lidarr = {
# autoStart = true;
# image = "lscr.io/linuxserver/lidarr:latest";
# ports = [ "8686:8686" ];
# environment = {
# TZ = "America/Mexico_City";
# PUID = "1000";
# PGID = "100";
# };
# volumes = [
# "/mnt/pool/multimedia:/data"
# "/mnt/pool/multimedia/media/Music:/music"
# "/mnt/pool/multimedia/media/MusicVideos:/music-videos"
# "/var/lib/docker-configs/lidarr/files:/config"
# "/var/lib/docker-configs/lidarr/custom-services.d:/custom-services.d"
# "/var/lib/docker-configs/lidarr/custom-cont-init.d:/custom-cont-init.d"
# ];
# labels = {
# "flame.type" = "application";
# "flame.name" = "Lidarr";
# "flame.url" = "music.servidos.lat";
# "flame.icon" = "music";
# };
# };
mealie = {
autoStart = true;
image = "ghcr.io/mealie-recipes/mealie:v1.4.0";
ports = [ "9925:9000" ];
volumes = [ "/var/lib/docker-configs/mealie:/app/data/" ];
environment = {
TZ = "America/Mexico_City";
ALLOW_SIGNUP = "true";
PUID = "1000";
PGID = "100";
MAX_WORKERS = "1";
WEB_CONCURRENCY = "1";
BASE_URL = "https://mealie.servidos.lat";
SMTP_HOST = "smtp.gmail.com";
SMTP_PORT = "587";
SMTP_FROM_EMAIL = "stunner6399@gmail.com";
SMTP_USER = "stunner6399@gmail.com";
SMTP_PASSWORD = "ywofhisexfawslob";
};
extraOptions = [
"--memory=1g" # VA-API (omit for NVENC)
];
labels = {
"flame.type" = "application";
"flame.name" = "Mealie";
"flame.url" = "mealie.servidos.lat";
"flame.icon" = "fridge";
};
};
go-vod = {
autoStart = true;
image = "radialapps/go-vod";
environment = {
TZ = "America/Mexico_City";
NEXTCLOUD_HOST = "https://${config.services.nextcloud.hostName}";
NVIDIA_VISIBLE_DEVICES = "all";
};
volumes = [ "ncdata:/var/www/html:ro" ];
extraOptions = [
"--device=/dev/dri" # VA-API (omit for NVENC)
];
};
};
};
};
}

155
hosts/miniserver/fstab.nix Normal file
View File

@@ -0,0 +1,155 @@
{ config, lib, pkgs, modulesPath, ... }: {
imports = [ (modulesPath + "/installer/scan/not-detected.nix") ];
boot = {
loader = {
efi = {
canTouchEfiVariables = true;
efiSysMountPoint = "/boot/efi";
};
grub = {
enable = true;
device = "nodev";
efiSupport = true;
enableCryptodisk = true;
};
};
initrd.luks.devices = {
nvme = {
device = "/dev/disk/by-uuid/30fd7d86-9bed-42a6-8a4e-a2ddb0031233";
preLVM = true;
};
# disk1 = {
# device = "/dev/disk/by-uuid/a9b0f346-7e38-40a6-baf6-3ad80cafc842";
# preLVM = true;
# };
# disk2 = {
# device = "/dev/disk/by-uuid/0ed12b83-4c56-4ba8-b4ea-75a9e927d771";
# preLVM = true;
# };
# disk3 = {
# device = "/dev/disk/by-uuid/8cd728f6-0d5b-4cea-8f7d-01aad11192c1";
# preLVM = true;
# };
# disk4 = {
# device = "/dev/disk/by-uuid/7fcac808-491f-4846-a4a9-a34cc77cb43d";
# preLVM = true;
# };
};
kernelModules = [ "kvm-intel" ];
kernel.sysctl = {
"vm.swappiness" = 80;
"net.ipv6.conf.all.disable_ipv6" = 1;
"net.ipv6.conf.lo.disable_ipv6" = 1;
"net.ipv6.conf.default.disable_ipv6" = 1;
};
extraModulePackages = [ ];
initrd = {
availableKernelModules = [
"xhci_pci"
"ahci"
"usbhid"
"nvme"
"usbhid"
"usb_storage"
"sd_mod"
"sdhci_pci"
];
kernelModules = [ "kvm-intel" ];
};
};
fileSystems = {
"/" = {
device = "/dev/mapper/nvme";
fsType = "btrfs";
options = [
"subvol=nix"
"ssd"
"compress=zstd:3"
"x-systemd.device-timeout=0"
"space_cache=v2"
"commit=120"
"datacow"
"noatime"
];
};
"/home" = {
device = "/dev/mapper/nvme";
fsType = "btrfs";
options = [
"subvol=home"
"ssd"
"compress=zstd:3"
"x-systemd.device-timeout=0"
"space_cache=v2"
"commit=120"
"datacow"
];
};
# "/mnt/pool" = {
# device = "/dev/disk/by-uuid/1e7cf787-e34d-4e3e-ac3c-0c07309dbd34";
# fsType = "btrfs";
# options = [
# "subvol=@data"
# "compress=zstd:3"
# "space_cache=v2"
# "commit=120"
# "datacow"
# ];
# };
"/boot" = {
device = "/dev/disk/by-uuid/bf0aeb95-94cc-4377-b6e4-1dbb4958b334";
fsType = "ext4";
};
"/boot/efi" = {
device = "/dev/disk/by-uuid/0C7B-4D4C";
fsType = "vfat";
};
"/var/lib/nextcloud/data" = {
device = "/mnt/pool/nextcloud";
options = [ "bind" ];
depends = [ "/mnt/pool" ];
};
# "/mnt/jellyfin/media" = {
# device = "/mnt/pool/multimedia/media";
# options = [ "bind" "ro" ];
# depends = [ "/mnt/pool" ];
# };
# NFS
"/export/pool" = {
device = "/mnt/pool";
options = [ "bind" ];
depends = [ "/mnt/pool" ];
};
"/export/jawz" = {
device = "/home/jawz";
options = [ "bind" ];
depends = [ "/mnt/pool" ];
};
"/export/disks" = {
device = "/mnt/disks";
options = [ "bind" ];
depends = [ "/mnt/disks" ];
};
};
services.nfs = {
server = {
enable = true;
exports = ''
/export workstation(rw,fsid=0,no_subtree_check)
/export/jawz workstation(rw,nohide,insecure,no_subtree_check)
/export/disks workstation(rw,nohide,insecure,no_subtree_check)
/export/pool workstation(rw,nohide,insecure,no_subtree_check)
'';
};
};
swapDevices = [{
device = "/dev/nvme0n1p3";
randomEncryption = {
enable = true;
cipher = "aes-xts-plain64";
keySize = 512;
sectorSize = 4096;
};
}];
}

37
hosts/miniserver/mail.nix Normal file
View File

@@ -0,0 +1,37 @@
{ config, pkgs, ... }:
let
version = "23.05";
domain = "danilo-reyes.com";
in {
imports = [
(builtins.fetchTarball {
# Pick a release version you are interested in and set its hash, e.g.
url =
"https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/-/archive/nixos-${version}/nixos-mailserver-nixos-${version}.tar.gz";
# To get the sha256 of the nixos-mailserver tarball, we can use the nix-prefetch-url command:
# release="nixos-23.05"; nix-prefetch-url "https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/-/archive/${release}/nixos-mailserver-${release}.tar.gz" --unpack
sha256 = "1ngil2shzkf61qxiqw11awyl81cr7ks2kv3r3k243zz7v2xakm5c";
})
];
mailserver = {
enable = true;
fqdn = "mail.${domain}";
domains = [ domain ];
# A list of all login accounts. To create the password hashes, use
# nix-shell -p mkpasswd --run 'mkpasswd -sm bcrypt'
loginAccounts = {
"contact@${domain}" = {
hashedPasswordFile = ../dotfiles/secrets/mailserver;
aliases = [ "jawz@${domain}" ];
};
};
# Use Let's Encrypt certificates. Note that this needs to set up a stripped
# down nginx and opens port 80.
certificateScheme = "acme-nginx";
};
security.acme.acceptTerms = true;
security.acme.defaults.email = "contact@${domain}";
}

260
hosts/miniserver/nginx.nix Normal file
View File

@@ -0,0 +1,260 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
let
localhost = "127.0.0.1";
workstation = "192.168.1.64";
domain = "servidos.lat";
jellyfinPort = 8096;
nextcloudPort = 80;
collaboraPort = 9980;
flamePort = 5005;
secretFlamePort = 5007;
lidarrPort = 8686;
qbitPort = 9091;
prowlarrPort = 9696;
radarrPort = 7878;
sonarrPort = 8989;
mealiePort = 9925;
ryotPort = 8765;
scrobblePort = 9078;
malojaPort = 42010;
darkwirePort = 3001;
jiraPort = 8091;
metatubePort = 8881;
bazarrPort = config.services.bazarr.listenPort;
kavitaPort = config.services.kavita.port;
vaultPort = config.services.vaultwarden.config.ROCKET_PORT;
audiobookPort = config.services.audiobookshelf.port;
microbinPort = config.services.microbin.settings.MICROBIN_PORT;
in {
services.nginx = {
enable = true;
clientMaxBodySize = "4096m";
# recommendedTlsSettings = true;
# recommendedGzipSettings = true;
# recommendedOptimisation = true;
sslCiphers = "AES256+EECDH:AES256+EDH:!aNULL";
appendHttpConfig = ''
# JELLYFIN
proxy_cache_path /var/cache/nginx/jellyfin-videos levels=1:2 keys_zone=jellyfin-videos:100m inactive=90d max_size=35000m;
proxy_cache_path /var/cache/nginx/jellyfin levels=1:2 keys_zone=jellyfin:100m max_size=15g inactive=30d use_temp_path=off;
map $request_uri $h264Level { ~(h264-level=)(.+?)& $2; }
map $request_uri $h264Profile { ~(h264-profile=)(.+?)& $2; }
'';
virtualHosts = let
base = locations: {
inherit locations;
forceSSL = true;
enableACME = true;
http2 = true;
};
proxy = port:
base { "/".proxyPass = "http://${localhost}:${toString (port)}/"; };
proxyArr = port:
proxy port // {
extraConfig = ''
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $http_connection;
proxy_redirect off;
proxy_http_version 1.1;
'';
};
in {
# "movies.${domain}" = proxyArr radarrPort // { };
# "indexer.${domain}" = proxyArr prowlarrPort // { };
# "music.${domain}" = proxyArr lidarrPort // { };
# "library.${domain}" = proxy kavitaPort // { };
"start.${domain}" = proxy flamePort // { };
# "subs.${domain}" = proxy bazarrPort // { };
# "series.${domain}" = proxy sonarrPort // { };
"vault.${domain}" = proxy vaultPort // { };
"copy.${domain}" = proxy microbinPort // { };
"mealie.${domain}" = proxy mealiePort // { };
"tracker.${domain}" = proxy ryotPort // { };
"scrobble.${domain}" = proxy scrobblePort // { };
"maloja.${domain}" = proxy malojaPort // { };
"jira.${domain}" = proxy jiraPort // { };
"bajameesta.${domain}" = proxy metatubePort // { };
"qampqwn4wprhqny8h8zj.${domain}" = proxy secretFlamePort // { };
"xfwmrle6h6skqujbeizw.${domain}" = proxy qbitPort // { };
"audiobooks.${domain}" = base {
"/" = {
proxyPass = "http://${localhost}:${toString (audiobookPort)}";
extraConfig = ''
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Host $host;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_http_version 1.1;
proxy_redirect http:// https://;
'';
};
};
"dontcancelmeplz.${domain}" = base {
"/" = {
proxyPass = "http://${localhost}:${toString (darkwirePort)}";
proxyWebsockets = true;
extraConfig = ''
# Ensuring it can use websockets
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto http;
proxy_redirect http:// $scheme://;
# The proxy must preserve the host because gotify verifies the host with the origin
# for WebSocket connections
proxy_set_header Host $host;
# These sets the timeout so that the websocket can stay alive
proxy_connect_timeout 1m;
proxy_send_timeout 1m;
proxy_read_timeout 1m;
'';
};
};
"flix.${domain}" = {
forceSSL = true;
enableACME = true;
http2 = true;
extraConfig = ''
# use a variable to store the upstream proxy
# in this example we are using a hostname which is resolved via DNS
# (if you aren't using DNS remove the resolver line and change the variable to point to an IP address
resolver ${localhost} valid=30;
location = / {
return 302 http://$host/web/;
#return 302 https://$host/web/;
}
location = /web/ {
# Proxy main Jellyfin traffic
proxy_pass http://${localhost}:${
toString (jellyfinPort)
}/web/index.html;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Protocol $scheme;
proxy_set_header X-Forwarded-Host $http_host;
}
'';
locations = {
"/" = {
proxyPass = "http://${localhost}:${toString (jellyfinPort)}";
proxyWebsockets = true;
};
"/socket" = {
proxyPass = "http://${localhost}:${toString (jellyfinPort)}";
extraConfig = ''
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
'';
};
"~ /Items/(.*)/Images" = {
proxyPass = "http://${localhost}:${toString (jellyfinPort)}";
extraConfig = ''
proxy_cache jellyfin;
proxy_cache_revalidate on;
proxy_cache_lock on;
'';
};
"~* ^/Videos/(.*)/(?!live)" = {
proxyPass = "http://${localhost}:${toString (jellyfinPort)}";
extraConfig = ''
# Set size of a slice (this amount will be always requested from the backend by nginx)
# Higher value means more latency, lower more overhead
# This size is independent of the size clients/browsers can request
# slice 2m;
proxy_cache jellyfin-videos;
proxy_cache_valid 200 206 301 302 30d;
proxy_ignore_headers Expires Cache-Control Set-Cookie X-Accel-Expires;
proxy_cache_use_stale error timeout invalid_header updating http_500 http_502 http_503 http_504;
proxy_connect_timeout 15s;
proxy_http_version 1.1;
proxy_set_header Connection "";
# Transmit slice range to the backend
proxy_set_header Range 2m;
# This saves bandwidth between the proxy and jellyfin, as a file is only downloaded one time instead of multiple times when multiple clients want to at the same time
# The first client will trigger the download, the other clients will have to wait until the slice is cached
# Esp. practical during SyncPlay
proxy_cache_lock on;
proxy_cache_lock_age 60s;
proxy_cache_key "jellyvideo$uri?MediaSourceId=$arg_MediaSourceId&VideoCodec=$arg_VideoCodec&AudioCodec=$arg_AudioCodec&AudioStreamIndex=$arg_AudioStreamIndex&VideoBitrate=$arg_VideoBitrate&AudioBitrate=$arg_AudioBitrate&SubtitleMethod=$arg_SubtitleMethod&TranscodingMaxAudioChannels=$arg_TranscodingMaxAudioChannels&RequireAvc=$arg_RequireAvc&SegmentContainer=$arg_SegmentContainer&MinSegments=$arg_MinSegments&BreakOnNonKeyFrames=$arg_BreakOnNonKeyFrames&h264-profile=$h264Profile&h264-level=$h264Level&slicerange=2m";
# add_header X-Cache-Status $upstream_cache_status; # This is only for debugging cache
'';
};
};
};
${config.services.nextcloud.hostName} = {
forceSSL = true;
enableACME = true;
http2 = true;
serverAliases = [ "cloud.rotehaare.art" ];
locations = {
"/".proxyWebsockets = true;
# uh, equals what?
"~ ^/nextcloud/(?:index|remote|public|cron|core/ajax/update|status|ocs/v[12]|updater/.+|oc[ms]-provider/.+|.+/richdocumentscode/proxy).php(?:$|/)" =
{ };
};
};
"collabora.${domain}" = let
collaboraString = "http://${localhost}:${toString (collaboraPort)}";
collaboraProxy = {
proxyPass = collaboraString;
extraConfig = ''
proxy_set_header Host $host;
'';
};
collaboraSocket = {
proxyPass = collaboraString;
extraConfig = ''
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "Upgrade";
proxy_set_header Host $host;
proxy_read_timeout 36000s;
'';
};
in base {
# static files
"^~ /loleaflet" = collaboraProxy;
# WOPI discovery URL
"^~ /hosting/discovery" = collaboraProxy;
# Capabilities
"^~ /hosting/capabilities" = collaboraProxy;
# download, presentation, image upload and websocket
"~ ^/lool" = collaboraSocket;
# Admin Console websocket
"^~ /lool/adminws" = collaboraSocket;
};
};
};
networking = {
firewall = let open_firewall_ports = [ 80 443 ];
in {
enable = true;
allowedTCPPorts = open_firewall_ports;
allowedUDPPorts = open_firewall_ports;
};
};
}

83
hosts/miniserver/openldap.nix Normal file
View File

@@ -0,0 +1,83 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
let hostname = "servidos.lat";
in {
services.openldap = {
enable = true;
# enable plain and secure connections
urlList = [ "ldap:///" "ldaps:///" ];
settings = {
attrs = {
olcLogLevel = "conns config";
# settings for acme ssl
olcTLSCACertificateFile = "/var/lib/acme/${hostname}/full.pem";
olcTLSCertificateFile = "/var/lib/acme/${hostname}/cert.pem";
olcTLSCertificateKeyFile = "/var/lib/acme/${hostname}/key.pem";
olcTLSCipherSuite = "HIGH:MEDIUM:+3DES:+RC4:+aNULL";
olcTLSCRLCheck = "none";
olcTLSVerifyClient = "never";
olcTLSProtocolMin = "3.1";
};
children = {
"cn=schema".includes = [
"${pkgs.openldap}/etc/schema/core.ldif"
"${pkgs.openldap}/etc/schema/cosine.ldif"
"${pkgs.openldap}/etc/schema/inetorgperson.ldif"
];
"olcDatabase={1}mdb".attrs = {
objectClass = [ "olcDatabaseConfig" "olcMdbConfig" ];
olcDatabase = "{1}mdb";
olcDbDirectory = "/var/lib/openldap/data";
olcSuffix = "dc=example,dc=com";
# your admin account, do not use writeText on a production system
olcRootDN = "cn=admin,dc=example,dc=com";
olcRootPW.path = pkgs.writeText "olcRootPW" "pass";
olcAccess = [
# custom access rules for userPassword attributes
''
{0}to attrs=userPassword
by self write
by anonymous auth
by * none''
# allow read on anything else
''
{1}to *
by * read''
];
};
};
};
};
# ensure openldap is launched after certificates are created
systemd.services.openldap = {
wants = [ "acme-${hostname}.service" ];
after = [ "acme-${hostname}.service" ];
};
# make acme certificates accessible by openldap
security.acme.defaults.group = "certs";
users.groups.certs.members = [ "openldap" ];
# trigger the actual certificate generation for your hostname
security.acme.certs."${hostname}" = { extraDomainNames = [ ]; };
# example using hetzner dns to run letsencrypt verification
security.acme.defaults.dnsProvider = "hetzner";
security.acme.defaults.credentialsFile = pkgs.writeText "credentialsFile" ''
HETZNER_API_KEY=<your-hetzner-dns-api-key>
'';
}

55
hosts/miniserver/scripts/update-dns.sh Normal file
View File

@@ -0,0 +1,55 @@
#!/usr/bin/env nix-shell
#! nix-shell -i bash -p bash curl jq dig
# Shell script to update namecheap.com dynamic dns
# for a domain to your external IP address
# namecheap
hostnames=(cloud @ 6fxAtnPxEeI8hN)
domain=rotehaare.art
password=60d672be5d9d4828a0f96264babe0ac1
ip=$(curl -s ipecho.net/plain)
for hostname in "${hostnames[@]}"; do
curl "https://dynamicdns.park-your-domain.com/update?host=$hostname&domain=$domain&password=$password&ip=$ip"
done
# cloudflare
zone_id=833996ed25eb09f1a50606e0457790e4
record=servidos.lat
record_id=6b117173e53a7511ba36ceb9637ede63
cloudflare_token=VdKosfThQmOcuywLOUq9DY4-df9EmbHrDWyf_vUb
# get record_id
# curl -s -X GET "https://api.cloudflare.com/client/v4/zones/${zone_id}/dns_records?type=A&name=${record}" \
# -H "Authorization: Bearer ${cloudflare_token}" \
# -H "Content-Type: application/json" | jq -r '{"result"}[] | .[0] | .id'
curr_ip=$(curl -s -X GET https://checkip.amazonaws.com)
curr_reg=$(dig ${record} +short @1.1.1.1)
if echo "${curr_reg}" | grep "${curr_ip}"; then
echo "$(date --rfc-3339=seconds) - OK - Current record matches current IP (${curr_ip})"
else
curl -s -X PUT "https://api.cloudflare.com/client/v4/zones/${zone_id}/dns_records/${record_id}" \
-H "Authorization: Bearer ${cloudflare_token}" \
-H "Content-Type: application/json" \
--data "{\"type\":\"A\",\"name\":\"${record}\",\"content\":\"$curr_ip\",\"ttl\":1,\"proxied\":false}" >/dev/null
echo "$(date --rfc-3339=seconds) - NOK - Record Updated to $curr_ip from ${curr_reg}"
fi
# godaddy
domain=danilo-reyes.com
host=@
APIKey=AEjhf24Sczj_BpoXZmSK1Zha3pvRpRYxnf
APISecret=5pumrt9iMaSxR8U4PjhRCE
WanIP=$(curl -s "https://api.ipify.org")
GDIP=$(curl -s -X GET -H "Authorization: sso-key ${APIKey}:${APISecret}" "https://api.godaddy.com/v1/domains/${domain}/records/A/${host}" | cut -d'[' -f 2 | cut -d']' -f 1)
if [ "$WanIP" != "$GDIP" ] && [ "$WanIP" != "" ]; then
echo "Actualizando ip godaddy"
curl -s -X PUT "https://api.godaddy.com/v1/domains/${domain}/records/A/${host}" \
-H "Authorization: sso-key ${APIKey}:${APISecret}" \
-H "Content-Type: application/json" \
-d "[{\"data\": \"${WanIP}\"}]"
fi

336
hosts/miniserver/servers.nix Normal file
View File

@@ -0,0 +1,336 @@
{ config, lib, pkgs, modulesPath, ... }:
let
localhost = "127.0.0.1";
postgresSocket = "/run/postgresql";
unstable = import
(builtins.fetchTarball "https://github.com/nixos/nixpkgs/tarball/master") {
config = config.nixpkgs.config;
};
in {
imports = [ ./nginx.nix ];
nixpkgs.config = {
permittedInsecurePackages = [ "nodejs-14.21.3" "openssl-1.1.1v" ];
};
environment.systemPackages = with pkgs;
[
# Upgrades postgres
(let
# XXX specify the postgresql package you'd like to upgrade to.
# Do not forget to list the extensions you need.
newPostgres = pkgs.postgresql_16.withPackages (pp:
[
# pp.plv8
]);
in pkgs.writeScriptBin "upgrade-pg-cluster" ''
set -eux
# XXX it's perhaps advisable to stop all services that depend on postgresql
systemctl stop postgresql
export NEWDATA="/var/lib/postgresql/${newPostgres.psqlSchema}"
export NEWBIN="${newPostgres}/bin"
export OLDDATA="${config.services.postgresql.dataDir}"
export OLDBIN="${config.services.postgresql.package}/bin"
install -d -m 0700 -o postgres -g postgres "$NEWDATA"
cd "$NEWDATA"
sudo -u postgres $NEWBIN/initdb -D "$NEWDATA"
sudo -u postgres $NEWBIN/pg_upgrade \
--old-datadir "$OLDDATA" --new-datadir "$NEWDATA" \
--old-bindir $OLDBIN --new-bindir $NEWBIN \
"$@"
'')
];
users.groups = { piracy.gid = 985; };
users.users = let base = { isSystemUser = true; };
in {
# # prowlarr = base // { group = "piracy"; };
# # kavita = base // {
# # group = "kavita";
# # extraGroups = [ "piracy" ];
# # };
nextcloud = base // {
extraGroups = [ "render" ];
packages = (with pkgs; [
nodejs
(python3.withPackages (ps: with ps; [ tensorflow ]))
perl
(perlPackages.buildPerlPackage rec {
pname = "Image-ExifTool";
version = "12.70";
src = fetchurl {
url = "https://exiftool.org/Image-ExifTool-${version}.tar.gz";
hash = "sha256-TLJSJEXMPj870TkExq6uraX8Wl4kmNerrSlX3LQsr/4=";
};
})
]);
};
};
programs = {
msmtp = {
enable = true;
accounts.default = {
auth = true;
host = "smtp.gmail.com";
port = 587;
tls = true;
from = "stunner6399@gmail.com";
user = "stunner6399@gmail.com";
password = "eqyctcgjdykqeuwt";
};
};
};
services = let
base = {
enable = true;
group = "piracy";
};
in {
# sonarr = base // { package = pkgs.sonarr; };
# radarr = base // { package = pkgs.radarr; };
# bazarr = base // { };
jellyfin = base // { };
# prowlarr.enable = true;
jira.enable = true;
microbin = {
enable = true;
settings = {
MICROBIN_HIDE_LOGO = false;
MICROBIN_PORT = 8080;
MICROBIN_HIGHLIGHTSYNTAX = true;
MICROBIN_PRIVATE = true;
MICROBIN_QR = true;
MICROBIN_ENCRYPTION_CLIENT_SIDE = true;
MICROBIN_ENCRYPTION_SERVER_SIDE = true;
};
};
# audiobookshelf = {
# enable = true;
# group = "piracy";
# port = 5687;
# };
# paperless = {
# enable = true;
# address = "0.0.0.0";
# consumptionDirIsPublic = true;
# consumptionDir = "/home/jawz/Backups/Scans";
# extraConfig = {
# PAPERLESS_DBENGINE = "postgress";
# PAPERLESS_DBNAME = "paperless";
# PAPERLESS_DBHOST = postgresSocket;
# PAPERLESS_CONSUMER_IGNORE_PATTERN =
# builtins.toJSON [ ".DS_STORE/*" "desktop.ini" ];
# PAPERLESS_TIME_ZONE = "America/Mexico_City";
# PAPERLESS_OCR_USER_ARGS = builtins.toJSON {
# optimize = 1;
# pdfa_image_compression = "lossless";
# };
# };
# };
vaultwarden = {
enable = true;
dbBackend = "postgresql";
package = pkgs.vaultwarden;
config = {
ROCKET_ADDRESS = "${localhost}";
ROCKET_PORT = 8222;
WEBSOCKET_PORT = 8333;
ADMIN_TOKEN =
"x9BLqz2QmnU5RmrMLt2kPpoPBTNPZxNFw/b8XrPgpQML2/01+MYENl87dmhDX+Jm";
DATABASE_URL = "postgresql:///vaultwarden?host=${postgresSocket}";
ENABLE_DB_WAL = false;
WEBSOCKET_ENABLED = true;
SHOW_PASSWORD_HINT = false;
SIGNUPS_ALLOWED = false;
EXTENDED_LOGGING = true;
LOG_LEVEL = "warn";
};
};
# kavita = {
# enable = true;
# tokenKeyFile = "${pkgs.writeText "kavitaToken"
# "Au002BRkRxBjlQrmWSuXWTGUcpXZjzMo2nJ0Z4g4OZ1S4c2zp6oaesGUXzKp2mhvOwjju002BNoURG3CRIE2qnGybvOgAlDxAZCPBzSNRcx6RJ1lFRgvI8wQR6Nd5ivYX0RMo4S8yOH8XIDhzN6vNo31rCjyv2IycX0JqiJPIovfbvXn9Y="}";
# };
nextcloud = {
enable = true;
https = true;
package = pkgs.nextcloud27;
appstoreEnable = true;
configureRedis = true;
extraAppsEnable = true;
enableImagemagick = true;
maxUploadSize = "16G";
hostName = "cloud.servidos.lat";
config = {
adminpassFile = "${pkgs.writeText "adminpass"
"Overlying-Hatchback-Charting-Encounter-Deface-Gallantly7"}";
overwriteProtocol = "https";
defaultPhoneRegion = "MX";
dbtype = "pgsql";
dbhost = postgresSocket;
dbtableprefix = "oc_";
dbname = "nextcloud";
trustedProxies = [ "nginx" ];
extraTrustedDomains = [ "cloud.rotehaare.art" "danilo-reyes.com" ];
};
phpOptions = {
catch_workers_output = "yes";
display_errors = "stderr";
error_reporting = "E_ALL & ~E_DEPRECATED & ~E_STRICT";
expose_php = "Off";
"opcache.enable_cli" = "1";
"opcache.fast_shutdown" = "1";
"opcache.interned_strings_buffer" = "16";
"opcache.jit" = "1255";
"opcache.jit_buffer_size" = "256M";
"opcache.max_accelerated_files" = "10000";
"opcache.huge_code_pages" = "1";
"opcache.enable_file_override" = "1";
"opcache.memory_consumption" = "128";
"opcache.revalidate_freq" = "60";
"opcache.save_comments" = "1";
"opcache.validate_timestamps" = "0";
"openssl.cafile" = "/etc/ssl/certs/ca-certificates.crt";
short_open_tag = "Off";
};
extraOptions = {
"allow_local_remote_servers" = true;
mail_smtpmode = "sendmail";
mail_sendmailmode = "pipe";
"installed" = true;
"memories.exiftool" = "/etc/profiles/per-user/nextcloud/bin/exiftool";
enabledPreviewProviders = [
"OC\\Preview\\Image"
"OC\\Preview\\HEIC"
"OC\\Preview\\TIFF"
"OC\\Preview\\MKV"
"OC\\Preview\\MP4"
"OC\\Preview\\AVI"
"OC\\Preview\\Movie"
];
};
phpExtraExtensions = all: [ all.pdlib all.bz2 ];
};
postgresql = {
enable = true;
ensureDatabases = [ "jawz" "paperless" "nextcloud" "ryot" "vaultwarden" ];
package = pkgs.postgresql_16;
ensureUsers = [
{
name = "jawz";
ensureDBOwnership = true;
}
{
name = "nextcloud";
ensureDBOwnership = true;
}
{
name = "paperless";
ensureDBOwnership = true;
}
{
name = "ryot";
ensureDBOwnership = true;
}
{
name = "vaultwarden";
ensureDBOwnership = true;
}
];
authentication = pkgs.lib.mkOverride 10 ''
local all all trust
host all all ${localhost}/32 trust
host all all ::1/128 trust
'';
};
};
systemd = {
services = {
# sub-sync = {
# restartIfChanged = true;
# description = "syncronizes subtitles downloaded & modified today";
# wantedBy = [ "default.target" ];
# path = [
# pkgs.bash
# pkgs.nix
# jawzSubs
# ];
# serviceConfig = {
# Restart = "on-failure";
# RestartSec = 30;
# ExecStart = "${jawzSubs}/bin/sub-sync all";
# Type = "forking";
# User = "root";
# };
# };
nextcloud-cronjob = let
jawzNextcloudCronjob = pkgs.writeScriptBin "nextcloud-cronjob"
(builtins.readFile ../scripts/nextcloud-cronjob.sh);
in {
description = "Runs various nextcloud-related cronjobs";
wantedBy = [ "multi-user.target" ];
path = [ pkgs.bash jawzNextcloudCronjob ];
serviceConfig = {
Restart = "on-failure";
RestartSec = 30;
ExecStart = "${jawzNextcloudCronjob}/bin/nextcloud-cronjob";
};
};
};
timers = {
nextcloud-cronjob = {
enable = true;
description = "Runs various nextcloud-related cronjobs";
wantedBy = [ "timers.target" ];
timerConfig = { OnCalendar = "*:0/10"; };
};
# sub-sync = {
# enable = true;
# description = "syncronizes subtitles downloaded & modified today";
# wantedBy = [ "timers.target" ];
# timerConfig = {
# OnCalendar = "22:00";
# };
# };
};
user.services = {
update-dns = let
jawzUpdateDns = pkgs.writeScriptBin "update-dns"
(builtins.readFile ../scripts/update-dns.sh);
in {
restartIfChanged = true;
description = "update DNS of my websites";
wantedBy = [ "default.target" ];
path = [ pkgs.bash pkgs.nix jawzUpdateDns ];
serviceConfig = {
Restart = "on-failure";
RestartSec = 30;
ExecStart = "${jawzUpdateDns}/bin/update-dns";
};
};
};
user.timers = {
update-dns = {
enable = true;
description = "update DNS of my websites";
wantedBy = [ "timers.target" ];
timerConfig = {
OnBootSec = "1min";
OnUnitActiveSec = "30m";
};
};
};
};
networking = {
firewall = let open_firewall_ports = [ config.services.paperless.port ];
in {
enable = true;
allowedTCPPorts = open_firewall_ports;
allowedUDPPorts = open_firewall_ports;
};
};
}