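{ config, lib, pkgs, modulesPath, ... }:
# NixOS module for a self-hosting box: *arr stack, Jellyfin, Microbin,
# Audiobookshelf, Paperless, Vaultwarden, Kavita, Nextcloud, PostgreSQL,
# two cron-style units and the firewall.
#
# Secrets policy: nothing written with pkgs.writeText (or any other store
# path) is private - the Nix store is world-readable. Admin passwords and
# token keys are therefore read from root-owned files outside the store.
let
  localhost = "127.0.0.1";
  postgresSocket = "/run/postgresql";

  # PLACEHOLDER paths: provision these files (mode 0600, owned by root or by
  # the consuming service user as noted at each use) with your secrets
  # tooling before switching to this configuration.
  secretsDir = "/run/secrets";
  vaultwardenEnvFile = "${secretsDir}/vaultwarden.env"; # holds `ADMIN_TOKEN=...`
  kavitaTokenFile = "${secretsDir}/kavita-token-key";
  nextcloudAdminPassFile = "${secretsDir}/nextcloud-adminpass";

  # NOTE(review): an unused `unstable` binding that did
  # `import (builtins.fetchTarball "<nixpkgs master tarball URL>")` was removed.
  # A hashless fetch of a moving branch evaluates to whatever the branch holds
  # at build time; if an unstable channel is needed, pin it:
  #   builtins.fetchTarball { url = "<tarball-url>"; sha256 = "<hash>"; }
in
{
  imports = [ ./nginx.nix ];

  nixpkgs.config = {
    # Both packages are end-of-life upstream and get no security fixes;
    # track down which dependency still needs them and drop the exemption
    # once it is gone.
    permittedInsecurePackages = [ "nodejs-14.21.3" "openssl-1.1.1v" ];
  };

  environment.systemPackages = with pkgs; [
    # Upgrades postgres (the pg_upgrade recipe from the NixOS manual).
    (let
      # XXX specify the postgresql package you'd like to upgrade to.
      # Do not forget to list the extensions you need.
      # NOTE: this is currently the same major as services.postgresql.package
      # below, so `initdb` would hit the existing, non-empty data dir and the
      # script would abort; bump it when a newer major is the target.
      newPostgres = pkgs.postgresql_16.withPackages (pp: [
        # pp.plv8
      ]);
    in pkgs.writeScriptBin "upgrade-pg-cluster" ''
      set -eux
      # XXX it's perhaps advisable to stop all services that depend on postgresql
      systemctl stop postgresql

      export NEWDATA="/var/lib/postgresql/${newPostgres.psqlSchema}"
      export NEWBIN="${newPostgres}/bin"

      export OLDDATA="${config.services.postgresql.dataDir}"
      export OLDBIN="${config.services.postgresql.package}/bin"

      install -d -m 0700 -o postgres -g postgres "$NEWDATA"
      cd "$NEWDATA"
      sudo -u postgres $NEWBIN/initdb -D "$NEWDATA"

      sudo -u postgres $NEWBIN/pg_upgrade \
        --old-datadir "$OLDDATA" --new-datadir "$NEWDATA" \
        --old-bindir $OLDBIN --new-bindir $NEWBIN \
        "$@"
    '')
  ];

  # Shared group so the media services can read each other's files.
  users.groups = { piracy.gid = 985; };

  users.users =
    let base = { isSystemUser = true; };
    in {
      prowlarr = base // { group = "piracy"; };
      kavita = base // { group = "kavita"; extraGroups = [ "piracy" ]; };
      nextcloud = base // {
        # "render" gives the PHP workers GPU access for previews/recognition.
        extraGroups = [ "render" ];
        # Per-user packages land in /etc/profiles/per-user/nextcloud, which
        # `memories.exiftool` below points into.
        packages = (with pkgs; [
          nodejs
          (python3.withPackages (ps: with ps; [ tensorflow ]))
          perl
          (perlPackages.buildPerlPackage rec {
            pname = "Image-ExifTool";
            version = "12.70";
            src = fetchurl {
              url = "https://exiftool.org/Image-ExifTool-${version}.tar.gz";
              hash = "sha256-TLJSJEXMPj870TkExq6uraX8Wl4kmNerrSlX3LQsr/4=";
            };
          })
        ]);
      };
    };

  services =
    let base = { enable = true; group = "piracy"; };
    in {
      sonarr = base // { package = pkgs.sonarr; };
      radarr = base // { package = pkgs.radarr; };
      bazarr = base // { };
      jellyfin = base // { };
      prowlarr.enable = true;

      microbin = {
        enable = true;
        settings = {
          MICROBIN_HIDE_LOGO = false;
          MICROBIN_PORT = 8080;
          MICROBIN_HIGHLIGHTSYNTAX = true;
          MICROBIN_PRIVATE = true;
          MICROBIN_QR = true;
          MICROBIN_ENCRYPTION_CLIENT_SIDE = true;
          MICROBIN_ENCRYPTION_SERVER_SIDE = true;
        };
      };

      audiobookshelf = {
        enable = true;
        group = "piracy";
        port = 5687;
      };

      paperless = {
        enable = true;
        # Binds to every interface and its port is opened in the firewall
        # below, so the web UI is reachable directly, not only through the
        # nginx config imported above. Bind to loopback and drop the firewall
        # entry if nginx is meant to be the only entry point.
        address = "0.0.0.0";
        # World-writable consumption directory: any local process can feed
        # documents to the consumer. Keep only if the scanner share needs it.
        consumptionDirIsPublic = true;
        consumptionDir = "/mnt/pool/home/Scans";
        extraConfig = {
          # Was misspelled "postgress"; the documented value is "postgresql".
          PAPERLESS_DBENGINE = "postgresql";
          PAPERLESS_DBNAME = "paperless";
          PAPERLESS_DBHOST = postgresSocket;
          PAPERLESS_CONSUMER_IGNORE_PATTERN = builtins.toJSON [ ".DS_STORE/*" "desktop.ini" ];
          PAPERLESS_TIME_ZONE = "America/Mexico_City";
          PAPERLESS_OCR_USER_ARGS = builtins.toJSON {
            optimize = 1;
            pdfa_image_compression = "lossless";
          };
        };
      };

      vaultwarden = {
        enable = true;
        dbBackend = "postgresql";
        package = pkgs.vaultwarden;
        # ADMIN_TOKEN used to be set in `config` below in plaintext, which
        # writes it into the world-readable store. It now comes from a
        # root-owned environment file as `ADMIN_TOKEN=<value>`; prefer the
        # argon2 PHC string produced by `vaultwarden hash` over a raw token.
        environmentFile = vaultwardenEnvFile;
        config = {
          ROCKET_ADDRESS = "${localhost}";
          ROCKET_PORT = 8222;
          WEBSOCKET_PORT = 8333;
          DATABASE_URL = "postgresql:///vaultwarden?host=${postgresSocket}";
          ENABLE_DB_WAL = false; # WAL is a SQLite-only setting
          WEBSOCKET_ENABLED = true;
          SHOW_PASSWORD_HINT = false;
          SIGNUPS_ALLOWED = false;
          EXTENDED_LOGGING = true;
          LOG_LEVEL = "warn";
        };
      };

      kavita = {
        enable = true;
        # Previously a pkgs.writeText store path (world-readable). The file
        # must be readable by the kavita service user.
        tokenKeyFile = kavitaTokenFile;
      };

      nextcloud = {
        enable = true;
        https = true;
        package = pkgs.nextcloud27;
        appstoreEnable = true;
        configureRedis = true;
        extraAppsEnable = true;
        enableImagemagick = true;
        maxUploadSize = "16G";
        hostName = "cloud.servidos.lat";
        config = {
          # Previously a pkgs.writeText store path (world-readable). Read once
          # by the setup unit, so make it readable by the nextcloud user.
          adminpassFile = nextcloudAdminPassFile;
          overwriteProtocol = "https";
          defaultPhoneRegion = "MX";
          dbtype = "pgsql";
          dbhost = postgresSocket;
          dbtableprefix = "oc_";
          dbname = "nextcloud";
          # NOTE(review): trusted_proxies is matched against IP addresses or
          # CIDR ranges; a bare hostname like "nginx" is unlikely to match the
          # local reverse proxy - confirm against the proxy's source address.
          trustedProxies = [ "nginx" ];
          extraTrustedDomains = [ "cloud.rotehaare.art" "danilo-reyes.com" ];
        };
        phpOptions = {
          catch_workers_output = "yes";
          display_errors = "stderr";
          error_reporting = "E_ALL & ~E_DEPRECATED & ~E_STRICT";
          expose_php = "Off";
          "opcache.enable_cli" = "1";
          "opcache.fast_shutdown" = "1";
          "opcache.interned_strings_buffer" = "16";
          "opcache.jit" = "1255";
          "opcache.jit_buffer_size" = "256M";
          "opcache.max_accelerated_files" = "10000";
          "opcache.huge_code_pages" = "1";
          "opcache.enable_file_override" = "1";
          "opcache.memory_consumption" = "128";
          "opcache.revalidate_freq" = "60";
          "opcache.save_comments" = "1";
          "opcache.validate_timestamps" = "0";
          "openssl.cafile" = "/etc/ssl/certs/ca-certificates.crt";
          short_open_tag = "Off";
        };
        extraOptions = {
          # Lets Nextcloud talk to services on this host (federation/previews
          # against local addresses); widens SSRF reach, so keep it deliberate.
          "allow_local_remote_servers" = true;
          mail_smtpmode = "sendmail";
          mail_sendmailmode = "pipe";
          "installed" = true;
          "memories.exiftool" = "/etc/profiles/per-user/nextcloud/bin/exiftool";
          enabledPreviewProviders = [
            "OC\\Preview\\Image"
            "OC\\Preview\\HEIC"
            "OC\\Preview\\TIFF"
            "OC\\Preview\\MKV"
            "OC\\Preview\\MP4"
            "OC\\Preview\\AVI"
            "OC\\Preview\\Movie"
          ];
        };
        phpExtraExtensions = all: [ all.pdlib all.bz2 ];
      };

      postgresql = {
        enable = true;
        package = pkgs.postgresql_16;
        ensureDatabases = [ "paperless" "nextcloud" "ryot" "vaultwarden" ];
        ensureUsers = [
          { name = "nextcloud"; ensureDBOwnership = true; }
          { name = "paperless"; ensureDBOwnership = true; }
          { name = "ryot"; ensureDBOwnership = true; }
          { name = "vaultwarden"; ensureDBOwnership = true; }
        ];
        # The previous rules were `trust` for every role on the socket and on
        # TCP loopback, so any local process could log in as any role -
        # including the superuser - with no credentials. `peer` maps the
        # connecting OS user to the role of the same name, which is how the
        # services in this file (nextcloud, paperless, vaultwarden) connect
        # over the socket. Loopback TCP now requires a password; nothing in
        # this file uses TCP, but `ryot` has no service defined here, so check
        # how it connects before deploying and give it a password rather than
        # reopening `trust`.
        authentication = pkgs.lib.mkOverride 10 ''
          local all all peer
          host  all all ${localhost}/32 scram-sha-256
          host  all all ::1/128 scram-sha-256
        '';
      };
    };

  systemd = {
    services = {
      nextcloud-cronjob =
        let
          jawzNextcloudCronjob = pkgs.writeScriptBin "nextcloud-cronjob"
            (builtins.readFile ../scripts/nextcloud-cronjob.sh);
        in {
          description = "Runs various nextcloud-related cronjobs";
          wantedBy = [ "default.target" ];
          path = [ pkgs.bash jawzNextcloudCronjob ];
          serviceConfig = {
            Restart = "on-failure";
            RestartSec = 30;
            ExecStart = "${jawzNextcloudCronjob}/bin/nextcloud-cronjob";
          };
        };
    };

    timers = {
      nextcloud-cronjob = {
        enable = true;
        description = "Runs various nextcloud-related cronjobs";
        wantedBy = [ "timers.target" ];
        timerConfig = { OnCalendar = "*:0/10"; }; # every 10 minutes
      };
    };

    # Per-user units: run under whichever user enables them, not as root.
    user.services = {
      update-dns =
        let
          jawzUpdateDns = pkgs.writeScriptBin "update-dns"
            (builtins.readFile ../scripts/update-dns.sh);
        in {
          restartIfChanged = true;
          description = "update DNS of my websites";
          wantedBy = [ "default.target" ];
          path = [ pkgs.bash pkgs.nix jawzUpdateDns ];
          serviceConfig = {
            Restart = "on-failure";
            RestartSec = 30;
            ExecStart = "${jawzUpdateDns}/bin/update-dns";
          };
        };
    };

    user.timers = {
      update-dns = {
        enable = true;
        description = "update DNS of my websites";
        wantedBy = [ "timers.target" ];
        timerConfig = {
          OnBootSec = "1min";
          OnUnitActiveSec = "30m";
        };
      };
    };
  };

  networking.firewall =
    let openFirewallPorts = [ config.services.paperless.port ];
    in {
      enable = true;
      # Paperless serves HTTP over TCP only; the same port was previously
      # opened for UDP as well, where nothing listens.
      allowedTCPPorts = openFirewallPorts;
    };
}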