batteredbunny/server.nix
1
0
Fork 0
Code Issues 11 Pull requests Projects Releases Packages Wiki Activity Actions

Initial commit

Browse source
This commit is contained in:
server 2024-02-23 01:56:51 +02:00 committed by batteredbunny
commit e636d18943
7 changed files with 1565 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

181
caddy.nix Normal file
View file

@ -0,0 +1,181 @@
{config, pkgs, lib, inputs, ...}: let
settings = import ./settings.nix {};
# pkgs.schildichat-web
elementClient = pkgs.element-web.override {
conf = {
default_server_config = {
m.homeserver = "matrix.catnip.ee:443";
};
};
};
wellKnownMatrix = ''
handle /.well-known/matrix/client {
header Content-Type application/json
header Access-Control-Allow-Origin *
respond `{"m.homeserver":{"base_url":"https://matrix.catnip.ee/"},"org.matrix.msc3575.proxy":{"url":"https://sliding-sync.catnip.ee"}}`
}
handle /.well-known/matrix/server {
header Content-Type application/json
header Access-Control-Allow-Origin *
respond `{"m.server": "matrix.catnip.ee:443"}`
}
'';
in {
services.caddy = {
enable = true;
email = "anonymous_shiba@protonmail.com";
virtualHosts = {
"drasl.snailcore.net".extraConfig = ''
reverse_proxy :${toString settings.ports.drasl}
'';
"lastfm.catnip.ee".extraConfig = ''
reverse_proxy :${toString settings.ports.lastfm}
'';
"social.catnip.ee".extraConfig = ''
reverse_proxy :${toString settings.ports.firefish}
'';
"forge.catnip.ee".extraConfig = ''
reverse_proxy :${toString settings.ports.forgejo}
'';
"http://bazarr".extraConfig = ''
@local remote_ip private_ranges 100.64.0.0/10
reverse_proxy @local :${toString settings.ports.bazarr}
'';
"http://archive".extraConfig = ''
@local remote_ip private_ranges 100.64.0.0/10
reverse_proxy @local :${toString settings.ports.archivebox}
'';
"http://scrutiny".extraConfig = ''
@local remote_ip private_ranges 100.64.0.0/10
reverse_proxy @local :${toString settings.ports.scrutiny}
'';
"http://prowlarr".extraConfig = ''
@local remote_ip private_ranges 100.64.0.0/10
reverse_proxy @local :${toString settings.ports.prowlarr}
'';
"http://radarr".extraConfig = ''
@local remote_ip private_ranges 100.64.0.0/10
reverse_proxy @local :${toString settings.ports.radarr}
'';
"http://sonarr".extraConfig = ''
@local remote_ip private_ranges 100.64.0.0/10
reverse_proxy @local :${toString settings.ports.sonarr}
'';
"http://qbittorrent".extraConfig = ''
@local remote_ip private_ranges 100.64.0.0/10
reverse_proxy @local :${toString settings.ports.qbittorrent}
'';
"http://files".extraConfig = ''
@local remote_ip private_ranges 100.64.0.0/10
root * /mnt/media
file_server @local browse {
hide .Trash-1000
}
'';
"files.catnip.ee" = {
extraConfig = ''
basicauth * {
mrow {env.FILES_PASSWORD_HASH}
}
root * /mnt/media
file_server browse {
hide .Trash-1000
}
'';
};
"chat.catnip.ee".extraConfig = ''
root * ${elementClient}
file_server
'';
"sliding-sync.catnip.ee".extraConfig = ''
reverse_proxy :${toString settings.ports.matrix-sliding-sync}
'';
"matrix.catnip.ee".extraConfig = ''
reverse_proxy :${toString settings.ports.synapse}
${wellKnownMatrix}
handle /telegram/* {
reverse_proxy :${toString settings.ports.mautrix-telegram}
}
handle_path /synapse-admin* {
root * ${pkgs.synapse-admin}
file_server
}
'';
"ntfy.catnip.ee".extraConfig = ''
reverse_proxy ${config.services.ntfy-sh.settings.listen-http}
# Redirect HTTP to HTTPS, but only for GET topic addresses, since we want
# it to work with curl without the annoying https:// prefix.
@httpget {
protocol http
method GET
path_regexp ^/([-_a-z0-9]{0,64}$|docs/|static/)
}
redir @httpget https://{host}{uri}
'';
"waka.catnip.ee".extraConfig = ''
reverse_proxy :${toString settings.ports.wakapi}
'';
# docker authentik
"auth.catnip.ee".extraConfig = ''
reverse_proxy :${toString settings.ports.authentik}
'';
"cloud.catnip.ee".extraConfig = ''
redir /.well-known/carddav /remote.php/dav 301
redir /.well-known/caldav /remote.php/dav 301
header {
Strict-Transport-Security "max-age=31536000; includeSubDomains"
Referrer-Policy no-referrer
Referrer-Policy same-origin
Referrer-Policy strict-origin
Referrer-Policy strict-origin-when-cross-origin
Referrer-Policy no-referrer-when-downgrade
}
reverse_proxy 127.0.0.1:${toString settings.ports.nextcloud}
'';
"uptime.catnip.ee".extraConfig = ''
reverse_proxy :${toString settings.ports.uptime_kuma}
'';
"catnip.ee" = {
extraConfig = ''
root * ${inputs.catnip-website}
file_server browse {
hide .git
}
${wellKnownMatrix}
'';
serverAliases = [
"www.catnip.ee"
];
};
"vue.jellyfin.catnip.ee".extraConfig = ''
reverse_proxy :${toString settings.ports.jellyfin_vue}
'';
"jellyfin.catnip.ee".extraConfig = ''
reverse_proxy :${toString settings.ports.jellyfin}
'';
"plex.catnip.ee".extraConfig = ''
reverse_proxy :${toString settings.ports.plex}
'';
":80".extraConfig = ''
respond awawaw
'';
};
};
}

818
configuration.nix Normal file
View file

@ -0,0 +1,818 @@
{ config, pkgs, lib, inputs, system, ... }: let
settings = import ./settings.nix {};
in {
imports =
[ # Include the results of the hardware scan.
./hardware-configuration.nix
./containers.nix
./caddy.nix
inputs.nix-minecraft.nixosModules.minecraft-servers
];
nixpkgs = {
overlays = [ inputs.nix-minecraft.overlay ];
config.allowUnfree = true;
};
system.autoUpgrade = {
enable = true;
allowReboot = true;
flake = "/etc/nixos";
flags = [
"--update-input"
"nixpkgs"
"--update-input"
"nix-minecraft"
];
};
nix = {
gc = {
automatic = true;
dates = "weekly";
};
optimise = {
automatic = true;
dates = ["06:00"];
};
settings = {
experimental-features = ["nix-command" "flakes"];
auto-optimise-store = true;
allowed-users = [
"@wheel"
"owo"
];
};
};
boot = {
supportedFilesystems = ["ntfs" "btrfs" "mergerfs"];
kernelPackages = pkgs.linuxPackages_latest;
loader = {
systemd-boot.enable = true;
efi.canTouchEfiVariables = true;
};
};
systemd.services = {
tailscaled.environment = {
TS_NO_LOGS_NO_SUPPORT = "true";
};
modded-mc-server = {
enable = true;
path = with pkgs; [
openjdk17-bootstrap
mcrcon
];
serviceConfig = let
# authlib = pkgs.fetchurl {
# url = "https://github.com/yushijinhun/authlib-injector/releases/download/v1.2.4/authlib-injector-1.2.4.jar";
# hash = "sha256-eVsnbLQIVe0E3H/KvCptFQ3kYAtUKHWmUi5l9rJbyp8=";
# };
in {
User = "owo";
WorkingDirectory = "/home/owo/Documents/aof7";
ExecStart = pkgs.writeShellScript "start.sh" ''
cd /home/owo/Documents/aof7
java -jar serverstarter-2.4.0.jar
'';
ExecStop = pkgs.writeShellScript "stop.sh" ''
mcrcon -H localhost -P 25575 -p "12345" stop
while kill -0 $MAINPID 2>/dev/null
do
sleep 0.5
done
'';
Restart = "always";
};
wantedBy = [ "default.target" ];
};
lastfm-status = let
package = inputs.lastfm-status.packages.${system}.default;
in {
enable = true;
serviceConfig = {
Type = "exec";
User = "owo";
ExecStart = "${lib.getExe package} --port ${toString settings.ports.lastfm}";
};
wantedBy = [ "multi-user.target" ];
wants = [ "network-online.target" ];
after = [ "network-online.target" ];
};
# paths: ~/.config/qBittorrent/ and ~/.local/share/qBittorrent/
qbittorrent = {
enable = true;
description = "Activates qbittorrent nox on startup";
unitConfig = {
Documentation = "man:qbittorrent-nox(1)";
};
serviceConfig = {
Type = "exec";
User="owo";
ExecStart="${lib.getExe pkgs.qbittorrent-nox} --webui-port=${toString settings.ports.qbittorrent} --torrenting-port=${toString settings.ports.qbittorrent-out}";
};
path = [
pkgs.curl
];
wantedBy = [
"multi-user.target"
];
wants = [
"network-online.target"
];
after = [
"network-online.target"
];
};
unpackerr = {
enable = true;
description = "Activates unpackerr on startup";
serviceConfig = {
Type = "exec";
User="owo";
ExecStart="${lib.getExe pkgs.unpackerr} -c /mnt/important/server_configs/unpackerr/unpackerr.conf";
};
wantedBy = [
"multi-user.target"
];
wants = [
"network-online.target"
];
after = [
"network-online.target"
];
};
};
fileSystems = {
"/mnt/important" = {
device = "/dev/disk/by-uuid/dd9449e5-3d28-4029-8434-aae3b7314e35";
fsType = "btrfs";
};
"/mnt/drive4" = {
device = "/dev/disk/by-uuid/a7874217-07af-485c-9e60-2370c305771e";
fsType = "btrfs";
};
"/mnt/drive3" = {
device = "/dev/disk/by-uuid/ba80a5be-d676-4cba-8fc8-aa21af116b88";
fsType = "btrfs";
};
"/mnt/drive2" = {
device = "/dev/disk/by-uuid/3203fc16-136f-4b17-b844-7584394ea870"; # 18tb hdd
fsType = "ext4";
};
"/mnt/drive1" = {
device = "/dev/disk/by-uuid/23aa13b8-3e1a-4cd7-890d-68a54d8f13fa"; # 16tb hdd
fsType = "btrfs";
};
"/mnt/media" = {
device = "/mnt/drive1/media:/mnt/drive2/media:/mnt/drive3/media:/mnt/drive4/media";
fsType = "fuse.mergerfs";
depends = [
"/mnt/drive1"
"/mnt/drive2"
"/mnt/drive3"
"/mnt/drive4"
];
options = [
"cache.files=partial"
"dropcacheonclose=true"
"category.create=mfs"
];
};
};
networking = {
hostName = "server";
networkmanager.enable = true;
nameservers = [
# "127.0.0.1"
"1.1.1.1" "1.0.0.1" # cloudflare
];
};
time.timeZone = "Europe/Tallinn";
i18n = {
defaultLocale = "en_GB.UTF-8";
extraLocaleSettings = {
LC_ADDRESS = "et_EE.UTF-8";
LC_IDENTIFICATION = "et_EE.UTF-8";
LC_MEASUREMENT = "et_EE.UTF-8";
LC_MONETARY = "et_EE.UTF-8";
LC_NAME = "et_EE.UTF-8";
LC_NUMERIC = "et_EE.UTF-8";
LC_PAPER = "et_EE.UTF-8";
LC_TELEPHONE = "et_EE.UTF-8";
LC_TIME = "et_EE.UTF-8";
};
};
services.xserver = {
enable = true;
xkb = {
variant = "";
layout = "us";
};
videoDrivers = ["nvidia"];
# Enable the KDE Plasma Desktop Environment.
displayManager.sddm.enable = true;
desktopManager.plasma5.enable = true;
};
sound.enable = true;
hardware.pulseaudio.enable = false;
security = {
sudo.wheelNeedsPassword = false;
rtkit.enable = true;
};
services.pipewire = {
enable = true;
alsa.enable = true;
alsa.support32Bit = true;
pulse.enable = true;
};
hardware = {
opengl = {
enable = true;
driSupport = true;
driSupport32Bit = true;
};
nvidia = {
package = config.boot.kernelPackages.nvidiaPackages.stable;
modesetting.enable = true;
open = false;
nvidiaSettings = true;
};
};
virtualisation = {
docker = {
enable = true;
enableNvidia = true;
autoPrune.enable = true;
liveRestore = false;
};
podman = {
enable = true;
enableNvidia = true;
autoPrune.enable = true;
};
};
environment.systemPackages = with pkgs; [
mergerfs
mergerfs-tools
ffmpeg # nextcloud
];
programs = {
git.enable = true;
fish.enable = true;
mosh.enable = true;
gnome-disks.enable = true;
ssh.startAgent = true;
};
security.acme = {
acceptTerms = true;
defaults.email = "ghostkaya+acme@proton.me";
certs = {
${config.services.coturn.realm} = {
dnsProvider = "cloudflare";
credentialsFile = "/etc/secrets/acme.env";
postRun = "systemctl restart coturn.service";
group = "turnserver";
};
};
};
systemd.services.mautrix-telegram.path = with pkgs; [
lottieconverter # for animated stickers conversion, unfree package
ffmpeg # if converting animated stickers to webm (very slow!)
];
services = {
minecraft-servers = {
enable = true;
eula = true;
servers = let
drasl = "https://drasl.snailcore.net";
in {
paper-vanilla = {
enable = true;
package = pkgs.paper-server;
openFirewall = true;
autoStart = true;
jvmOpts = "-Xmx2G -Xms1G -Dminecraft.api.env=custom -Dminecraft.api.auth.host=${drasl}/auth -Dminecraft.api.account.host=${drasl}/account -Dminecraft.api.session.host=${drasl}/session -Dminecraft.api.services.host=${drasl}/services";
serverProperties = {
motd = "catnip enthutiasts";
spawn-protection = 0;
max-players = 69;
};
};
};
};
gitea-actions-runner = {
package = pkgs.forgejo-actions-runner;
instances = {
forge = {
enable = true;
url = "https://forge.catnip.ee";
name = "runner";
labels = [
"golang:docker://golang:latest"
"rust:docker://rust:latest"
"ubuntu:docker://ubuntu:latest"
];
tokenFile = "/etc/secrets/gitea-actions-runner.env";
};
};
};
forgejo = {
enable = true;
database.type = "postgres";
settings = {
server = {
DOMAIN = "forge.catnip.ee";
HTTP_PORT = settings.ports.forgejo;
SSH_PORT = 2222;
START_SSH_SERVER = true;
ROOT_URL = "https://${config.services.forgejo.settings.server.DOMAIN}";
};
service = {
DISABLE_REGISTRATION = true;
};
};
};
# /var/lib/nextcloud
nextcloud = {
enable = true;
package = pkgs.nextcloud28;
hostName = "cloud.catnip.ee";
https = true;
configureRedis = true;
config = {
adminuser = "admin";
dbhost = "localhost:${toString config.services.mysql.replication.masterPort}";
dbtype = "mysql";
adminpassFile = "/etc/secrets/nextcloud";
};
autoUpdateApps.enable = true;
database.createLocally = true;
extraApps = with config.services.nextcloud.package.packages.apps; {
inherit contacts calendar tasks mail user_saml ;
integration_github = pkgs.fetchNextcloudApp rec {
url = "https://github.com/nextcloud-releases/integration_github/releases/download/v2.0.6/integration_github-v2.0.6.tar.gz";
sha256 = "sha256-hmcMaEtsn/+UZumVLNTsWy3WBKGryAGrDWJ5RZWmTWY=";
license = "agpl3";
};
};
extraAppsEnable = true;
settings = {
enable_previews = true;
enabledPreviewProviders = [
"OC\\Preview\\OpenDocument"
"OC\\Preview\\PDF"
"OC\\Preview\\MSOffice2003"
"OC\\Preview\\MSOfficeDoc"
"OC\\Preview\\Image"
"OC\\Preview\\Photoshop"
"OC\\Preview\\TIFF"
"OC\\Preview\\SVG"
"OC\\Preview\\Font"
"OC\\Preview\\MP3"
"OC\\Preview\\Movie"
"OC\\Preview\\MKV"
"OC\\Preview\\MP4"
"OC\\Preview\\AVI"
];
};
};
# /var/lib/mysql
mysql = {
enable = true;
ensureDatabases = [
"nextcloud"
];
ensureUsers = [{
name = "nextcloud";
ensurePermissions = {
"nextcloud.*" = "ALL PRIVILEGES";
};
}];
};
nginx.virtualHosts.${config.services.nextcloud.hostName} = {
listen = [{
addr = "127.0.0.1";
port = settings.ports.nextcloud;
}];
};
i2pd = {
enable = true;
proto.httpProxy.enable = true;
};
privoxy = {
enable = true;
settings = {
listen-address = ":${toString settings.ports.privoxy}";
forward = ".i2p localhost:${toString config.services.i2pd.proto.httpProxy.port}";
# forward = ".ygg localhost:1234";
};
};
tailscale = {
enable = true;
useRoutingFeatures = "server";
extraUpFlags = [
"--advertise-exit-node"
];
permitCertUid = "caddy";
port = 0;
};
blocky = {
enable = true;
settings = {
caching = {
minTime = "5m";
maxTime ="30m";
prefetching = true;
};
ports.dns = 53;
upstream.default = [
"1.1.1.1" "1.0.0.1" # cloudflare
"8.8.8.8" "8.8.4.4" # google
"9.9.9.9" "149.112.112.112" # quad9
"https://dns.nextdns.io"
];
customDNS = let
localDomains = names: ip: builtins.listToAttrs (map (x: { name = x; value = ip; } ) names);
in {
mapping = localDomains [
"catnip.ee"
"files"
"qbittorrent"
"scrutiny"
"archive"
"sonarr" "radarr" "prowlarr" "bazarr"
] "100.93.150.89";
};
conditional = let
opennic = names: ip: builtins.listToAttrs (map (x: { name = x; value = ip; } ) names);
in {
mapping = opennic [
"epic"
"geek"
"chan"
"fur"
"cyb"
"oss"
"pirate"
"neo"
"libre"
"dyn"
"glue"
"indy"
"bbs"
"gopher"
"null"
"o"
"oz"
"parody"
"bazar"
"coin"
"lib"
"emc"
"ku"
"uu"
"ti"
"te"
] "138.197.140.189";
};
blocking = {
blackLists.ads = [
"https://www.github.developerdan.com/hosts/lists/ads-and-tracking-extended.txt"
"https://adguardteam.github.io/AdGuardSDNSFilter/Filters/filter.txt"
];
whiteLists.ads = [
"newrelic.com"
"one.newrelic.com"
];
clientGroupsBlock.default = [
"ads"
];
};
};
};
prowlarr = { # port 9696, /var/lib/prowlarr
enable = true;
};
radarr = { # port 7878
enable = true;
dataDir = "${settings.server_configs}/radarr";
};
sonarr = { # port 8989
enable = true;
dataDir = "${settings.server_configs}/sonarr";
};
bazarr = { # /var/lib/bazarr/
enable = true;
listenPort = settings.ports.bazarr;
};
plex = {
enable = true;
openFirewall = true;
dataDir = "${settings.server_configs}/plex";
};
eternal-terminal.enable = true;
coturn = rec {
enable = true;
no-cli = true;
no-tcp-relay = true;
min-port = 49000;
max-port = 50000;
use-auth-secret = true;
static-auth-secret-file = "/etc/secrets/coturn";
realm = "turn.catnip.ee";
cert = "${config.security.acme.certs.${realm}.directory}/full.pem";
pkey = "${config.security.acme.certs.${realm}.directory}/key.pem";
extraConfig = ''
# for debugging
verbose
# ban private IP ranges
no-multicast-peers
denied-peer-ip=0.0.0.0-0.255.255.255
denied-peer-ip=10.0.0.0-10.255.255.255
denied-peer-ip=100.64.0.0-100.127.255.255
denied-peer-ip=127.0.0.0-127.255.255.255
denied-peer-ip=169.254.0.0-169.254.255.255
denied-peer-ip=172.16.0.0-172.31.255.255
denied-peer-ip=192.0.0.0-192.0.0.255
denied-peer-ip=192.0.2.0-192.0.2.255
denied-peer-ip=192.88.99.0-192.88.99.255
denied-peer-ip=192.168.0.0-192.168.255.255
denied-peer-ip=198.18.0.0-198.19.255.255
denied-peer-ip=198.51.100.0-198.51.100.255
denied-peer-ip=203.0.113.0-203.0.113.255
denied-peer-ip=240.0.0.0-255.255.255.255
denied-peer-ip=::1
denied-peer-ip=64:ff9b::-64:ff9b::ffff:ffff
denied-peer-ip=::ffff:0.0.0.0-::ffff:255.255.255.255
denied-peer-ip=100::-100::ffff:ffff:ffff:ffff
denied-peer-ip=2001::-2001:1ff:ffff:ffff:ffff:ffff:ffff:ffff
denied-peer-ip=2002::-2002:ffff:ffff:ffff:ffff:ffff:ffff:ffff
denied-peer-ip=fc00::-fdff:ffff:ffff:ffff:ffff:ffff:ffff:ffff
denied-peer-ip=fe80::-febf:ffff:ffff:ffff:ffff:ffff:ffff:ffff
'';
};
# /var/lib/postgresql
postgresql = {
enable = true;
package = pkgs.postgresql_15;
initialScript = pkgs.writeText "backend-initScript" ''
CREATE USER "matrix-synapse";
CREATE DATABASE "matrix-synapse" WITH OWNER "matrix-synapse"
LOCALE 'C'
ENCODING 'UTF8'
TEMPLATE template0;
'';
identMap = ''
superuser_map root matrix-synapse
superuser_map matrix-synapse matrix-synapse
superuser_map root matrix-sliding-sync
superuser_map matrix-sliding-sync matrix-sliding-sync
superuser_map root forgejo
superuser_map forgejo forgejo
superuser_map root postgres
superuser_map postgres postgres
'';
authentication = pkgs.lib.mkOverride 10 ''
#type database DBuser auth-method optional_ident_map
local sameuser all peer map=superuser_map
'';
};
mautrix-telegram = {
enable = true;
environmentFile = "/etc/secrets/mautrix-telegram.env";
settings = {
homeserver = {
address = "http://localhost:${toString settings.ports.synapse}";
domain = "catnip.ee";
};
appservice = {
address = "http://localhost:${toString settings.ports.mautrix-telegram}";
port = settings.ports.mautrix-telegram;
provisioning.enabled = false;
id = "telegram";
public = {
enabled = true;
prefix = "/telegram";
external = "https://matrix.catnip.ee/telegram";
};
};
bridge = {
relaybot.authless_portals = false;
permissions = {
"@admin:catnip.ee" = "admin";
"@kaya:catnip.ee" = "admin";
"catnip.ee" = "full";
};
backfill = {
enable = true;
forward_limits = {
initial = {
user = -1;
normal_group = -1;
supergroup = 1000;
channel = 1000;
};
sync = {
user = -1;
normal_group = -1;
supergroup = 1000;
channel = 1000;
};
};
};
animated_sticker = {
target = "gif";
args = {
width = 256;
height = 256;
fps = 30; # only for webm
background = "020202"; # only for gif, transparency not supported
};
};
};
telegram = {
device_info = {
device_model = "GooglePixel 6";
system_version = "SDK 32";
app_version = "8.7.4 (26367)";
lang_code = "en";
system_lang_code = "en";
};
};
};
};
matrix-sliding-sync = {
enable = true;
createDatabase = true;
environmentFile = "/etc/secrets/mautrix-telegram.env";
settings = {
SYNCV3_SERVER = "https://matrix.catnip.ee";
SYNCV3_BINDADDR = "127.0.0.1:${toString settings.ports.matrix-sliding-sync}";
};
};
matrix-synapse = {
enable = true;
extraConfigFiles = [
"/etc/secrets/synapse.yaml"
];
settings = {
enable_registration = true;
registration_requires_token = true;
max_upload_size = "250M";
server_name = "catnip.ee";
public_baseurl = "https://matrix.catnip.ee/";
database = {
name = "psycopg2";
args = {
database = "matrix-synapse";
user = "matrix-synapse";
};
};
app_service_config_files = [
# sudo rm /var/lib/matrix-synapse/telegram-registration.yaml
# sudo cp /var/lib/mautrix-telegram/telegram-registration.yaml /var/lib/matrix-synapse/
# sudo chown matrix-synapse:matrix-synapse /var/lib/matrix-synapse/telegram-registration.yaml
# sudo systemctl restart matrix-synapse
"/var/lib/matrix-synapse/telegram-registration.yaml"
];
listeners = [{
bind_addresses = [ "127.0.0.1" ];
port = settings.ports.synapse;
resources = [{
compress = true;
names = [ "client" "federation" ];
}];
tls = false;
type = "http";
x_forwarded = true;
}];
turn_uris = [
"turn:${config.services.coturn.realm}:3478?transport=udp"
"turn:${config.services.coturn.realm}:3478?transport=tcp"
];
turn_user_lifetime = "1h";
};
};
openssh = {
enable = true;
settings = {
PasswordAuthentication = false;
PermitRootLogin = "no";
};
};
# /var/lib/ntfy-sh/
ntfy-sh = {
enable = true;
settings = {
listen-http = ":${toString settings.ports.ntfy}";
base-url = "https://ntfy.catnip.ee";
};
};
# /var/lib/jellyfin
jellyfin.enable = true;
cloudflare-dyndns = {
enable = true;
apiTokenFile = "/etc/secrets/cloudflare-dyndns.env";
domains = [
"catnip.ee"
];
};
};
networking.firewall = {
enable = true;
allowedUDPPortRanges = with config.services.coturn; [{
from = min-port;
to = max-port;
}];
allowedUDPPorts = [
53 # blocky
3478 5349 # coturn
settings.ports.qbittorrent-out # qbittorrent
];
allowedTCPPorts = [
53 # blocky
80 443 # HTTP/HTTPS
3478 5349 # coturn
settings.ports.qbittorrent-out # qbittorrent
settings.ports.privoxy
25566 # modded minecraft
2222 # forgejo ssh
];
};
users = {
defaultUserShell = pkgs.fish;
users.owo = {
isNormalUser = true;
extraGroups = [ "networkmanager" "wheel" "docker" ];
openssh.authorizedKeys.keys = [
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDhXnulnINZ/hBBwHhzl35UsFcFUwxwaaFVFwCgIgOHmlJhknhpq5UQDbV6JoouFMgN48uBDD5/vcYjvS0UYFMBTox0MmJK+Yt4AnNusHkf8j1XCiXxHsicQilxJgu7yZJJRd2TAIqWlautW+VjuXOssN08x0pvtiupefDz6Li7A4SnS1iGsNTgypJaemquEYRge3hC043kaubuSgqNKknK65zA9aLp9h31r9W5K6N+k+ll+TPyyWZdsJMnaqWmoIS1+fpAdG5wMPZbR503dLPFzdprwy8FSoTzkD8aKyEdtzzQboS3b7s2DfFvOy3uoKy5bcMOl6Fm1dos90TFiOjCQmF9+WKG8qteeAtizd04Fmi8JRipODCgkvDFj8YAHaB2w5+xNpCYwJTOdHQZflOo25725aIDXZ2afg3evSdVZgJ0PPiWs6fnJMqbJCrzLsBxfN7vAbWzHHTBIuXrtidwY/x/XTs5n4mm4OukyOQF5YjYXy39WIlzjk3uMR0m8ec= lain@navi"
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDTbuZLmu2F2EWMl1cXwZqYQwuFDyMyPf+d6MospDs+UaFzKFJdtDlb5+uFkkz9gHf8rCBOnXi6bLGgZNxUhTgEBka0RQVCIqRDjOJAWtwG0zLg/mQ9c1Ug2/9kH/PRjy+GGGzz3GVw7HNZNUjAkNr/kIX4t0L8uBqqkgcM/woBH8S/rV3Xs30XWi9mNkx1J4Z5fqtBBeF2GAd02i2PsUMnGfZSwwJy3mhBhI+Vw5mtsS1QJWd9LrsRfLbtzVHWm4MGr3O0F34ij8BV1uzaHfopn0vKilI/dq8HfjuYjKr33CB5f3C1OdcuFfwqE3ZDxZcaOshqXimt9MrYLXaMv0i7I7a3r33ij2hl9d9oh3Z72yt+wAAdgTJ23Xrwzr4P9Iu4BsayG5bQC6IVLv3Eef5TcPKSXmmtCr2hFLYUMQmlPptrUOf1tmB/7oYo3vJe2cz07PxuxZZ20F3MXugoUTfsnuwAH2chT4xL/TnS4Kbs12QoPFjdG1v/0Z8fVD1ysoU= mina@navi"
];
packages = with pkgs; [
firefox
helix
mpv
croc
ffmpeg
speedtest-cli
htop
progress
duperemove
tmux
];
};
};
# This value determines the NixOS release from which the default
# settings for stateful data, like file locations and database versions
# on your system were taken. Its perfectly fine and recommended to leave
# this value at the release version of the first install of this system.
# Before changing this value read the documentation for this option
# (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
system.stateVersion = "23.05"; # Did you read the comment?
}

231
containers.nix Normal file
View file

@ -0,0 +1,231 @@
{
pkgs,
config,
lib,
...
}: let
settings = import ./settings.nix {};
backend = config.virtualisation.oci-containers.backend;
in {
system.activationScripts = {
docker-network-setup =
if backend == "docker"
then ''
${lib.getExe pkgs.docker} network inspect authentik || ${lib.getExe pkgs.docker} network create authentik
${lib.getExe pkgs.docker} network inspect authentik-internal || ${lib.getExe pkgs.docker} network create authentik-internal
${lib.getExe pkgs.docker} network inspect ${settings.firefish_docker_network} || ${lib.getExe pkgs.docker} network create ${settings.firefish_docker_network}
''
else "";
};
virtualisation.oci-containers = {
backend = "docker";
containers = {
drasl = {
autoStart = true;
image = "unmojang/drasl";
ports = [
"${toString settings.ports.drasl}:25585"
];
volumes = [
"${settings.server_configs}/drasl/config:/etc/drasl"
"${settings.server_configs}/drasl/data:/var/lib/drasl"
];
};
firefish = {
autoStart = true;
image = "registry.joinfirefish.org/firefish/firefish";
ports = [
"${toString settings.ports.firefish}:3000"
];
volumes = [
"${settings.server_configs}/firefish/files:/firefish/files"
"${settings.server_configs}/firefish/config:/firefish/.config:ro"
];
environment = {
NODE_ENV = "production";
};
extraOptions = [
"--network=${settings.firefish_docker_network}"
];
dependsOn = [
"firefish-redis"
"firefish-db"
"firefish-meilisearch"
];
};
firefish-redis = {
autoStart = true;
image = "docker.io/redis:7.0-alpine";
volumes = [
"/home/owo/firefish/redis:/data"
];
extraOptions = [
"--network=${settings.firefish_docker_network}"
];
};
firefish-db = {
autoStart = true;
image = "docker.io/postgres:15-alpine";
environment = {
POSTGRES_USER = "firefish";
POSTGRES_DB = "firefish";
};
volumes = [
"/home/owo/firefish/db:/var/lib/postgresql/data"
];
extraOptions = [
"--network=${settings.firefish_docker_network}"
];
};
firefish-meilisearch = {
autoStart = true;
image = "getmeili/meilisearch:v1.1.1";
volumes = [
"${settings.server_configs}/firefish/meili_data:/meili_data"
];
extraOptions = [
"--network=${settings.firefish_docker_network}"
];
};
# imgur-grab = {
# autoStart = true;
# image = "atdr.meo.ws/archiveteam/imgur-grab";
# cmd = [
# "--concurrent" "10"
# "kaya"
# ];
# };
scrutiny = {
autoStart = true;
image = "ghcr.io/analogj/scrutiny:master-omnibus";
ports = [
"${toString settings.ports.scrutiny}:8080"
];
volumes = [
"${settings.server_configs}/scrutiny/scrutiny:/opt/scrutiny/config"
"${settings.server_configs}/scrutiny/influxdb2:/opt/scrutiny/influxdb"
"/run/udev:/run/udev:ro"
];
extraOptions = [
"--cap-add=SYS_RAWIO"
"--cap-add=SYS_ADMIN"
"--device=/dev/nvme0n1"
"--device=/dev/sda"
"--device=/dev/sdb"
"--device=/dev/sdc"
"--device=/dev/sdd"
"--device=/dev/sdf"
"--device=/dev/sde"
];
};
plextraktsync = {
autoStart = true;
image = "ghcr.io/taxel/plextraktsync";
cmd = [ "watch" ];
environment = {
PUID="1000";
PGID="1000";
TZ="Europe/Tallinn";
};
volumes = [
"${settings.server_configs}/plextraktsync:/app/config"
];
};
cross-seed = {
autoStart = true;
image = "crossseed/cross-seed";
volumes = [
"${settings.server_configs}/cross-seed/config:/config"
"${settings.server_configs}/cross-seed/cross-seed:/cross-seeds"
"/home/owo/.local/share/qBittorrent/BT_backup:/torrents"
];
cmd = [
"daemon"
];
extraOptions = [
"--network=host"
];
};
watchtower = {
autoStart = true;
image = "containrrr/watchtower:latest-dev";
volumes = [
"/var/run/docker.sock:/var/run/docker.sock"
"/home/owo/.docker/config.json:/config.json"
];
environment = {
WATCHTOWER_NOTIFICATIONS="shoutrrr";
};
cmd = [
"--interval=30"
];
};
archivebox = {
autoStart = true;
image = "archivebox/archivebox:master";
cmd = [
"server"
"0.0.0.0:8000"
];
ports = [
"${toString settings.ports.archivebox}:8000"
];
environment = {
ALLOWED_HOSTS="*";
MEDIA_MAX_SIZE="750m";
};
volumes = [
"${settings.server_configs}/archivebox/data:/data"
];
};
wakapi = {
autoStart = true;
image = "ghcr.io/muety/wakapi:latest";
environment = {
WAKAPI_MAIL_SENDER = "Wakapi <wakapi@catnip.ee>";
WAKAPI_MAIL_SMTP_HOST = "sly.ee";
WAKAPI_MAIL_SMTP_PORT = "465";
WAKAPI_MAIL_SMTP_USER = "wakapi@catnip.ee";
WAKAPI_MAIL_SMTP_TLS = "true";
};
environmentFiles = [
"/etc/secrets/wakapi.env"
];
ports = [
"${toString settings.ports.wakapi}:3000"
];
volumes = [
"${settings.server_configs}/wakapi:/data"
];
extraOptions = [
#"--pull=always"
];
};
uptime-kuma = {
autoStart = true;
image = "louislam/uptime-kuma:latest";
ports = [
"${toString settings.ports.uptime_kuma}:3001"
];
volumes = [
"${settings.server_configs}/uptime-kuma:/app/data"
];
extraOptions = [
#"--pull=always"
];
};
jellyfin-vue = {
autoStart = true;
image = "jellyfin/jellyfin-vue:unstable";
ports = [
"${toString settings.ports.jellyfin_vue}:80"
];
extraOptions = [
#"--pull=always"
];
};
};
};
}

232
flake.lock generated Normal file
View file

@ -0,0 +1,232 @@
{
"nodes": {
"catnip-website": {
"flake": false,
"locked": {
"lastModified": 1703869764,
"narHash": "sha256-l1TPQ35EJ9SyBkmytOjA3idzdeNlUghRSq3kcx/Fk1M=",
"ref": "refs/heads/main",
"rev": "b377fde7c7deba5a5dbcbf6b04352dc158ed4b91",
"revCount": 3,
"type": "git",
"url": "ssh://forgejo@forge.catnip.ee:2222/batteredbunny/catnip.ee"
},
"original": {
"type": "git",
"url": "ssh://forgejo@forge.catnip.ee:2222/batteredbunny/catnip.ee"
}
},
"flake-compat": {
"flake": false,
"locked": {
"lastModified": 1673956053,
"narHash": "sha256-4gtG9iQuiKITOjNQQeQIpoIB6b16fm+504Ch3sNKLd8=",
"owner": "edolstra",
"repo": "flake-compat",
"rev": "35bb57c0c8d8b62bbfd284272c928ceb64ddbde9",
"type": "github"
},
"original": {
"owner": "edolstra",
"repo": "flake-compat",
"type": "github"
}
},
"flake-utils": {
"inputs": {
"systems": "systems"
},
"locked": {
"lastModified": 1705309234,
"narHash": "sha256-uNRRNRKmJyCRC/8y1RqBkqWBLM034y4qN7EprSdmgyA=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "1ef2e671c3b0c19053962c07dbda38332dcebf26",
"type": "github"
},
"original": {
"id": "flake-utils",
"type": "indirect"
}
},
"flake-utils_2": {
"inputs": {
"systems": "systems_2"
},
"locked": {
"lastModified": 1701680307,
"narHash": "sha256-kAuep2h5ajznlPMD9rnQyffWG8EM/C73lejGofXvdM8=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "4022d587cbbfd70fe950c1e2083a02621806a725",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "flake-utils",
"type": "github"
}
},
"flake-utils_3": {
"inputs": {
"systems": "systems_3"
},
"locked": {
"lastModified": 1681202837,
"narHash": "sha256-H+Rh19JDwRtpVPAWp64F+rlEtxUWBAQW28eAi3SRSzg=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "cfacdce06f30d2b68473a46042957675eebb3401",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "flake-utils",
"type": "github"
}
},
"lastfm-status": {
"inputs": {
"flake-utils": "flake-utils_2",
"nixpkgs": "nixpkgs"
},
"locked": {
"lastModified": 1704596513,
"narHash": "sha256-6Jete3tMd3XqPyhG0pfiwvlIy/8WAFl8hXpo+ruL9Z4=",
"owner": "BatteredBunny",
"repo": "lastfm-status",
"rev": "880be8092b4c8b0ffc370f55f93233fe2cac337c",
"type": "github"
},
"original": {
"owner": "BatteredBunny",
"repo": "lastfm-status",
"type": "github"
}
},
"nix-minecraft": {
"inputs": {
"flake-compat": "flake-compat",
"flake-utils": "flake-utils_3",
"nixpkgs": "nixpkgs_2"
},
"locked": {
"lastModified": 1708478105,
"narHash": "sha256-PdsoOusWA5Y0n15ivodpz63+9RWXTjqDvHg5yfXFiXg=",
"owner": "Infinidoge",
"repo": "nix-minecraft",
"rev": "b5847bf0f5ded2b731468a562ab3e4a1f0db9ae6",
"type": "github"
},
"original": {
"owner": "Infinidoge",
"repo": "nix-minecraft",
"type": "github"
}
},
"nixpkgs": {
"locked": {
"lastModified": 1704194953,
"narHash": "sha256-RtDKd8Mynhe5CFnVT8s0/0yqtWFMM9LmCzXv/YKxnq4=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "bd645e8668ec6612439a9ee7e71f7eac4099d4f6",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "nixos-unstable",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs_2": {
"locked": {
"lastModified": 1698318101,
"narHash": "sha256-gUihHt3yPD7bVqg+k/UVHgngyaJ3DMEBchbymBMvK1E=",
"owner": "nixos",
"repo": "nixpkgs",
"rev": "63678e9f3d3afecfeafa0acead6239cdb447574c",
"type": "github"
},
"original": {
"owner": "nixos",
"ref": "nixos-unstable",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs_3": {
"locked": {
"lastModified": 1708475490,
"narHash": "sha256-g1v0TsWBQPX97ziznfJdWhgMyMGtoBFs102xSYO4syU=",
"owner": "Nixos",
"repo": "nixpkgs",
"rev": "0e74ca98a74bc7270d28838369593635a5db3260",
"type": "github"
},
"original": {
"owner": "Nixos",
"ref": "nixos-unstable",
"repo": "nixpkgs",
"type": "github"
}
},
"root": {
"inputs": {
"catnip-website": "catnip-website",
"flake-utils": "flake-utils",
"lastfm-status": "lastfm-status",
"nix-minecraft": "nix-minecraft",
"nixpkgs": "nixpkgs_3"
}
},
"systems": {
"locked": {
"lastModified": 1681028828,
"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
"owner": "nix-systems",
"repo": "default",
"rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
"type": "github"
},
"original": {
"owner": "nix-systems",
"repo": "default",
"type": "github"
}
},
"systems_2": {
"locked": {
"lastModified": 1681028828,
"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
"owner": "nix-systems",
"repo": "default",
"rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
"type": "github"
},
"original": {
"owner": "nix-systems",
"repo": "default",
"type": "github"
}
},
"systems_3": {
"locked": {
"lastModified": 1681028828,
"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
"owner": "nix-systems",
"repo": "default",
"rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
"type": "github"
},
"original": {
"owner": "nix-systems",
"repo": "default",
"type": "github"
}
}
},
"root": "root",
"version": 7
}

24
flake.nix Normal file
View file

@ -0,0 +1,24 @@
{
inputs = {
nixpkgs.url = "github:Nixos/nixpkgs/nixos-unstable";
lastfm-status.url = "github:BatteredBunny/lastfm-status";
nix-minecraft.url = "github:Infinidoge/nix-minecraft";
catnip-website = {
url = "git+ssh://forgejo@forge.catnip.ee:2222/batteredbunny/catnip.ee";
flake = false;
};
};
outputs = {
self,
nixpkgs,
flake-utils,
...
}@inputs: {
nixosConfigurations.server = nixpkgs.lib.nixosSystem rec {
system = "x86_64-linux";
specialArgs = {inherit inputs system; };
modules = [ ./configuration.nix ];
};
};
}

40
hardware-configuration.nix Normal file
View file

@ -0,0 +1,40 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
{
imports =
[ (modulesPath + "/installer/scan/not-detected.nix")
];
boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "nvme" "usbhid" "usb_storage" "sd_mod" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ "kvm-intel" ];
boot.extraModulePackages = [ ];
fileSystems."/" =
{ device = "/dev/disk/by-uuid/5d0d7a21-3a0f-4f36-8cc2-0c2c7520e276";
fsType = "ext4";
};
fileSystems."/boot" =
{ device = "/dev/disk/by-uuid/9F41-6A23";
fsType = "vfat";
};
swapDevices =
[ { device = "/dev/disk/by-uuid/79545188-d3b9-4d87-ba5f-8875dc92586a"; }
];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's
# still possible to use this option, but it's recommended to use it in conjunction
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
networking.useDHCP = lib.mkDefault true;
# networking.interfaces.enp0s31f6.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
powerManagement.cpuFreqGovernor = lib.mkDefault "powersave";
hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
}

39
settings.nix Normal file
View file

@ -0,0 +1,39 @@
{...}: {
# Docker config locations
server_configs = "/mnt/important/server_configs";
server_configs_home = "/home/owo/Documents/server_configs";
firefish_docker_network = "firefishinternal";
ports = {
# ports from docker-compose.yml
authentik = 9000;
matrix-sliding-sync = 8010;
mautrix-telegram = 8009;
synapse = 8008;
prowlarr = 9696;
radarr = 7878;
sonarr = 8989;
drasl = 4017;
firefish = 4016;
privoxy = 4015;
lastfm = 4014;
scrutiny = 4012;
qbittorrent-out = 36163;
qbittorrent = 4010;
archivebox = 4009;
nextcloud = 4008;
bazarr = 4007;
ntfy = 4006;
forgejo = 4005;
jellyfin_vue = 4004;
jellyfin = 8096;
uptime_kuma = 4002;
wakapi = 4001;
plex = 32400;
};
}