batteredbunny/server.nix
1
0
Fork 0
Code Issues 11 Pull requests Projects Releases Packages Wiki Activity Actions
server.nix/configuration.nix

578 lines
16 KiB
Nix
Raw Blame History

{ config
, pkgs
, inputs
, settings
, ...
}: {
imports = [
./hardware-configuration.nix
./containers
./caddy
./gui.nix
./drives.nix
./games/palworld.nix
./games/minecraft
./services/mautrix.nix
./services/jellyfin.nix
./services/mastodon.nix
./services/archivebox.nix
./services/cross-seed.nix
./services/forgejo.nix
./services/wakapi.nix
./services/blocky.nix
./services/coturn.nix
./services/feishin.nix
./services/ntfy.nix
inputs.lastfm-status.nixosModules.default
inputs.confess.nixosModules.default
inputs.common-modules.nixosModules.nixos-upgrade
inputs.common-modules.nixosModules.qbittorrent-nox
inputs.common-modules.nixosModules.unpackerr
inputs.common-modules.nixosModules.cross-seed
];
nixpkgs = {
config.allowUnfree = true;
overlays = [
inputs.nix-minecraft-plugin-upgrade.overlays.default
];
};
system.autoUpgrade = {
enable = true;
allowReboot = true;
flake = "/etc/nixos";
updateFlake = true;
# minecraft plugin auto update
extraCommands =
let
plugins = [
"simple-voice-chat" # https://modrinth.com/plugin/simple-voice-chat
"worldedit" # https://modrinth.com/plugin/worldedit
];
in
''
nix-minecraft-plugin-upgrade --loader paper --game-version 1.21.1 --project ${builtins.concatStringsSep " --project " plugins} > games/minecraft/paper-vanilla-plugins.nix
git add games/minecraft/paper-vanilla-plugins.nix
git commit games/minecraft/paper-vanilla-plugins.nix -m "Updated games/minecraft/paper-vanilla-plugins.nix"
'';
};
nix = {
gc = {
automatic = true;
dates = "weekly";
};
optimise = {
automatic = true;
dates = [ "06:00" ];
};
settings = {
sandbox = false; # Caddy cannot be built in a sandbox because it retrieves external dependencies (i.e. cloudflare-dns module)
experimental-features = [ "nix-command" "flakes" ];
auto-optimise-store = true;
allowed-users = [
"@wheel"
"owo"
];
};
};
boot = {
supportedFilesystems = [ "btrfs" "mergerfs" ];
tmp.cleanOnBoot = true;
kernelPackages = pkgs.linuxPackages_latest;
loader = {
systemd-boot.enable = true;
efi.canTouchEfiVariables = true;
};
};
systemd.services = {
tailscaled.environment = {
TS_NO_LOGS_NO_SUPPORT = "true";
};
};
networking = {
hostName = "server";
networkmanager.enable = true;
resolvconf = {
enable = true;
useLocalResolver = true; # prefers tailscale dns otherwise
};
nameservers = [
"127.0.0.1"
# cloudflare
"1.1.1.1"
"1.0.0.1"
];
interfaces.enp0s31f6q = {
ipv6.addresses = [{
address = "2001:7d0:84a6:5900:263a:6e9b:63e4:3b82";
prefixLength = 64;
}];
ipv4.addresses = [{
address = "192.168.1.131";
prefixLength = 24;
}];
};
firewall = {
enable = true;
allowedTCPPorts = [
# HTTP/HTTPS
80
443
];
};
};
time.timeZone = "Europe/Tallinn";
i18n = {
defaultLocale = "en_GB.UTF-8";
extraLocaleSettings = {
LC_ADDRESS = "et_EE.UTF-8";
LC_IDENTIFICATION = "et_EE.UTF-8";
LC_MEASUREMENT = "et_EE.UTF-8";
LC_MONETARY = "et_EE.UTF-8";
LC_NAME = "et_EE.UTF-8";
LC_NUMERIC = "et_EE.UTF-8";
LC_PAPER = "et_EE.UTF-8";
LC_TELEPHONE = "et_EE.UTF-8";
LC_TIME = "et_EE.UTF-8";
};
};
hardware = {
nvidia = {
package = config.boot.kernelPackages.nvidiaPackages.stable;
modesetting.enable = true;
open = false;
};
nvidia-container-toolkit.enable = true;
};
virtualisation.docker = {
enable = true;
autoPrune.enable = true;
};
environment.systemPackages = with pkgs; [
mergerfs
mergerfs-tools
ffmpeg # nextcloud
];
programs = {
mosh.enable = true;
git.enable = true;
fish.enable = true;
ssh.startAgent = true;
};
security = {
sudo.wheelNeedsPassword = false;
acme = {
acceptTerms = true;
defaults.email = "ssl@catnip.ee";
};
};
services = {
pds = {
enable = true;
pdsadmin.enable = true;
environmentFiles = [
"/etc/secrets/bluesky.env"
];
settings = {
PDS_PORT = "3001";
PDS_HOSTNAME = "bsky.ee";
#PDS_EMAIL_SMTP_URL = "smtps://bluesky@bsky.ee:password@mx1.sly.ee:465";
PDS_EMAIL_FROM_ADDRESS = "bluesky@bsky.ee";
};
};
borgbackup.jobs."borgbase" = {
paths = [
# maybe only include /var/lib?
"/var/lib/lidarr"
"/var/lib/sonarr"
"/var/lib/radarr"
"/var/lib/bazarr"
"/var/lib/private/prowlarr"
"/var/lib/mysql"
"/var/lib/postgresql"
"/var/lib/nextcloud"
"/var/lib/private/drasl"
"/var/lib/acme"
"/var/lib/tailscale"
"/var/lib/private/scrutiny"
"/var/lib/caddy"
"/var/lib/redis-nextcloud"
"/var/lib/syncthing"
"/var/lib/matrix-synapse"
"/var/lib/plex"
"/var/lib/confess-web"
"/var/lib/influxdb2"
"/etc/secrets"
"/etc/nixos"
"/srv/minecraft"
"/home/owo/.config/qBittorrent"
"/home/owo/.local/share/qBittorrent"
"/home/owo/Documents/server_configs/archivebox"
"/home/owo/Documents/server_configs/epicgames-freegames-node"
"/home/owo/Documents/server_configs/palworld"
"/home/owo/Documents/server_configs/plextraktsync"
"/home/owo/Documents/server_configs/sonic"
];
exclude = [
"/var/lib/lidarr/.config/Lidarr/MediaCover"
"/var/lib/sonarr/.config/NzbDrone/MediaCover"
"/var/lib/radarr/.config/Radarr/MediaCover"
"/var/lib/plex/transcode"
"/var/lib/plex/Plex Media Server/Media"
"/var/lib/matrix-synapse/media_store/remote_content"
"/var/lib/matrix-synapse/media_store/remote_thumbnail"
];
repo = "ssh://uq9l5635@uq9l5635.repo.borgbase.com/./repo";
encryption = {
mode = "repokey-blake2";
passCommand = "cat /etc/secrets/borgpass";
};
environment.BORG_RSH = "ssh -i /home/owo/.ssh/id_rsa";
compression = "auto,lzma";
startAt = "daily";
};
syncthing = {
enable = true;
guiAddress = "0.0.0.0:8384";
openDefaultPorts = true;
};
confess-web = {
enable = true;
port = 8011;
reverseProxy = true;
trustedProxy = "127.0.0.1";
environmentFile = "/etc/secrets/confess.env";
};
lastfm-status = {
enable = true;
port = 4014;
};
unpackerr = {
enable = true;
# Stores UN_SONARR_0_API_KEY, UN_RADARR_0_API_KEY
environmentFile = "/etc/secrets/unpackerr.env";
user = "owo";
group = "users";
settings = {
debug = false;
quiet = false;
# How often to poll sonarr and radarr.
# Recommend 1m-5m. Uses Go Duration.
interval = "2m";
start_delay = "1m";
retry_delay = "5m";
parallel = 1;
# Use these configurations to control the file modes used for newly extracted
# files and folders. Recommend 0644/0755 or 0666/0777.
file_mode = "0644";
dir_mode = "0755";
sonarr = [
{
url = "http://localhost:8989";
paths = [ "/mnt/drive1/torrents/downloads" "/mnt/drive2/torrents" "/mnt/seagate-8tb-1/torrents" "/mnt/seagate-8tb-2/torrents" ];
protocols = "torrent";
timeout = "100s";
delete_delay = "10m";
}
];
radarr = [
{
url = "http://localhost:7878";
paths = [ "/mnt/drive1/torrents/downloads" "/mnt/drive2/torrents" "/mnt/seagate-8tb-1/torrents" "/mnt/seagate-8tb-2/torrents" ];
protocols = "torrent";
timeout = "100s";
delete_delay = "10m";
}
];
};
};
qbittorrent-nox = {
enable = true;
openFirewall = true;
user = "owo";
group = "users";
webuiPort = settings.ports.qbittorrent;
torrentingPort = settings.ports.qbittorrent-torrent;
};
scrutiny = {
enable = true;
collector.enable = true;
settings.web.listen.port = 4012;
};
# /var/lib/nextcloud
nextcloud = {
enable = true;
package = pkgs.nextcloud30;
hostName = "cloud.catnip.ee";
https = true;
configureRedis = true; # /var/lib/redis-nextcloud
config = {
adminuser = "admin";
adminpassFile = "/etc/secrets/nextcloud";
dbtype = "mysql";
};
autoUpdateApps.enable = true;
database.createLocally = true;
extraApps = with config.services.nextcloud.package.packages.apps; {
inherit contacts calendar tasks mail;
integration_github = pkgs.fetchNextcloudApp {
url = "https://github.com/nextcloud-releases/integration_github/releases/download/v3.0.0/integration_github-v3.0.0.tar.gz";
sha256 = "sha256-ruLN4lw3Vy8OavTYm1g2L9q1wusRP0a+BpvfXkrZI3A=";
license = "agpl3Only";
};
};
extraAppsEnable = true;
settings = {
enable_previews = true;
enabledPreviewProviders = [
"OC\\Preview\\OpenDocument"
"OC\\Preview\\PDF"
"OC\\Preview\\MSOffice2003"
"OC\\Preview\\MSOfficeDoc"
"OC\\Preview\\Image"
"OC\\Preview\\Photoshop"
"OC\\Preview\\TIFF"
"OC\\Preview\\SVG"
"OC\\Preview\\Font"
"OC\\Preview\\MP3"
"OC\\Preview\\Movie"
"OC\\Preview\\MKV"
"OC\\Preview\\MP4"
"OC\\Preview\\AVI"
];
};
};
# /var/lib/mysql
mysql = {
enable = true;
ensureDatabases = [
"nextcloud"
];
ensureUsers = [
{
name = "nextcloud";
ensurePermissions = {
"nextcloud.*" = "ALL PRIVILEGES";
};
}
];
};
nginx.virtualHosts.${config.services.nextcloud.hostName} = {
listen = [
{
addr = "127.0.0.1";
port = settings.ports.nextcloud;
}
];
};
tailscale = {
enable = true;
useRoutingFeatures = "server";
extraSetFlags = [
"--advertise-exit-node"
];
permitCertUid = "caddy";
port = 0;
};
lidarr.enable = true; # port 8686, /var/lib/lidarr
prowlarr.enable = true; # port 9696, /var/lib/prowlarr
radarr.enable = true; # port 7878, /var/lib/radarr
sonarr.enable = true; # port 8989, /var/lib/sonarr
bazarr.enable = true; # port 6767, /var/lib/bazarr
# /var/lib/plex
plex = {
enable = true;
openFirewall = true; # 32400
};
# /var/lib/postgresql
postgresql = {
enable = true;
package = pkgs.postgresql_16;
enableTCPIP = true;
initialScript = pkgs.writeText "backend-initScript" ''
CREATE USER "matrix-synapse";
CREATE DATABASE "matrix-synapse" WITH OWNER "matrix-synapse"
LOCALE 'C'
ENCODING 'UTF8'
TEMPLATE template0;
'';
identMap = ''
superuser_map root mastodon
superuser_map mastodon mastodon
superuser_map root matrix-synapse
superuser_map matrix-synapse matrix-synapse
superuser_map root forgejo
superuser_map forgejo forgejo
superuser_map root postgres
superuser_map postgres postgres
superuser_map root wakapi
superuser_map wakapi wakapi
superuser_map root nextcloud
superuser_map nextcloud nextcloud
'';
authentication = pkgs.lib.mkOverride 10 ''
#type database DBuser auth-method optional_ident_map
local sameuser all peer map=superuser_map
'';
};
# /var/lib/matrix-synapse
matrix-synapse = {
enable = true;
extraConfigFiles = [
"/etc/secrets/synapse.yaml"
];
settings = {
enable_registration = true;
registration_requires_token = true;
max_upload_size = "250M";
server_name = "catnip.ee";
public_baseurl = "https://matrix.catnip.ee/";
# Note: email submodule is defined in /etc/secrets/synapse.yaml as matrix doesnt merge the fields and it will fail to run
# email = {
# smtp_host = "mx1.sly.ee";
# smtp_user = "matrix@catnip.ee";
# smtp_pass = "";
# force_tls = true;
# notif_from = "Matrix <matrix@catnip.ee>";
# app_name = "Catnip.ee matrix";
# };
server_notices = {
system_mxid_localpart = "server";
system_mxid_display_name = "Server Notices";
system_mxid_avatar_url = "mxc://catnip.ee/LhehrbXOjfnhaJvFEWsXPtnm";
room_name = "Server Notices";
auto_join = true;
};
database = {
name = "psycopg2";
args = {
database = "matrix-synapse";
user = "matrix-synapse";
};
};
listeners = [
{
bind_addresses = [ "127.0.0.1" ];
port = 8008;
resources = [
{
compress = true;
names = [ "client" "federation" ];
}
];
tls = false;
type = "http";
x_forwarded = true;
}
];
turn_uris = [
"turn:${config.services.coturn.realm}:3478?transport=udp"
"turn:${config.services.coturn.realm}:3478?transport=tcp"
];
turn_user_lifetime = "1h";
};
};
openssh = {
enable = true;
settings = {
PasswordAuthentication = false;
PermitRootLogin = "no";
};
};
cloudflare-dyndns = {
enable = true;
apiTokenFile = "/etc/secrets/cloudflare-dyndns.env";
ipv4 = true;
ipv6 = true;
domains = [
"catnip.ee"
];
};
};
users = {
defaultUserShell = pkgs.fish;
users = {
owo = {
isNormalUser = true;
extraGroups = [ "networkmanager" "wheel" "docker" ];
openssh.authorizedKeys.keys = [
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDhXnulnINZ/hBBwHhzl35UsFcFUwxwaaFVFwCgIgOHmlJhknhpq5UQDbV6JoouFMgN48uBDD5/vcYjvS0UYFMBTox0MmJK+Yt4AnNusHkf8j1XCiXxHsicQilxJgu7yZJJRd2TAIqWlautW+VjuXOssN08x0pvtiupefDz6Li7A4SnS1iGsNTgypJaemquEYRge3hC043kaubuSgqNKknK65zA9aLp9h31r9W5K6N+k+ll+TPyyWZdsJMnaqWmoIS1+fpAdG5wMPZbR503dLPFzdprwy8FSoTzkD8aKyEdtzzQboS3b7s2DfFvOy3uoKy5bcMOl6Fm1dos90TFiOjCQmF9+WKG8qteeAtizd04Fmi8JRipODCgkvDFj8YAHaB2w5+xNpCYwJTOdHQZflOo25725aIDXZ2afg3evSdVZgJ0PPiWs6fnJMqbJCrzLsBxfN7vAbWzHHTBIuXrtidwY/x/XTs5n4mm4OukyOQF5YjYXy39WIlzjk3uMR0m8ec= lain@navi" # desktop
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDTbuZLmu2F2EWMl1cXwZqYQwuFDyMyPf+d6MospDs+UaFzKFJdtDlb5+uFkkz9gHf8rCBOnXi6bLGgZNxUhTgEBka0RQVCIqRDjOJAWtwG0zLg/mQ9c1Ug2/9kH/PRjy+GGGzz3GVw7HNZNUjAkNr/kIX4t0L8uBqqkgcM/woBH8S/rV3Xs30XWi9mNkx1J4Z5fqtBBeF2GAd02i2PsUMnGfZSwwJy3mhBhI+Vw5mtsS1QJWd9LrsRfLbtzVHWm4MGr3O0F34ij8BV1uzaHfopn0vKilI/dq8HfjuYjKr33CB5f3C1OdcuFfwqE3ZDxZcaOshqXimt9MrYLXaMv0i7I7a3r33ij2hl9d9oh3Z72yt+wAAdgTJ23Xrwzr4P9Iu4BsayG5bQC6IVLv3Eef5TcPKSXmmtCr2hFLYUMQmlPptrUOf1tmB/7oYo3vJe2cz07PxuxZZ20F3MXugoUTfsnuwAH2chT4xL/TnS4Kbs12QoPFjdG1v/0Z8fVD1ysoU= mina@navi" # laptop
];
packages = with pkgs; [
firefox
helix
mpv
croc
ffmpeg
speedtest-cli
htop
progress
duperemove
tmux
du-dust # du alternative
dogedns # dig alternative
nix-minecraft-plugin-upgrade
];
};
};
};
system.stateVersion = "23.05";
}
Reference in a new issue View git blame Copy permalink