From dd76463953e729df2ab7b7b3415392ac04a88570 Mon Sep 17 00:00:00 2001 From: baritone Date: Wed, 5 Mar 2025 14:57:17 +0100 Subject: [PATCH] aughr --- configuration.nix | 9 ++- flake.nix | 4 - modules/age.nix | 3 + modules/microvm.nix | 0 modules/networking-metal.nix | 0 packages/shoko/package.nix | 0 packages/shoko/service.nix | 0 secrets/secrets.nix | 4 + services/fail2ban.nix | 0 services/forgejo.nix | 2 +- services/jellyfin.nix | 14 +++- services/mailserver.nix | 0 services/nginx.nix | 0 services/sonarr.nix | 148 ++++++++++++++++++++++++++++++++--- services/vaultwarden.nix | 0 services/website.nix | 0 16 files changed, 163 insertions(+), 21 deletions(-) create mode 100644 modules/age.nix mode change 100644 => 100755 modules/microvm.nix mode change 100644 => 100755 modules/networking-metal.nix mode change 100644 => 100755 packages/shoko/package.nix mode change 100644 => 100755 packages/shoko/service.nix create mode 100644 secrets/secrets.nix mode change 100644 => 100755 services/fail2ban.nix mode change 100644 => 100755 services/jellyfin.nix mode change 100644 => 100755 services/mailserver.nix mode change 100644 => 100755 services/nginx.nix mode change 100644 => 100755 services/sonarr.nix mode change 100644 => 100755 services/vaultwarden.nix mode change 100644 => 100755 services/website.nix diff --git a/configuration.nix b/configuration.nix index d719c9e..7a659d3 100755 --- a/configuration.nix +++ b/configuration.nix @@ -1,4 +1,8 @@ -{pkgs, ...}: { +{ + pkgs, + inputs, + ... +}: { imports = [ ./services/nginx.nix ./services/openssh.nix @@ -11,6 +15,7 @@ ./services/sonarr.nix ./services/misc.nix + ./modules/age.nix ./modules/microvm.nix ./modules/git.nix ./modules/nix-settings.nix @@ -45,6 +50,8 @@ curl git vim + + inputs.agenix.packages."${system}".default ]; environment.variables = { diff --git a/flake.nix b/flake.nix index c50de0a..ef0b83f 100755 --- a/flake.nix +++ b/flake.nix 
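Review bot: `inputs.agenix.packages."${system}".default` in the `environment.systemPackages` hunk of configuration.nix references `system`, which is not among this module's arguments (`{ pkgs, inputs, ... }`) and is not one of the default NixOS module arguments, so evaluation should fail with an undefined-variable error unless `system` is injected through `specialArgs` somewhere outside this patch. Use a value the module already has in scope instead: `inputs.agenix.packages.${pkgs.stdenv.hostPlatform.system}.default`. The `./modules/age.nix` import added in the earlier hunk only brings in a comment-only placeholder, so the agenix CLI is installed but nothing on this page yet declares an `age.secrets` entry.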
@@ -35,10 +35,6 @@ nixpkgs, ... } @ inputs: let
- # lib = import ./lib {
- # inherit nixpkgs;
- # inherit self;
- # };
system = "x86_64-linux"; pkgs = import nixpkgs {inherit system;}; in {
diff --git a/modules/age.nix b/modules/age.nix
new file mode 100644
index 0000000..6cbc0dc
--- /dev/null
+++ b/modules/age.nix
@@ -0,0 +1,3 @@
+{config, ...}: {
+ # This is where the age files go
+}
diff --git a/modules/microvm.nix b/modules/microvm.nix
old mode 100644
new mode 100755
diff --git a/modules/networking-metal.nix b/modules/networking-metal.nix
old mode 100644
new mode 100755
diff --git a/packages/shoko/package.nix b/packages/shoko/package.nix
old mode 100644
new mode 100755
diff --git a/packages/shoko/service.nix b/packages/shoko/service.nix
old mode 100644
new mode 100755
diff --git a/secrets/secrets.nix b/secrets/secrets.nix
new file mode 100644
index 0000000..a763b3a
--- /dev/null
+++ b/secrets/secrets.nix
@@ -0,0 +1,4 @@
+let
+ public-key = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC562Woe/yT/3dNVceN9rKPJQcvgTFzIhJVdVGv7sqn1 baritone@server";
+in {
+}
diff --git a/services/fail2ban.nix b/services/fail2ban.nix
old mode 100644
new mode 100755
diff --git a/services/forgejo.nix b/services/forgejo.nix
index 9de7f0c..1d91904 100755
--- a/services/forgejo.nix
+++ b/services/forgejo.nix
@@ -29,7 +29,7 @@ in {
}; services.nginx.virtualHosts."git.spoodythe.one" = {
- addSSL = true;
+ forceSSL = true;
enableACME = true; locations."/" = { proxyPass = "http://${host}:${toString port}";
diff --git a/services/jellyfin.nix b/services/jellyfin.nix
old mode 100644
new mode 100755
index 6323e74..db4b6ff
--- a/services/jellyfin.nix
+++ b/services/jellyfin.nix
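Review bot: `public-key` in the new secrets/secrets.nix is bound in the `let` but the attribute set it returns is empty, so agenix has no secret entries and the binding is dead code; an entry such as `"example.age".publicKeys = [public-key];` (the name is a placeholder) is needed before `agenix -e` has anything to encrypt. The committed key is a user key (`baritone@server` comment), while agenix by default decrypts on the target with the host's own SSH host key, so the host's `ssh_host_ed25519_key.pub` will also have to be listed or the secrets cannot be decrypted at boot. The new modules/age.nix is a comment-only placeholder that declares `config` without using it, which is harmless for now.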
@@ -45,14 +45,22 @@ in {
config.services.nginx. virtualHosts."media.spoodythe.one" = {
- addSSL = true;
+ forceSSL = true;
enableACME = true; locations."/" = { proxyPass = "http://${host}:${toString port}";
+ extraConfig = ''
+ # Websocket support
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection $http_connection;
+
+ # Disable buffering when the nginx proxy gets very resource heavy upon streaming
+ proxy_buffering off;
+ '';
}; }; # Open port 80 and 443 for reverse proxy
- config.networking.firewall.allowedTCPPorts = [80 443];
- config.networking.firewall.allowedUDPPorts = [80 443];
+ config.networking.firewall.allowedTCPPorts = [port 80 443];
+ config.networking.firewall.allowedUDPPorts = [port 80 443];
}
diff --git a/services/mailserver.nix b/services/mailserver.nix
old mode 100644
new mode 100755
diff --git a/services/nginx.nix b/services/nginx.nix
old mode 100644
new mode 100755
diff --git a/services/sonarr.nix b/services/sonarr.nix
old mode 100644
new mode 100755
index 2fe2863..2fabb73
--- a/services/sonarr.nix
+++ b/services/sonarr.nix
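Review bot: `config.networking.firewall.allowedTCPPorts = [port 80 443]` exposes the Jellyfin backend port directly on the host firewall, which undoes the `forceSSL = true` switch made earlier in the same hunk: a client can talk to `port` in plaintext while the proxy on 80 only redirects to HTTPS. If `port` is only consumed by the local `proxyPass` (`host` and `port` are defined outside the hunk), no host-firewall opening is needed and the line should stay `config.networking.firewall.allowedTCPPorts = [80 443];`. The matching `allowedUDPPorts = [port 80 443]` opens the same ports over UDP, which nothing visible in this hunk uses (no HTTP/3 listener is configured here), so it can be dropped or left empty. The `Upgrade`/`Connection` headers and `proxy_buffering off` are appropriate for websocket and streaming traffic.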
@@ -1,24 +1,56 @@ { pkgs, lib, + config, ... }: let host = "127.0.0.1"; port = 8989; vm-index = 1; vm-mac = "00:00:00:00:00:01"; - vm-name = "sonarr"; + vm-name = "necoarc"; in { config.microvm.autostart = [vm-name]; + config.users.extraUsers.microvm.extraGroups = [ + "jellyfin" # access to media folder + ]; + config.system.activationScripts."make${vm-name}DataDir" = lib.stringAfter ["var"] '' mkdir -p /var/lib/${vm-name} chmod -R 777 /var/lib/${vm-name} chown -R microvm /var/lib/${vm-name} + chmod -R 777 /media ''; + # config.networking.wireguard.enable = true; + # # config.boot.extraModulePackages = [config.boot.kernelPackages.wireguard]; + + # config.networking.wireguard.interfaces.wg0 = { + # ips = ["10.75.60.108/32"]; + # listenPort = 51820; + # privateKeyFile = "${./wireguard-secret}"; + # peers = [ + # { + # publicKey = "TPAIPTgu9jIitgX1Bz5xMCZJ9pRRZTdtZEOIxArO0Hc="; + # endpoint = "185.254.75.4:51820"; + # allowedIPs = ["0.0.0.0/0"]; + # persistentKeepalive = 25; + # } + # ]; + # }; + + # config.systemd.network.networks.wg0 = { + # matchConfig.Name = "wg0"; + # address = ["10.0.1.${toString vm-index}/24"]; + # networkConfig = { + # IPMasquerade = "ipv4"; + # IPv4Forwarding = true; + # }; + # }; + config.microvm.vms.${vm-name} = { - config = { + config = {config, ...}: { system.stateVersion = "24.11"; # Storage share configuration microvm.shares = [ 
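Review bot: `chmod -R 777 /media` in the `make${vm-name}DataDir` activation script makes the whole media tree world-writable on the host on every activation (the pre-existing `chmod -R 777 /var/lib/${vm-name}` above it already does this for the VM data dir), so every local user and service can modify or delete the library, and a recursive chmod over a media collection is also re-run on each rebuild. The same hunk adds the `microvm` user to the `jellyfin` group, so group permissions are the intended mechanism: `chgrp -R jellyfin /media` followed by `chmod -R g+rwX /media` (or setgid `2770` on directories) gives the VM access without opening the tree to everyone. The commented-out wireguard block uses `privateKeyFile = "${./wireguard-secret}"`; if it is ever uncommented, that interpolation copies the private key into the world-readable Nix store, so it should reference a path outside the store (an agenix-managed secret, which this patch starts setting up, would fit). The enclosing `let ... in { ... }` continues past the end of this hunk.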
@@ -30,19 +62,25 @@ in {
{ tag = "data-dir"; source = "/var/lib/${vm-name}";
- mountPoint = "/var/lib/sonarr";
+ mountPoint = "/mnt";
+ proto = "virtiofs";
+ }
+ {
+ tag = "media-dir";
+ source = "/media/shows";
+ mountPoint = "/media/shows";
proto = "virtiofs"; } ]; # Allow the service to use the share system.activationScripts."chownDataDir" = lib.stringAfter ["var"] ''
- mkdir -p /var/lib/sonarr
- chmod -R 770 /var/lib/sonarr
- chown -R sonarr:sonarr /var/lib/sonarr
+ mkdir -p /mnt
+ chmod -R 770 /mnt
+ chown -R sonarr:sonarr /mnt
'';
-
- systemd.services.sonarr.serviceConfig.ExecStartPre = "/run/current-system/sw/bin/sleep 5";
+ systemd.services.sonarr.serviceConfig.ExecStartPre = "/run/current-system/sw/bin/sleep 5";
+ systemd.services.rutorrent.serviceConfig.ExecStartPre = "/run/current-system/sw/bin/sleep 5";
microvm.hypervisor = "qemu";
@@ -75,9 +113,12 @@ in {
]; networkConfig = { DNS = [
- "9.9.9.9"
- "8.8.8.8"
- "8.8.4.4"
+ # "9.9.9.9"
+ # "8.8.8.8"
+ # "8.8.4.4"
+
+ # Only allow mullvad DNS server
+ "10.64.0.1"
]; }; };
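Review bot: `systemd.services.rutorrent.serviceConfig.ExecStartPre` names a unit `rutorrent`, but the service enabled later in this patch is `services.rtorrent` (unit `rtorrent`), so this line defines a fresh `rutorrent` unit that has an `ExecStartPre` and no `ExecStart`, and the intended start delay never applies to rtorrent. Assuming a typo, change it to `systemd.services.rtorrent.serviceConfig.ExecStartPre = "/run/current-system/sw/bin/sleep 5";`. The `chownDataDir` script's `chmod -R 770 /mnt` and `chown -R sonarr:sonarr /mnt` now run over the whole `/mnt` share, which also holds `/mnt/rtorrent` (the rtorrent `dataDir` in a later hunk, running as `rtorrent:rtorrent`), so each activation hands rtorrent's data to the sonarr user; scope both commands to `/mnt/sonarr`. The enclosing `config.microvm.vms.${vm-name}` definition starts and ends outside this hunk.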
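Review bot: The guest DNS list is reduced to `"10.64.0.1"` under the comment "Only allow mullvad DNS server", but every tunnel configuration in this patch (the wireguard blocks in this file and the openvpn block in the next hunk) is commented out, so unless a tunnel is set up elsewhere that resolver is unreachable and the VM is left without working name resolution. Either keep a reachable resolver until the tunnel is live, or land the tunnel in the same change so the VPN-only DNS intent actually holds. The comment also overstates what the option does: listing one address in `networkConfig.DNS` does not prevent other resolvers from being used; that would need an egress rule, so `# Use the mullvad DNS server (reachable only over the tunnel)` describes it more accurately.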
@@ -89,12 +130,72 @@ in { "8.8.4.4" ]; - # Service + # Services services.sonarr = { enable = true; openFirewall = true; + dataDir = "/mnt/sonarr"; }; + services.rtorrent = { + enable = true; + dataDir = "/mnt/rtorrent"; + user = "rtorrent"; + group = "rtorrent"; + port = 9999; + }; + + # networking.wireguard.enable = true; + # boot.extraModulePackages = [config.boot.kernelPackages.wireguard]; + + # networking.wireguard.interfaces.wg0 = { + # ips = ["10.75.60.108/32"]; + # listenPort = 51820; + # privateKeyFile = "${./wireguard-secret}"; + # peers = [ + # { + # publicKey = "TPAIPTgu9jIitgX1Bz5xMCZJ9pRRZTdtZEOIxArO0Hc="; + # endpoint = "185.254.75.4:51820"; + # allowedIPs = ["0.0.0.0/0"]; + # persistentKeepalive = 25; + # } + # ]; + # }; + + # networking.firewall.extraCommands = '' + # ${pkgs.iptables}/bin/iptables -I OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL ! -d 10.0.0.0/8 -j REJECT && ${pkgs.iptables}/bin/ip6tables -I OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT + # ''; + + # services.openvpn.servers.mullvad = { + # config = '' + # client + # dev tun + # resolv-retry infinite + # nobind + # persist-key + # persist-tun + # verb 3 + # remote-cert-tls server + # ping 10 + # ping-restart 60 + # sndbuf 524288 + # rcvbuf 524288 + # cipher AES-256-GCM + # tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384 + # proto udp + # auth-user-pass mullvad_userpass.txt + # ca mullvad_ca.crt + # script-security 2 + # up /etc/openvpn/update-resolv-conf + # down /etc/openvpn/update-resolv-conf + # fast-io + # remote 193.32.248.72 1301 # de-ber-ovpn-001 + # ''; + # authUserPass.username = "9898431198930064"; + # authUserPass.password = "m"; + # updateResolvConf = true; + # }; + # Debug user users.users."root" = { password = "1234"; 
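Review bot: The commented-out `services.openvpn.servers.mullvad` block carries `authUserPass.username = "9898431198930064";` and `authUserPass.password = "m";`, which look like a VPN account identifier and password; commented or not, they are now in the repository history, so they should be treated as exposed and rotated, and the block removed rather than kept as a comment. If the tunnel is revived, the NixOS `authUserPass` options write the credentials into the world-readable Nix store; keep them in an age secret (this patch adds agenix) and reference it from the config text as `auth-user-pass ${config.age.secrets.<name>.path}` (name is a placeholder, and assumes the agenix module is imported into the guest). The same applies to the commented wireguard `privateKeyFile = "${./wireguard-secret}"` repeated here, which would be copied into the store on evaluation. The enclosing VM module continues past the end of this hunk.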
@@ -113,4 +214,27 @@ in { }; }; };
+
+ config.networking.firewall.allowedTCPPorts = [port 80 433];
+ config.networking.firewall.allowedUDPPorts = [port 80 433];
+
+ config.services.nginx.virtualHosts."sonarr.spoodythe.one" = {
+ addSSL = true;
+ enableACME = true;
+ listen = [
+ {
+ port = 8989;
+ addr = "0.0.0.0";
+ ssl = false;
+ }
+ {
+ port = 443;
+ addr = "0.0.0.0";
+ ssl = true;
+ }
+ ];
+ locations."/" = {
+ proxyPass = "http://10.0.0.${toString vm-index}:${toString port}";
+ };
+ };
}
diff --git a/services/vaultwarden.nix b/services/vaultwarden.nix
old mode 100644
new mode 100755
diff --git a/services/website.nix b/services/website.nix
old mode 100644
new mode 100755
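Review bot: `allowedTCPPorts = [port 80 433]` and the UDP line below it open 433 rather than 443, so the `ssl = true` listener on 443 added in the same hunk is not opened by this file (the jellyfin hunk in this patch uses `443`). The first `listen` entry binds nginx on `0.0.0.0:8989` with `ssl = false`, and `port` is `8989` as well, so the host now serves Sonarr in plaintext on a public port beside the ACME-backed vhost, and `addSSL = true` (unlike the `forceSSL` switch made in forgejo.nix and jellyfin.nix in this same patch) leaves plain HTTP reachable with no redirect. Suggested lines: `config.networking.firewall.allowedTCPPorts = [80 443];`, `forceSSL = true;`, and remove the `port = 8989` listen entry (or drop `listen` entirely so the 80/443 defaults apply). `allowedUDPPorts` can go as well unless something here speaks UDP; the enclosing `let ... in { ... }` starts outside this hunk.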