spoody/server-configuration
spoody/server-configuration
1
0
Fork 0
Code Issues Pull requests Actions Packages Projects Releases Wiki Activity

Compare commits

base: spoody:40ebed60befe86a82bb9931c71d7dc3bee970400
Branches Tags
spoody:master
spoody:v0.1
..
compare: spoody:dd76463953e729df2ab7b7b3415392ac04a88570
Branches Tags
spoody:master
spoody:v0.1

No commits in common. "40ebed60befe86a82bb9931c71d7dc3bee970400" and "dd76463953e729df2ab7b7b3415392ac04a88570" have entirely different histories.
40ebed60be ... dd76463953

23 changed files with 270 additions and 799 deletions
Show stats Expand all files Collapse all files

32
configuration.nix
View file

@ -7,26 +7,20 @@
./services/nginx.nix ./services/nginx.nix
./services/openssh.nix ./services/openssh.nix
./services/forgejo.nix ./services/forgejo.nix
# ./services/nextcloud.nix
# ./services/seafile.nix
./services/vaultwarden.nix ./services/vaultwarden.nix
./services/jellyfin.nix ./services/jellyfin.nix
./services/website.nix ./services/website.nix
./services/mailserver.nix ./services/mailserver.nix
./services/fail2ban.nix ./services/fail2ban.nix
./services/sonarr.nix
./services/zed.nix # IMPORTANTE
./services/auto-torrent.nix
./services/misc.nix ./services/misc.nix
./modules/age.nix ./modules/age.nix
./modules/microvm.nix
./modules/git.nix ./modules/git.nix
./modules/nix-settings.nix ./modules/nix-settings.nix
./modules/zfs.nix ./modules/zfs.nix
(import ./modules/microvm.nix {routed = true;})
(import ./modules/networking-shared.nix {hostname = "server";}) (import ./modules/networking-shared.nix {hostname = "server";})
(import ./modules/users.nix {main-user = "baritone";}) (import ./modules/users.nix {main-user = "baritone";})
]; ];
@ -36,18 +30,20 @@
efi.canTouchEfiVariables = true; efi.canTouchEfiVariables = true;
timeout = 0; timeout = 0;
}; };
boot.kernel.sysctl = {"vm.swappiness" = 85;};
# Enable microcode updates # Enable microcode updates
hardware.enableRedistributableFirmware = true; hardware.enableRedistributableFirmware = true;
# programs.zsh = { programs.zsh = {
# enable = true; enable = true;
# enableGlobalCompInit = true; enableGlobalCompInit = true;
# shellAliases = { shellAliases = {
# "nrb" = "sudo nixos-rebuild switch --flake /etc/nixos"; "nrb" = "sudo nixos-rebuild switch --flake /etc/nixos";
# }; };
# }; };
programs.ssh.startAgent = true;
programs.nano.enable = false;
environment.systemPackages = with pkgs; [ environment.systemPackages = with pkgs; [
wget wget
@ -58,7 +54,6 @@
inputs.agenix.packages."${system}".default inputs.agenix.packages."${system}".default
]; ];
programs.nano.enable = false;
environment.variables = { environment.variables = {
EDITOR = "vim"; # FUCK NANO EDITOR = "vim"; # FUCK NANO
}; };
@ -73,5 +68,8 @@
''; '';
}; };
programs.mtr.enable = true;
programs.gnupg.agent.enable = true;
system.stateVersion = "24.11"; system.stateVersion = "24.11";
} }

2
disko.nix
View file

@ -104,7 +104,7 @@
type = "zfs_fs"; type = "zfs_fs";
mountpoint = "/home"; mountpoint = "/home";
}; };
srv = { src = {
type = "zfs_fs"; type = "zfs_fs";
mountpoint = "/srv"; mountpoint = "/srv";
}; };

8
flake.nix
View file

@ -79,10 +79,10 @@
swap-size = "128G"; swap-size = "128G";
root-disk = "/dev/nvme0n1"; root-disk = "/dev/nvme0n1";
raid-disks = [ raid-disks = [
"sda" # "sda"
"sdb" # "sdb"
"sdc" # "sdc"
"sdd" # "sdd"
]; ];
}) })

1
modules/age.nix
View file

@ -1,4 +1,3 @@
{config, ...}: { {config, ...}: {
# This is where the age files go # This is where the age files go
# age.secrets.nextcloud.file = ../secrets/nextcloud.age;
} }

21
modules/microvm.nix
View file

@ -1,14 +1,14 @@
{routed ? false}: { {
pkgs,
config, config,
lib,
... ...
}: let }: let
attrSet = pkgs.lib.lists.imap1 (i: v: { attrSet = lib.lists.imap1 (i: v: {
name = v; name = v;
index = i; index = i;
}) (builtins.attrNames config.microvm.vms); }) (builtins.attrNames config.microvm.vms);
in { in {
systemd.network.networks = builtins.listToAttrs (builtins.map ({ config.systemd.network.networks = builtins.listToAttrs (builtins.map ({
name, name,
index, index,
}: { }: {
@ -16,25 +16,22 @@ in {
value = { value = {
matchConfig.Name = "vm${toString index}"; matchConfig.Name = "vm${toString index}";
address = [ address = [
"10.0.${toString index}.254/24" # Host gateway "10.0.0.0/32"
]; ];
routes = [ routes = [
{ {
Destination = "10.0.${toString index}.1/24"; Destination = "10.0.0.${toString index}/32";
} }
]; ];
networkConfig = { networkConfig = {IPv4Forwarding = true;};
IPv4Forwarding = true;
};
}; };
}) })
attrSet); attrSet);
# NAT (make vms accessible in host) # NAT (make vms accessible in host)
networking.nat = { config.networking.nat = {
enable = true; enable = true;
internalIPs = ["10.0.0.0/24"];
externalInterface = "enp2s0"; externalInterface = "enp2s0";
internalIPs = ["10.0.1.0/24"];
internalInterfaces = ["vm1"];
}; };
} }

14
modules/users.nix
View file

@ -25,14 +25,14 @@
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICPQ3uc8UB9m6NPkXHETTJrzxB6M+SfUiBx6YeWUSADU sxsgamer@gmail.com" "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICPQ3uc8UB9m6NPkXHETTJrzxB6M+SfUiBx6YeWUSADU sxsgamer@gmail.com"
]; ];
shell = pkgs.fish; shell = pkgs.zsh;
}; };
programs.fish = { users.users."nixos" = {
enable = true; isNormalUser = true;
shellAbbrs = { extraGroups = ["wheel"];
"nrb" = "sudo nixos-rebuild switch --flake /etc/nixos"; openssh.authorizedKeys.keys = [
"vmr" = "rm ~/.ssh/known_hosts; ssh root@10.0.0.1"; "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIFhTExbc9m4dCK6676wGiA8zPjE0l/9Fz2yf0IKvUvg snorre@archlinux"
}; ];
}; };
} }

5
secrets/nextcloud.age
View file

@ -1,5 +0,0 @@
age-encryption.org/v1
-> ssh-ed25519 rgw77A FBgTHsvCbpuhDFHCOQ4MtkSu3b9WmlSDboN4x3J/p1M
Mwts15GY7TwmWhB/wZPQ7EfBJ61aV+1QbjwZL8xRcgM
--- PI2311X1EC/csuMWV1Nx5Wnu4ajhh6e42NkDYW/fNgE
Sód†AIdä*}<7D>éw”À;Î]¥û7êÍÛ] <@¢ž)^Ô˜³ü÷

3
secrets/secrets.nix
View file

@ -1,5 +1,4 @@
let let
public-keys = ["ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC562Woe/yT/3dNVceN9rKPJQcvgTFzIhJVdVGv7sqn1 baritone@server"]; public-key = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC562Woe/yT/3dNVceN9rKPJQcvgTFzIhJVdVGv7sqn1 baritone@server";
in { in {
"nextcloud.age".publicKeys = public-keys;
} }

241
services/auto-torrent.nix
View file

@ -1,241 +0,0 @@
{
config,
pkgs,
...
}: let
lib = pkgs.lib;
host = "10.0.${toString vm-index}.1";
port = 8989;
vm-index = 1;
vm-mac = "02:00:00:00:00:02";
vm-name = "auto-torrent";
vpn-endpoint = "193.32.248.70";
enable-services = true;
in {
microvm.autostart = [vm-name];
users.extraUsers.microvm.extraGroups = [
"jellyfin" # access to media folder
];
system.activationScripts."make-${vm-name}-data-dir" = lib.stringAfter ["var"] ''
mkdir -p /var/lib/${vm-name}
chmod -R 777 /var/lib/${vm-name}
chown -R microvm /var/lib/${vm-name}
chmod -R 777 /media
'';
microvm.vms.${vm-name} = {
config = {...}: {
system.stateVersion = "25.05";
microvm.interfaces = [
{
id = "vm${toString vm-index}";
type = "tap";
mac = vm-mac;
}
];
# 1gb of memory
microvm.mem = 1024;
microvm.shares = let
proto = "virtiofs";
in [
{
tag = "ro-store";
source = "/nix/store";
mountPoint = "/nix/.ro-store";
}
{
tag = "data-dir";
source = "/var/lib/${vm-name}";
mountPoint = "/mnt";
inherit proto;
}
{
tag = "media-dir";
source = "/media";
mountPoint = "/media";
inherit proto;
}
];
networking.useNetworkd = true;
networking.usePredictableInterfaceNames = false;
systemd.network.networks."10-eth" = {
matchConfig.MACAddress = vm-mac;
address = [
"10.0.${toString vm-index}.1/24"
];
routes = [
# Default route
{
Destination = "${toString vpn-endpoint}/32";
Gateway = "10.0.${toString vm-index}.254";
GatewayOnLink = true;
}
];
networkConfig = {
DNS = [
"9.9.9.9"
"8.8.8.8"
"8.8.4.4"
];
};
};
networking.useDHCP = false;
networking.nameservers = [
"10.0.101.1"
"8.8.8.8"
"8.8.4.4"
];
systemd.services."start-wireguard" = {
description = "Start wireguard mullvad";
after = ["network-online.target"];
wants = ["network-online.target"];
wantedBy = ["multi-user.target"];
serviceConfig = {
type = "oneshot";
ExecStart = pkgs.writeShellScript "wgconf.sh" ''
${pkgs.wireguard-tools}/bin/wg-quick up /mnt/wg.conf
'';
RemainAfterExit = "yes";
};
};
networking.wireguard.enable = true;
# Sleep them for a while to make sure everything is set up
systemd.services.sonarr.serviceConfig.ExecStartPre = pkgs.lib.mkIf enable-services "/run/current-system/sw/bin/sleep 1";
systemd.services.radarr.serviceConfig.ExecStartPre = pkgs.lib.mkIf enable-services "/run/current-system/sw/bin/sleep 1";
systemd.services.jackett.serviceConfig.ExecStartPre = pkgs.lib.mkIf enable-services "/run/current-system/sw/bin/sleep 1";
systemd.services.rutorrent.serviceConfig.ExecStartPre = pkgs.lib.mkIf enable-services "/run/current-system/sw/bin/sleep 1";
# fuck nano
programs.nano.enable = lib.mkForce false;
programs.vim.enable = true;
# Services
services.sonarr = pkgs.lib.mkIf enable-services {
enable = true;
openFirewall = true;
dataDir = "/mnt/sonarr";
};
services.radarr = pkgs.lib.mkIf enable-services {
enable = true;
openFirewall = true;
dataDir = "/mnt/radarr";
};
services.jackett = pkgs.lib.mkIf enable-services {
enable = true;
dataDir = "/mnt/jackett";
openFirewall = true;
};
services.transmission = pkgs.lib.mkIf enable-services {
enable = true;
openFirewall = true;
home = "/mnt/transmission";
settings.download-dir = "/mnt/transmission";
settings.incomplete-dir = "/mnt/transmission/.incomplete";
downloadDirPermissions = "775";
};
# debugging
users.users.root = {
openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC562Woe/yT/3dNVceN9rKPJQcvgTFzIhJVdVGv7sqn1 baritone@server"
];
};
environment.systemPackages = with pkgs; [
wireguard-tools
tcpdump
];
services.openssh = {
enable = true;
settings = {
PermitRootLogin = "yes";
AllowUsers = null;
PasswordAuthentication = true;
KbdInteractiveAuthentication = true;
};
};
};
};
# Sonarr
services.nginx.virtualHosts."sonarr.spoodythe.one" = {
addSSL = true;
enableACME = true;
listen = [
{
inherit port;
addr = "0.0.0.0";
ssl = false;
}
{
port = 443;
addr = "0.0.0.0";
ssl = true;
}
];
locations."/" = {
proxyPass = "http://${host}:${toString port}";
};
};
# Radarr
services.nginx.virtualHosts."radarr.spoodythe.one" = let
port = 7878;
in {
addSSL = true;
enableACME = true;
listen = [
{
inherit port;
addr = "0.0.0.0";
ssl = false;
}
{
port = 443;
addr = "0.0.0.0";
ssl = true;
}
];
locations."/" = {
proxyPass = "http://${host}:${toString port}";
};
};
# Jackett
services.nginx.virtualHosts."jackett.spoodythe.one" = let
port = 9117;
in {
addSSL = true;
enableACME = true;
listen = [
{
inherit port;
addr = "0.0.0.0";
ssl = false;
}
{
port = 443;
addr = "0.0.0.0";
ssl = true;
}
];
locations."/" = {
proxyPass = "http://${host}:${toString port}";
};
};
networking.firewall.allowedTCPPorts = [port 9117 7878 9696 80 433];
networking.firewall.allowedUDPPorts = [port 9117 7878 9696 80 433];
}

3
services/forgejo.nix
View file

@ -33,9 +33,6 @@ in {
enableACME = true; enableACME = true;
locations."/" = { locations."/" = {
proxyPass = "http://${host}:${toString port}"; proxyPass = "http://${host}:${toString port}";
extraConfig = ''
client_max_body_size 100M;
'';
}; };
}; };

44
services/homepage.nix
View file

@ -1,44 +0,0 @@
{...}: let
host = "127.0.0.1";
port = 8082;
in {
services.homepage-dashboard = {
enable = true;
listenPort = port;
openFirewall = false;
widgets = [
{
resources = {
cpu = true;
disk = "/";
memory = true;
};
}
];
services = [
{
"WebUI" = [
{
"Jellyfin" = {
description = "Jellyfin";
href = "https://media.spoodythe.one";
};
}
];
}
];
};
services.nginx.virtualHosts."dashboard.spoodythe.one" = {
forceSSL = true;
enableACME = true;
locations."/" = {
proxyPass = "http://${host}:${toString port}";
};
};
# Open port 80 and 443 for reverse proxy
networking.firewall.allowedTCPPorts = [80 443];
networking.firewall.allowedUDPPorts = [80 443];
}

29
services/jellyfin.nix
View file

@ -6,34 +6,6 @@
}: let }: let
host = "127.0.0.1"; host = "127.0.0.1";
port = 8096; port = 8096;
jellyfin =
if config.services.mullvad-vpn.enable == true
then
pkgs.callPackage ({...}:
pkgs.stdenv.mkDerivation {
pname = "jellyfin-excluded";
version = "1.0.0";
phases = ["installPhase"];
buildInputs = [pkgs.jellyfin];
# Define the install phase
installPhase = ''
mkdir -p $out/bin
# Create a wrapper script
echo "${pkgs.mullvad-vpn}/bin/mullvad-exclude ${pkgs.jellyfin}/bin/jellyfin \"$@\"" > $out/bin/jellyfin-excluded
chmod +x $out/bin/jellyfin-excluded
'';
# Specify the output
meta = with pkgs.lib; {
description = "A wrapper for the hello command";
mainProgram = "jellyfin-excluded";
license = licenses.mit;
};
}) {}
else pkgs.jellyfin;
in { in {
# Enable VAAPI # Enable VAAPI
config.nixpkgs.config.packageOverrides = pkgs: { config.nixpkgs.config.packageOverrides = pkgs: {
@ -60,7 +32,6 @@ in {
# Enable Jellyfin # Enable Jellyfin
config.services.jellyfin = { config.services.jellyfin = {
enable = true; enable = true;
package = jellyfin;
openFirewall = false; # We want jellyfin behind a reverse proxy openFirewall = false; # We want jellyfin behind a reverse proxy
}; };

17
services/nextcloud.nix
View file

@ -1,24 +1,13 @@
{ {pkgs, ...}: let
config,
pkgs,
...
}: let
nextcloud-pkg = pkgs.nextcloud30; nextcloud-pkg = pkgs.nextcloud30;
host = "127.0.0.1"; host = "127.0.0.1";
port = 8008; port = 8008;
lib = pkgs.lib;
in { in {
# system.activationScripts."make-nextcloud-dir" = lib.stringAfter ["var"] ''
# mkdir -p /var/lib/nextcloud
# chmod -R 770 /var/lib/nextcloud
# chown -R nextcloud:nextcloud /var/lib/nextcloud
# '';
services.nextcloud = { services.nextcloud = {
enable = true; enable = true;
package = nextcloud-pkg; package = nextcloud-pkg;
hostName = "localhost"; hostName = "localhost";
config.adminpassFile = "/etc/nextcloud-admin-password"; config.adminpassFile = "/var/lib/db/nextcloud/admin-password";
config.dbtype = "sqlite"; config.dbtype = "sqlite";
}; };
@ -30,7 +19,7 @@ in {
} }
]; ];
services.nginx.virtualHosts."nextcloud.spoodythe.one" = { services.nginx.virtualHosts."nextcloud.spoodythe.one" = {
forceSSL = true; addSSL = true;
enableACME = true; enableACME = true;
locations."/" = { locations."/" = {
proxyPass = "http://${host}:${toString port}"; proxyPass = "http://${host}:${toString port}";

4
services/nginx.nix
View file

@ -6,9 +6,7 @@
recommendedProxySettings = true; recommendedProxySettings = true;
recommendedTlsSettings = true; recommendedTlsSettings = true;
virtualHosts."spoodythe.one" = { virtualHosts."_" = {
forceSSL = true;
enableACME = true;
default = true; default = true;
locations."/" = { locations."/" = {
return = 404; return = 404;

4
services/openssh.nix
View file

@ -24,8 +24,4 @@
} }
]; ];
}; };
programs.ssh.startAgent = true;
programs.mtr.enable = true;
programs.gnupg.agent.enable = true;
} }

18
services/rtorrent.nix
View file

@ -1,18 +0,0 @@
{pkgs, ...}: let
port = 9091;
in {
# services.rtorrent = {
# enable = true;
# dataDir = "/mnt/rtorrent";
# user = "rtorrent";
# group = "rtorrent";
# package = pkgs.jesec-rtorrent;
# inherit port;
# };
services.transmission = {
enable = true;
openFirewall = false;
settings.rpc-port = port;
};
}

28
services/seafile.nix
View file

@ -1,28 +0,0 @@
{
config,
pkgs,
...
}: let
host = "127.0.0.1";
port = 8008;
in {
services.seafile = {
enable = true;
adminEmail = "snorre@altschul.dk";
seahubAddress = "http://${host}:${toString port}";
# seafileSettings.fileserver = {
# inherit host port;
# };
};
services.nginx.virtualHosts."files.spoodythe.one" = {
forceSSL = true;
enableACME = true;
locations."/" = {
proxyPass = "http://${host}:${toString port}";
};
};
# Open port 80 and 443 for reverse proxy
networking.firewall.allowedTCPPorts = [80 443];
networking.firewall.allowedUDPPorts = [80 443];
}

189
services/sonarr-old.nix
View file

@ -1,189 +0,0 @@
{
pkgs,
lib,
config,
...
}: let
host = "127.0.0.1";
port = 8989;
vm-index = 1;
vm-mac = "00:00:00:00:00:01";
vm-name = "necoarc";
in {
config.microvm.autostart = [vm-name];
config.users.extraUsers.microvm.extraGroups = [
"jellyfin" # access to media folder
];
config.system.activationScripts."make${vm-name}DataDir" = lib.stringAfter ["var"] ''
mkdir -p /var/lib/${vm-name}
chmod -R 777 /var/lib/${vm-name}
chown -R microvm /var/lib/${vm-name}
chmod -R 777 /media
'';
# config.networking.wireguard.enable = true;
# # config.boot.extraModulePackages = [config.boot.kernelPackages.wireguard];
# config.networking.wireguard.interfaces.wg0 = {
# ips = ["10.75.60.108/32"];
# listenPort = 51820;
# privateKeyFile = "${./wireguard-secret}";
# peers = [
# {
# publicKey = "TPAIPTgu9jIitgX1Bz5xMCZJ9pRRZTdtZEOIxArO0Hc=";
# endpoint = "185.254.75.4:51820";
# allowedIPs = ["0.0.0.0/0"];
# persistentKeepalive = 25;
# }
# ];
# };
# config.systemd.network.networks.wg0 = {
# matchConfig.Name = "wg0";
# address = ["10.0.1.${toString vm-index}/24"];
# networkConfig = {
# IPMasquerade = "ipv4";
# IPv4Forwarding = true;
# };
# };
config.microvm.vms.${vm-name} = {
config = {config, ...}: {
system.stateVersion = "24.11";
# Storage share configuration
microvm.shares = [
{
tag = "ro-store";
source = "/nix/store";
mountPoint = "/nix/.ro-store";
}
{
tag = "data-dir";
source = "/var/lib/${vm-name}";
mountPoint = "/mnt";
proto = "virtiofs";
}
{
tag = "media-dir";
source = "/media/shows";
mountPoint = "/media/shows";
proto = "virtiofs";
}
];
# Allow the service to use the share
system.activationScripts."chownDataDir" = lib.stringAfter ["var"] ''
mkdir -p /mnt
chmod -R 770 /mnt
chown -R sonarr:sonarr /mnt
'';
systemd.services.sonarr.serviceConfig.ExecStartPre = "/run/current-system/sw/bin/sleep 5";
systemd.services.rutorrent.serviceConfig.ExecStartPre = "/run/current-system/sw/bin/sleep 5";
microvm.hypervisor = "qemu";
# VM Networking
microvm.interfaces = [
{
id = "vm${toString vm-index}";
type = "tap";
mac = vm-mac;
}
];
networking.useNetworkd = true;
systemd.network.networks."10-eth" = {
matchConfig.MACAddress = vm-mac;
address = [
"10.0.0.${toString vm-index}/32"
];
routes = [
# Host Route
{
Destination = "10.0.0.0/32";
GatewayOnLink = true;
}
# Default route
{
Destination = "0.0.0.0/0";
Gateway = "10.0.0.0";
GatewayOnLink = true;
}
];
networkConfig = {
DNS = [
"9.9.9.9"
"8.8.8.8"
"8.8.4.4"
];
};
};
networking.useDHCP = false;
networking.nameservers = [
"10.0.101.1"
"8.8.8.8"
"8.8.4.4"
];
programs.nano.enable = lib.mkForce false;
programs.vim.enable = true;
# Services
services.sonarr = {
enable = true;
openFirewall = true;
dataDir = "/mnt/sonarr";
};
services.rtorrent = {
enable = true;
dataDir = "/mnt/rtorrent";
user = "rtorrent";
group = "rtorrent";
port = 9999;
};
# Debug user
users.users."root" = {
password = "1234";
};
environment.systemPackages = [pkgs.dig];
services.openssh = {
enable = true;
settings = {
PermitRootLogin = "yes";
AllowUsers = null;
PasswordAuthentication = true;
KbdInteractiveAuthentication = true;
};
};
};
};
config.networking.firewall.allowedTCPPorts = [port 80 433];
config.networking.firewall.allowedUDPPorts = [port 80 433];
config.services.nginx.virtualHosts."sonarr.spoodythe.one" = {
addSSL = true;
enableACME = true;
listen = [
{
port = 8989;
addr = "0.0.0.0";
ssl = false;
}
{
port = 443;
addr = "0.0.0.0";
ssl = true;
}
];
locations."/" = {
proxyPass = "http://10.0.0.${toString vm-index}:${toString port}";
};
};
}

243
services/sonarr.nix Normal file → Executable file
View file

@ -1,25 +1,240 @@
{...}: let {
pkgs,
lib,
config,
...
}: let
host = "127.0.0.1"; host = "127.0.0.1";
port = 8989; port = 8989;
vm-index = 1;
vm-mac = "00:00:00:00:00:01";
vm-name = "necoarc";
in { in {
users.extraUsers.sonarr.extraGroups = ["jellyfin"]; # Access to the media folder config.microvm.autostart = [vm-name];
services.sonarr = {
enable = true; config.users.extraUsers.microvm.extraGroups = [
openFirewall = true; "jellyfin" # access to media folder
}; ];
services.rtorrent = {
enable = true; config.system.activationScripts."make${vm-name}DataDir" = lib.stringAfter ["var"] ''
dataDir = "/mnt/rtorrent"; mkdir -p /var/lib/${vm-name}
user = "rtorrent"; chmod -R 777 /var/lib/${vm-name}
group = "rtorrent"; chown -R microvm /var/lib/${vm-name}
port = 9999; chmod -R 777 /media
'';
# config.networking.wireguard.enable = true;
# # config.boot.extraModulePackages = [config.boot.kernelPackages.wireguard];
# config.networking.wireguard.interfaces.wg0 = {
# ips = ["10.75.60.108/32"];
# listenPort = 51820;
# privateKeyFile = "${./wireguard-secret}";
# peers = [
# {
# publicKey = "TPAIPTgu9jIitgX1Bz5xMCZJ9pRRZTdtZEOIxArO0Hc=";
# endpoint = "185.254.75.4:51820";
# allowedIPs = ["0.0.0.0/0"];
# persistentKeepalive = 25;
# }
# ];
# };
# config.systemd.network.networks.wg0 = {
# matchConfig.Name = "wg0";
# address = ["10.0.1.${toString vm-index}/24"];
# networkConfig = {
# IPMasquerade = "ipv4";
# IPv4Forwarding = true;
# };
# };
config.microvm.vms.${vm-name} = {
config = {config, ...}: {
system.stateVersion = "24.11";
# Storage share configuration
microvm.shares = [
{
tag = "ro-store";
source = "/nix/store";
mountPoint = "/nix/.ro-store";
}
{
tag = "data-dir";
source = "/var/lib/${vm-name}";
mountPoint = "/mnt";
proto = "virtiofs";
}
{
tag = "media-dir";
source = "/media/shows";
mountPoint = "/media/shows";
proto = "virtiofs";
}
];
# Allow the service to use the share
system.activationScripts."chownDataDir" = lib.stringAfter ["var"] ''
mkdir -p /mnt
chmod -R 770 /mnt
chown -R sonarr:sonarr /mnt
'';
systemd.services.sonarr.serviceConfig.ExecStartPre = "/run/current-system/sw/bin/sleep 5";
systemd.services.rutorrent.serviceConfig.ExecStartPre = "/run/current-system/sw/bin/sleep 5";
microvm.hypervisor = "qemu";
# VM Networking
microvm.interfaces = [
{
id = "vm${toString vm-index}";
type = "tap";
mac = vm-mac;
}
];
networking.useNetworkd = true;
systemd.network.networks."10-eth" = {
matchConfig.MACAddress = vm-mac;
address = [
"10.0.0.${toString vm-index}/32"
];
routes = [
# Host Route
{
Destination = "10.0.0.0/32";
GatewayOnLink = true;
}
# Default route
{
Destination = "0.0.0.0/0";
Gateway = "10.0.0.0";
GatewayOnLink = true;
}
];
networkConfig = {
DNS = [
# "9.9.9.9"
# "8.8.8.8"
# "8.8.4.4"
# Only allow mullvad DNS server
"10.64.0.1"
];
};
};
networking.useDHCP = false;
networking.nameservers = [
"10.0.101.1"
"8.8.8.8"
"8.8.4.4"
];
# Services
services.sonarr = {
enable = true;
openFirewall = true;
dataDir = "/mnt/sonarr";
};
services.rtorrent = {
enable = true;
dataDir = "/mnt/rtorrent";
user = "rtorrent";
group = "rtorrent";
port = 9999;
};
# networking.wireguard.enable = true;
# boot.extraModulePackages = [config.boot.kernelPackages.wireguard];
# networking.wireguard.interfaces.wg0 = {
# ips = ["10.75.60.108/32"];
# listenPort = 51820;
# privateKeyFile = "${./wireguard-secret}";
# peers = [
# {
# publicKey = "TPAIPTgu9jIitgX1Bz5xMCZJ9pRRZTdtZEOIxArO0Hc=";
# endpoint = "185.254.75.4:51820";
# allowedIPs = ["0.0.0.0/0"];
# persistentKeepalive = 25;
# }
# ];
# };
# networking.firewall.extraCommands = ''
# ${pkgs.iptables}/bin/iptables -I OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL ! -d 10.0.0.0/8 -j REJECT && ${pkgs.iptables}/bin/ip6tables -I OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT
# '';
# services.openvpn.servers.mullvad = {
# config = ''
# client
# dev tun
# resolv-retry infinite
# nobind
# persist-key
# persist-tun
# verb 3
# remote-cert-tls server
# ping 10
# ping-restart 60
# sndbuf 524288
# rcvbuf 524288
# cipher AES-256-GCM
# tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384
# proto udp
# auth-user-pass mullvad_userpass.txt
# ca mullvad_ca.crt
# script-security 2
# up /etc/openvpn/update-resolv-conf
# down /etc/openvpn/update-resolv-conf
# fast-io
# remote 193.32.248.72 1301 # de-ber-ovpn-001
# '';
# authUserPass.username = "9898431198930064";
# authUserPass.password = "m";
# updateResolvConf = true;
# };
# Debug user
users.users."root" = {
password = "1234";
};
environment.systemPackages = [pkgs.dig];
services.openssh = {
enable = true;
settings = {
PermitRootLogin = "yes";
AllowUsers = null;
PasswordAuthentication = true;
KbdInteractiveAuthentication = true;
};
};
};
}; };
services.nginx.virtualHosts."sonarr.spoodythe.one" = { config.networking.firewall.allowedTCPPorts = [port 80 433];
config.networking.firewall.allowedUDPPorts = [port 80 433];
config.services.nginx.virtualHosts."sonarr.spoodythe.one" = {
addSSL = true; addSSL = true;
enableACME = true; enableACME = true;
listen = [
{
port = 8989;
addr = "0.0.0.0";
ssl = false;
}
{
port = 443;
addr = "0.0.0.0";
ssl = true;
}
];
locations."/" = { locations."/" = {
proxyPass = "http://${host}:${toString port}"; proxyPass = "http://10.0.0.${toString vm-index}:${toString port}";
}; };
}; };
} }

6
services/vaultwarden.nix
View file

@ -32,12 +32,6 @@ in {
forceSSL = true; forceSSL = true;
locations."/" = { locations."/" = {
proxyPass = "http://${host}:${toString port}"; proxyPass = "http://${host}:${toString port}";
extraConfig = ''
# Websocket support
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $http_connection;
'';
}; };
}; };
} }

133
services/vm-test.nix
View file

@ -1,133 +0,0 @@
{
config,
pkgs,
...
}: let
vm-index = 1;
vm-mac = "02:00:00:00:00:02";
in {
config.microvm.vms."vm-test" = {
config = {...}: {
microvm.interfaces = [
{
id = "vm${toString vm-index}";
type = "tap";
mac = vm-mac;
}
];
microvm.shares = [
{
tag = "ro-store";
source = "/nix/store";
mountPoint = "/nix/.ro-store";
}
];
networking.useNetworkd = true;
networking.usePredictableInterfaceNames = false;
systemd.network.networks."10-eth" = {
matchConfig.MACAddress = vm-mac;
address = [
"10.0.0.${toString vm-index}/32"
];
routes = [
# Host Route
{
Destination = "10.0.0.0/32";
GatewayOnLink = true;
}
# Default route
{
Destination = "0.0.0.0/0";
Gateway = "10.0.0.0";
GatewayOnLink = true;
}
];
networkConfig = {
DNS = [
"9.9.9.9"
"8.8.8.8"
"8.8.4.4"
];
};
};
networking.useDHCP = false;
networking.nameservers = [
"10.0.101.1"
"8.8.8.8"
"8.8.4.4"
];
systemd.services."wireguard-kill-switch" = {
description = "Wireguard Kill Switch";
after = ["network-online.target"];
wants = ["network-online.target"];
wantedBy = ["multi-user.target"];
serviceConfig = {
type = "oneshot";
ExecStart = pkgs.writeShellScript "wgconf.sh" ''
# Stay a while and listen
# ${pkgs.toybox}/bin/sleep 5
# Route local traffic through wg0 except local traffic
${pkgs.iproute2}/bin/ip route add 10.0.0.0/32 dev eth0 && \
${pkgs.iproute2}/bin/ip route add 0.0.0.0/1 dev wg0
# Block all traffic that isnt local or through the vpn
${pkgs.iptables}/bin/iptables -I OUTPUT ! -o wg0 -m mark ! --mark 42 -m addrtype ! --dst-type LOCAL ! -d 10.0.0.0/32 -j REJECT
'';
RemainAfterExit = "yes";
};
};
networking.wireguard.enable = true;
systemd.network = {
netdevs."10-wg0" = {
netdevConfig = {
Kind = "wireguard";
Name = "wg0";
MTUBytes = "1300";
};
wireguardConfig = {
PrivateKeyFile = "${./wireguard-secret}";
FirewallMark = 42;
ListenPort = 51820;
};
wireguardPeers = [
{
PublicKey = "0qSP0VxoIhEhRK+fAHVvmfRdjPs2DmmpOCNLFP/7cGw=";
AllowedIPs = ["0.0.0.0/0"];
Endpoint = "193.32.248.66:51820";
# PersistentKeepalive = 25;
}
];
};
networks."wg0" = {
matchConfig.Name = "wg0";
address = [
" 10.65.241.123/32"
];
DHCP = "no";
dns = ["10.64.0.1"];
gateway = [
"10.0.0.0"
];
};
};
users.users.root = {
password = "1234";
};
services.openssh = {
enable = true;
settings = {
PermitRootLogin = "yes";
AllowUsers = null;
PasswordAuthentication = true;
KbdInteractiveAuthentication = true;
};
};
};
};
}

4
services/vpn.nix
View file

@ -1,4 +0,0 @@
{pkgs, ...}: {
services.mullvad-vpn.enable = true;
environment.systemPackages = [pkgs.wireguard-tools];
}

20
services/zed.nix
View file

@ -1,20 +0,0 @@
{...}: {
services.zfs.zed = {
enableMail = true;
settings = {
ZED_DEBUG_LOG = "/tmp/zed.debug.log";
ZED_EMAIL_ADDR = "snorre@altschul.dk";
ZED_EMAIL_PROG = "sendmail";
ZED_EMAIL_OPTS = "-s '@SUBJECT@' @ADDRESS@";
ZED_LOCKDIR = "/var/lock";
ZED_NOTIFY_INTERVAL_SECS = 3600;
ZED_NOTIFY_VERBOSE = 0;
ZED_USE_ENCLOSURE_LEDS = 1;
ZED_SYSLOG_PRIORITY = "daemon.notice";
ZED_SYSLOG_TAG = "zed";
};
};
}