

10 commits

Author SHA1 Message Date
baritone 40ebed60be g 2025-03-18 11:23:07 +01:00
baritone 79ffd2d2a2 g 2025-03-18 11:19:36 +01:00
baritone 86c314c301 deleted secret 2025-03-18 10:44:29 +01:00
baritone 1cc062bba4 thing 2025-03-18 10:36:12 +01:00
baritone dd2cff4fb1 pp 2025-03-13 16:52:21 +01:00
baritone 4c7e8d8576 added zed 2025-03-13 12:04:41 +01:00
baritone d0b886ea3d it actually fucking works this time 2025-03-11 10:29:40 +01:00
baritone 4f71dadd01 stuff 2025-03-07 21:52:23 +01:00
baritone 914b545af1 auto torrenting 2025-03-06 14:49:59 +01:00
baritone 470ab2074d the fucking shitty fuck vpn in the vm is finally fucking working 2025-03-06 11:36:02 +01:00
23 changed files with 799 additions and 270 deletions


@ -7,20 +7,26 @@
./services/nginx.nix
./services/openssh.nix
./services/forgejo.nix
# ./services/nextcloud.nix
# ./services/seafile.nix
./services/vaultwarden.nix
./services/jellyfin.nix
./services/website.nix
./services/mailserver.nix
./services/fail2ban.nix
./services/sonarr.nix
./services/zed.nix # IMPORTANTE
./services/auto-torrent.nix
./services/misc.nix
./modules/age.nix
./modules/microvm.nix
./modules/git.nix
./modules/nix-settings.nix
./modules/zfs.nix
(import ./modules/microvm.nix {routed = true;})
(import ./modules/networking-shared.nix {hostname = "server";})
(import ./modules/users.nix {main-user = "baritone";})
];
@ -30,20 +36,18 @@
efi.canTouchEfiVariables = true;
timeout = 0;
};
boot.kernel.sysctl = {"vm.swappiness" = 85;};
# Enable microcode updates
hardware.enableRedistributableFirmware = true;
programs.zsh = {
enable = true;
enableGlobalCompInit = true;
shellAliases = {
"nrb" = "sudo nixos-rebuild switch --flake /etc/nixos";
};
};
programs.ssh.startAgent = true;
programs.nano.enable = false;
# programs.zsh = {
# enable = true;
# enableGlobalCompInit = true;
# shellAliases = {
# "nrb" = "sudo nixos-rebuild switch --flake /etc/nixos";
# };
# };
environment.systemPackages = with pkgs; [
wget
@ -54,6 +58,7 @@
inputs.agenix.packages."${system}".default
];
programs.nano.enable = false;
environment.variables = {
EDITOR = "vim"; # FUCK NANO
};
@ -68,8 +73,5 @@
'';
};
programs.mtr.enable = true;
programs.gnupg.agent.enable = true;
system.stateVersion = "24.11";
}
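Review bot: The disabled `programs.zsh` block survives as seven commented-out lines (`# programs.zsh = {` … `# };`) while its only content, the `nrb` alias, now lives in `programs.fish.shellAbbrs` in modules/users.nix; git keeps the old version, so the commented copy just leaves two definitions to reconcile and I would delete it. Which side each line of this hunk is on is not certain from the rendering, so this assumes the commented block is the new text. The enclosing attribute set starts and ends outside these hunks.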


@ -104,7 +104,7 @@
type = "zfs_fs";
mountpoint = "/home";
};
src = {
srv = {
type = "zfs_fs";
mountpoint = "/srv";
};


@ -79,10 +79,10 @@
swap-size = "128G";
root-disk = "/dev/nvme0n1";
raid-disks = [
# "sda"
# "sdb"
# "sdc"
# "sdd"
"sda"
"sdb"
"sdc"
"sdd"
];
})
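Review bot: The `raid-disks` list this change activates names the members by bare kernel name (`"sda"` … `"sdd"`), and `root-disk = "/dev/nvme0n1"` likewise; these names are assigned in probe order and can shift when a disk is added, fails, or a controller enumerates differently, which for a RAID/ZFS member list means the wrong device being partitioned or imported. Persistent names under `/dev/disk/by-id/` (WWN- or serial-based) pin each slot to a physical disk; if the consumer of `raid-disks` prepends `/dev/` itself — it is outside this hunk, so I cannot tell — the entries can carry the `disk/by-id/<id>` form instead. The enclosing expression starts before this hunk.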


@ -1,3 +1,4 @@
{config, ...}: {
# This is where the age files go
# age.secrets.nextcloud.file = ../secrets/nextcloud.age;
}


@ -1,14 +1,14 @@
{
{routed ? false}: {
pkgs,
config,
lib,
...
}: let
attrSet = lib.lists.imap1 (i: v: {
attrSet = pkgs.lib.lists.imap1 (i: v: {
name = v;
index = i;
}) (builtins.attrNames config.microvm.vms);
in {
config.systemd.network.networks = builtins.listToAttrs (builtins.map ({
systemd.network.networks = builtins.listToAttrs (builtins.map ({
name,
index,
}: {
@ -16,22 +16,25 @@ in {
value = {
matchConfig.Name = "vm${toString index}";
address = [
"10.0.0.0/32"
"10.0.${toString index}.254/24" # Host gateway
];
routes = [
{
Destination = "10.0.0.${toString index}/32";
Destination = "10.0.${toString index}.1/24";
}
];
networkConfig = {IPv4Forwarding = true;};
networkConfig = {
IPv4Forwarding = true;
};
};
})
attrSet);
# NAT (make vms accessible in host)
config.networking.nat = {
networking.nat = {
enable = true;
internalIPs = ["10.0.0.0/24"];
externalInterface = "enp2s0";
internalIPs = ["10.0.1.0/24"];
internalInterfaces = ["vm1"];
};
}
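Review bot: `networking.nat.internalInterfaces = ["vm1"]` and `internalIPs = ["10.0.1.0/24"]` are hard-coded to the first VM, while `systemd.network.networks` is generated for every entry of `config.microvm.vms` via `attrSet`; a second VM gets a `vm2` interface and a `10.0.2.0/24` network but no NAT, so deriving both lists from the same `attrSet` (`internalInterfaces = map ({index, ...}: "vm${toString index}") attrSet;` and likewise for the subnets) keeps them in step. The new `{routed ? false}:` parameter is not referenced in either visible hunk, so its use is either between the hunks or missing; a short comment on the signature saying what `routed = true` changes would help. Because the file is now a function that must be applied to `{routed = ...;}` before it is a NixOS module, a bare `./modules/microvm.nix` entry in an imports list would fail with an unexpected-argument error; the `(import ./modules/microvm.nix {routed = true;})` form in configuration.nix is the right one, and the old bare entry should not remain next to it. The module body continues between and after these hunks.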


@ -25,14 +25,14 @@
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICPQ3uc8UB9m6NPkXHETTJrzxB6M+SfUiBx6YeWUSADU sxsgamer@gmail.com"
];
shell = pkgs.zsh;
shell = pkgs.fish;
};
users.users."nixos" = {
isNormalUser = true;
extraGroups = ["wheel"];
openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIFhTExbc9m4dCK6676wGiA8zPjE0l/9Fz2yf0IKvUvg snorre@archlinux"
];
programs.fish = {
enable = true;
shellAbbrs = {
"nrb" = "sudo nixos-rebuild switch --flake /etc/nixos";
"vmr" = "rm ~/.ssh/known_hosts; ssh root@10.0.0.1";
};
};
}
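Review bot: The new `"vmr" = "rm ~/.ssh/known_hosts; ssh root@10.0.0.1";` abbreviation throws away every pinned host key on the machine to work around the VM's key changing on rebuild, so all of the operator's other SSH hosts lose host-key verification each time it is used; `ssh-keygen -R 10.0.0.1` removes only that entry (`"vmr" = "ssh-keygen -R 10.0.0.1; ssh root@10.0.0.1";`). The address also looks stale: auto-torrent.nix in this compare puts the VM at `10.0.${toString vm-index}.1`, i.e. 10.0.1.1, and only the separate vm-test.nix still uses 10.0.0.1. The `users.users."nixos"` account added here gets `wheel` and its own key; if it exists only for initial bring-up a comment saying so would help, since otherwise it is a second sudo-capable login to keep track of.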

5
secrets/nextcloud.age Normal file

@ -0,0 +1,5 @@
age-encryption.org/v1
-> ssh-ed25519 rgw77A FBgTHsvCbpuhDFHCOQ4MtkSu3b9WmlSDboN4x3J/p1M
Mwts15GY7TwmWhB/wZPQ7EfBJ61aV+1QbjwZL8xRcgM
--- PI2311X1EC/csuMWV1Nx5Wnu4ajhh6e42NkDYW/fNgE
Sód†AIdä*}<7D>éw”À;Î]¥û7êÍÛ] <@¢ž)^Ô˜³ü÷

View file

@ -1,4 +1,5 @@
let
public-key = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC562Woe/yT/3dNVceN9rKPJQcvgTFzIhJVdVGv7sqn1 baritone@server";
public-keys = ["ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC562Woe/yT/3dNVceN9rKPJQcvgTFzIhJVdVGv7sqn1 baritone@server"];
in {
"nextcloud.age".publicKeys = public-keys;
}

241
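--- /dev/null
+++ b/services/auto-torrent.nix
@@ -0,0 +1,241 @@
+{
+config,
+pkgs,
+...
+}: let
+lib = pkgs.lib;
+host = "10.0.${toString vm-index}.1";
+port = 8989;
+vm-index = 1;
+vm-mac = "02:00:00:00:00:02";
+vm-name = "auto-torrent";
+vpn-endpoint = "193.32.248.70";
+enable-services = true;
+in {
+microvm.autostart = [vm-name];
+users.extraUsers.microvm.extraGroups = [
+"jellyfin" # access to media folder
+];
+system.activationScripts."make-${vm-name}-data-dir" = lib.stringAfter ["var"] ''
+mkdir -p /var/lib/${vm-name}
+chmod -R 777 /var/lib/${vm-name}
+chown -R microvm /var/lib/${vm-name}
+chmod -R 777 /media
+'';
+microvm.vms.${vm-name} = {
+config = {...}: {
+system.stateVersion = "25.05";
+microvm.interfaces = [
+{
+id = "vm${toString vm-index}";
+type = "tap";
+mac = vm-mac;
+}
+];
+# 1gb of memory
+microvm.mem = 1024;
+microvm.shares = let
+proto = "virtiofs";
+in [
+{
+tag = "ro-store";
+source = "/nix/store";
+mountPoint = "/nix/.ro-store";
+}
+{
+tag = "data-dir";
+source = "/var/lib/${vm-name}";
+mountPoint = "/mnt";
+inherit proto;
+}
+{
+tag = "media-dir";
+source = "/media";
+mountPoint = "/media";
+inherit proto;
+}
+];
+networking.useNetworkd = true;
+networking.usePredictableInterfaceNames = false;
+systemd.network.networks."10-eth" = {
+matchConfig.MACAddress = vm-mac;
+address = [
+"10.0.${toString vm-index}.1/24"
+];
+routes = [
+# Default route
+{
+Destination = "${toString vpn-endpoint}/32";
+Gateway = "10.0.${toString vm-index}.254";
+GatewayOnLink = true;
+}
+];
+networkConfig = {
+DNS = [
+"9.9.9.9"
+"8.8.8.8"
+"8.8.4.4"
+];
+};
+};
+networking.useDHCP = false;
+networking.nameservers = [
+"10.0.101.1"
+"8.8.8.8"
+"8.8.4.4"
+];
+systemd.services."start-wireguard" = {
+description = "Start wireguard mullvad";
+after = ["network-online.target"];
+wants = ["network-online.target"];
+wantedBy = ["multi-user.target"];
+serviceConfig = {
+type = "oneshot";
+ExecStart = pkgs.writeShellScript "wgconf.sh" ''
+${pkgs.wireguard-tools}/bin/wg-quick up /mnt/wg.conf
+'';
+RemainAfterExit = "yes";
+};
+};
+networking.wireguard.enable = true;
+# Sleep them for a while to make sure everything is set up
+systemd.services.sonarr.serviceConfig.ExecStartPre = pkgs.lib.mkIf enable-services "/run/current-system/sw/bin/sleep 1";
+systemd.services.radarr.serviceConfig.ExecStartPre = pkgs.lib.mkIf enable-services "/run/current-system/sw/bin/sleep 1";
+systemd.services.jackett.serviceConfig.ExecStartPre = pkgs.lib.mkIf enable-services "/run/current-system/sw/bin/sleep 1";
+systemd.services.rutorrent.serviceConfig.ExecStartPre = pkgs.lib.mkIf enable-services "/run/current-system/sw/bin/sleep 1";
+# fuck nano
+programs.nano.enable = lib.mkForce false;
+programs.vim.enable = true;
+# Services
+services.sonarr = pkgs.lib.mkIf enable-services {
+enable = true;
+openFirewall = true;
+dataDir = "/mnt/sonarr";
+};
+services.radarr = pkgs.lib.mkIf enable-services {
+enable = true;
+openFirewall = true;
+dataDir = "/mnt/radarr";
+};
+services.jackett = pkgs.lib.mkIf enable-services {
+enable = true;
+dataDir = "/mnt/jackett";
+openFirewall = true;
+};
+services.transmission = pkgs.lib.mkIf enable-services {
+enable = true;
+openFirewall = true;
+home = "/mnt/transmission";
+settings.download-dir = "/mnt/transmission";
+settings.incomplete-dir = "/mnt/transmission/.incomplete";
+downloadDirPermissions = "775";
+};
+# debugging
+users.users.root = {
+openssh.authorizedKeys.keys = [
+"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC562Woe/yT/3dNVceN9rKPJQcvgTFzIhJVdVGv7sqn1 baritone@server"
+];
+};
+environment.systemPackages = with pkgs; [
+wireguard-tools
+tcpdump
+];
+services.openssh = {
+enable = true;
+settings = {
+PermitRootLogin = "yes";
+AllowUsers = null;
+PasswordAuthentication = true;
+KbdInteractiveAuthentication = true;
+};
+};
+};
+};
+# Sonarr
+services.nginx.virtualHosts."sonarr.spoodythe.one" = {
+addSSL = true;
+enableACME = true;
+listen = [
+{
+inherit port;
+addr = "0.0.0.0";
+ssl = false;
+}
+{
+port = 443;
+addr = "0.0.0.0";
+ssl = true;
+}
+];
+locations."/" = {
+proxyPass = "http://${host}:${toString port}";
+};
+};
+# Radarr
+services.nginx.virtualHosts."radarr.spoodythe.one" = let
+port = 7878;
+in {
+addSSL = true;
+enableACME = true;
+listen = [
+{
+inherit port;
+addr = "0.0.0.0";
+ssl = false;
+}
+{
+port = 443;
+addr = "0.0.0.0";
+ssl = true;
+}
+];
+locations."/" = {
+proxyPass = "http://${host}:${toString port}";
+};
+};
+# Jackett
+services.nginx.virtualHosts."jackett.spoodythe.one" = let
+port = 9117;
+in {
+addSSL = true;
+enableACME = true;
+listen = [
+{
+inherit port;
+addr = "0.0.0.0";
+ssl = false;
+}
+{
+port = 443;
+addr = "0.0.0.0";
+ssl = true;
+}
+];
+locations."/" = {
+proxyPass = "http://${host}:${toString port}";
+};
+};
+networking.firewall.allowedTCPPorts = [port 9117 7878 9696 80 433];
+networking.firewall.allowedUDPPorts = [port 9117 7878 9696 80 433];
+}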
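Review bot: The activation script's `chmod -R 777 /var/lib/${vm-name}` makes the directory the VM mounts as /mnt world-readable and world-writable on the host, and that is exactly where `wg-quick up /mnt/wg.conf` reads the WireGuard configuration (private key included), so any local user or compromised service on the host can read or replace the VPN key and redirect the VM's traffic; the same `chmod -R 777 /media` is re-applied on every activation. Since the tree is already `chown -R microvm`, `chmod -R 770` with the group the shares need is enough, and wg.conf belongs in agenix (modules/age.nix and secrets.nix are already wired up) rather than in a shared data directory. `networking.firewall.allowedTCPPorts = [port 9117 7878 9696 80 433]` opens 433 instead of 443, so the `ssl = true` listeners on 443 stay blocked while the plain-HTTP listeners on 8989/7878/9117 (and 9696, which nothing in this file uses) are exposed; dropping the `ssl = false` listen entries and switching to `forceSSL` would keep the web UIs behind TLS only. `type = "oneshot"` in the `start-wireguard` serviceConfig is not a systemd key (they are case-sensitive; it must be `Type`), so systemd logs it as unknown and runs the unit as `simple`. With the root key already in `users.users.root.openssh.authorizedKeys.keys`, `PermitRootLogin = "yes"` plus `PasswordAuthentication`/`KbdInteractiveAuthentication = true` in the VM's sshd add nothing but a password-guessing surface; `PermitRootLogin = "prohibit-password"` with both flags false keeps the debugging access.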


@ -33,6 +33,9 @@ in {
enableACME = true;
locations."/" = {
proxyPass = "http://${host}:${toString port}";
extraConfig = ''
client_max_body_size 100M;
'';
};
};

44
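--- /dev/null
+++ b/services/homepage.nix
@@ -0,0 +1,44 @@
+{...}: let
+host = "127.0.0.1";
+port = 8082;
+in {
+services.homepage-dashboard = {
+enable = true;
+listenPort = port;
+openFirewall = false;
+widgets = [
+{
+resources = {
+cpu = true;
+disk = "/";
+memory = true;
+};
+}
+];
+services = [
+{
+"WebUI" = [
+{
+"Jellyfin" = {
+description = "Jellyfin";
+href = "https://media.spoodythe.one";
+};
+}
+];
+}
+];
+};
+services.nginx.virtualHosts."dashboard.spoodythe.one" = {
+forceSSL = true;
+enableACME = true;
+locations."/" = {
+proxyPass = "http://${host}:${toString port}";
+};
+};
+# Open port 80 and 443 for reverse proxy
+networking.firewall.allowedTCPPorts = [80 443];
+networking.firewall.allowedUDPPorts = [80 443];
+}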
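Review bot: `dashboard.spoodythe.one` is published with ACME and `forceSSL`, but nothing in this file restricts who can reach it, and the `resources` widget reports the host's CPU, disk and memory usage to any visitor; the dashboard has no login of its own, so access control has to come from nginx — `basicAuthFile = "<path to htpasswd file>";` on the virtual host, or `extraConfig = "allow <lan-cidr>; deny all;";` on `locations."/"`, whichever fits the deployment. `networking.firewall.allowedUDPPorts = [80 443]` is not needed for this reverse proxy (only HTTP/3 uses UDP 443 and nothing here enables it); the TCP line is sufficient, and the same pair appears in seafile.nix. `openFirewall = false` with `host = "127.0.0.1"` is the right shape — the service stays loopback-only behind the proxy.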


@ -6,6 +6,34 @@
}: let
host = "127.0.0.1";
port = 8096;
jellyfin =
if config.services.mullvad-vpn.enable == true
then
pkgs.callPackage ({...}:
pkgs.stdenv.mkDerivation {
pname = "jellyfin-excluded";
version = "1.0.0";
phases = ["installPhase"];
buildInputs = [pkgs.jellyfin];
# Define the install phase
installPhase = ''
mkdir -p $out/bin
# Create a wrapper script
echo "${pkgs.mullvad-vpn}/bin/mullvad-exclude ${pkgs.jellyfin}/bin/jellyfin \"$@\"" > $out/bin/jellyfin-excluded
chmod +x $out/bin/jellyfin-excluded
'';
# Specify the output
meta = with pkgs.lib; {
description = "A wrapper for the hello command";
mainProgram = "jellyfin-excluded";
license = licenses.mit;
};
}) {}
else pkgs.jellyfin;
in {
# Enable VAAPI
config.nixpkgs.config.packageOverrides = pkgs: {
@ -32,6 +60,7 @@ in {
# Enable Jellyfin
config.services.jellyfin = {
enable = true;
package = jellyfin;
openFirewall = false; # We want jellyfin behind a reverse proxy
};
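Review bot: The `jellyfin-excluded` derivation provides only `bin/jellyfin-excluded`, not `bin/jellyfin`, yet it is handed to `services.jellyfin.package`; if the jellyfin module execs `${package}/bin/jellyfin` (as the nixpkgs versions I know do — `mainProgram` only matters if it uses `lib.getExe`), the service fails to start whenever `services.mullvad-vpn.enable` is true. Two further defects in the same script: `echo "... \"$@\""` runs in bash at build time, so `"$@"` expands to the (empty) build arguments and the written wrapper forwards no arguments, and the file has no shebang, so systemd cannot exec it directly. All three go away with the standard helper, `jellyfin = if config.services.mullvad-vpn.enable then pkgs.writeShellScriptBin "jellyfin" ''exec ${pkgs.mullvad-vpn}/bin/mullvad-exclude ${pkgs.jellyfin}/bin/jellyfin "$@"'' else pkgs.jellyfin;` — inside a Nix `''` string `"$@"` stays literal. `description = "A wrapper for the hello command"` is left over from the template this was copied from, and `== true` on a boolean is redundant. The `let` block continues past the hunk.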


@ -1,13 +1,24 @@
{pkgs, ...}: let
{
config,
pkgs,
...
}: let
nextcloud-pkg = pkgs.nextcloud30;
host = "127.0.0.1";
port = 8008;
lib = pkgs.lib;
in {
# system.activationScripts."make-nextcloud-dir" = lib.stringAfter ["var"] ''
# mkdir -p /var/lib/nextcloud
# chmod -R 770 /var/lib/nextcloud
# chown -R nextcloud:nextcloud /var/lib/nextcloud
# '';
services.nextcloud = {
enable = true;
package = nextcloud-pkg;
hostName = "localhost";
config.adminpassFile = "/var/lib/db/nextcloud/admin-password";
config.adminpassFile = "/etc/nextcloud-admin-password";
config.dbtype = "sqlite";
};
@ -19,7 +30,7 @@ in {
}
];
services.nginx.virtualHosts."nextcloud.spoodythe.one" = {
addSSL = true;
forceSSL = true;
enableACME = true;
locations."/" = {
proxyPass = "http://${host}:${toString port}";
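Review bot: `hostName = "localhost"` while the public name is `nextcloud.spoodythe.one` (served by a separate proxying `virtualHosts."nextcloud.spoodythe.one"`) means the Nextcloud module's own nginx vhost and its `trusted_domains` are keyed to `localhost`, so requests arriving with the real Host header are likely to be rejected as an untrusted domain unless trusted_domains is widened elsewhere; setting `hostName = "nextcloud.spoodythe.one"` and putting `forceSSL`/`enableACME` on the module's vhost is the usual shape and removes the double proxy. `config.adminpassFile = "/etc/nextcloud-admin-password";` moves the admin password to a hand-managed plaintext file in /etc; this repo already has agenix (modules/age.nix, secrets.nix), so an `age.secrets.<name>` with `owner = "nextcloud"` and its `.path` here would keep it out of /etc. The commented-out `make-nextcloud-dir` activation script can be deleted; the module manages its own state directory. The `let` block and the vhost definition continue past these hunks.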


@ -6,7 +6,9 @@
recommendedProxySettings = true;
recommendedTlsSettings = true;
virtualHosts."_" = {
virtualHosts."spoodythe.one" = {
forceSSL = true;
enableACME = true;
default = true;
locations."/" = {
return = 404;


@ -24,4 +24,8 @@
}
];
};
programs.ssh.startAgent = true;
programs.mtr.enable = true;
programs.gnupg.agent.enable = true;
}

18
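--- /dev/null
+++ b/services/rtorrent.nix
@@ -0,0 +1,18 @@
+{pkgs, ...}: let
+port = 9091;
+in {
+# services.rtorrent = {
+# enable = true;
+# dataDir = "/mnt/rtorrent";
+# user = "rtorrent";
+# group = "rtorrent";
+# package = pkgs.jesec-rtorrent;
+# inherit port;
+# };
+services.transmission = {
+enable = true;
+openFirewall = false;
+settings.rpc-port = port;
+};
+}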
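Review bot: The file is named rtorrent.nix but its only live definition is `services.transmission`; the rtorrent block it replaced is kept as eight commented-out lines, so either rename the file (and its imports entry) or delete the dead block — git keeps the old version. `settings.rpc-port = port;` with `openFirewall = false` keeps the RPC port closed externally, which is right for a daemon whose RPC defaults to no authentication and relies on `rpc-whitelist`/`rpc-bind-address`; a one-line comment saying which client is expected to talk to 9091 (or `rpc-authentication-required` if it is a remote one) would make the intent clear. auto-torrent.nix in this compare also enables transmission inside the VM with `openFirewall = true`, so it is worth stating here which instance is the live one.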

28
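--- /dev/null
+++ b/services/seafile.nix
@@ -0,0 +1,28 @@
+{
+config,
+pkgs,
+...
+}: let
+host = "127.0.0.1";
+port = 8008;
+in {
+services.seafile = {
+enable = true;
+adminEmail = "snorre@altschul.dk";
+seahubAddress = "http://${host}:${toString port}";
+# seafileSettings.fileserver = {
+# inherit host port;
+# };
+};
+services.nginx.virtualHosts."files.spoodythe.one" = {
+forceSSL = true;
+enableACME = true;
+locations."/" = {
+proxyPass = "http://${host}:${toString port}";
+};
+};
+# Open port 80 and 443 for reverse proxy
+networking.firewall.allowedTCPPorts = [80 443];
+networking.firewall.allowedUDPPorts = [80 443];
+}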
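Review bot: `seahubAddress = "http://${host}:${toString port}"` is, as far as I recall the NixOS seafile module, the externally visible URL that Seahub embeds in share links, so it should be `https://files.spoodythe.one`; and the proxy target should be whatever the module actually listens on — my recollection is that Seahub is served from a gunicorn unix socket under /run and the file server on its own port, not TCP 8008, so please verify before relying on `proxyPass = "http://127.0.0.1:8008"`. Independently, 8008 is also the port nextcloud.nix uses, so the two services cannot be imported together without one moving. `networking.firewall.allowedUDPPorts = [80 443]` is unnecessary for the proxy. No initial admin password is set anywhere visible; if the module requires one, it belongs in an agenix-managed file rather than in this file.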

189
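--- /dev/null
+++ b/services/sonarr-old.nix
@@ -0,0 +1,189 @@
+{
+pkgs,
+lib,
+config,
+...
+}: let
+host = "127.0.0.1";
+port = 8989;
+vm-index = 1;
+vm-mac = "00:00:00:00:00:01";
+vm-name = "necoarc";
+in {
+config.microvm.autostart = [vm-name];
+config.users.extraUsers.microvm.extraGroups = [
+"jellyfin" # access to media folder
+];
+config.system.activationScripts."make${vm-name}DataDir" = lib.stringAfter ["var"] ''
+mkdir -p /var/lib/${vm-name}
+chmod -R 777 /var/lib/${vm-name}
+chown -R microvm /var/lib/${vm-name}
+chmod -R 777 /media
+'';
+# config.networking.wireguard.enable = true;
+# # config.boot.extraModulePackages = [config.boot.kernelPackages.wireguard];
+# config.networking.wireguard.interfaces.wg0 = {
+# ips = ["10.75.60.108/32"];
+# listenPort = 51820;
+# privateKeyFile = "${./wireguard-secret}";
+# peers = [
+# {
+# publicKey = "TPAIPTgu9jIitgX1Bz5xMCZJ9pRRZTdtZEOIxArO0Hc=";
+# endpoint = "185.254.75.4:51820";
+# allowedIPs = ["0.0.0.0/0"];
+# persistentKeepalive = 25;
+# }
+# ];
+# };
+# config.systemd.network.networks.wg0 = {
+# matchConfig.Name = "wg0";
+# address = ["10.0.1.${toString vm-index}/24"];
+# networkConfig = {
+# IPMasquerade = "ipv4";
+# IPv4Forwarding = true;
+# };
+# };
+config.microvm.vms.${vm-name} = {
+config = {config, ...}: {
+system.stateVersion = "24.11";
+# Storage share configuration
+microvm.shares = [
+{
+tag = "ro-store";
+source = "/nix/store";
+mountPoint = "/nix/.ro-store";
+}
+{
+tag = "data-dir";
+source = "/var/lib/${vm-name}";
+mountPoint = "/mnt";
+proto = "virtiofs";
+}
+{
+tag = "media-dir";
+source = "/media/shows";
+mountPoint = "/media/shows";
+proto = "virtiofs";
+}
+];
+# Allow the service to use the share
+system.activationScripts."chownDataDir" = lib.stringAfter ["var"] ''
+mkdir -p /mnt
+chmod -R 770 /mnt
+chown -R sonarr:sonarr /mnt
+'';
+systemd.services.sonarr.serviceConfig.ExecStartPre = "/run/current-system/sw/bin/sleep 5";
+systemd.services.rutorrent.serviceConfig.ExecStartPre = "/run/current-system/sw/bin/sleep 5";
+microvm.hypervisor = "qemu";
+# VM Networking
+microvm.interfaces = [
+{
+id = "vm${toString vm-index}";
+type = "tap";
+mac = vm-mac;
+}
+];
+networking.useNetworkd = true;
+systemd.network.networks."10-eth" = {
+matchConfig.MACAddress = vm-mac;
+address = [
+"10.0.0.${toString vm-index}/32"
+];
+routes = [
+# Host Route
+{
+Destination = "10.0.0.0/32";
+GatewayOnLink = true;
+}
+# Default route
+{
+Destination = "0.0.0.0/0";
+Gateway = "10.0.0.0";
+GatewayOnLink = true;
+}
+];
+networkConfig = {
+DNS = [
+"9.9.9.9"
+"8.8.8.8"
+"8.8.4.4"
+];
+};
+};
+networking.useDHCP = false;
+networking.nameservers = [
+"10.0.101.1"
+"8.8.8.8"
+"8.8.4.4"
+];
+programs.nano.enable = lib.mkForce false;
+programs.vim.enable = true;
+# Services
+services.sonarr = {
+enable = true;
+openFirewall = true;
+dataDir = "/mnt/sonarr";
+};
+services.rtorrent = {
+enable = true;
+dataDir = "/mnt/rtorrent";
+user = "rtorrent";
+group = "rtorrent";
+port = 9999;
+};
+# Debug user
+users.users."root" = {
+password = "1234";
+};
+environment.systemPackages = [pkgs.dig];
+services.openssh = {
+enable = true;
+settings = {
+PermitRootLogin = "yes";
+AllowUsers = null;
+PasswordAuthentication = true;
+KbdInteractiveAuthentication = true;
+};
+};
+};
+};
+config.networking.firewall.allowedTCPPorts = [port 80 433];
+config.networking.firewall.allowedUDPPorts = [port 80 433];
+config.services.nginx.virtualHosts."sonarr.spoodythe.one" = {
+addSSL = true;
+enableACME = true;
+listen = [
+{
+port = 8989;
+addr = "0.0.0.0";
+ssl = false;
+}
+{
+port = 443;
+addr = "0.0.0.0";
+ssl = true;
+}
+];
+locations."/" = {
+proxyPass = "http://10.0.0.${toString vm-index}:${toString port}";
+};
+};
+}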
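Review bot: This is a 189-line dead copy of the previous sonarr.nix (it does not appear in the configuration.nix imports hunk), committed as an executable file, and it carries `users.users."root" = { password = "1234"; };` next to `PermitRootLogin = "yes"` and `PasswordAuthentication = true`, plus a commented-out `privateKeyFile = "${./wireguard-secret}"` with a Mullvad peer; git already holds the old version, so delete the file rather than keep it as `-old`. If it is kept for reference, at least remove the hard-coded root password and the `${./wireguard-secret}` interpolation — the latter copies the key into the world-readable Nix store the moment the block is uncommented, and the live equivalent in vm-test.nix has the same problem. The `433` in `allowedTCPPorts = [port 80 433]` is a typo for 443 that auto-torrent.nix repeats.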

223
services/sonarr.nix Executable file → Normal file

@ -1,142 +1,12 @@
{
pkgs,
lib,
config,
...
}: let
{...}: let
host = "127.0.0.1";
port = 8989;
vm-index = 1;
vm-mac = "00:00:00:00:00:01";
vm-name = "necoarc";
in {
config.microvm.autostart = [vm-name];
config.users.extraUsers.microvm.extraGroups = [
"jellyfin" # access to media folder
];
config.system.activationScripts."make${vm-name}DataDir" = lib.stringAfter ["var"] ''
mkdir -p /var/lib/${vm-name}
chmod -R 777 /var/lib/${vm-name}
chown -R microvm /var/lib/${vm-name}
chmod -R 777 /media
'';
# config.networking.wireguard.enable = true;
# # config.boot.extraModulePackages = [config.boot.kernelPackages.wireguard];
# config.networking.wireguard.interfaces.wg0 = {
# ips = ["10.75.60.108/32"];
# listenPort = 51820;
# privateKeyFile = "${./wireguard-secret}";
# peers = [
# {
# publicKey = "TPAIPTgu9jIitgX1Bz5xMCZJ9pRRZTdtZEOIxArO0Hc=";
# endpoint = "185.254.75.4:51820";
# allowedIPs = ["0.0.0.0/0"];
# persistentKeepalive = 25;
# }
# ];
# };
# config.systemd.network.networks.wg0 = {
# matchConfig.Name = "wg0";
# address = ["10.0.1.${toString vm-index}/24"];
# networkConfig = {
# IPMasquerade = "ipv4";
# IPv4Forwarding = true;
# };
# };
config.microvm.vms.${vm-name} = {
config = {config, ...}: {
system.stateVersion = "24.11";
# Storage share configuration
microvm.shares = [
{
tag = "ro-store";
source = "/nix/store";
mountPoint = "/nix/.ro-store";
}
{
tag = "data-dir";
source = "/var/lib/${vm-name}";
mountPoint = "/mnt";
proto = "virtiofs";
}
{
tag = "media-dir";
source = "/media/shows";
mountPoint = "/media/shows";
proto = "virtiofs";
}
];
# Allow the service to use the share
system.activationScripts."chownDataDir" = lib.stringAfter ["var"] ''
mkdir -p /mnt
chmod -R 770 /mnt
chown -R sonarr:sonarr /mnt
'';
systemd.services.sonarr.serviceConfig.ExecStartPre = "/run/current-system/sw/bin/sleep 5";
systemd.services.rutorrent.serviceConfig.ExecStartPre = "/run/current-system/sw/bin/sleep 5";
microvm.hypervisor = "qemu";
# VM Networking
microvm.interfaces = [
{
id = "vm${toString vm-index}";
type = "tap";
mac = vm-mac;
}
];
networking.useNetworkd = true;
systemd.network.networks."10-eth" = {
matchConfig.MACAddress = vm-mac;
address = [
"10.0.0.${toString vm-index}/32"
];
routes = [
# Host Route
{
Destination = "10.0.0.0/32";
GatewayOnLink = true;
}
# Default route
{
Destination = "0.0.0.0/0";
Gateway = "10.0.0.0";
GatewayOnLink = true;
}
];
networkConfig = {
DNS = [
# "9.9.9.9"
# "8.8.8.8"
# "8.8.4.4"
# Only allow mullvad DNS server
"10.64.0.1"
];
};
};
networking.useDHCP = false;
networking.nameservers = [
"10.0.101.1"
"8.8.8.8"
"8.8.4.4"
];
# Services
users.extraUsers.sonarr.extraGroups = ["jellyfin"]; # Access to the media folder
services.sonarr = {
enable = true;
openFirewall = true;
dataDir = "/mnt/sonarr";
};
services.rtorrent = {
enable = true;
dataDir = "/mnt/rtorrent";
@ -145,96 +15,11 @@ in {
port = 9999;
};
# networking.wireguard.enable = true;
# boot.extraModulePackages = [config.boot.kernelPackages.wireguard];
# networking.wireguard.interfaces.wg0 = {
# ips = ["10.75.60.108/32"];
# listenPort = 51820;
# privateKeyFile = "${./wireguard-secret}";
# peers = [
# {
# publicKey = "TPAIPTgu9jIitgX1Bz5xMCZJ9pRRZTdtZEOIxArO0Hc=";
# endpoint = "185.254.75.4:51820";
# allowedIPs = ["0.0.0.0/0"];
# persistentKeepalive = 25;
# }
# ];
# };
# networking.firewall.extraCommands = ''
# ${pkgs.iptables}/bin/iptables -I OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL ! -d 10.0.0.0/8 -j REJECT && ${pkgs.iptables}/bin/ip6tables -I OUTPUT ! -o %i -m mark ! --mark $(wg show %i fwmark) -m addrtype ! --dst-type LOCAL -j REJECT
# '';
# services.openvpn.servers.mullvad = {
# config = ''
# client
# dev tun
# resolv-retry infinite
# nobind
# persist-key
# persist-tun
# verb 3
# remote-cert-tls server
# ping 10
# ping-restart 60
# sndbuf 524288
# rcvbuf 524288
# cipher AES-256-GCM
# tls-cipher TLS-DHE-RSA-WITH-AES-256-GCM-SHA384
# proto udp
# auth-user-pass mullvad_userpass.txt
# ca mullvad_ca.crt
# script-security 2
# up /etc/openvpn/update-resolv-conf
# down /etc/openvpn/update-resolv-conf
# fast-io
# remote 193.32.248.72 1301 # de-ber-ovpn-001
# '';
# authUserPass.username = "9898431198930064";
# authUserPass.password = "m";
# updateResolvConf = true;
# };
# Debug user
users.users."root" = {
password = "1234";
};
environment.systemPackages = [pkgs.dig];
services.openssh = {
enable = true;
settings = {
PermitRootLogin = "yes";
AllowUsers = null;
PasswordAuthentication = true;
KbdInteractiveAuthentication = true;
};
};
};
};
config.networking.firewall.allowedTCPPorts = [port 80 433];
config.networking.firewall.allowedUDPPorts = [port 80 433];
config.services.nginx.virtualHosts."sonarr.spoodythe.one" = {
services.nginx.virtualHosts."sonarr.spoodythe.one" = {
addSSL = true;
enableACME = true;
listen = [
{
port = 8989;
addr = "0.0.0.0";
ssl = false;
}
{
port = 443;
addr = "0.0.0.0";
ssl = true;
}
];
locations."/" = {
proxyPass = "http://10.0.0.${toString vm-index}:${toString port}";
proxyPass = "http://${host}:${toString port}";
};
};
}
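Review bot: The `services.nginx.virtualHosts."sonarr.spoodythe.one"` kept here and the one in auto-torrent.nix define the same host with different `locations."/".proxyPass` targets (`http://127.0.0.1:8989` versus the VM's `http://10.0.1.1:8989`); if configuration.nix imports both sonarr.nix and auto-torrent.nix, as its imports hunk suggests, evaluation fails on the conflicting string definitions, and if only one is meant to be live a comment at the top of this file should say which. This vhost also stays on `addSSL = true` while the other hosts in this compare moved to `forceSSL`, so the Sonarr login page remains reachable over plain HTTP; `forceSSL = true;` is the consistent choice. Which of the lines between the two hunks survive on the new side is not certain from the rendering, and the module body continues across the hunk boundary.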


@ -32,6 +32,12 @@ in {
forceSSL = true;
locations."/" = {
proxyPass = "http://${host}:${toString port}";
extraConfig = ''
# Websocket support
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $http_connection;
'';
};
};
}
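Review bot: The added `proxy_set_header Connection $http_connection;` forwards whatever Connection value the client sent (`close` or other hop-by-hop tokens included) to the upstream on every request, rather than emitting `upgrade` only for WebSocket handshakes; the standard form is `proxy_set_header Connection $connection_upgrade;`. As far as I recall, with `recommendedProxySettings = true` (set in nginx.nix in this compare) NixOS already emits the Upgrade/Connection pair and the `$connection_upgrade` map for every `proxyPass` location, which would make the whole `extraConfig` block redundant — worth verifying and dropping, or keeping only the `$connection_upgrade` form. The virtual host and the `let` block it sits in continue outside the hunk.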

133
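--- /dev/null
+++ b/services/vm-test.nix
@@ -0,0 +1,133 @@
+{
+config,
+pkgs,
+...
+}: let
+vm-index = 1;
+vm-mac = "02:00:00:00:00:02";
+in {
+config.microvm.vms."vm-test" = {
+config = {...}: {
+microvm.interfaces = [
+{
+id = "vm${toString vm-index}";
+type = "tap";
+mac = vm-mac;
+}
+];
+microvm.shares = [
+{
+tag = "ro-store";
+source = "/nix/store";
+mountPoint = "/nix/.ro-store";
+}
+];
+networking.useNetworkd = true;
+networking.usePredictableInterfaceNames = false;
+systemd.network.networks."10-eth" = {
+matchConfig.MACAddress = vm-mac;
+address = [
+"10.0.0.${toString vm-index}/32"
+];
+routes = [
+# Host Route
+{
+Destination = "10.0.0.0/32";
+GatewayOnLink = true;
+}
+# Default route
+{
+Destination = "0.0.0.0/0";
+Gateway = "10.0.0.0";
+GatewayOnLink = true;
+}
+];
+networkConfig = {
+DNS = [
+"9.9.9.9"
+"8.8.8.8"
+"8.8.4.4"
+];
+};
+};
+networking.useDHCP = false;
+networking.nameservers = [
+"10.0.101.1"
+"8.8.8.8"
+"8.8.4.4"
+];
+systemd.services."wireguard-kill-switch" = {
+description = "Wireguard Kill Switch";
+after = ["network-online.target"];
+wants = ["network-online.target"];
+wantedBy = ["multi-user.target"];
+serviceConfig = {
+type = "oneshot";
+ExecStart = pkgs.writeShellScript "wgconf.sh" ''
+# Stay a while and listen
+# ${pkgs.toybox}/bin/sleep 5
+# Route local traffic through wg0 except local traffic
+${pkgs.iproute2}/bin/ip route add 10.0.0.0/32 dev eth0 && \
+${pkgs.iproute2}/bin/ip route add 0.0.0.0/1 dev wg0
+# Block all traffic that isnt local or through the vpn
+${pkgs.iptables}/bin/iptables -I OUTPUT ! -o wg0 -m mark ! --mark 42 -m addrtype ! --dst-type LOCAL ! -d 10.0.0.0/32 -j REJECT
+'';
+RemainAfterExit = "yes";
+};
+};
+networking.wireguard.enable = true;
+systemd.network = {
+netdevs."10-wg0" = {
+netdevConfig = {
+Kind = "wireguard";
+Name = "wg0";
+MTUBytes = "1300";
+};
+wireguardConfig = {
+PrivateKeyFile = "${./wireguard-secret}";
+FirewallMark = 42;
+ListenPort = 51820;
+};
+wireguardPeers = [
+{
+PublicKey = "0qSP0VxoIhEhRK+fAHVvmfRdjPs2DmmpOCNLFP/7cGw=";
+AllowedIPs = ["0.0.0.0/0"];
+Endpoint = "193.32.248.66:51820";
+# PersistentKeepalive = 25;
+}
+];
+};
+networks."wg0" = {
+matchConfig.Name = "wg0";
+address = [
+" 10.65.241.123/32"
+];
+DHCP = "no";
+dns = ["10.64.0.1"];
+gateway = [
+"10.0.0.0"
+];
+};
+};
+users.users.root = {
+password = "1234";
+};
+services.openssh = {
+enable = true;
+settings = {
+PermitRootLogin = "yes";
+AllowUsers = null;
+PasswordAuthentication = true;
+KbdInteractiveAuthentication = true;
+};
+};
+};
+};
+}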
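Review bot: `PrivateKeyFile = "${./wireguard-secret}";` interpolates a path literal, which copies the WireGuard private key into /nix/store on the host — readable by every local user there and exported into the VM through the `ro-store` share; the key should be delivered as a runtime file (agenix is already set up in this repo via modules/age.nix and secrets.nix) and referenced by a path string, never by a `./` literal. The test VM also sets `users.users.root.password = "1234"` with `PermitRootLogin = "yes"` and password/keyboard-interactive auth enabled, where auto-torrent.nix in the same compare already shows the key-only pattern for the same debugging purpose. Smaller items: `" 10.65.241.123/32"` has a stray leading space inside the string (harmless if the unit parser trims it, but worth removing), and `type = "oneshot"` in the kill-switch `serviceConfig` is not a valid key (systemd keys are case-sensitive; it must be `Type`), so the unit runs as `simple`. The kill-switch rule's `! -d 10.0.0.0/32` exemption matches the `/32` host addressing used here but will need updating if this VM moves to the `/24` scheme auto-torrent.nix uses.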

4
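--- /dev/null
+++ b/services/vpn.nix
@@ -0,0 +1,4 @@
+{pkgs, ...}: {
+services.mullvad-vpn.enable = true;
+environment.systemPackages = [pkgs.wireguard-tools];
+}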

20
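--- /dev/null
+++ b/services/zed.nix
@@ -0,0 +1,20 @@
+{...}: {
+services.zfs.zed = {
+enableMail = true;
+settings = {
+ZED_DEBUG_LOG = "/tmp/zed.debug.log";
+ZED_EMAIL_ADDR = "snorre@altschul.dk";
+ZED_EMAIL_PROG = "sendmail";
+ZED_EMAIL_OPTS = "-s '@SUBJECT@' @ADDRESS@";
+ZED_LOCKDIR = "/var/lock";
+ZED_NOTIFY_INTERVAL_SECS = 3600;
+ZED_NOTIFY_VERBOSE = 0;
+ZED_USE_ENCLOSURE_LEDS = 1;
+ZED_SYSLOG_PRIORITY = "daemon.notice";
+ZED_SYSLOG_TAG = "zed";
+};
+};
+}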
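Review bot: `ZED_DEBUG_LOG = "/tmp/zed.debug.log"` points a root daemon's log at a fixed name in world-writable /tmp, where any local user can pre-create the file or a symlink at that path before zed does; unless the zed unit runs with a private /tmp (not visible here), `/var/log/zed.debug.log` or leaving the debug log unset is the safer setting. `ZED_NOTIFY_VERBOSE = 0` means zed mails only non-success events (a scrub that finds errors, a degraded pool) and stays silent on clean scrubs, which is probably what is wanted for a server but deserves a one-line comment. `enableMail = true` with `ZED_EMAIL_PROG = "sendmail"` relies on the `./services/mailserver.nix` setup providing a working sendmail; a comment naming that dependency would save a future reader a search.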