From e96523d7c2c8e368a6b8434124693d0b40877b93 Mon Sep 17 00:00:00 2001
From: sajenim <its.jassy@pm.me>
Date: Sun, 5 Nov 2023 14:14:06 +0000
Subject: [PATCH] setup services, firewall, secrets etc

---
 nixos/viridian/configuration.nix              | 153 +++++++++++++++---
 .../viridian/services/media-stack/default.nix |  41 +++++
 2 files changed, 168 insertions(+), 26 deletions(-)
 create mode 100644 nixos/viridian/services/media-stack/default.nix

diff --git a/nixos/viridian/configuration.nix b/nixos/viridian/configuration.nix
index 60e130c..d363cc3 100644
--- a/nixos/viridian/configuration.nix
+++ b/nixos/viridian/configuration.nix
@@ -12,10 +12,10 @@
   imports = [
     # If you want to use modules your own flake exports (from modules/nixos):
     # outputs.nixosModules.example
+    outputs.nixosModules.qbittorrent
 
     # Or modules from other flakes (such as nixos-hardware):
-    # inputs.hardware.nixosModules.common-cpu-amd
-    # inputs.hardware.nixosModules.common-ssd
+    inputs.agenix.nixosModules.default
 
     # You can also split up your configuration and import pieces of it here:
     # ./users.nix
@@ -23,8 +23,9 @@
     # Import common configurations
     ../common/system-tools.nix
 
-    # Import our docker containers
-    ./containers
+    # Import services
+    ./services/traefik
+    ./services/media-stack
 
     # Import your generated (nixos-generate-config) hardware configuration
     ./hardware-configuration.nix
@@ -86,49 +87,149 @@
     firewall = {
       enable = true;
       allowedTCPPorts = [
-        53    # pihole-FTL  (DNS)
+        53    # adguardhome (DNS)
         80    # traefik     (HTTP)
         443   # traefik     (HTTPS)
-        8096  # jellyfin
         32372 # qbittorrent
+
       ];
       allowedUDPPorts = [
-        53    # pihole-FTL  (DNS)
+        53    # adguardhome (DNS)
         80    # traefik     (HTTP)
         443   # traefik     (HTTPS)
-        8096  # jellyfin
         32372 # qbittorrent
       ];
     };
   };
 
-  boot.loader = {
-    systemd-boot.enable = true;
-    efi = {
+  boot = {
+    loader = {
+      systemd-boot.enable = true;
+      efi = {
         canTouchEfiVariables = true;
         efiSysMountPoint = "/boot/efi";
+      };
+    };
+    kernel.sysctl = {
+      # Allow listening on TCP & UDP ports below 1024
+      "net.ipv4.ip_unprivileged_port_start" = 0;
     };
   };
 
-  programs.zsh.enable = true;
+  # Setup environment
+  environment = {
+    # Symlink /bin/sh to POSIX-Complient shell
+    binsh = "${pkgs.bash}/bin/bash";
+    shells = with pkgs; [ zsh ];
 
-  users.users = {
-    admin = {
-      isNormalUser = true;
-      extraGroups = [ "networkmanager" "wheel" "docker" ];
-      shell = pkgs.zsh;
-      openssh.authorizedKeys.keyFiles = [ ../fuchsia/id_ed25519_sk.pub ];
+    # Install packages, prefix with 'unstable.' to use overlay
+    systemPackages = with pkgs; [
+      inputs.agenix.packages."${system}".default
+    ];
+  };
+
+  programs = {
+    zsh.enable = true;
+  };
+
+  services = {
+    # This setups a SSH server. Very important if you're setting up a headless system.
+    # Feel free to remove if you don't need it.
+    openssh = {
+      enable = true;
+      # Forbid root login through SSH.
+      settings.PermitRootLogin = "no";
+      # Use keys only. Remove if you want to SSH using password (not recommended)
+      settings.PasswordAuthentication = false;
+    };
+
+    # Privacy protection center
+    adguardhome = {
+      enable = true;
+      openFirewall = true;
+      settings = {
+        # Web interface IP address to listen on.
+        bind_port = 3000;
+        # Web interface IP port to listen on.
+        bind_host = "0.0.0.0";
+        # Custom DNS responses
+        dns.rewrites = [
+          { domain = "kanto.dev";
+            answer = "192.168.1.102";
+          }
+          { domain = "*.kanto.dev";
+            answer = "kanto.dev";
+          }
+        ];
+      };
+    };
+
+    # Home automation that puts local control and privacy first.
+    home-assistant = {
+      enable = true;
+      openFirewall = true;
+      extraComponents = [
+        # Components required to complete the onboarding
+        "esphome"
+        "met"
+        "radio_browser"
+
+        "adguard"
+        "jellyfin"
+      ];
+      config = {
+        # Includes dependencies for a basic setup
+        # https://www.home-assistant.io/integrations/defaultoconfig/
+        default_config = {};
+        http = {
+          use_x_forwarded_for = true;
+          trusted_proxies = [
+            "192.168.1.102"
+          ];
+        };
+      };
+      configDir = "/var/lib/home-assistant";
+    };
+
+    # Sandbox game developed by Mojang Studios
+    minecraft-server = {
+      enable = true;
+      openFirewall = true;
+      dataDir = "/var/lib/minecraft";
+      declarative = true;
+      serverProperties = {
+        gamemode = "survival";
+        level-name = "kanto";
+        difficulty = "easy";
+        server-port = 43000;
+        motd = "A Caterpie May Change Into A Butterfree, But The Heart That Beats Inside Remains The Same.";
+      };
+      eula = true;
     };
   };
 
-  # This setups a SSH server. Very important if you're setting up a headless system.
-  # Feel free to remove if you don't need it.
-  services.openssh = {
-    enable = true;
-    # Forbid root login through SSH.
-    settings.PermitRootLogin = "no";
-    # Use keys only. Remove if you want to SSH using password (not recommended)
-    settings.PasswordAuthentication = false;
+  # Configure your system-wide user settings (groups, etc), add more users as needed.
+  users = {
+    users = {
+      # System administator
+      sabrina = {
+        isNormalUser = true;
+        extraGroups = [ "networkmanager" "wheel" "media" ];
+        openssh.authorizedKeys.keyFiles = [ ../fuchsia/id_ed25519_sk.pub ];
+        shell = pkgs.zsh;
+      };
+    };
+
+    # Additional groups to create.
+    groups = {
+      media.members = [
+        "jellyfin"
+        "sonarr"
+        "radarr"
+        "lidarr"
+        "qbittorrent"
+      ];
+    };
   };
 
   # https://nixos.wiki/wiki/FAQ/When_do_I_update_stateVersion
diff --git a/nixos/viridian/services/media-stack/default.nix b/nixos/viridian/services/media-stack/default.nix
new file mode 100644
index 0000000..7db127e
--- /dev/null
+++ b/nixos/viridian/services/media-stack/default.nix
@@ -0,0 +1,41 @@
+{ ... }:
+
+{
+  services = {
+    # Volunteer-built media solution that puts you in control of your media
+    jellyfin = {
+      enable = true;
+      openFirewall = true;
+    };
+    # PVR for Usenet and BitTorrent users
+    sonarr = {
+      enable = true;
+      openFirewall = true;
+      dataDir = "/var/lib/sonarr";
+    };
+    # Movie collection manager for Usenet and BitTorrent users
+    radarr = {
+      enable = true;
+      openFirewall = true;
+      dataDir = "/var/lib/radarr";
+    };
+    # Music collection manager for Usenet and BitTorrent users
+    lidarr = {
+      enable = true;
+      openFirewall = true;
+      dataDir = "/var/lib/lidarr";
+    };
+    # Indexer manager/proxy built on the popular arr .net/reactjs base stack to integrate with your various PVR apps.
+    prowlarr = {
+      enable = true;
+      openFirewall = true;
+    };
+    # Open-source software alternative to µTorrent
+    qbittorrent = {
+      enable = true;
+      openFirewall = true;
+      port = 8080;
+    };
+  };
+}
+