jasmine/nix-config
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

fmt: alejandra

Browse source
This commit is contained in:
♥ Minnie ♥ 2024-08-08 09:02:42 +08:00
parent 53378cdfc9
commit 3350d19a45
Signed by: jasmine
GPG key ID: 8563E358D4E8040E
79 changed files with 432 additions and 511 deletions
Download patch file Download diff file Expand all files Collapse all files

23
nixos/viridian/configuration.nix
View file

@ -1,6 +1,4 @@
{ pkgs, ... }:
{
{pkgs, ...}: {
imports = [
../common/global
../common/users/sajenim
@ -33,24 +31,24 @@
enable = true;
allowPing = true;
allowedTCPPorts = [
53 # adguardhome (DNS)
80 # traefik (HTTP)
443 # traefik (HTTPS)
53 # adguardhome (DNS)
80 # traefik (HTTP)
443 # traefik (HTTPS)
32372 # qbittorrent
6600 # mpd
6600 # mpd
];
allowedUDPPorts = [
53 # adguardhome (DNS)
80 # traefik (HTTP)
443 # traefik (HTTPS)
53 # adguardhome (DNS)
80 # traefik (HTTP)
443 # traefik (HTTPS)
32372 # qbittorrent
51820 # Wireguard
6600 # mpd
6600 # mpd
];
};
};
programs = {
programs = {
zsh.enable = true;
};
@ -65,4 +63,3 @@
# https://nixos.wiki/wiki/FAQ/When_do_I_update_stateVersion
system.stateVersion = "24.05";
}

4
nixos/viridian/containers/default.nix
View file

@ -1,6 +1,4 @@
{ ... }:
{
{...}: {
imports = [
./jellyfin.nix
./jellyseerr.nix

11
nixos/viridian/containers/jellyfin.nix
View file

@ -1,8 +1,6 @@
{ ... }:
let
{...}: let
port = "8096";
in
{
in {
virtualisation.oci-containers.containers = {
# Volunteer-built media solution that puts you in control of your media
jellyfin = {
@ -35,7 +33,7 @@ in
services.traefik.dynamicConfigOptions.http.routers = {
jellyfin = {
rule = "Host(`jellyfin.kanto.dev`)";
rule = "Host(`jellyfin.kanto.dev`)";
entryPoints = [
"websecure"
];
@ -48,8 +46,7 @@ in
services.traefik.dynamicConfigOptions.http.services = {
jellyfin.loadBalancer.servers = [
{ url = "http://127.0.0.1:${port}"; }
{url = "http://127.0.0.1:${port}";}
];
};
}

9
nixos/viridian/containers/jellyseerr.nix
View file

@ -1,8 +1,6 @@
{ ... }:
let
{...}: let
port = "5055";
in
{
in {
virtualisation.oci-containers.containers = {
# Request management
jellyseerr = {
@ -39,8 +37,7 @@ in
services.traefik.dynamicConfigOptions.http.services = {
jellyseerr.loadBalancer.servers = [
{ url = "http://127.0.0.1:${port}"; }
{url = "http://127.0.0.1:${port}";}
];
};
}

9
nixos/viridian/containers/lidarr.nix
View file

@ -1,8 +1,6 @@
{ ... }:
let
{...}: let
port = "8686";
in
{
in {
virtualisation.oci-containers.containers = {
# # Music collection manager for Usenet and BitTorrent users
lidarr = {
@ -42,8 +40,7 @@ in
services.traefik.dynamicConfigOptions.http.services = {
lidarr.loadBalancer.servers = [
{ url = "http://127.0.0.1:${port}"; }
{url = "http://127.0.0.1:${port}";}
];
};
}

12
nixos/viridian/containers/mealie.nix
View file

@ -1,8 +1,6 @@
{ ... }:
let
{...}: let
port = "9925";
in
{
in {
virtualisation.oci-containers.containers = {
mealie = {
autoStart = true;
@ -29,7 +27,7 @@ in
services.traefik.dynamicConfigOptions.http.routers = {
mealie = {
rule = "Host(`mealie.kanto.dev`)";
rule = "Host(`mealie.kanto.dev`)";
entryPoints = [
"websecure"
];
@ -43,9 +41,7 @@ in
services.traefik.dynamicConfigOptions.http.services = {
mealie.loadBalancer.servers = [
{ url = "http://127.0.0.1:${port}"; }
{url = "http://127.0.0.1:${port}";}
];
};
}

17
nixos/viridian/containers/microbin/default.nix
View file

@ -1,13 +1,11 @@
{ config, ... }:
let
{config, ...}: let
port = "8181";
in
{
in {
age.secrets.microbin = {
# Environment variables for microbin
rekeyFile = ./environment.age;
owner = "sajenim";
group = "users";
# Environment variables for microbin
rekeyFile = ./environment.age;
owner = "sajenim";
group = "users";
};
virtualisation.oci-containers.containers = {
@ -43,8 +41,7 @@ in
services.traefik.dynamicConfigOptions.http.services = {
microbin.loadBalancer.servers = [
{ url = "http://127.0.0.1:${port}"; }
{url = "http://127.0.0.1:${port}";}
];
};
}

11
nixos/viridian/containers/prowlarr.nix
View file

@ -1,8 +1,6 @@
{ ... }:
let
{...}: let
port = "9696";
in
{
in {
virtualisation.oci-containers.containers = {
# Indexer manager/proxy built on the popular arr .net/reactjs base stack to integrate with your various PVR apps.
prowlarr = {
@ -36,11 +34,10 @@ in
service = "prowlarr";
};
};
services.traefik.dynamicConfigOptions.http.services = {
prowlarr.loadBalancer.servers = [
{ url = "http://127.0.0.1:${port}"; }
{url = "http://127.0.0.1:${port}";}
];
};
}

13
nixos/viridian/containers/qbittorrent.nix
View file

@ -1,16 +1,14 @@
{ ... }:
let
{...}: let
port = "8487";
in
{
in {
virtualisation.oci-containers.containers = {
# # Open-source software alternative to µTorrent
qbittorrent = {
autoStart = true;
image = "ghcr.io/hotio/qbittorrent:release-4.6.5";
ports = [
"${port}:8080/tcp" # WebUI
"32372:32372/tcp" # Transport protocol
"${port}:8080/tcp" # WebUI
"32372:32372/tcp" # Transport protocol
];
volumes = [
# Seedbox
@ -42,8 +40,7 @@ in
services.traefik.dynamicConfigOptions.http.services = {
qbittorrent.loadBalancer.servers = [
{ url = "http://127.0.0.1:${port}"; }
{url = "http://127.0.0.1:${port}";}
];
};
}

9
nixos/viridian/containers/radarr.nix
View file

@ -1,8 +1,6 @@
{ ... }:
let
{...}: let
port = "7878";
in
{
in {
virtualisation.oci-containers.containers = {
# Movie collection manager for Usenet and BitTorrent users
radarr = {
@ -41,8 +39,7 @@ in
services.traefik.dynamicConfigOptions.http.services = {
radarr.loadBalancer.servers = [
{ url = "http://127.0.0.1:${port}"; }
{url = "http://127.0.0.1:${port}";}
];
};
}

4
nixos/viridian/containers/recyclarr.nix
View file

@ -1,6 +1,4 @@
{ ... }:
{
{...}: {
virtualisation.oci-containers.containers = {
# Automatically synchronize recommended settings from the TRaSH guides to your Sonarr/Radarr instances
recyclarr = {

9
nixos/viridian/containers/sonarr.nix
View file

@ -1,8 +1,6 @@
{ ... }:
let
{...}: let
port = "8989";
in
{
in {
virtualisation.oci-containers.containers = {
# PVR for Usenet and BitTorrent users
sonarr = {
@ -42,8 +40,7 @@ in
services.traefik.dynamicConfigOptions.http.services = {
sonarr.loadBalancer.servers = [
{ url = "http://127.0.0.1:${port}"; }
{url = "http://127.0.0.1:${port}";}
];
};
}

33
nixos/viridian/hardware-configuration.nix
View file

@ -1,16 +1,18 @@
{ config, lib, ... }:
let
hostname = config.networking.hostName;
in
{
config,
lib,
...
}: let
hostname = config.networking.hostName;
in {
imports = [
../common/optional/ephemeral-btrfs.nix
];
boot = {
initrd = {
availableKernelModules = [ "xhci_pci" "ahci" "nvme" "usbhid" "usb_storage" "sd_mod" ];
kernelModules = [ "kvm-intel" ];
availableKernelModules = ["xhci_pci" "ahci" "nvme" "usbhid" "usb_storage" "sd_mod"];
kernelModules = ["kvm-intel"];
};
loader = {
systemd-boot.enable = true;
@ -21,12 +23,12 @@ in
};
};
fileSystems."/boot" = {
fileSystems."/boot" = {
device = "/dev/disk/by-label/ESP";
fsType = "vfat";
};
fileSystems."/srv/multimedia" = {
fileSystems."/srv/multimedia" = {
device = "/dev/disk/by-label/multimedia";
fsType = "ext4";
};
@ -34,30 +36,31 @@ in
fileSystems."/srv/containers" = {
device = "/dev/disk/by-label/${hostname}";
fsType = "btrfs";
options = [ "subvol=containers" "compress=zstd" ];
options = ["subvol=containers" "compress=zstd"];
};
fileSystems."/srv/services" = {
device = "/dev/disk/by-label/${hostname}";
fsType = "btrfs";
options = [ "subvol=services" "compress=zstd" ];
options = ["subvol=services" "compress=zstd"];
};
fileSystems."/srv/shares" = {
device = "/dev/disk/by-label/data";
fsType = "btrfs";
options = [ "subvol=shares" "compress=zstd" ];
options = ["subvol=shares" "compress=zstd"];
};
fileSystems."/srv/backup" = {
device = "/dev/disk/by-label/data";
fsType = "btrfs";
options = [ "subvol=backup" "compress=zstd" ];
options = ["subvol=backup" "compress=zstd"];
};
swapDevices = [
{ device = "/swap/swapfile";
size = 16*1024;
swapDevices = [
{
device = "/swap/swapfile";
size = 16 * 1024;
}
];

5
nixos/viridian/services/borgbackup.nix
View file

@ -1,6 +1,4 @@
{ ... }:
{
{...}: {
services.borgbackup.jobs = {
containers = {
paths = [
@ -33,4 +31,3 @@
};
};
}

18
nixos/viridian/services/crowdsec/default.nix
View file

@ -1,8 +1,11 @@
{ config, inputs, pkgs, ... }:
let
port = "8080";
in
{
config,
inputs,
pkgs,
...
}: let
port = "8080";
in {
imports = [
inputs.crowdsec.nixosModules.crowdsec
inputs.crowdsec.nixosModules.crowdsec-firewall-bouncer
@ -86,9 +89,12 @@ in
environment.persistence."/persist" = {
directories = [
{ directory = "/var/lib/crowdsec"; user = "crowdsec"; group = "crowdsec"; }
{
directory = "/var/lib/crowdsec";
user = "crowdsec";
group = "crowdsec";
}
];
hideMounts = true;
};
}

4
nixos/viridian/services/default.nix
View file

@ -1,6 +1,4 @@
{ ... }:
{
{...}: {
imports = [
./traefik
./crowdsec

7
nixos/viridian/services/forgejo.nix
View file

@ -1,6 +1,4 @@
{ config, ... }:
{
{config, ...}: {
services.forgejo = {
enable = true;
stateDir = "/srv/services/forgejo";
@ -34,8 +32,7 @@
services.traefik.dynamicConfigOptions.http.services = {
forgejo.loadBalancer.servers = [
{ url = "http://127.0.0.1:${toString config.services.forgejo.settings.server.HTTP_PORT}"; }
{url = "http://127.0.0.1:${toString config.services.forgejo.settings.server.HTTP_PORT}";}
];
};
}

22
nixos/viridian/services/grafana.nix
View file

@ -1,6 +1,4 @@
{ config, ... }:
{
{config, ...}: {
# Setup grafana our grafana instance.
services.grafana = {
enable = true;
@ -24,13 +22,15 @@
# Setup our database for grafana.
services.mysql = {
ensureUsers = [{
name = "grafana";
ensurePermissions = {
"grafana.*" = "ALL PRIVILEGES";
};
}];
ensureDatabases = [ "grafana" ];
ensureUsers = [
{
name = "grafana";
ensurePermissions = {
"grafana.*" = "ALL PRIVILEGES";
};
}
];
ensureDatabases = ["grafana"];
};
# Setup our traefik router.
@ -50,7 +50,7 @@
# Setup our traefik service.
services.traefik.dynamicConfigOptions.http.services = {
grafana.loadBalancer.servers = [
{ url = "http://127.0.0.1:${toString config.services.grafana.settings.server.http_port}"; }
{url = "http://127.0.0.1:${toString config.services.grafana.settings.server.http_port}";}
];
};
}

7
nixos/viridian/services/lighttpd.nix
View file

@ -1,6 +1,4 @@
{ config, ... }:
{
{config, ...}: {
services.lighttpd = {
enable = true;
port = 5624;
@ -23,8 +21,7 @@
services.traefik.dynamicConfigOptions.http.services = {
lighttpd.loadBalancer.servers = [
{ url = "http://127.0.0.1:${toString config.services.lighttpd.port}"; }
{url = "http://127.0.0.1:${toString config.services.lighttpd.port}";}
];
};
}

23
nixos/viridian/services/minecraft/default.nix
View file

@ -1,5 +1,10 @@
{ inputs, pkgs, lib, config, ... }:
let
{
inputs,
pkgs,
lib,
config,
...
}: let
modpack = pkgs.fetchPackwizModpack rec {
version = "7091175a49";
url = "https://git.sajenim.dev/jasmine/minecraft-modpack/raw/commit/${version}/pack.toml";
@ -7,9 +12,8 @@ let
};
mcVersion = modpack.manifest.versions.minecraft;
fabricVersion = modpack.manifest.versions.fabric;
serverVersion = lib.replaceStrings [ "." ] [ "_" ] "fabric-${mcVersion}";
in
{
serverVersion = lib.replaceStrings ["."] ["_"] "fabric-${mcVersion}";
in {
imports = [
inputs.nix-minecraft.nixosModules.minecraft-servers
];
@ -27,7 +31,7 @@ in
kanto = {
enable = true;
# The minecraft server package to use.
package = pkgs.fabricServers.${serverVersion}.override { loaderVersion = fabricVersion; }; # Specific fabric loader version.
package = pkgs.fabricServers.${serverVersion}.override {loaderVersion = fabricVersion;}; # Specific fabric loader version.
# Allowed players
whitelist = {
@ -46,10 +50,10 @@ in
server-port = 25565;
white-list = true;
};
# Things to symlink into this server's data directory.
symlinks = {
"mods" = "${modpack}/mods";
"mods" = "${modpack}/mods";
};
# Things to copy into this server's data directory.
@ -90,8 +94,7 @@ in
services.traefik.dynamicConfigOptions.http.services = {
minecraft.loadBalancer.servers = [
{ url = "http://127.0.0.1:${toString config.services.minecraft-servers.servers.kanto.serverProperties.server-port}"; }
{url = "http://127.0.0.1:${toString config.services.minecraft-servers.servers.kanto.serverProperties.server-port}";}
];
};
}

8
nixos/viridian/services/mpd.nix
View file

@ -1,6 +1,4 @@
{ ... }:
{
{...}: {
services.mpd = {
enable = true;
musicDirectory = "/srv/multimedia/library/music";
@ -28,7 +26,7 @@
};
networking.firewall = {
# # for NFSv3; view with `rpcinfo -p`
allowedTCPPorts = [ 111 2049 4000 4001 4002 20048 ];
allowedUDPPorts = [ 111 2049 4000 4001 4002 20048 ];
allowedTCPPorts = [111 2049 4000 4001 4002 20048];
allowedUDPPorts = [111 2049 4000 4001 4002 20048];
};
}

5
nixos/viridian/services/mysql.nix
View file

@ -1,10 +1,7 @@
{ pkgs, ... }:
{
{pkgs, ...}: {
services.mysql = {
enable = true;
package = pkgs.mariadb;
dataDir = "/srv/services/mysql";
};
}

17
nixos/viridian/services/prometheus.nix
View file

@ -1,9 +1,7 @@
{ config, ... }:
{
{config, ...}: {
services.prometheus = {
enable = true;
port = 9001; # Port to listen on.
port = 9001; # Port to listen on.
# Valid in all configuration contexts, defaults for other configuration sections.
globalConfig = {
@ -14,7 +12,7 @@
exporters = {
node = {
enable = true;
enabledCollectors = [ "systemd" "processes" ];
enabledCollectors = ["systemd" "processes"];
port = 9100;
};
};
@ -23,11 +21,12 @@
scrapeConfigs = [
{
job_name = "node";
static_configs = [{
targets = [ "127.0.0.1:${toString config.services.prometheus.exporters.node.port}" ];
}];
static_configs = [
{
targets = ["127.0.0.1:${toString config.services.prometheus.exporters.node.port}"];
}
];
}
];
};
}

8
nixos/viridian/services/samba.nix
View file

@ -1,6 +1,4 @@
{ ... }:
{
{...}: {
services.samba = {
enable = true;
securityType = "user";
@ -9,7 +7,7 @@
workgroup = WORKGROUP
server string = smbnix
netbios name = smbnix
security = user
security = user
#use sendfile = yes
#max protocol = smb2
# note: localhost is the ipv6 localhost ::1
@ -47,5 +45,5 @@
openFirewall = true;
};
environment.persistence."/persist".directories = [ "/var/lib/samba" ];
environment.persistence."/persist".directories = ["/var/lib/samba"];
}

48
nixos/viridian/services/traefik/default.nix
View file

@ -1,7 +1,10 @@
{ inputs, config, pkgs, ... }:
{
disabledModules = [ "services/web-servers/traefik.nix" ];
inputs,
config,
pkgs,
...
}: {
disabledModules = ["services/web-servers/traefik.nix"];
imports = [
"${inputs.nixpkgs-unstable}/nixos/modules/services/web-servers/traefik.nix"
@ -86,12 +89,14 @@
# List of domains in our network
domains = [
# Internal services
{ main = "kanto.dev";
sans = [ "*.kanto.dev" ];
{
main = "kanto.dev";
sans = ["*.kanto.dev"];
}
# Public services
{ main = "sajenim.dev";
sans = [ "*.sajenim.dev" ];
{
main = "sajenim.dev";
sans = ["*.sajenim.dev"];
}
];
};
@ -106,7 +111,7 @@
metrics = {
prometheus = {
entryPoint = "metrics";
buckets = [ "0.1" "0.3" "1.2" "5.0" ];
buckets = ["0.1" "0.3" "1.2" "5.0"];
addEntryPointsLabels = true;
addRoutersLabels = true;
addServicesLabels = true;
@ -144,20 +149,33 @@
services.prometheus.scrapeConfigs = [
{
job_name = "traefik";
static_configs = [{
targets = [ "127.0.0.1:8082" ];
}];
static_configs = [
{
targets = ["127.0.0.1:8082"];
}
];
}
];
# Persist our traefik data & logs
environment.persistence."/persist" = {
directories = [
{ directory = "/var/lib/traefik"; user = "traefik"; group = "traefik"; }
{ directory = "/var/log/traefik"; user = "traefik"; group = "traefik"; }
{ directory = "/plugins-storage"; user = "traefik"; group = "traefik"; }
{
directory = "/var/lib/traefik";
user = "traefik";
group = "traefik";
}
{
directory = "/var/log/traefik";
user = "traefik";
group = "traefik";
}
{
directory = "/plugins-storage";
user = "traefik";
group = "traefik";
}
];
hideMounts = true;
};
}

9
nixos/viridian/services/traefik/middlewares.nix
View file

@ -1,6 +1,4 @@
{ config, ... }:
{
{config, ...}: {
# Crowdsec Local API key for the bouncer.
age.secrets.traefik-bouncer-key = {
rekeyFile = ../crowdsec/traefik-bouncer-key.age;
@ -12,7 +10,7 @@
services.traefik.dynamicConfigOptions.http.middlewares = {
# Restrict access to internal networks
internal.ipwhitelist.sourcerange = [
"127.0.0.1/32" # localhost
"127.0.0.1/32" # localhost
"192.168.20.1/24" # lan
];
@ -49,7 +47,7 @@
crowdsec.plugin.bouncer = {
enabled = "true";
crowdsecMode = "appsec";
crowdsecLapiKeyFile = config.age.secrets.traefik-bouncer-key.path;
crowdsecLapiKeyFile = config.age.secrets.traefik-bouncer-key.path;
crowdsecLapiScheme = "http";
crowdsecLapiHost = "127.0.0.1:8080";
crowdsecAppsecEnabled = "true";
@ -57,4 +55,3 @@
};
};
}

5
nixos/viridian/services/traefik/routers.nix
View file

@ -1,6 +1,4 @@
{ ... }:
{
{...}: {
services.traefik.dynamicConfigOptions.http.routers = {
traefik-dashboard = {
rule = "Host(`traefik.kanto.dev`)";
@ -25,4 +23,3 @@
};
};
}

7
nixos/viridian/services/traefik/services.nix
View file

@ -1,10 +1,7 @@
{ ... }:
{
{...}: {
services.traefik.dynamicConfigOptions.http.services = {
ender1.loadBalancer.servers = [
{ url = "http://192.168.1.103:80"; }
{url = "http://192.168.1.103:80";}
];
};
}