nixcfg/hosts/mauville/default.nix

# Custom desktop with AMD Ryzen 5 2600, 16GB RAM, AMD Rx 6700, and 1TB SSD + 2TB HDD.
#
# Host module for "mauville". The web services (forgejo, navidrome, FreshRSS,
# nix-serve, Plex, audiobookshelf) sit behind nginx with ACME/TLS; Samba and the
# Transmission container are reached directly through the host firewall.
{
  config,
  input, # NOTE(review): not referenced in this file; `...` would silently absorb a typo for `inputs` — confirm
  lib,
  pkgs,
  self,
  ...
}: let
  acmeEmail = "alyraffauf@gmail.com";
  hostName = "mauville";
  domain = "raffauflabs.com";
  mediaDirectory = "/mnt/Media";
  archiveDirectory = "/mnt/Archive";

  # Port numbers come from the ar.containers module; the binding is lazy, so
  # referencing the final config from this module is fine.
  ociContainers = config.ar.containers.oci;

  # Proxy URL for a service listening on the loopback interface.
  loopback = port: "http://127.0.0.1:${toString port}";

  # Every public vhost is TLS-only with an ACME certificate and proxies "/"
  # to the given location definition.
  tlsProxyHost = location: {
    enableACME = true;
    forceSSL = true;
    locations."/" = location;
  };
in {
  imports = [
    ./filesystems.nix
    ./hardware.nix
    ./home.nix
  ];

  age.secrets = {
    cloudflare.file = ../../secrets/cloudflare.age;
    nixCache.file = ../../secrets/nixCache/privKey.age;
  };

  boot.loader = {
    efi.canTouchEfiVariables = true;
    systemd-boot.enable = true;
  };

  system.stateVersion = "23.11";

  networking = {
    inherit hostName;

    firewall = {
      # 80/443 are nginx. The Transmission ports are opened directly and so
      # bypass the TLS termination every other service gets; presumably only
      # reachable from the LAN unless the router forwards them — confirm.
      allowedTCPPorts = [
        80
        443
        ociContainers.transmission.port
        ociContainers.transmission.bitTorrentPort
      ];
      allowedUDPPorts = [ociContainers.transmission.bitTorrentPort];
    };

    # My router doesn't expose settings for NAT loopback
    # So we have to use this workaround.
    extraHosts = ''
      127.0.0.1 git.${domain}
      127.0.0.1 music.${domain}
      127.0.0.1 news.${domain}
      127.0.0.1 nixcache.${domain}
      127.0.0.1 plex.${domain}
      127.0.0.1 podcasts.${domain}
    '';
  };

  security.acme = {
    acceptTerms = true;
    defaults.email = acmeEmail;
  };

  services = {
    ddclient = {
      enable = true;
      # news. and nixcache. are served by nginx below but are not updated here;
      # presumably they are CNAMEs onto one of these records — confirm.
      domains = [
        "git.${domain}"
        "music.${domain}"
        "plex.${domain}"
        "podcasts.${domain}"
        domain
      ];
      interval = "10min";
      passwordFile = config.age.secrets.cloudflare.path;
      protocol = "cloudflare";
      ssl = true;
      use = "web, web=dynamicdns.park-your-domain.com/getip, web-skip='Current IP Address: '";
      username = "token";
      zone = domain;
    };

    fail2ban.enable = true;

    forgejo = {
      enable = true;
      lfs.enable = true;
      settings = {
        DEFAULT.APP_NAME = "Git @ RaffaufLabs.com";
        actions = {
          ENABLED = true;
          DEFAULT_ACTIONS_URL = "https://github.com";
        };
        cron = {
          ENABLED = true;
          RUN_AT_START = false;
        };
        federation.ENABLED = true;
        picture.ENABLE_FEDERATED_AVATAR = true;
        repository = {
          DEFAULT_BRANCH = "master";
          ENABLE_PUSH_CREATE_ORG = true;
          ENABLE_PUSH_CREATE_USER = true;
          PREFERRED_LICENSES = "GPL-3.0";
        };
        security.PASSWORD_CHECK_PWN = true;
        server = {
          LANDING_PAGE = "explore";
          ROOT_URL = "https://git.${domain}/";
        };
        # NOTE(review): self-registration stays open (DISABLE_REGISTRATION = false).
        # As I read it, ALLOW_ONLY_INTERNAL_REGISTRATION only limits sign-up to the
        # local password provider; it does not make accounts admin-created.
        service = {
          ALLOW_ONLY_INTERNAL_REGISTRATION = true;
          DISABLE_REGISTRATION = false;
          ENABLE_NOTIFY_MAIL = true;
        };
        session.COOKIE_SECURE = true;
        ui.DEFAULT_THEME = "forgejo-auto";
        "ui.meta" = {
          AUTHOR = "Git @ RaffaufLabs.com";
          DESCRIPTION = "Self-hosted git projects + toys.";
          KEYWORDS = "git,forge,forgejo,aly raffauf";
        };
      };
    };

    nginx = {
      enable = true;
      recommendedGzipSettings = true;
      recommendedProxySettings = true;
      recommendedTlsSettings = true;

      virtualHosts = {
        "git.${domain}" = tlsProxyHost {
          proxyPass = let
            inherit (config.services.forgejo.settings.server) HTTP_ADDR HTTP_PORT;
          in "http://${HTTP_ADDR}:${toString HTTP_PORT}";
          extraConfig = ''
            client_max_body_size 512M;
          '';
        };

        "music.${domain}" = tlsProxyHost {
          proxyPass = loopback config.ar.containers.nixos.navidrome.port;
          proxyWebsockets = true;
          extraConfig = ''
            proxy_buffering off;
          '';
        };

        "news.${domain}" = tlsProxyHost {
          proxyPass = loopback ociContainers.freshRSS.port;
          proxyWebsockets = true; # needed if you need to use WebSocket
          extraConfig = ''
            proxy_buffering off;
            proxy_redirect off;
            # Forward the Authorization header for the Google Reader API.
            proxy_pass_header Authorization;
            proxy_set_header Authorization $http_authorization;
          '';
        };

        "nixcache.${domain}" = tlsProxyHost {
          proxyPass = "http://${config.services.nix-serve.bindAddress}:${toString config.services.nix-serve.port}";
        };

        "plex.${domain}" = tlsProxyHost {
          proxyPass = loopback ociContainers.plexMediaServer.port;
          proxyWebsockets = true;
          extraConfig = ''
            proxy_buffering off;
          '';
        };

        "podcasts.${domain}" = tlsProxyHost {
          proxyPass = loopback ociContainers.audiobookshelf.port;
          # Websocket headers are written by hand here (Connection "upgrade" on
          # every request) instead of proxyWebsockets = true as on the other
          # vhosts; kept as-is, but worth aligning.
          extraConfig = ''
            client_max_body_size 500M;
            proxy_buffering off;
            proxy_redirect http:// https://;
            proxy_set_header Host $host;
            proxy_set_header X-Forwarded-Proto $scheme;
            proxy_set_header Connection "upgrade";
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
          '';
        };
      };
    };

    nix-serve = {
      enable = true;
      secretKeyFile = config.age.secrets.nixCache.path;
    };

    ollama = {
      enable = true;
      acceleration = "rocm";
    };

    # Both shares are anonymously writable ("guest ok" = "yes" with
    # "read only" = "no") and openFirewall opens the SMB ports on every
    # interface. That is only acceptable while nothing outside the LAN can
    # reach this host — confirm, in particular for the Archive share.
    samba = {
      enable = true;
      openFirewall = true;
      securityType = "user";
      shares = let
        guestWritable = name: path: {
          browseable = "yes";
          comment = "${name} @ ${hostName}";
          inherit path;
          "read only" = "no";
          "guest ok" = "yes";
          "create mask" = "0755";
          "directory mask" = "0755";
        };
      in {
        Media = guestWritable "Media" mediaDirectory;
        Archive = guestWritable "Archive" archiveDirectory;
      };
    };

    samba-wsdd = {
      enable = true;
      openFirewall = true;
    };
  };

  ar = {
    apps = {
      firefox.enable = true;
      nicotine-plus.enable = true;
      podman.enable = true;
      steam.enable = true;
      virt-manager.enable = true;
    };

    base = {
      enable = true;
      zramSwap.size = 100;
    };

    containers = {
      nixos.navidrome.enable = true;
      oci = {
        audiobookshelf.enable = true;
        freshRSS.enable = true;
        plexMediaServer.enable = true;
        transmission.enable = true;
      };
    };

    desktop = {
      greetd = {
        enable = true;
        autologin = {
          enable = true;
          user = "aly";
        };
      };
      hyprland.enable = true;
      steam.enable = true;
    };

    # NOTE(review): these are yescrypt password hashes committed to the tree.
    # Not plaintext, but anyone with the repository can attack them offline;
    # the age secrets used above could hold them instead if ar.users offers a
    # hashed-password-file option — confirm against the module.
    users = {
      aly = {
        enable = true;
        password = "$y$j9T$SHPShqI2IpRE101Ey2ry/0$0mhW1f9LbVY02ifhJlP9XVImge9HOpf23s9i1JFLIt9";
      };
      dustin = {
        enable = true;
        password = "$y$j9T$3mMCBnUQ.xjuPIbSof7w0.$fPtRGblPRSwRLj7TFqk1nzuNQk2oVlgvb/bE47sghl.";
      };
    };

    services = {
      syncthing = {
        enable = true;
        syncMusic = true;
        musicPath = "${mediaDirectory}/Music";
      };
      tailscale.enable = true;
    };
  };
}