diff --git a/flake.lock b/flake.lock index 12e35c82..58bb4806 100644 --- a/flake.lock +++ b/flake.lock @@ -568,26 +568,6 @@ "type": "github" } }, - "raffauflabs": { - "inputs": { - "nixpkgs": [ - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1724047987, - "narHash": "sha256-2be2gK4DRyPwLbddSQ5A9I9UjLM/tGrgdltrosE2AsU=", - "owner": "alyraffauf", - "repo": "raffauflabs", - "rev": "fd6bb8de83bb23f0724cf464fe6ac4a3f07ed831", - "type": "github" - }, - "original": { - "owner": "alyraffauf", - "repo": "raffauflabs", - "type": "github" - } - }, "root": { "inputs": { "agenix": "agenix", @@ -599,7 +579,6 @@ "nixpkgs": "nixpkgs", "nixpkgs-unstable": "nixpkgs-unstable", "nur": "nur", - "raffauflabs": "raffauflabs", "stylix": "stylix" } }, diff --git a/flake.nix b/flake.nix index 274a9b92..687ca011 100644 --- a/flake.nix +++ b/flake.nix @@ -26,8 +26,8 @@ }; lanzaboote = { - url = "github:nix-community/lanzaboote/v0.4.1"; inputs.nixpkgs.follows = "nixpkgs"; + url = "github:nix-community/lanzaboote/v0.4.1"; }; nixhw = { @@ -37,11 +37,6 @@ nur.url = "github:nix-community/NUR"; - raffauflabs = { - inputs.nixpkgs.follows = "nixpkgs"; - url = "github:alyraffauf/raffauflabs"; - }; - stylix = { inputs.nixpkgs.follows = "nixpkgs"; url = "github:danth/stylix"; diff --git a/hosts/mauville/default.nix b/hosts/mauville/default.nix index 3043229e..dcc84d0d 100644 --- a/hosts/mauville/default.nix +++ b/hosts/mauville/default.nix @@ -6,19 +6,18 @@ ... }: let archiveDirectory = "/mnt/Archive"; - domain = "raffauflabs.com"; mediaDirectory = "/mnt/Media"; in { imports = [ ./disko.nix ./home.nix + ./raffauflabs.nix ./secrets.nix ./stylix.nix self.inputs.nixhw.nixosModules.common-amd-cpu self.inputs.nixhw.nixosModules.common-amd-gpu self.inputs.nixhw.nixosModules.common-bluetooth self.inputs.nixhw.nixosModules.common-ssd - self.inputs.raffauflabs.nixosModules.raffauflabs self.nixosModules.common-auto-upgrade self.nixosModules.common-base self.nixosModules.common-locale 
@@ -50,8 +49,6 @@ in { networking.hostName = "mauville"; services = { - forgejo.settings.service.DISABLE_REGISTRATION = lib.mkForce true; - samba = { enable = true; openFirewall = true; @@ -94,20 +91,6 @@ in { enable = true; openFirewall = true; }; - - transmission = { - enable = true; - credentialsFile = config.age.secrets.transmission.path; - openFirewall = true; - openRPCPort = true; - - settings = { - download-dir = mediaDirectory; - peer-port = 51413; - rpc-bind-address = "0.0.0.0"; - rpc-port = 9091; - }; - }; }; environment.variables.GDK_SCALE = "1.25"; @@ -153,39 +136,4 @@ in { }; }; }; - - raffauflabs = { - inherit domain; - enable = true; - - containers.oci.freshRSS.enable = true; - - services = { - audiobookshelf.enable = true; - - ddclient = { - enable = true; - passwordFile = config.age.secrets.cloudflare.path; - protocol = "cloudflare"; - }; - - forgejo.enable = true; - - navidrome = { - enable = true; - - lastfm = { - idFile = config.age.secrets.lastfmId.path; - secretFile = config.age.secrets.lastfmSecret.path; - }; - - spotify = { - idFile = config.age.secrets.spotifyId.path; - secretFile = config.age.secrets.spotifySecret.path; - }; - }; - - plexMediaServer.enable = true; - }; - }; } diff --git a/hosts/mauville/raffauflabs.nix b/hosts/mauville/raffauflabs.nix new file mode 100644 index 00000000..e16bd9d6 --- /dev/null +++ b/hosts/mauville/raffauflabs.nix 
@@ -0,0 +1,147 @@
+{
+ config,
+ lib,
+ pkgs,
+ ...
+}: let
+ audiobookshelf.port = 13378;
+ domain = "raffauflabs.com";
+ mediaDirectory = "/mnt/Media";
+ musicDirectory = "${mediaDirectory}/Music";
+
+ navidrome = {
+ port = 4533;
+
+ lastfm = {
+ idFile = config.age.secrets.lastfmId.path;
+ secretFile = config.age.secrets.lastfmSecret.path;
+ };
+
+ spotify = {
+ idFile = config.age.secrets.spotifyId.path;
+ secretFile = config.age.secrets.spotifySecret.path;
+ };
+ };
+
+ transmission = {
+ port = 9091;
+ bitTorrentPort = 5143;
+ };
+in {
+ services = {
+ audiobookshelf = {
+ enable = true;
+ port = audiobookshelf.port;
+ };
+
+ forgejo = {
+ enable = true;
+ lfs.enable = true;
+
+ settings = {
+ actions = {
+ ENABLED = true;
+ DEFAULT_ACTIONS_URL = "https://github.com";
+ };
+
+ cron = {
+ ENABLED = true;
+ RUN_AT_START = false;
+ };
+
+ DEFAULT.APP_NAME = "Forĝejo";
+
+ repository = {
+ DEFAULT_BRANCH = "master";
+ ENABLE_PUSH_CREATE_ORG = true;
+ ENABLE_PUSH_CREATE_USER = true;
+ PREFERRED_LICENSES = "GPL-3.0";
+ };
+
+ federation.ENABLED = true;
+ picture.ENABLE_FEDERATED_AVATAR = true;
+ security.PASSWORD_CHECK_PWN = true;
+
+ server = {
+ LANDING_PAGE = "explore";
+ ROOT_URL = "https://git.${domain}/";
+ };
+
+ service = {
+ ALLOW_ONLY_INTERNAL_REGISTRATION = true;
+ DISABLE_REGISTRATION = true;
+ ENABLE_NOTIFY_MAIL = true;
+ };
+
+ session.COOKIE_SECURE = true;
+
+ ui.DEFAULT_THEME = "forgejo-auto";
+ "ui.meta" = {
+ AUTHOR = "Forĝejo @ ${domain}";
+ DESCRIPTION = "Self-hosted git forge for projects + toys.";
+ KEYWORDS = "git,source code,forge,forĝejo,aly raffauf";
+ };
+ };
+ };
+
+ plex = {
+ enable = true;
+ openFirewall = true;
+ };
+
+ transmission = {
+ enable = true;
+ credentialsFile = config.age.secrets.transmission.path;
+ openFirewall = true;
+ openRPCPort = true;
+
+ settings = {
+ download-dir = mediaDirectory;
+ peer-port = transmission.bitTorrentPort;
+ rpc-bind-address = "0.0.0.0";
+ rpc-port = transmission.port;
+ };
+ };
+ };
+
+ systemd.services.navidrome.serviceConfig = let
+ navidromeConfig = builtins.toFile "navidrome.json" (lib.generators.toJSON {} {
+ Address = "0.0.0.0";
+ DefaultTheme = "Auto";
+ MusicFolder = musicDirectory;
+ Port = navidrome.port;
+ SubsonicArtistParticipations = true;
+ UIWelcomeMessage = "Welcome to Navidrome @ ${domain}";
+ "Spotify.ID" = "@spotifyClientId@";
+ "Spotify.Secret" = "@spotifyClientSecret@";
+ "LastFM.Enabled" = true;
+ "LastFM.ApiKey" = "@lastFMApiKey@";
+ "LastFM.Secret" = "@lastFMSecret@";
+ "LastFM.Language" = "en";
+ });
+
+ navidrome-secrets = pkgs.writeShellScript "navidrome-secrets" ''
+ lastFMApiKey=$(cat "${navidrome.lastfm.idFile}")
+ lastFMSecret=$(cat "${navidrome.lastfm.secretFile}")
+ spotifyClientId=$(cat "${navidrome.spotify.idFile}")
+ spotifyClientSecret=$(cat "${navidrome.spotify.secretFile}")
+ ${pkgs.gnused}/bin/sed -e "s/@lastFMApiKey@/$lastFMApiKey/" -e "s/@lastFMSecret@/$lastFMSecret/" \
+ -e "s/@spotifyClientId@/$spotifyClientId/" -e "s/@spotifyClientSecret@/$spotifyClientSecret/" \
+ ${navidromeConfig} > /var/lib/navidrome/navidrome.json
+ '';
+ in {
+ BindReadOnlyPaths = [
+ navidrome.lastfm.idFile
+ navidrome.lastfm.secretFile
+ navidrome.spotify.idFile
+ navidrome.spotify.secretFile
+ musicDirectory
+ ];
+
+ ExecStartPre = navidrome-secrets;
+ ExecStart = lib.mkForce ''
+ ${config.services.navidrome.package}/bin/navidrome --configfile /var/lib/navidrome/navidrome.json \
+ --datafolder /var/lib/navidrome/
+ '';
+ };
+}
diff --git a/hosts/slateport/default.nix b/hosts/slateport/default.nix
index 9daf3ca4..3e473425 100644
--- a/hosts/slateport/default.nix
+++ b/hosts/slateport/default.nix
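Review bot: The `navidrome-secrets` script hands all four secrets to `sed` as command-line arguments, so while that call runs they are visible to other local users through the process list (`/proc/<pid>/cmdline`), and the rendered `navidrome.json` holding them in plaintext is written with whatever umask the unit happens to run under; a key containing `/` or `&` would also corrupt the sed expression. Doing the substitution in the shell and writing the file under `umask 077` avoids all three, as sketched below (the four `cat` lines and the rest of `serviceConfig` stay as they are). Separately, `bitTorrentPort = 5143` replaces the `peer-port = 51413` removed from hosts/mauville/default.nix, which looks like a dropped digit; `bitTorrentPort = 51413;` if the existing port forward is meant to keep working. Finally, slateport's nginx proxies to 3000, 4533 and 13378 on this host but only `plex` and `transmission` set `openFirewall` here, so unless the firewall is opened elsewhere forgejo, navidrome and audiobookshelf will be unreachable from the proxy — worth confirming.
```nix
    navidrome-secrets = pkgs.writeShellScript "navidrome-secrets" ''
      # … unchanged: the four cat lines reading the secret files …
      # Substitute in the shell rather than on sed's argv, so the values never
      # appear in the process list and '/' or '&' in a key cannot break the edit.
      rendered=$(cat ${navidromeConfig})
      rendered=''${rendered//@lastFMApiKey@/"$lastFMApiKey"}
      rendered=''${rendered//@lastFMSecret@/"$lastFMSecret"}
      rendered=''${rendered//@spotifyClientId@/"$spotifyClientId"}
      rendered=''${rendered//@spotifyClientSecret@/"$spotifyClientSecret"}
      (umask 077 && printf '%s\n' "$rendered" > /var/lib/navidrome/navidrome.json)
    '';
```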
@@ -2,18 +2,16 @@ config, self, ... -}: let - domain = "raffauflabs.com"; -in { +}: { imports = [ ./disko.nix ./home.nix + ./raffauflabs.nix ./secrets.nix self.inputs.nixhw.nixosModules.common-intel-cpu self.inputs.nixhw.nixosModules.common-intel-gpu self.inputs.nixhw.nixosModules.common-bluetooth self.inputs.nixhw.nixosModules.common-ssd - self.inputs.raffauflabs.nixosModules.raffauflabs self.nixosModules.common-auto-upgrade self.nixosModules.common-base self.nixosModules.common-locale @@ -36,14 +34,6 @@ in { hardware.enableAllFirmware = true; networking.hostName = "slateport"; - - services.k3s = { - enable = true; - clusterInit = true; - role = "server"; - tokenFile = config.age.secrets.k3s.path; - }; - system.stateVersion = "24.05"; zramSwap.memoryPercent = 100; @@ -62,15 +52,4 @@ in { }; }; }; - - raffauflabs = { - inherit domain; - enable = true; - - services.ddclient = { - enable = true; - passwordFile = config.age.secrets.cloudflare.path; - protocol = "cloudflare"; - }; - }; } diff --git a/hosts/slateport/raffauflabs.nix b/hosts/slateport/raffauflabs.nix new file mode 100644 index 00000000..ae66ed25 --- /dev/null +++ b/hosts/slateport/raffauflabs.nix 
@@ -0,0 +1,132 @@
+{config, ...}: let
+ ip = "192.168.0.103";
+ domain = "raffauflabs.com";
+in {
+ networking = {
+ firewall.allowedTCPPorts = [80 443];
+ };
+
+ security.acme = {
+ acceptTerms = true;
+ defaults.email = "alyraffauf@fastmail.com";
+ };
+
+ services = {
+ ddclient = {
+ enable = true;
+
+ domains = [
+ "bt.${domain}"
+ "git.${domain}"
+ "music.${domain}"
+ "plex.${domain}"
+ "podcasts.${domain}"
+ domain
+ ];
+
+ interval = "10min";
+ passwordFile = config.age.secrets.cloudflare.path;
+ protocol = "cloudflare";
+ ssl = true;
+ use = "web, web=dynamicdns.park-your-domain.com/getip, web-skip='Current IP Address: '";
+ username = "token";
+ zone = domain;
+ };
+
+ fail2ban = {
+ enable = true;
+ bantime = "1h";
+ };
+
+ k3s = {
+ enable = true;
+ clusterInit = true;
+ role = "server";
+ tokenFile = config.age.secrets.k3s.path;
+ };
+
+ nginx = {
+ enable = true;
+ recommendedGzipSettings = true;
+ recommendedProxySettings = true;
+ recommendedTlsSettings = true;
+
+ virtualHosts = {
+ "bt.${domain}" = {
+ enableACME = true;
+ forceSSL = true;
+
+ locations."/" = {
+ proxyPass = "${ip}:${toString 9091}";
+ proxyWebsockets = true;
+
+ extraConfig = ''
+ proxy_buffering off;
+ '';
+ };
+ };
+
+ "git.${domain}" = {
+ enableACME = true;
+ forceSSL = true;
+
+ locations."/" = {
+ proxyPass = "http://${ip}:${toString 3000}";
+
+ extraConfig = ''
+ client_max_body_size 512M;
+ '';
+ };
+ };
+
+ "music.${domain}" = {
+ enableACME = true;
+ forceSSL = true;
+
+ locations."/" = {
+ proxyPass = "${ip}:${toString 4533}";
+ proxyWebsockets = true;
+
+ extraConfig = ''
+ proxy_buffering off;
+ '';
+ };
+ };
+
+ "plex.${domain}" = {
+ enableACME = true;
+ forceSSL = true;
+
+ locations."/" = {
+ proxyPass = "${ip}:32400";
+ proxyWebsockets = true;
+
+ extraConfig = ''
+ proxy_buffering off;
+ '';
+ };
+ };
+
+ "podcasts.${domain}" = {
+ enableACME = true;
+ forceSSL = true;
+
+ locations."/" = {
+ proxyPass = "${ip}:${toString 13378}";
+
+ extraConfig = ''
+ client_max_body_size 500M;
+ proxy_buffering off;
+ proxy_redirect http:// https://;
+ proxy_set_header Host $host;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_set_header Connection "upgrade";
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ '';
+ };
+ };
+ };
+ };
+ };
+}
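Review bot: `proxyPass` for the `bt`, `music` and `plex` virtual hosts has no URL scheme (`"${ip}:${toString 9091}"`, `"${ip}:${toString 4533}"`, `"${ip}:32400"`), and nginx refuses a `proxy_pass` without one ("invalid URL prefix"), so the config check should fail on these three; only the `git` host is written correctly, e.g. `proxyPass = "http://${ip}:${toString 9091}";` for `bt.${domain}`. The `podcasts` host hand-writes `Connection "upgrade"` and `Upgrade` headers for every request, which forces an upgrade even on plain HTTP calls; `proxyWebsockets = true;` as used on the other hosts sets them only when the client asks, and `recommendedProxySettings` already supplies the `Host` and `X-Forwarded-*` headers, so that `extraConfig` can shrink to the body-size and buffering lines. Since `bt.${domain}` publishes the Transmission RPC endpoint guarded only by its credentials file, consider limiting that host (for example `basicAuthFile` or a source allow-list) rather than exposing it to the whole internet.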