diff --git a/hosts/mauville/default.nix b/hosts/mauville/default.nix index 9d19abc5..39adf09d 100644 --- a/hosts/mauville/default.nix +++ b/hosts/mauville/default.nix @@ -14,6 +14,34 @@ networking.hostName = "mauville"; # Define your hostname. alyraffauf = { + apps = { + steam.enable = true; + podman.enable = true; + virt-manager.enable = true; + }; + containers = { + nixos = { + navidrome.enable = true; + }; + oci = { + audiobookshelf.enable = true; + freshRSS.enable = true; + jellyfin.enable = true; + plexMediaServer.enable = true; + transmission.enable = true; + }; + }; + desktop = { + enable = true; + hyprland.enable = true; + }; + user = { + aly.enable = true; + dustin.enable = true; + }; + services = { + binaryCache.enable = true; + }; system = { plymouth.enable = true; zramSwap = { 
@@ -21,19 +49,131 @@ size = 100; }; }; - user = { - aly.enable = true; - dustin.enable = true; + }; + + networking = { + firewall = { + allowedTCPPorts = [80 443 51413 9091]; + allowedUDPPorts = [51413]; }; - desktop = { + # My router doesn't expose settings for NAT loopback + # So we have to use this workaround. + extraHosts = '' + 127.0.0.1 music.raffauflabs.com + 127.0.0.1 nixcache.raffauflabs.com + 127.0.0.1 plex.raffauflabs.com + 127.0.0.1 podcasts.raffauflabs.com + 127.0.0.1 news.raffauflabs.com + ''; + }; + + security.acme = { + acceptTerms = true; + defaults.email = "alyraffauf@gmail.com"; + }; + + services = { + nginx = { enable = true; - hyprland.enable = true; + recommendedProxySettings = true; + recommendedTlsSettings = true; + recommendedGzipSettings = true; + + virtualHosts."music.raffauflabs.com" = { + enableACME = true; + forceSSL = true; + locations."/" = { + proxyPass = "http://127.0.0.1:4533"; + proxyWebsockets = true; # needed if you need to use WebSocket + extraConfig = '' + proxy_buffering off; + ''; + }; + }; + + virtualHosts."news.raffauflabs.com" = { + enableACME = true; + forceSSL = true; + locations."/" = { + proxyPass = "http://127.0.0.1:8080"; + proxyWebsockets = true; # needed if you need to use WebSocket + extraConfig = '' + proxy_buffering off; + proxy_redirect off; + # Forward the Authorization header for the Google Reader API. 
+ proxy_set_header Authorization $http_authorization; + proxy_pass_header Authorization; + ''; + }; + }; + + virtualHosts."nixcache.raffauflabs.com" = { + enableACME = true; + forceSSL = true; + locations."/".proxyPass = "http://${config.services.nix-serve.bindAddress}:${ + toString config.services.nix-serve.port + }"; + }; + + virtualHosts."plex.raffauflabs.com" = { + enableACME = true; + forceSSL = true; + locations."/" = { + proxyPass = "http://127.0.0.1:32400"; + proxyWebsockets = true; # needed if you need to use WebSocket + extraConfig = '' + proxy_buffering off; + ''; + }; + }; + + virtualHosts."podcasts.raffauflabs.com" = { + enableACME = true; + forceSSL = true; + locations."/" = { + proxyPass = "http://127.0.0.1:13378"; + # proxyWebsockets = true; # This breaks audiobookshelf. + extraConfig = '' + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_set_header Host $host; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection "upgrade"; + proxy_redirect http:// https://; + proxy_buffering off; + client_max_body_size 500M; + ''; + }; + }; }; - homeLab.enable = true; - apps = { - steam.enable = true; - podman.enable = true; - virt-manager.enable = true; + samba = { + enable = true; + securityType = "user"; + openFirewall = true; + shares = { + Media = { + comment = "Media @ ${config.networking.hostName}"; + path = "/mnt/Media"; + browseable = "yes"; + "read only" = "no"; + "guest ok" = "yes"; + "create mask" = "0755"; + "directory mask" = "0755"; + }; + Archive = { + comment = "Archive @ ${config.networking.hostName}"; + path = "/mnt/Archive"; + browseable = "yes"; + "read only" = "no"; + "guest ok" = "yes"; + "create mask" = "0755"; + "directory mask" = "0755"; + }; + }; + }; + samba-wsdd = { + enable = true; + openFirewall = true; }; }; diff --git a/nixosModules/containers/default.nix b/nixosModules/containers/default.nix new file mode 100644 index 00000000..93f5dfdb 
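Review bot: `allowedTCPPorts = [80 443 51413 9091]` opens 9091, the Transmission web UI/RPC port, directly to the network, while every other HTTP service in this hunk is only reachable through an nginx `virtualHosts` entry with `forceSSL = true`; 9091 has no vhost, so it is served in plaintext with the container's own auth, and the old module's comment naming which ports belong to which container (`# Open TCP ports for audiobookshelf, plex-server, and transmission-server.`) was dropped in the move. Either add a `virtualHosts."<host>"` entry proxying to `http://127.0.0.1:9091` and remove 9091 from the list, or keep a comment such as `# 9091: Transmission RPC, plaintext — LAN only` so the exposure reads as deliberate. The samba shares also pair `"guest ok" = "yes"` with `"read only" = "no"`, which lets unauthenticated clients write into /mnt/Media and /mnt/Archive; if that is intended a comment saying so would help, otherwise `"read only" = "yes"` for guests on Archive at least. The hunk begins inside the `alyraffauf.system.zramSwap` block, whose opening lines are outside it.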
--- /dev/null +++ b/nixosModules/containers/default.nix @@ -0,0 +1,8 @@ +{ + pkgs, + lib, + config, + ... +}: { + imports = [./nixos ./oci]; +} diff --git a/nixosModules/containers/nixos/default.nix b/nixosModules/containers/nixos/default.nix new file mode 100644 index 00000000..7a32ccaa --- /dev/null +++ b/nixosModules/containers/nixos/default.nix @@ -0,0 +1,8 @@ +{ + pkgs, + lib, + config, + ... +}: { + imports = [./navidrome]; +} diff --git a/nixosModules/homeLab/nixContainers/default.nix b/nixosModules/containers/nixos/navidrome/default.nix similarity index 50% rename from nixosModules/homeLab/nixContainers/default.nix rename to nixosModules/containers/nixos/navidrome/default.nix index ae332bba..8600d1ce 100644 --- a/nixosModules/homeLab/nixContainers/default.nix +++ b/nixosModules/containers/nixos/navidrome/default.nix @@ -5,14 +5,19 @@ ... }: { options = { - alyraffauf.homeLab.nixContainers.enable = - lib.mkEnableOption "Enables select nix containers."; + alyraffauf.containers.nixos.navidrome.enable = + lib.mkEnableOption "Enable navidrome nixos container."; + alyraffauf.containers.nixos.navidrome.musicDirectory = lib.mkOption { + description = "Music directory for Navidrome."; + default = "/mnt/Media/Music"; + type = lib.types.str; + }; }; - config = lib.mkIf config.alyraffauf.homeLab.nixContainers.enable { + config = lib.mkIf config.alyraffauf.containers.nixos.navidrome.enable { containers.navidrome = { autoStart = true; - bindMounts."/Music".hostPath = "/mnt/Media/Music"; + bindMounts."/Music".hostPath = config.alyraffauf.containers.nixos.navidrome.musicDirectory; config = { config, pkgs, @@ -29,7 +34,7 @@ MusicFolder = "/Music"; DefaultTheme = "Auto"; SubsonicArtistParticipations = true; - UIWelcomeMessage = "Welcome to Navidrome @ raffauflabs.com."; + UIWelcomeMessage = "Welcome to Navidrome! Registrations are closed."; }; }; }; 
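Review bot: The new `musicDirectory` option is declared with `type = lib.types.str;`, so an empty or relative string is accepted at evaluation time and only surfaces when the `bindMounts."/Music".hostPath` mount is set up; `type = lib.types.path;` rejects non-absolute values up front and states the intent, and `example = "/srv/music";` on the `mkOption` would document the expected shape. The same `types.str` declaration is used for `mediaDirectory`/`archiveDirectory` in the audiobookshelf, jellyfin, plexMediaServer and transmission modules. The container `config = { config, pkgs, ...` block continues past the end of this hunk.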
diff --git a/nixosModules/containers/oci/audiobookshelf/default.nix b/nixosModules/containers/oci/audiobookshelf/default.nix
new file mode 100644
index 00000000..75b121dd
--- /dev/null
+++ b/nixosModules/containers/oci/audiobookshelf/default.nix
@@ -0,0 +1,27 @@
+{
+ pkgs,
+ lib,
+ config,
+ ...
+}: {
+ options = {
+ alyraffauf.containers.oci.audiobookshelf.enable =
+ lib.mkEnableOption "Enable audiobookshelf podcast and audiobook server.";
+ alyraffauf.containers.oci.audiobookshelf.mediaDirectory = lib.mkOption {
+ description = "Media directory for audiobookshelf.";
+ default = "/mnt/Media";
+ type = lib.types.str;
+ };
+ };
+
+ config = lib.mkIf config.alyraffauf.containers.oci.audiobookshelf.enable {
+ virtualisation.oci-containers.containers = {
+ audiobookshelf = {
+ ports = ["0.0.0.0:13378:80"];
+ image = "ghcr.io/advplyr/audiobookshelf:latest";
+ environment = {TZ = "America/New_York";};
+ volumes = ["abs_config:/config" "abs_metadata:/metadata" "${config.alyraffauf.containers.oci.audiobookshelf.mediaDirectory}:/Media"];
+ };
+ };
+ };
+}
diff --git a/nixosModules/containers/oci/default.nix b/nixosModules/containers/oci/default.nix
new file mode 100644
index 00000000..4a788ff4
--- /dev/null
+++ b/nixosModules/containers/oci/default.nix
@@ -0,0 +1,14 @@
+{
+ pkgs,
+ lib,
+ config,
+ ...
+}: {
+ imports = [
+ ./audiobookshelf
+ ./freshRSS
+ ./jellyfin
+ ./plexMediaServer
+ ./transmission
+ ];
+}
diff --git a/nixosModules/containers/oci/freshRSS/default.nix b/nixosModules/containers/oci/freshRSS/default.nix
new file mode 100644
index 00000000..719af35a
--- /dev/null
+++ b/nixosModules/containers/oci/freshRSS/default.nix
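Review bot: `ports = ["0.0.0.0:13378:80"]` publishes the container on every host interface, although the only consumer in this commit is the nginx vhost on the same host, which proxies to `http://127.0.0.1:13378`. Published ports are set up by the container runtime's own forwarding rules, so depending on the backend they can be reachable even though 13378 is not in `networking.firewall.allowedTCPPorts`; binding to loopback, `ports = ["127.0.0.1:13378:80"];`, keeps the TLS proxy as the only entry point. freshRSS (8080) and jellyfin (8096, which has no vhost at all) bind the same way and would benefit from the same change; Plex's 32400 and Transmission's peer port 51413 may legitimately need a non-loopback bind, which a comment on those two lines should say.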
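Review bot: The deleted `homeLab/ociContainers` module set `alyraffauf.apps.podman.enable = lib.mkDefault true;`, and none of the five container modules imported here carry that default over, so a host that enables only one of them now depends on `apps.podman` being set by hand (mauville does so in hosts/mauville/default.nix). The upstream oci-containers module turns on `virtualisation.podman` by itself for the podman backend, but if `apps.podman` configures anything beyond that (not visible in this diff) this is a silent regression for other hosts. Restoring `alyraffauf.apps.podman.enable = lib.mkDefault true;` inside each module's `config` block, or here guarded on any of the containers being enabled, keeps the old behaviour.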
@@ -0,0 +1,28 @@
+{
+ pkgs,
+ lib,
+ config,
+ ...
+}: {
+ options = {
+ alyraffauf.containers.oci.freshRSS.enable =
+ lib.mkEnableOption "Enable FreshRSS news client.";
+ };
+
+ config = lib.mkIf config.alyraffauf.containers.oci.freshRSS.enable {
+ virtualisation.oci-containers.containers = {
+ freshrss = {
+ ports = ["0.0.0.0:8080:80"];
+ image = "freshrss/freshrss:latest";
+ environment = {
+ TZ = "America/New_York";
+ CRON_MIN = "1,31";
+ };
+ volumes = [
+ "freshrss_data:/var/www/FreshRSS/data"
+ "freshrss_extensions:/var/www/FreshRSS/extensions"
+ ];
+ };
+ };
+ };
+}
diff --git a/nixosModules/containers/oci/jellyfin/default.nix b/nixosModules/containers/oci/jellyfin/default.nix
new file mode 100644
index 00000000..ad912648
--- /dev/null
+++ b/nixosModules/containers/oci/jellyfin/default.nix
@@ -0,0 +1,37 @@
+{
+ pkgs,
+ lib,
+ config,
+ ...
+}: {
+ options = {
+ alyraffauf.containers.oci.jellyfin.enable =
+ lib.mkEnableOption "Enable Jellyfin media server.";
+ alyraffauf.containers.oci.jellyfin.mediaDirectory = lib.mkOption {
+ description = "Media directory for Jellyfin.";
+ default = "/mnt/Media";
+ type = lib.types.str;
+ };
+ alyraffauf.containers.oci.jellyfin.archiveDirectory = lib.mkOption {
+ description = "Archive directory for Jellyfin.";
+ default = "/mnt/Archive";
+ type = lib.types.str;
+ };
+ };
+
+ config = lib.mkIf config.alyraffauf.containers.oci.jellyfin.enable {
+ virtualisation.oci-containers.containers = {
+ jellyfin = {
+ ports = ["0.0.0.0:8096:8096"];
+ image = "jellyfin/jellyfin";
+ environment = {TZ = "America/New_York";};
+ volumes = [
+ "jellyfin_config:/config"
+ "jellyfin_cache:/cache"
+ "${config.alyraffauf.containers.oci.jellyfin.mediaDirectory}:/Media"
+ "${config.alyraffauf.containers.oci.jellyfin.archiveDirectory}:/Archive"
+ ];
+ };
+ };
+ };
+}
diff --git a/nixosModules/containers/oci/plexMediaServer/default.nix b/nixosModules/containers/oci/plexMediaServer/default.nix
new file mode 100644
index 00000000..77b5e4c6
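Review bot: `image = "freshrss/freshrss:latest";` is a floating tag, so each image pull can silently deploy different code and the NixOS generation no longer pins what actually runs, which also defeats rollback at the container level. Pinning to a release tag, ideally with a digest, `image = "freshrss/freshrss:<version>@sha256:<digest>";` (placeholder values), ties the running image to what was reviewed. The same applies to audiobookshelf and transmission (`:latest`), jellyfin (`jellyfin/jellyfin` with no tag, i.e. implicit latest) and plexMediaServer (the floating `:public` tag); a comment on each `image` line naming where the pin is updated would help whoever bumps them.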
--- /dev/null
+++ b/nixosModules/containers/oci/plexMediaServer/default.nix
@@ -0,0 +1,37 @@
+{
+ pkgs,
+ lib,
+ config,
+ ...
+}: {
+ options = {
+ alyraffauf.containers.oci.plexMediaServer.enable =
+ lib.mkEnableOption "Enable Plex Media Server.";
+ alyraffauf.containers.oci.plexMediaServer.mediaDirectory = lib.mkOption {
+ description = "Media directory for Plex Media Server.";
+ default = "/mnt/Media";
+ type = lib.types.str;
+ };
+ alyraffauf.containers.oci.plexMediaServer.archiveDirectory = lib.mkOption {
+ description = "Archive directory for Plex Media Server.";
+ default = "/mnt/Archive";
+ type = lib.types.str;
+ };
+ };
+
+ config = lib.mkIf config.alyraffauf.containers.oci.plexMediaServer.enable {
+ virtualisation.oci-containers.containers = {
+ plexMediaServer = {
+ ports = ["0.0.0.0:32400:32400"];
+ image = "plexinc/pms-docker:public";
+ environment = {TZ = "America/New_York";};
+ volumes = [
+ "plex_config:/config"
+ "plex_transcode:/transcode"
+ "${config.alyraffauf.containers.oci.plexMediaServer.mediaDirectory}:/Media"
+ "${config.alyraffauf.containers.oci.plexMediaServer.archiveDirectory}:/Archive"
+ ];
+ };
+ };
+ };
+}
diff --git a/nixosModules/containers/oci/transmission/default.nix b/nixosModules/containers/oci/transmission/default.nix
new file mode 100644
index 00000000..0c623ff7
--- /dev/null
+++ b/nixosModules/containers/oci/transmission/default.nix
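Review bot: `environment = {TZ = "America/New_York";};` is repeated verbatim in all five container modules, so a host in another zone has to edit each one; `TZ = config.time.timeZone;` would follow the host, guarded by `lib.mkIf (config.time.timeZone != null)` or a fallback because that option defaults to null and `environment` values must be strings. The container is also renamed from `plex-server` to `plexMediaServer` (and `transmission-server` to `transmission` in the next module), which changes the generated systemd unit name; the named volumes `plex_config` and `plex_transcode` are reused so data should carry over, but I would expect the old container to need manual removal after the switch, which is worth a line in the commit message or a comment on the `plexMediaServer = {` line.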
@@ -0,0 +1,40 @@
+{
+ pkgs,
+ lib,
+ config,
+ ...
+}: {
+ options = {
+ alyraffauf.containers.oci.transmission.enable =
+ lib.mkEnableOption "Enable Transmission Bittorrent server.";
+ alyraffauf.containers.oci.transmission.mediaDirectory = lib.mkOption {
+ description = "Media directory for Transmission.";
+ default = "/mnt/Media";
+ type = lib.types.str;
+ };
+ alyraffauf.containers.oci.transmission.archiveDirectory = lib.mkOption {
+ description = "Archive directory for Transmission.";
+ default = "/mnt/Archive";
+ type = lib.types.str;
+ };
+ };
+
+ config = lib.mkIf config.alyraffauf.containers.oci.transmission.enable {
+ virtualisation.oci-containers.containers = {
+ transmission = {
+ ports = ["0.0.0.0:9091:9091" "0.0.0.0:51413:51413"];
+ image = "linuxserver/transmission:latest";
+ environment = {
+ PGID = "1000";
+ PUID = "1000";
+ TZ = "America/New_York";
+ };
+ volumes = [
+ "transmission_config:/config"
+ "${config.alyraffauf.containers.oci.transmission.mediaDirectory}:/Media"
+ "${config.alyraffauf.containers.oci.transmission.archiveDirectory}:/Archive"
+ ];
+ };
+ };
+ };
+}
diff --git a/nixosModules/default.nix b/nixosModules/default.nix
index 19007c8e..54a9fdc8 100644
--- a/nixosModules/default.nix
+++ b/nixosModules/default.nix
@@ -3,5 +3,5 @@
 pkgs,
 ...
 }: {
- imports = [./apps ./desktop ./homeLab ./services ./system ./user];
+ imports = [./apps ./containers ./desktop ./services ./system ./user];
 }
diff --git a/nixosModules/homeLab/default.nix b/nixosModules/homeLab/default.nix
deleted file mode 100644
index e2fc1563..00000000
--- a/nixosModules/homeLab/default.nix
+++ /dev/null
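Review bot: `PUID = "1000"` and `PGID = "1000"` hard-code the uid/gid the image drops to, and that identity is what writes into the bind-mounted `mediaDirectory` and `archiveDirectory`; nothing ties it to a host account, so on a host where uid 1000 belongs to someone else the downloads end up owned by that user, and the same directories are shared read-write to samba guests in hosts/mauville/default.nix. Exposing it as an option with `default = "1000";`, or deriving it from the intended user (`PUID = toString config.users.users.<user>.uid;`, only valid when that user has a fixed uid), makes the mapping explicit; at minimum a comment such as `# uid/gid of the host user that owns /mnt/Media and /mnt/Archive` documents the assumption. Transmission also publishes 9091 on `0.0.0.0` and the host opens it in the firewall without a TLS vhost, see the note on the hosts/mauville hunk.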
@@ -1,20 +0,0 @@ -{ - pkgs, - lib, - config, - ... -}: { - imports = [./binaryCache ./reverseProxy ./nixContainers ./ociContainers ./samba]; - - options = { - alyraffauf.homeLab.enable = lib.mkEnableOption "Enables fully functional Home Lab."; - }; - - config = lib.mkIf config.alyraffauf.homeLab.enable { - alyraffauf.homeLab.binaryCache.enable = lib.mkDefault true; - alyraffauf.homeLab.nixContainers.enable = lib.mkDefault true; - alyraffauf.homeLab.ociContainers.enable = lib.mkDefault true; - alyraffauf.homeLab.reverseProxy.enable = lib.mkDefault true; - alyraffauf.homeLab.samba.enable = lib.mkDefault true; - }; -} diff --git a/nixosModules/homeLab/ociContainers/default.nix b/nixosModules/homeLab/ociContainers/default.nix deleted file mode 100644 index 3de9afb6..00000000 --- a/nixosModules/homeLab/ociContainers/default.nix +++ /dev/null 
@@ -1,72 +0,0 @@ -{ - pkgs, - lib, - config, - ... -}: { - options = { - alyraffauf.homeLab.ociContainers.enable = - lib.mkEnableOption "Enables select OCI containers."; - }; - - config = lib.mkIf config.alyraffauf.homeLab.ociContainers.enable { - alyraffauf.apps.podman.enable = lib.mkDefault true; - - virtualisation.oci-containers.containers = { - audiobookshelf = { - ports = ["0.0.0.0:13378:80"]; - image = "ghcr.io/advplyr/audiobookshelf:latest"; - environment = {TZ = "America/New_York";}; - volumes = ["abs_config:/config" "abs_metadata:/metadata" "/mnt/Media:/Media"]; - }; - plex-server = { - ports = ["0.0.0.0:32400:32400"]; - image = "plexinc/pms-docker:public"; - environment = {TZ = "America/New_York";}; - volumes = [ - "plex_config:/config" - "plex_transcode:/transcode" - "/mnt/Media:/Media" - "/mnt/Archive:/Archive" - ]; - }; - transmission-server = { - ports = ["0.0.0.0:9091:9091" "0.0.0.0:51413:51413"]; - image = "linuxserver/transmission:latest"; - environment = { - PGID = "1000"; - PUID = "1000"; - TZ = "America/New_York"; - }; - volumes = [ - "transmission_config:/config" - "/mnt/Media:/Media" - "/mnt/Archive:/Archive" - ]; - }; - jellyfin = { - ports = ["0.0.0.0:8096:8096"]; - image = "jellyfin/jellyfin"; - environment = {TZ = "America/New_York";}; - volumes = [ - "jellyfin_config:/config" - "jellyfin_cache:/cache" - "/mnt/Media:/Media" - "/mnt/Archive:/Archive" - ]; - }; - freshrss = { - ports = ["0.0.0.0:8080:80"]; - image = "freshrss/freshrss:latest"; - environment = { - TZ = "America/New_York"; - CRON_MIN = "1,31"; - }; - volumes = [ - "freshrss_data:/var/www/FreshRSS/data" - "freshrss_extensions:/var/www/FreshRSS/extensions" - ]; - }; - }; - }; -} diff --git a/nixosModules/homeLab/reverseProxy/default.nix b/nixosModules/homeLab/reverseProxy/default.nix deleted file mode 100644 index dcb069d8..00000000 --- a/nixosModules/homeLab/reverseProxy/default.nix +++ /dev/null 
@@ -1,111 +0,0 @@ -{ - pkgs, - lib, - config, - ... -}: { - options = { - alyraffauf.homeLab.reverseProxy.enable = - lib.mkEnableOption "Enables nginx reverse proxy."; - }; - - config = lib.mkIf config.alyraffauf.homeLab.reverseProxy.enable { - # services.ddclient.enable = true; - # services.ddclient.configFile = "/etc/ddclient/ddclient.conf"; - - # Open TCP ports for audiobookshelf, plex-server, and transmission-server. - networking = { - firewall = { - allowedTCPPorts = [80 443 51413 9091]; - allowedUDPPorts = [51413]; - }; - # My router doesn't expose settings for NAT loopback - # So we have to use this workaround. - extraHosts = '' - 127.0.0.1 music.raffauflabs.com - 127.0.0.1 nixcache.raffauflabs.com - 127.0.0.1 plex.raffauflabs.com - 127.0.0.1 podcasts.raffauflabs.com - 127.0.0.1 news.raffauflabs.com - ''; - }; - - security.acme = { - acceptTerms = true; - defaults.email = "alyraffauf@gmail.com"; - }; - services.nginx = { - enable = true; - recommendedProxySettings = true; - recommendedTlsSettings = true; - recommendedGzipSettings = true; - - virtualHosts."music.raffauflabs.com" = { - enableACME = true; - forceSSL = true; - locations."/" = { - proxyPass = "http://127.0.0.1:4533"; - proxyWebsockets = true; # needed if you need to use WebSocket - extraConfig = '' - proxy_buffering off; - ''; - }; - }; - - virtualHosts."news.raffauflabs.com" = { - enableACME = true; - forceSSL = true; - locations."/" = { - proxyPass = "http://127.0.0.1:8080"; - proxyWebsockets = true; # needed if you need to use WebSocket - extraConfig = '' - proxy_buffering off; - proxy_redirect off; - # Forward the Authorization header for the Google Reader API. 
- proxy_set_header Authorization $http_authorization; - proxy_pass_header Authorization; - ''; - }; - }; - - virtualHosts."nixcache.raffauflabs.com" = { - enableACME = true; - forceSSL = true; - locations."/".proxyPass = "http://${config.services.nix-serve.bindAddress}:${ - toString config.services.nix-serve.port - }"; - }; - - virtualHosts."plex.raffauflabs.com" = { - enableACME = true; - forceSSL = true; - locations."/" = { - proxyPass = "http://127.0.0.1:32400"; - proxyWebsockets = true; # needed if you need to use WebSocket - extraConfig = '' - proxy_buffering off; - ''; - }; - }; - - virtualHosts."podcasts.raffauflabs.com" = { - enableACME = true; - forceSSL = true; - locations."/" = { - proxyPass = "http://127.0.0.1:13378"; - # proxyWebsockets = true; # This breaks audiobookshelf. - extraConfig = '' - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Proto $scheme; - proxy_set_header Host $host; - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection "upgrade"; - proxy_redirect http:// https://; - proxy_buffering off; - client_max_body_size 500M; - ''; - }; - }; - }; - }; -} diff --git a/nixosModules/homeLab/samba/default.nix b/nixosModules/homeLab/samba/default.nix deleted file mode 100644 index 19df73d3..00000000 --- a/nixosModules/homeLab/samba/default.nix +++ /dev/null 
@@ -1,45 +0,0 @@ -{ - pkgs, - lib, - config, - ... -}: { - options = { - alyraffauf.homeLab.samba.enable = - lib.mkEnableOption "Enables /Archive and /Media samba shares."; - }; - - config = lib.mkIf config.alyraffauf.homeLab.samba.enable { - services = { - samba = { - enable = true; - securityType = "user"; - openFirewall = true; - shares = { - Media = { - comment = "Media @Mauville"; - path = "/mnt/Media"; - browseable = "yes"; - "read only" = "no"; - "guest ok" = "yes"; - "create mask" = "0755"; - "directory mask" = "0755"; - }; - Archive = { - comment = "Archive @Mauville"; - path = "/mnt/Archive"; - browseable = "yes"; - "read only" = "no"; - "guest ok" = "yes"; - "create mask" = "0755"; - "directory mask" = "0755"; - }; - }; - }; - samba-wsdd = { - enable = true; - openFirewall = true; - }; - }; - }; -} diff --git a/nixosModules/homeLab/binaryCache/default.nix b/nixosModules/services/binaryCache/default.nix similarity index 50% rename from nixosModules/homeLab/binaryCache/default.nix rename to nixosModules/services/binaryCache/default.nix index 4d0eae28..6940be8c 100644 --- a/nixosModules/homeLab/binaryCache/default.nix +++ b/nixosModules/services/binaryCache/default.nix @@ -5,10 +5,10 @@ ... }: { options = { - alyraffauf.homeLab.binaryCache.enable = lib.mkEnableOption "Enables nixpkgs cache."; + alyraffauf.services.binaryCache.enable = lib.mkEnableOption "Enable nixpkgs cache server."; }; - config = lib.mkIf config.alyraffauf.homeLab.binaryCache.enable { + config = lib.mkIf config.alyraffauf.services.binaryCache.enable { services.nix-serve = { enable = true; secretKeyFile = "/var/cache-priv-key.pem"; diff --git a/nixosModules/services/default.nix b/nixosModules/services/default.nix index eb326b9a..d3502354 100644 --- a/nixosModules/services/default.nix +++ b/nixosModules/services/default.nix @@ -4,5 +4,5 @@ config, ... }: { - imports = [./flatpak]; + imports = [./binaryCache ./flatpak]; }