mirror of
https://github.com/alyraffauf/nixcfg.git
synced 2024-11-22 07:53:55 -05:00
338 lines
8 KiB
Nix
338 lines
8 KiB
Nix
# Custom desktop with AMD Ryzen 5 2600, 16GB RAM, AMD Rx 6700, and 1TB SSD + 2TB HDD.
|
|
{
|
|
config,
|
|
input,
|
|
lib,
|
|
pkgs,
|
|
self,
|
|
...
|
|
}: let
|
|
acmeEmail = "alyraffauf@gmail.com";
|
|
hostName = "mauville";
|
|
domain = "raffauflabs.com";
|
|
mediaDirectory = "/mnt/Media";
|
|
archiveDirectory = "/mnt/Archive";
|
|
in {
|
|
imports = [
|
|
./filesystems.nix
|
|
./hardware.nix
|
|
./home.nix
|
|
];
|
|
|
|
age.secrets = {
|
|
cloudflare.file = ../../secrets/cloudflare.age;
|
|
nixCache.file = ../../secrets/nixCache/privKey.age;
|
|
};
|
|
|
|
boot.loader = {
|
|
efi.canTouchEfiVariables = true;
|
|
systemd-boot.enable = true;
|
|
};
|
|
|
|
system.stateVersion = "23.11";
|
|
|
|
networking = {
|
|
firewall = {
|
|
allowedTCPPorts = [
|
|
80
|
|
443
|
|
config.ar.containers.oci.transmission.port
|
|
config.ar.containers.oci.transmission.bitTorrentPort
|
|
];
|
|
|
|
allowedUDPPorts = [config.ar.containers.oci.transmission.bitTorrentPort];
|
|
};
|
|
|
|
# My router doesn't expose settings for NAT loopback
|
|
# So we have to use this workaround.
|
|
extraHosts = ''
|
|
127.0.0.1 git.${domain}
|
|
127.0.0.1 music.${domain}
|
|
127.0.0.1 news.${domain}
|
|
127.0.0.1 nixcache.${domain}
|
|
127.0.0.1 plex.${domain}
|
|
127.0.0.1 podcasts.${domain}
|
|
'';
|
|
|
|
hostName = hostName;
|
|
};
|
|
|
|
security.acme = {
|
|
acceptTerms = true;
|
|
defaults.email = acmeEmail;
|
|
};
|
|
|
|
services = {
|
|
ddclient = {
|
|
enable = true;
|
|
domains = [
|
|
"git.raffauflabs.com"
|
|
"music.raffauflabs.com"
|
|
"plex.raffauflabs.com"
|
|
"podcasts.raffauflabs.com"
|
|
"raffauflabs.com"
|
|
];
|
|
interval = "10min";
|
|
passwordFile = config.age.secrets.cloudflare.path;
|
|
protocol = "cloudflare";
|
|
ssl = true;
|
|
use = "web, web=dynamicdns.park-your-domain.com/getip, web-skip='Current IP Address: '";
|
|
username = "token";
|
|
zone = "raffauflabs.com";
|
|
};
|
|
|
|
fail2ban.enable = true;
|
|
|
|
forgejo = {
|
|
enable = true;
|
|
lfs.enable = true;
|
|
|
|
settings = {
|
|
actions = {
|
|
ENABLED = true;
|
|
DEFAULT_ACTIONS_URL = "https://github.com";
|
|
};
|
|
|
|
cron = {
|
|
ENABLED = true;
|
|
RUN_AT_START = false;
|
|
};
|
|
|
|
DEFAULT.APP_NAME = "Git @ RaffaufLabs.com";
|
|
|
|
repository = {
|
|
DEFAULT_BRANCH = "master";
|
|
ENABLE_PUSH_CREATE_ORG = true;
|
|
ENABLE_PUSH_CREATE_USER = true;
|
|
PREFERRED_LICENSES = "GPL-3.0";
|
|
};
|
|
|
|
federation.ENABLED = true;
|
|
picture.ENABLE_FEDERATED_AVATAR = true;
|
|
security.PASSWORD_CHECK_PWN = true;
|
|
|
|
server = {
|
|
LANDING_PAGE = "explore";
|
|
ROOT_URL = "https://git.${domain}/";
|
|
};
|
|
|
|
service = {
|
|
ALLOW_ONLY_INTERNAL_REGISTRATION = true;
|
|
DISABLE_REGISTRATION = false;
|
|
ENABLE_NOTIFY_MAIL = true;
|
|
};
|
|
|
|
session.COOKIE_SECURE = true;
|
|
|
|
ui.DEFAULT_THEME = "forgejo-auto";
|
|
"ui.meta" = {
|
|
AUTHOR = "Git @ RaffaufLabs.com";
|
|
DESCRIPTION = "Self-hosted git projects + toys.";
|
|
KEYWORDS = "git,forge,forgejo,aly raffauf";
|
|
};
|
|
};
|
|
};
|
|
|
|
nginx = {
|
|
enable = true;
|
|
recommendedGzipSettings = true;
|
|
recommendedProxySettings = true;
|
|
recommendedTlsSettings = true;
|
|
|
|
virtualHosts = {
|
|
"git.${domain}" = {
|
|
enableACME = true;
|
|
forceSSL = true;
|
|
|
|
locations."/" = {
|
|
proxyPass = "http://${config.services.forgejo.settings.server.HTTP_ADDR}:${toString config.services.forgejo.settings.server.HTTP_PORT}";
|
|
|
|
extraConfig = ''
|
|
client_max_body_size 512M;
|
|
'';
|
|
};
|
|
};
|
|
|
|
"music.${domain}" = {
|
|
enableACME = true;
|
|
forceSSL = true;
|
|
|
|
locations."/" = {
|
|
proxyPass = "http://127.0.0.1:${toString config.ar.services.navidrome.port}";
|
|
proxyWebsockets = true;
|
|
|
|
extraConfig = ''
|
|
proxy_buffering off;
|
|
'';
|
|
};
|
|
};
|
|
|
|
"news.${domain}" = {
|
|
enableACME = true;
|
|
forceSSL = true;
|
|
|
|
locations."/" = {
|
|
proxyPass = "http://127.0.0.1:${toString config.ar.containers.oci.freshRSS.port}";
|
|
proxyWebsockets = true; # needed if you need to use WebSocket
|
|
|
|
extraConfig = ''
|
|
proxy_buffering off;
|
|
proxy_redirect off;
|
|
# Forward the Authorization header for the Google Reader API.
|
|
proxy_pass_header Authorization;
|
|
proxy_set_header Authorization $http_authorization;
|
|
'';
|
|
};
|
|
};
|
|
|
|
"nixcache.${domain}" = {
|
|
enableACME = true;
|
|
forceSSL = true;
|
|
|
|
locations."/".proxyPass = "http://${config.services.nix-serve.bindAddress}:${
|
|
toString config.services.nix-serve.port
|
|
}";
|
|
};
|
|
|
|
"plex.${domain}" = {
|
|
enableACME = true;
|
|
forceSSL = true;
|
|
|
|
locations."/" = {
|
|
proxyPass = "http://127.0.0.1:${toString config.ar.containers.oci.plexMediaServer.port}";
|
|
proxyWebsockets = true;
|
|
|
|
extraConfig = ''
|
|
proxy_buffering off;
|
|
'';
|
|
};
|
|
};
|
|
|
|
"podcasts.${domain}" = {
|
|
enableACME = true;
|
|
forceSSL = true;
|
|
|
|
locations."/" = {
|
|
proxyPass = "http://127.0.0.1:${toString config.ar.containers.oci.audiobookshelf.port}";
|
|
|
|
extraConfig = ''
|
|
client_max_body_size 500M;
|
|
proxy_buffering off;
|
|
proxy_redirect http:// https://;
|
|
proxy_set_header Host $host;
|
|
proxy_set_header X-Forwarded-Proto $scheme;
|
|
proxy_set_header Connection "upgrade";
|
|
proxy_set_header Upgrade $http_upgrade;
|
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
'';
|
|
};
|
|
};
|
|
};
|
|
};
|
|
|
|
nix-serve = {
|
|
enable = true;
|
|
secretKeyFile = config.age.secrets.nixCache.path;
|
|
};
|
|
|
|
ollama = {
|
|
enable = true;
|
|
acceleration = "rocm";
|
|
};
|
|
|
|
samba = {
|
|
enable = true;
|
|
openFirewall = true;
|
|
securityType = "user";
|
|
|
|
shares = {
|
|
Media = {
|
|
browseable = "yes";
|
|
comment = "Media @ ${hostName}";
|
|
path = mediaDirectory;
|
|
"read only" = "no";
|
|
"guest ok" = "yes";
|
|
"create mask" = "0755";
|
|
"directory mask" = "0755";
|
|
};
|
|
|
|
Archive = {
|
|
browseable = "yes";
|
|
comment = "Archive @ ${hostName}";
|
|
path = archiveDirectory;
|
|
"create mask" = "0755";
|
|
"directory mask" = "0755";
|
|
"guest ok" = "yes";
|
|
"read only" = "no";
|
|
};
|
|
};
|
|
};
|
|
|
|
samba-wsdd = {
|
|
enable = true;
|
|
openFirewall = true;
|
|
};
|
|
};
|
|
|
|
ar = {
|
|
apps = {
|
|
firefox.enable = true;
|
|
nicotine-plus.enable = true;
|
|
podman.enable = true;
|
|
steam.enable = true;
|
|
virt-manager.enable = true;
|
|
};
|
|
|
|
base = {
|
|
enable = true;
|
|
zramSwap.size = 100;
|
|
};
|
|
|
|
containers = {
|
|
oci = {
|
|
audiobookshelf.enable = true;
|
|
freshRSS.enable = true;
|
|
plexMediaServer.enable = true;
|
|
transmission.enable = true;
|
|
};
|
|
};
|
|
|
|
desktop = {
|
|
greetd = {
|
|
enable = true;
|
|
|
|
autologin = {
|
|
enable = true;
|
|
user = "aly";
|
|
};
|
|
};
|
|
|
|
hyprland.enable = true;
|
|
steam.enable = true;
|
|
};
|
|
|
|
users = {
|
|
aly = {
|
|
enable = true;
|
|
password = "$y$j9T$SHPShqI2IpRE101Ey2ry/0$0mhW1f9LbVY02ifhJlP9XVImge9HOpf23s9i1JFLIt9";
|
|
};
|
|
|
|
dustin = {
|
|
enable = true;
|
|
password = "$y$j9T$3mMCBnUQ.xjuPIbSof7w0.$fPtRGblPRSwRLj7TFqk1nzuNQk2oVlgvb/bE47sghl.";
|
|
};
|
|
};
|
|
|
|
services = {
|
|
syncthing = {
|
|
enable = true;
|
|
syncMusic = true;
|
|
musicPath = "${mediaDirectory}/Music";
|
|
};
|
|
|
|
navidrome.enable = true;
|
|
tailscale.enable = true;
|
|
};
|
|
};
|
|
}
|