2023-10-12 22:54:05 -05:00
/*
2025-02-14 13:31:18 -06:00
if ur fans get loud :
2023-10-12 22:54:05 -05:00
2025-02-14 13:31:18 -06:00
# enable manual fan control
sudo nix run nixpkgs #ipmitool -- raw 0x30 0x30 0x01 0x00
2023-10-12 22:54:05 -05:00
2025-02-14 13:31:18 -06:00
# set fan speed to last byte as decimal
sudo nix run nixpkgs #ipmitool -- raw 0x30 0x30 0x02 0xff 0x00
2023-10-12 22:54:05 -05:00
* /
2023-10-03 11:52:44 -05:00
{
2024-09-12 11:58:24 -05:00
/*
2025-02-14 13:31:18 -06:00
inputs ,
outputs ,
2024-09-12 11:58:24 -05:00
* /
2024-02-21 22:15:41 -06:00
lib ,
2024-02-21 20:39:10 -06:00
config ,
2023-10-03 11:52:44 -05:00
pkgs ,
2025-02-16 23:53:40 -06:00
hardware ,
2023-10-03 11:52:44 -05:00
. . .
2025-02-14 13:31:18 -06:00
} :
{
2024-09-04 10:31:06 -05:00
system . stateVersion = " 2 4 . 0 5 " ;
2024-03-13 21:12:14 -05:00
networking . hostName = " b e e f c a k e " ;
2023-11-02 13:14:43 -05:00
2025-02-16 23:53:40 -06:00
boot = {
zfs = {
extraPools = [ " z s t o r a g e " ] ;
} ;
supportedFilesystems = {
zfs = true ;
} ;
initrd . supportedFilesystems = {
zfs = true ;
} ;
# kernelPackages = config.boot.zfs.package.latestCompatibleLinuxPackages;
initrd . availableKernelModules = [
" e h c i _ p c i "
" m p t 3 s a s "
" u s b h i d "
" s d _ m o d "
] ;
kernelModules = [ " k v m - i n t e l " ] ;
kernelParams = [ " n o h i b e r n a t e " ] ;
loader . systemd-boot . enable = true ;
loader . efi . canTouchEfiVariables = true ;
} ;
fileSystems = {
" / " = {
device = " / d e v / d i s k / b y - u u i d / 9 9 2 c e 5 5 c - 7 5 0 7 - 4 d 6 b - 9 3 8 c - 4 5 b 7 e 8 9 1 f 3 9 5 " ;
fsType = " e x t 4 " ;
} ;
" / b o o t " = {
device = " / d e v / d i s k / b y - u u i d / B 6 C 4 - 7 C F 4 " ;
fsType = " v f a t " ;
options = [
" f m a s k = 0 0 2 2 "
" d m a s k = 0 0 2 2 "
] ;
} ;
" / n i x " = {
device = " z s t o r a g e / n i x " ;
fsType = " z f s " ;
} ;
} ;
2023-09-05 21:46:55 -05:00
2025-02-16 23:53:40 -06:00
networking = {
hostId = " 5 4 1 e d e 5 5 " ;
} ;
2023-09-05 21:46:55 -05:00
2025-02-16 23:53:40 -06:00
services = {
zfs = {
autoScrub . enable = true ;
autoSnapshot . enable = true ;
} ;
tailscale . useRoutingFeatures = " s e r v e r " ;
2023-09-05 21:46:55 -05:00
2025-02-16 23:53:40 -06:00
} ;
2024-09-06 08:39:30 -05:00
2025-02-16 23:53:40 -06:00
sops = {
defaultSopsFile = ../../secrets/beefcake/secrets.yml ;
secrets = {
netlify-ddns-password . mode = " 0 4 0 0 " ;
nix-cache-priv-key . mode = " 0 4 0 0 " ;
} ;
} ;
2024-09-06 08:39:30 -05:00
2025-02-16 23:53:40 -06:00
virtualisation . oci-containers . backend = " p o d m a n " ;
2024-09-06 08:39:30 -05:00
2025-02-16 23:53:40 -06:00
services . deno-netlify-ddns-client = {
enable = true ;
passwordFile = config . sops . secrets . netlify-ddns-password . path ;
username = " b e e f c a k e . h " ;
} ;
environment . systemPackages = with pkgs ; [
aria2
restic
btrfs-progs
zfs
smartmontools
htop
bottom
curl
xh
] ;
2025-02-17 00:01:57 -06:00
home-manager . users . daniel = {
lyte . shell . enable = true ;
} ;
2025-02-16 23:53:40 -06:00
imports = [
hardware . common-cpu-intel
2024-03-13 21:12:14 -05:00
{
services . nix-serve = {
2025-02-16 23:53:40 -06:00
enable = true ;
2024-09-06 15:34:18 -05:00
secretKeyFile = config . sops . secrets . nix-cache-priv-key . path ;
2024-03-13 21:12:14 -05:00
} ;
services . caddy . virtualHosts . " n i x . h . l y t e . d e v " = {
extraConfig = ''
reverse_proxy : $ { toString config . services . nix-serve . port }
'' ;
} ;
2024-03-28 13:10:51 -05:00
# regularly build this flake so we have stuff in the cache
2024-03-28 13:12:00 -05:00
# TODO: schedule this for nightly builds instead of intervals based on boot time
2024-09-06 16:32:10 -05:00
systemd . timers . " b u i l d - l y t e d e v - f l a k e " = {
2025-02-14 13:31:18 -06:00
wantedBy = [ " t i m e r s . t a r g e t " ] ;
2024-09-06 16:32:10 -05:00
timerConfig = {
OnBootSec = " 3 0 m " ; # 30 minutes after booting
OnUnitActiveSec = " 1 d " ; # every day afterwards
Unit = " b u i l d - l y t e d e v - f l a k e . s e r v i c e " ;
} ;
} ;
2024-03-28 13:10:51 -05:00
2024-09-12 10:36:29 -05:00
systemd . tmpfiles . settings = {
" 1 0 - d a n i e l - n i g h t l y - f l a k e - b u i l d " = {
" / h o m e / d a n i e l / . h o m e / . c a c h e / n i g h t l y - f l a k e - b u i l d s " = {
" d " = {
mode = " 0 7 5 0 " ;
user = " d a n i e l " ;
group = " d a n i e l " ;
} ;
} ;
} ;
} ;
2024-09-06 16:32:10 -05:00
systemd . services . " b u i l d - l y t e d e v - f l a k e " = {
2024-09-11 11:57:27 -05:00
# TODO: might want to add root for the most recent results?
2024-09-06 16:32:10 -05:00
script = ''
# build self (main server) configuration
nixos-rebuild build - - flake git+https://git.lyte.dev/lytedev/nix.git - - accept-flake-config
# build desktop configuration
nixos-rebuild build - - flake git+https://git.lyte.dev/lytedev/nix.git #dragon --accept-flake-config
# build main laptop configuration
nixos-rebuild build - - flake git+https://git.lyte.dev/lytedev/nix.git #foxtrot --accept-flake-config
'' ;
2025-02-14 13:31:18 -06:00
path = with pkgs ; [
openssh
git
nixos-rebuild
] ;
2024-09-06 16:32:10 -05:00
serviceConfig = {
# TODO: mkdir -p...?
2024-09-12 10:36:29 -05:00
WorkingDirectory = " / h o m e / d a n i e l / . h o m e / . c a c h e / n i g h t l y - f l a k e - b u i l d s " ;
2024-09-06 16:32:10 -05:00
Type = " o n e s h o t " ;
2024-09-11 11:57:27 -05:00
User = " d a n i e l " ;
2024-09-06 16:32:10 -05:00
} ;
} ;
2024-03-30 07:50:23 -05:00
networking = {
extraHosts = ''
: : 1 nix . h . lyte . dev
127 .0 .0 .1 nix . h . lyte . dev
2024-03-13 21:12:14 -05:00
'' ;
} ;
}
2024-09-06 16:36:53 -05:00
{
services . headscale = {
2024-09-11 11:57:27 -05:00
enable = false ; # TODO: setup headscale?
2024-09-06 16:36:53 -05:00
address = " 1 2 7 . 0 . 0 . 1 " ;
port = 7777 ;
settings = {
server_url = " h t t p s : / / t a i l s c a l e . v p n . h . l y t e . d e v " ;
db_type = " s q l i t e 3 " ;
db_path = " / v a r / l i b / h e a d s c a l e / d b . s q l i t e " ;
derp . server = {
enable = true ;
region_id = 999 ;
stun_listen_addr = " 0 . 0 . 0 . 0 : 3 4 7 8 " ;
} ;
2024-09-03 20:03:24 -05:00
2024-09-06 16:36:53 -05:00
dns_config = {
magic_dns = true ;
base_domain = " v p n . h . l y t e . d e v " ;
domains = [
" t s . v p n . h . l y t e . d e v "
] ;
nameservers = [
" 1 . 1 . 1 . 1 "
# "192.168.0.1"
] ;
override_local_dns = true ;
} ;
} ;
} ;
services . caddy . virtualHosts . " t a i l s c a l e . v p n . h . l y t e . d e v " = lib . mkIf config . services . headscale . enable {
extraConfig = ''
reverse_proxy http://localhost:$ { toString config . services . headscale . port }
'' ;
} ;
2025-02-14 13:31:18 -06:00
networking . firewall . allowedUDPPorts = lib . mkIf config . services . headscale . enable [ 3478 ] ;
2024-09-06 16:36:53 -05:00
}
2024-03-13 21:12:14 -05:00
{
2025-02-14 13:31:18 -06:00
services . restic . commonPaths = [
" / v a r / l i b / s o j u "
" / v a r / l i b / p r i v a t e / s o j u "
] ;
2024-03-13 21:12:14 -05:00
services . soju = {
enable = true ;
2025-02-16 23:53:40 -06:00
listen = [ " i r c + i n s e c u r e : / / : 6 6 6 7 " ] ; # tailscale only
2024-03-13 21:12:14 -05:00
} ;
}
{
2024-09-11 11:57:27 -05:00
# nextcloud
2024-09-12 22:37:20 -05:00
users . users . nextcloud = {
isSystemUser = true ;
createHome = false ;
group = " n e x t c l o u d " ;
} ;
2025-02-14 13:31:18 -06:00
users . groups . nextcloud = { } ;
2024-09-12 22:37:20 -05:00
sops . secrets = {
nextcloud-admin-password = {
owner = " n e x t c l o u d " ;
group = " n e x t c l o u d " ;
mode = " 4 0 0 " ;
} ;
} ;
systemd . tmpfiles . settings = {
" 1 0 - n e x t c l o u d " = {
" / s t o r a g e / n e x t c l o u d " = {
" d " = {
mode = " 0 7 5 0 " ;
user = " n e x t c l o u d " ;
group = " n e x t c l o u d " ;
} ;
} ;
} ;
} ;
services . restic . commonPaths = [
" / s t o r a g e / n e x t c l o u d "
] ;
2024-09-12 11:58:24 -05:00
services . postgresql = {
2025-02-14 13:31:18 -06:00
ensureDatabases = [ " n e x t c l o u d " ] ;
2024-09-12 11:58:24 -05:00
ensureUsers = [
{
name = " n e x t c l o u d " ;
ensureDBOwnership = true ;
}
] ;
} ;
2024-09-12 22:37:20 -05:00
services . nextcloud = {
2024-12-02 13:27:49 -06:00
enable = false ;
2024-09-12 22:37:20 -05:00
hostName = " n e x t c l o u d . h . l y t e . d e v " ;
maxUploadSize = " 1 0 0 G " ;
extraAppsEnable = true ;
autoUpdateApps . enable = true ;
extraApps = with config . services . nextcloud . package . packages . apps ; {
2025-02-14 13:31:18 -06:00
inherit
calendar
contacts
notes
onlyoffice
tasks
;
2024-09-12 22:37:20 -05:00
} ;
package = pkgs . nextcloud28 ;
home = " / s t o r a g e / n e x t c l o u d " ;
configureRedis = true ;
caching . redis = true ;
settings = {
# TODO: SMTP
maintenance_window_start = 1 ;
} ;
config = {
adminpassFile = config . sops . secrets . nextcloud-admin-password . path ;
adminuser = " d a n i e l " ;
dbtype = " p g s q l " ;
dbhost = " / r u n / p o s t g r e s q l " ;
} ;
phpOptions = {
" x d e b u g . m o d e " = " d e b u g " ;
" x d e b u g . c l i e n t _ h o s t " = " 1 0 . 0 . 2 . 2 " ;
" x d e b u g . c l i e n t _ p o r t " = " 9 0 0 0 " ;
" x d e b u g . s t a r t _ w i t h _ r e q u e s t " = " y e s " ;
" x d e b u g . i d e k e y " = " E C L I P S E " ;
} ;
2024-09-12 11:58:24 -05:00
} ;
2024-09-12 22:37:20 -05:00
services . nginx . enable = false ;
systemd . services . nextcloud = {
serviceConfig . User = " n e x t c l o u d " ;
serviceConfig . Group = " n e x t c l o u d " ;
} ;
2024-12-02 13:27:49 -06:00
services . phpfpm = lib . mkIf config . services . nextcloud . enable {
pools . nextcloud . settings = {
" l i s t e n . o w n e r " = " c a d d y " ;
" l i s t e n . g r o u p " = " c a d d y " ;
} ;
2024-09-12 22:37:20 -05:00
} ;
2025-02-14 13:31:18 -06:00
services . caddy . virtualHosts . " n e x t c l o u d . h . l y t e . d e v " =
let
fpm-nextcloud-pool = config . services . phpfpm . pools . nextcloud ;
root = config . services . nginx . virtualHosts . ${ config . services . nextcloud . hostName } . root ;
in
2024-09-12 22:37:20 -05:00
lib . mkIf config . services . nextcloud . enable {
extraConfig = ''
encode zstd gzip
root * $ { root }
redir /.well-known/carddav /remote.php/dav 301
redir /.well-known/caldav /remote.php/dav 301
redir /.well-known /* / i n d e x . p h p { u r i } 3 0 1
redir /remote /* / r e m o t e . p h p { u r i } 3 0 1
header {
Strict-Transport-Security max-age = 31536000
Permissions-Policy interest-cohort = ( )
X-Content-Type-Options nosniff
X-Frame-Options SAMEORIGIN
Referrer-Policy no-referrer
X-XSS-Protection " 1 ; m o d e = b l o c k "
X-Permitted-Cross-Domain-Policies none
X-Robots-Tag " n o i n d e x , n o f o l l o w "
X-Forwarded-Host nextcloud . h . lyte . dev
- X-Powered-By
}
php_fastcgi unix / $ { fpm-nextcloud-pool . socket } {
root $ { root }
env front_controller_active true
env modHeadersAvailable true
}
@ forbidden {
path /build /* / t e s t s / * / c o n f i g / * / l i b / * / 3 r d p a r t y / * / t e m p l a t e s / * / d a t a / *
path /. * /autotest * /occ * /issue * /indie * /db_ * /console *
not path /.well-known /*
}
error @ forbidden 404
@ immutable {
path * . css * . js * . mjs * . svg * . gif * . png * . jpg * . ico * . wasm * . tflite
query v = *
}
header @ immutable Cache-Control " m a x - a g e = 1 5 7 7 8 4 6 3 , i m m u t a b l e "
@ static {
path * . css * . js * . mjs * . svg * . gif * . png * . jpg * . ico * . wasm * . tflite
not query v = *
}
header @ static Cache-Control " m a x - a g e = 1 5 7 7 8 4 6 3 "
@ woff2 path * . woff2
header @ woff2 Cache-Control " m a x - a g e = 6 0 4 8 0 0 "
file_server
'' ;
} ;
2024-03-13 21:12:14 -05:00
}
2024-09-06 16:44:15 -05:00
{
# plausible
2024-09-11 11:57:27 -05:00
services . postgresql = {
2025-02-14 13:31:18 -06:00
ensureDatabases = [ " p l a u s i b l e " ] ;
2024-09-11 11:57:27 -05:00
ensureUsers = [
{
name = " p l a u s i b l e " ;
ensureDBOwnership = true ;
}
] ;
} ;
users . users . plausible = {
isSystemUser = true ;
createHome = false ;
group = " p l a u s i b l e " ;
} ;
users . extraGroups = {
2025-02-14 13:31:18 -06:00
" p l a u s i b l e " = { } ;
2024-09-11 11:57:27 -05:00
} ;
services . plausible = {
enable = true ;
database = {
clickhouse . setup = true ;
postgres = {
setup = false ;
dbname = " p l a u s i b l e " ;
} ;
} ;
server = {
baseUrl = " h t t p s : / / a . l y t e . d e v " ;
disableRegistration = true ;
port = 8899 ;
secretKeybaseFile = config . sops . secrets . plausible-secret-key-base . path ;
} ;
adminUser = {
activate = false ;
email = " d a n i e l @ l y t e . d e v " ;
passwordFile = config . sops . secrets . plausible-admin-password . path ;
} ;
} ;
sops . secrets = {
plausible-secret-key-base = {
owner = " p l a u s i b l e " ;
group = " p l a u s i b l e " ;
} ;
plausible-admin-password = {
owner = " p l a u s i b l e " ;
group = " p l a u s i b l e " ;
} ;
} ;
systemd . services . plausible = {
serviceConfig . User = " p l a u s i b l e " ;
serviceConfig . Group = " p l a u s i b l e " ;
} ;
services . caddy . virtualHosts . " a . l y t e . d e v " = {
extraConfig = ''
reverse_proxy : $ { toString config . services . plausible . server . port }
'' ;
} ;
}
{
# clickhouse
2025-02-16 23:53:40 -06:00
time . timeZone = lib . mkForce " A m e r i c a / C h i c a g o " ;
2024-09-11 11:57:27 -05:00
environment . etc = {
" c l i c k h o u s e - s e r v e r / u s e r s . d / d i s a b l e - l o g g i n g - q u e r y . x m l " = {
text = ''
<clickhouse>
<profiles>
<default>
<log_queries> 0 < /log_queries >
<log_query_threads> 0 < /log_query_threads >
< /default >
< /profiles >
< /clickhouse >
'' ;
} ;
" c l i c k h o u s e - s e r v e r / c o n f i g . d / r e d u c e - l o g g i n g . x m l " = {
text = ''
<clickhouse>
<logger>
<level> warning < /level >
<console> true < /console >
< /logger >
< query_thread_log remove = " r e m o v e " / >
< query_log remove = " r e m o v e " / >
< text_log remove = " r e m o v e " / >
< trace_log remove = " r e m o v e " / >
< metric_log remove = " r e m o v e " / >
< asynchronous_metric_log remove = " r e m o v e " / >
< session_log remove = " r e m o v e " / >
< part_log remove = " r e m o v e " / >
< /clickhouse >
'' ;
} ;
} ;
services . restic . commonPaths = [
# "/var/lib/clickhouse"
] ;
}
{
# family storage
2024-09-12 10:36:29 -05:00
users . extraGroups = {
2025-02-14 13:31:18 -06:00
" f a m i l y " = { } ;
2024-09-12 10:36:29 -05:00
} ;
2024-09-11 11:57:27 -05:00
systemd . tmpfiles . settings = {
2024-09-11 14:31:48 -05:00
" 1 0 - f a m i l y " = {
2024-09-11 11:57:27 -05:00
" / s t o r a g e / f a m i l y " = {
" d " = {
mode = " 0 7 7 0 " ;
user = " r o o t " ;
group = " f a m i l y " ;
} ;
} ;
2024-09-12 15:16:09 -05:00
" / s t o r a g e / v a l e r i e " = {
2024-09-11 11:57:27 -05:00
" d " = {
2024-09-12 15:16:09 -05:00
mode = " 0 7 0 0 " ;
2024-09-11 11:57:27 -05:00
user = " v a l e r i e " ;
group = " f a m i l y " ;
} ;
} ;
} ;
} ;
services . restic . commonPaths = [
" / s t o r a g e / f a m i l y "
2024-09-12 15:16:09 -05:00
" / s t o r a g e / v a l e r i e "
2024-09-11 11:57:27 -05:00
] ;
2024-09-06 16:44:15 -05:00
}
2024-03-13 21:12:14 -05:00
{
# daniel augments
2024-09-11 11:57:27 -05:00
systemd . tmpfiles . settings = {
2024-09-11 14:31:48 -05:00
" 1 0 - d a n i e l " = {
2024-09-11 11:57:27 -05:00
" / s t o r a g e / d a n i e l " = {
" d " = {
mode = " 0 7 0 0 " ;
user = " d a n i e l " ;
group = " n o g r o u p " ;
} ;
} ;
" / s t o r a g e / d a n i e l / c r i t i c a l " = {
" d " = {
mode = " 0 7 0 0 " ;
user = " d a n i e l " ;
group = " n o g r o u p " ;
} ;
} ;
} ;
} ;
2025-02-14 13:31:18 -06:00
users . groups . daniel . members = [ " d a n i e l " ] ;
2024-03-13 21:12:14 -05:00
users . users . daniel = {
extraGroups = [
" w h e e l " # sudo access
2024-09-03 20:03:24 -05:00
" c a d d y " # write access to public static files
2024-03-13 21:12:14 -05:00
" u s e r s " # general users group
2024-09-03 20:03:24 -05:00
" j e l l y f i n " # write access to jellyfin files
" a u d i o b o o k s h e l f " # write access to audiobookshelf files
" f l a n i l l a " # minecraft server manager
2024-09-06 16:15:58 -05:00
" f o r g e j o "
2024-03-13 21:12:14 -05:00
] ;
2024-08-13 14:35:09 -05:00
} ;
2024-09-11 11:57:27 -05:00
services . restic . commonPaths = [
" / s t o r a g e / d a n i e l "
] ;
2024-09-06 16:36:53 -05:00
services . postgresql = {
2025-02-14 13:31:18 -06:00
ensureDatabases = [ " d a n i e l " ] ;
2024-09-06 16:36:53 -05:00
ensureUsers = [
{
name = " d a n i e l " ;
2024-09-12 22:37:20 -05:00
ensureClauses = {
# superuser = true;
# createrole = true;
# createdb = true;
# bypassrls = true;
} ;
2024-09-06 16:36:53 -05:00
ensureDBOwnership = true ;
}
] ;
} ;
2024-08-13 14:35:09 -05:00
}
2024-09-06 16:36:53 -05:00
{
systemd . tmpfiles . settings = {
" 1 0 - j e l l y f i n " = {
" / s t o r a g e / j e l l y f i n " = {
" d " = {
mode = " 0 7 7 0 " ;
user = " j e l l y f i n " ;
group = " w h e e l " ;
} ;
} ;
" / s t o r a g e / j e l l y f i n / m o v i e s " = {
" d " = {
mode = " 0 7 7 0 " ;
user = " j e l l y f i n " ;
group = " w h e e l " ;
} ;
} ;
" / s t o r a g e / j e l l y f i n / t v " = {
" d " = {
mode = " 0 7 7 0 " ;
user = " j e l l y f i n " ;
group = " w h e e l " ;
} ;
} ;
" / s t o r a g e / j e l l y f i n / m u s i c " = {
" d " = {
mode = " 0 7 7 0 " ;
user = " j e l l y f i n " ;
group = " w h e e l " ;
} ;
} ;
} ;
} ;
services . jellyfin = {
enable = true ;
openFirewall = false ;
# uses port 8096 by default, configurable from admin UI
} ;
services . caddy . virtualHosts . " v i d e o . l y t e . d e v " = {
extraConfig = '' r e v e r s e _ p r o x y : 8 0 9 6 '' ;
} ;
2024-09-12 11:58:24 -05:00
/*
2025-02-14 13:31:18 -06:00
NOTE : this server's xeon chips DO NOT seem to support quicksync or graphics in general
but I can probably throw in a crappy GPU ( or a big , cheap ebay GPU for ML
stuff , too ? ) and get good transcoding performance
2024-09-12 11:58:24 -05:00
* /
2024-09-06 16:36:53 -05:00
# jellyfin hardware encoding
2024-09-12 11:58:24 -05:00
/*
2025-02-14 13:31:18 -06:00
hardware . graphics = {
enable = true ;
extraPackages = with pkgs ; [
intel-media-driver
vaapiIntel
vaapiVdpau
libvdpau-va-gl
intel-compute-runtime
] ;
} ;
nixpkgs . config . packageOverrides = pkgs : {
vaapiIntel = pkgs . vaapiIntel . override { enableHybridCodec = true ; } ;
} ;
2024-09-12 11:58:24 -05:00
* /
2024-09-06 16:36:53 -05:00
}
{
2024-09-06 16:44:15 -05:00
systemd . tmpfiles . settings = {
2024-09-11 14:31:48 -05:00
" 1 0 - p o s t g r e s " = {
2024-09-06 16:44:15 -05:00
" / s t o r a g e / p o s t g r e s " = {
" d " = {
2024-09-11 12:03:55 -05:00
mode = " 0 7 5 0 " ;
2024-09-06 16:44:15 -05:00
user = " p o s t g r e s " ;
group = " p o s t g r e s " ;
} ;
} ;
} ;
} ;
2024-09-06 16:36:53 -05:00
services . postgresql = {
enable = true ;
dataDir = " / s t o r a g e / p o s t g r e s " ;
enableTCPIP = true ;
2025-02-16 23:53:40 -06:00
package = lib . mkForce pkgs . postgresql_15 ;
2024-09-06 16:36:53 -05:00
# https://www.postgresql.org/docs/current/auth-pg-hba-conf.html
2024-09-11 11:57:27 -05:00
# TODO: give the "daniel" user access to all databases
2024-09-12 22:37:20 -05:00
/*
2025-02-14 13:31:18 -06:00
authentication = pkgs . lib . mkOverride 10 ''
#type database user auth-method auth-options
local all postgres peer map = superuser_map
local all daniel peer map = superuser_map
local sameuser all peer map = superuser_map
# lan ipv4
host all daniel 192.168.0.0/16 trust
host all daniel 10.0.0.0/24 trust
# tailnet ipv4
host all daniel 100.64.0.0/10 trust
'' ;
2024-09-12 22:37:20 -05:00
* /
2024-09-03 20:03:24 -05:00
2024-09-12 22:37:20 -05:00
/*
2025-02-14 13:31:18 -06:00
identMap = ''
# map system_user db_user
superuser_map root postgres
superuser_map postgres postgres
superuser_map daniel postgres
# Let other names login as themselves
superuser_map / ^ ( . * ) $ \ 1
'' ;
2024-09-12 22:37:20 -05:00
* /
2024-09-06 16:36:53 -05:00
} ;
2024-09-03 20:03:24 -05:00
2024-09-06 16:36:53 -05:00
services . postgresqlBackup = {
enable = true ;
backupAll = true ;
2024-09-11 11:57:27 -05:00
compression = " n o n e " ; # hoping for restic deduplication here?
2024-09-06 16:36:53 -05:00
location = " / s t o r a g e / p o s t g r e s - b a c k u p s " ;
startAt = " * - * - * 0 3 : 0 0 : 0 0 " ;
} ;
2024-09-11 11:57:27 -05:00
services . restic . commonPaths = [
" / s t o r a g e / p o s t g r e s - b a c k u p s "
] ;
2024-09-06 16:36:53 -05:00
}
2024-09-11 11:57:27 -05:00
{
# friends
users . users . ben = {
isNormalUser = true ;
2025-02-14 13:31:18 -06:00
packages = [ pkgs . vim ] ;
2024-09-11 11:57:27 -05:00
openssh . authorizedKeys . keys = [
2025-02-16 23:53:40 -06:00
" s s h - e d 2 5 5 1 9 A A A A C 3 N z a C 1 l Z D I 1 N T E 5 A A A A I K U f L Z + I X 8 5 p 9 3 5 5 P o 2 z P 1 H 2 t A x i E 0 r E 6 I Y b 8 S f + e F 9 T "
2024-09-11 11:57:27 -05:00
] ;
} ;
2024-09-03 20:03:24 -05:00
2024-09-11 11:57:27 -05:00
users . users . alan = {
isNormalUser = true ;
2025-02-14 13:31:18 -06:00
packages = [ pkgs . vim ] ;
2024-09-11 11:57:27 -05:00
# openssh.authorizedKeys.keys = [];
} ;
}
2024-09-06 15:34:18 -05:00
{
2024-09-11 11:57:27 -05:00
# restic backups
sops . secrets = {
2025-02-14 13:31:18 -06:00
restic-ssh-priv-key-benland = {
mode = " 0 4 0 0 " ;
} ;
2024-09-11 11:57:27 -05:00
restic-rascal-passphrase = {
mode = " 0 4 0 0 " ;
} ;
restic-rascal-ssh-private-key = {
mode = " 0 4 0 0 " ;
2024-09-06 15:34:18 -05:00
} ;
} ;
2025-02-14 13:31:18 -06:00
users . groups . restic = { } ;
2024-09-06 15:34:18 -05:00
users . users . restic = {
# used for other machines to backup to
isSystemUser = true ;
2024-09-12 14:47:21 -05:00
createHome = true ;
home = " / s t o r a g e / b a c k u p s / r e s t i c " ;
2024-09-06 15:34:18 -05:00
group = " r e s t i c " ;
2025-02-14 13:31:18 -06:00
extraGroups = [ " s f t p o n l y " ] ;
openssh . authorizedKeys . keys = [ ] ++ config . users . users . daniel . openssh . authorizedKeys . keys ;
2024-09-06 15:34:18 -05:00
} ;
2024-09-12 14:47:21 -05:00
services . openssh . extraConfig = ''
Match Group sftponly
ChrootDirectory /storage/backups / % u
ForceCommand internal-sftp
AllowTcpForwarding no
'' ;
2024-09-11 12:03:55 -05:00
systemd . tmpfiles . settings = {
2024-09-11 14:31:48 -05:00
" 1 0 - b a c k u p s - l o c a l " = {
2024-09-11 12:03:55 -05:00
" / s t o r a g e / b a c k u p s / l o c a l " = {
" d " = {
mode = " 0 7 5 0 " ;
user = " r o o t " ;
group = " w h e e l " ;
} ;
} ;
} ;
} ;
2025-02-14 13:31:18 -06:00
services . restic . backups =
let
# TODO: How do I set things up so that a compromised server doesn't have access to my backups so that it can corrupt or ransomware them?
defaults = {
passwordFile = config . sops . secrets . restic-rascal-passphrase . path ;
paths = config . services . restic . commonPaths ++ [
2024-09-11 11:57:27 -05:00
] ;
2025-02-14 13:31:18 -06:00
initialize = true ;
exclude = [ ] ;
timerConfig = {
OnCalendar = [
" 0 4 : 4 5 "
" 1 7 : 4 5 "
] ;
} ;
2024-09-11 11:57:27 -05:00
} ;
2025-02-14 13:31:18 -06:00
in
{
local = defaults // {
2024-09-11 11:57:27 -05:00
repository = " / s t o r a g e / b a c k u p s / l o c a l " ;
} ;
2025-02-14 13:31:18 -06:00
rascal = defaults // {
2024-09-11 11:57:27 -05:00
extraOptions = [
2024-09-17 08:56:54 -05:00
'' s f t p . c o m m a n d = " s s h b e e f c a k e @ r a s c a l . h a r e - c o d . t s . n e t - i ${ config . sops . secrets . restic-rascal-ssh-private-key . path } - s s f t p " ''
2024-09-11 11:57:27 -05:00
] ;
2024-09-17 08:56:54 -05:00
repository = " s f t p : / / b e e f c a k e @ r a s c a l . h a r e - c o d . t s . n e t : / / s t o r a g e / b a c k u p s / b e e f c a k e " ;
2024-09-11 11:57:27 -05:00
} ;
2025-02-14 13:31:18 -06:00
# TODO: add ruby?
benland = defaults // {
2024-09-11 11:57:27 -05:00
extraOptions = [
2024-09-14 07:20:34 -05:00
'' s f t p . c o m m a n d = " s s h d a n i e l @ n . b e n h a n e y . c o m - p 1 0 0 2 2 - i ${ config . sops . secrets . restic-ssh-priv-key-benland . path } - s s f t p " ''
2024-09-11 11:57:27 -05:00
] ;
repository = " s f t p : / / d a n i e l @ n . b e n h a n e y . c o m : / / s t o r a g e / b a c k u p s / b e e f c a k e " ;
} ;
2025-02-14 13:31:18 -06:00
} ;
2024-09-06 15:34:18 -05:00
}
{
systemd . tmpfiles . settings = {
" 1 0 - c a d d y " = {
" / s t o r a g e / f i l e s . l y t e . d e v " = {
" d " = {
mode = " 2 7 7 5 " ;
user = " r o o t " ;
group = " w h e e l " ;
} ;
} ;
} ;
} ;
2024-09-11 11:57:27 -05:00
services . restic . commonPaths = [
" / s t o r a g e / f i l e s . l y t e . d e v "
] ;
2024-09-06 15:34:18 -05:00
services . caddy = {
# TODO: 502 and other error pages
enable = true ;
email = " d a n i e l @ l y t e . d e v " ;
adapter = " c a d d y f i l e " ;
virtualHosts = {
" f i l e s . l y t e . d e v " = {
# TODO: customize the files.lyte.dev template?
extraConfig = ''
header {
Access-Control-Allow-Origin " { h t t p . r e q u e s t . h e a d e r . O r i g i n } "
Access-Control-Allow-Credentials true
Access-Control-Allow-Methods *
Access-Control-Allow-Headers *
Vary Origin
defer
}
2024-09-12 11:58:24 -05:00
2024-09-06 15:34:18 -05:00
file_server browse {
2024-09-12 11:58:24 -05:00
## browse template
## hide .*
2024-09-06 15:34:18 -05:00
root /storage/files.lyte.dev
}
'' ;
} ;
} ;
# acmeCA = "https://acme-staging-v02.api.letsencrypt.org/directory";
} ;
2025-02-16 23:53:40 -06:00
networking . firewall . allowedTCPPorts = [
80
443
] ;
2024-09-06 15:34:18 -05:00
}
2025-02-14 13:31:18 -06:00
(
{ . . . }:
let
theme = pkgs . fetchzip {
url = " h t t p s : / / g i t h u b . c o m / c a t p p u c c i n / g i t e a / r e l e a s e s / d o w n l o a d / v 1 . 0 . 1 / c a t p p u c c i n - g i t e a . t a r . g z " ;
sha256 = " s h a 2 5 6 - e t 5 l u A 3 S I 7 i O c E I Q 3 C V I u 0 + e i L s 8 C / 8 m O i t Y l W Q a / u I = " ;
} ;
logos = {
png = pkgs . fetchurl {
url = " h t t p s : / / l y t e . d e v / i c o n . p n g " ;
sha256 = " s h a 2 5 6 - o / i Z D o h z X B G b p J 2 P R 1 z 2 3 I F 4 F Z i g n T A K 8 8 Q w r f g T w l k = " ;
} ;
svg = pkgs . fetchurl {
url = " h t t p s : / / l y t e . d e v / i m g / l o g o . s v g " ;
sha256 = " s h a 2 5 6 - G 9 l e V X N a n o a C i z X J a X n + + J z a V c Y O g R c 3 d J K h T Q s M h V s = " ;
} ;
svg-with-background = pkgs . fetchurl {
url = " h t t p s : / / l y t e . d e v / i m g / l o g o - w i t h - b a c k g r o u n d . s v g " ;
sha256 = " s h a 2 5 6 - C d M T R X o Q 3 A I 7 6 a H W / s T q v Z o 1 q / 0 X Q d n Q s 9 V 1 v G m i f f Y = " ;
} ;
2024-12-14 09:03:57 -06:00
} ;
2025-02-14 13:31:18 -06:00
forgejoCustomCss = pkgs . writeText " i o s e v k a l y t e . c s s " ''
2024-12-14 09:03:57 -06:00
@ font-face {
font-family : ldiosevka ;
font-style : normal ;
font-weight : 300 ;
src : local ( " I o s e v k a " ) , url ( " / / l y t e . d e v / f o n t / i o s e v k a l y t e w e b m i n / i o s e v k a l y t e w e b - r e g u l a r . s u b s e t . w o f f 2 " ) ;
font-display : swap
}
@ font-face {
font-family : ldiosevka ;
font-style : italic ;
font-weight : 300 ;
src : local ( " I o s e v k a " ) , url ( " / / l y t e . d e v / f o n t / i o s e v k a l y t e w e b m i n / i o s e v k a l y t e w e b - i t a l i c . s u b s e t . w o f f 2 " ) ;
font-display : swap
}
@ font-face {
font-family : ldiosevka ;
font-style : italic ;
font-weight : 500 ;
src : local ( " I o s e v k a " ) , url ( " / / l y t e . d e v / f o n t / i o s e v k a l y t e w e b m i n / i o s e v k a l y t e w e b - b o l d i t a l i c . w o f f 2 " ) ;
font-display : swap
}
: root {
- - fonts-monospace : ldiosevka , ui-monospace , SFMono-Regular , " S F M o n o " , Menlo , Monaco , Consolas , " L i b e r a t i o n M o n o " , " C o u r i e r N e w " , monospace , var ( - - fonts-emoji ) ;
}
'' ;
2025-02-14 13:31:18 -06:00
forgejoCustomHeaderTmpl = pkgs . writeText " h e a d e r . t m p l " ''
2024-12-14 09:03:57 -06:00
< link rel = " s t y l e s h e e t " href = " / a s s e t s / c s s / i o s e v k a l y t e . c s s " / >
2024-12-27 08:42:32 -06:00
< script async = " " defer = " " data-domain = " g i t . l y t e . d e v " src = " h t t p s : / / a . l y t e . d e v / j s / s c r i p t . j s " > < /script >
2024-12-14 09:03:57 -06:00
'' ;
2025-02-14 13:31:18 -06:00
forgejoCustomHomeTmpl = pkgs . writeText " h o m e . t m p l " ''
2024-12-14 09:03:57 -06:00
{ { template " b a s e / h e a d " . } }
< div role = " m a i n " aria-label = " { { i f . I s S i g n e d } } { { c t x . L o c a l e . T r " dashboard " } } { { e l s e } } { { c t x . L o c a l e . T r " home " } } { { e n d } } " class = " p a g e - c o n t e n t h o m e " >
< div class = " t w - m b - 8 t w - p x - 8 " >
< div class = " c e n t e r " >
< img class = " l o g o " width = " 2 2 0 " height = " 2 2 0 " src = " { { A s s e t U r l P r e f i x } } / i m g / l o g o . s v g " alt = " { { c t x . L o c a l e . T r " logo " } } " >
< div class = " h e r o " >
< h1 class = " u i i c o n h e a d e r t i t l e " >
{ { AppDisplayName } }
< /h1 >
<h2> { { ctx . Locale . Tr " s t a r t p a g e . a p p _ d e s c " } } < /h2 >
< /div >
< /div >
< /div >
< div class = " u i s t a c k a b l e m i d d l e v e r y r e l a x e d p a g e g r i d " >
< div class = " e i g h t w i d e c e n t e r c o l u m n " >
< h1 class = " h e r o u i i c o n h e a d e r " >
{ { svg " o c t i c o n - f l a m e " } } { { ctx . Locale . Tr " s t a r t p a g e . i n s t a l l " } }
< /h1 >
< p class = " l a r g e " >
{ { ctx . Locale . Tr " s t a r t p a g e . i n s t a l l _ d e s c " " h t t p s : / / f o r g e j o . o r g / d o w n l o a d / # i n s t a l l a t i o n - f r o m - b i n a r y " " h t t p s : / / f o r g e j o . o r g / d o w n l o a d / # c o n t a i n e r - i m a g e " " h t t p s : / / f o r g e j o . o r g / d o w n l o a d " } }
< /p >
< /div >
< div class = " e i g h t w i d e c e n t e r c o l u m n " >
< h1 class = " h e r o u i i c o n h e a d e r " >
{ { svg " o c t i c o n - d e v i c e - d e s k t o p " } } { { ctx . Locale . Tr " s t a r t p a g e . p l a t f o r m " } }
< /h1 >
< p class = " l a r g e " >
{ { ctx . Locale . Tr " s t a r t p a g e . p l a t f o r m _ d e s c " } }
< /p >
< /div >
< /div >
< div class = " u i s t a c k a b l e m i d d l e v e r y r e l a x e d p a g e g r i d " >
< div class = " e i g h t w i d e c e n t e r c o l u m n " >
< h1 class = " h e r o u i i c o n h e a d e r " >
{ { svg " o c t i c o n - r o c k e t " } } { { ctx . Locale . Tr " s t a r t p a g e . l i g h t w e i g h t " } }
< /h1 >
< p class = " l a r g e " >
{ { ctx . Locale . Tr " s t a r t p a g e . l i g h t w e i g h t _ d e s c " } }
< /p >
< /div >
< div class = " e i g h t w i d e c e n t e r c o l u m n " >
< h1 class = " h e r o u i i c o n h e a d e r " >
{ { svg " o c t i c o n - c o d e " } } { { ctx . Locale . Tr " s t a r t p a g e . l i c e n s e " } }
< /h1 >
< p class = " l a r g e " >
{ { ctx . Locale . Tr " s t a r t p a g e . l i c e n s e _ d e s c " " h t t p s : / / f o r g e j o . o r g / d o w n l o a d " " h t t p s : / / c o d e b e r g . o r g / f o r g e j o / f o r g e j o " } }
< /p >
< /div >
< /div >
< /div >
{ { template " b a s e / f o o t e r " . } }
'' ;
2025-02-14 13:31:18 -06:00
in
{
# systemd.tmpfiles.settings = {
# "10-forgejo" = {
# "/storage/forgejo" = {
# "d" = {
# mode = "0700";
# user = "forgejo";
# group = "nogroup";
# };
# };
# };
# };
services . forgejo = {
enable = true ;
package = pkgs . unstable-packages . forgejo ;
stateDir = " / s t o r a g e / f o r g e j o " ;
settings = {
DEFAULT = {
APP_NAME = " g i t . l y t e . d e v " ;
} ;
server = {
ROOT_URL = " h t t p s : / / g i t . l y t e . d e v " ;
HTTP_ADDR = " 1 2 7 . 0 . 0 . 1 " ;
HTTP_PORT = 3088 ;
DOMAIN = " g i t . l y t e . d e v " ;
} ;
migrations = {
ALLOWED_DOMAINS = " * . g i t h u b . c o m , g i t h u b . c o m , g i t l a b . c o m , * . g i t l a b . c o m " ;
} ;
actions = {
ENABLED = true ;
} ;
service = {
DISABLE_REGISTRATION = true ;
} ;
session = {
COOKIE_SECURE = true ;
} ;
log = {
# LEVEL = "Debug";
} ;
ui = {
THEMES = " c a t p p u c c i n - m o c h a - s a p p h i r e , f o r g e j o - a u t o , f o r g e j o - l i g h t , f o r g e j o - d a r k " ;
DEFAULT_THEME = " c a t p p u c c i n - m o c h a - s a p p h i r e " ;
} ;
indexer = {
REPO_INDEXER_ENABLED = " t r u e " ;
REPO_INDEXER_PATH = " i n d e x e r s / r e p o s . b l e v e " ;
MAX_FILE_SIZE = " 1 0 4 8 5 7 6 " ;
# REPO_INDEXER_INCLUDE =
REPO_INDEXER_EXCLUDE = " r e s o u r c e s / b i n / * * " ;
} ;
" m a r k u p . a s c i i d o c " = {
ENABLED = true ;
NEED_POSTPROCESS = true ;
FILE_EXTENSIONS = " . a d o c , . a s c i i d o c " ;
RENDER_COMMAND = " ${ pkgs . asciidoctor } / b i n / a s c i i d o c t o r - - e m b e d d e d - - s a f e - m o d e = s e c u r e - - o u t - f i l e = - - " ;
IS_INPUT_FILE = false ;
} ;
2024-09-06 15:39:26 -05:00
} ;
2025-02-14 13:31:18 -06:00
lfs = {
enable = true ;
2024-09-06 15:39:26 -05:00
} ;
2025-02-14 13:31:18 -06:00
dump = {
enable = false ;
2024-09-06 15:39:26 -05:00
} ;
2025-02-14 13:31:18 -06:00
database = {
# TODO: move to postgres?
type = " s q l i t e 3 " ;
2024-12-13 10:48:50 -06:00
} ;
2024-09-06 15:39:26 -05:00
} ;
2025-02-14 13:31:18 -06:00
services . restic . commonPaths = [
config . services . forgejo . stateDir
] ;
sops . secrets = {
" f o r g e j o - r u n n e r . e n v " = {
mode = " 0 4 0 0 " ;
} ;
2024-09-06 15:39:26 -05:00
} ;
2025-02-14 13:31:18 -06:00
systemd . services . gitea-runner-beefcake . after = [ " s o p s - n i x . s e r v i c e " ] ;
systemd . services . forgejo = {
preStart = lib . mkAfter ''
rm - rf $ { config . services . forgejo . stateDir } /custom/public
mkdir - p $ { config . services . forgejo . stateDir } /custom/public /
mkdir - p $ { config . services . forgejo . stateDir } /custom/public/assets /
mkdir - p $ { config . services . forgejo . stateDir } /custom/public/assets/img /
mkdir - p $ { config . services . forgejo . stateDir } /custom/public/assets/css /
mkdir - p $ { config . services . forgejo . stateDir } /custom/templates/custom /
ln - sf $ { logos . png } $ { config . services . forgejo . stateDir } /custom/public/assets/img/logo.png
ln - sf $ { logos . svg } $ { config . services . forgejo . stateDir } /custom/public/assets/img/logo.svg
ln - sf $ { logos . png } $ { config . services . forgejo . stateDir } /custom/public/assets/img/favicon.png
ln - sf $ { logos . svg-with-background } $ { config . services . forgejo . stateDir } /custom/public/assets/img/favicon.svg
ln - sf $ { theme } /theme-catppuccin-mocha-sapphire.css $ { config . services . forgejo . stateDir } /custom/public/assets/css /
ln - sf $ { forgejoCustomCss } $ { config . services . forgejo . stateDir } /custom/public/assets/css/iosevkalyte.css
ln - sf $ { forgejoCustomHeaderTmpl } $ { config . services . forgejo . stateDir } /custom/templates/custom/header.tmpl
ln - sf $ { forgejoCustomHomeTmpl } $ { config . services . forgejo . stateDir } /custom/templates/home.tmpl
'' ;
2024-09-06 15:39:26 -05:00
} ;
2024-12-13 20:48:40 -06:00
2025-02-14 13:31:18 -06:00
services . gitea-actions-runner = {
# TODO: simple git-based automation would be dope? maybe especially for
# mirroring to github super easy?
package = pkgs . forgejo-runner ;
instances . " b e e f c a k e " = {
enable = true ;
name = " b e e f c a k e " ;
url = " h t t p s : / / g i t . l y t e . d e v " ;
settings = {
container = {
# use the shared network which is bridged by default
# this lets us hit git.lyte.dev just fine
network = " p o d m a n " ;
} ;
2024-09-06 15:39:26 -05:00
} ;
2025-02-14 13:31:18 -06:00
labels = [
# type ":host" does not depend on docker/podman/lxc
" p o d m a n "
" n i x : d o c k e r : / / g i t . l y t e . d e v / l y t e d e v / n i x : l a t e s t "
" b e e f c a k e : h o s t "
" n i x o s - h o s t : h o s t "
] ;
tokenFile = config . sops . secrets . " f o r g e j o - r u n n e r . e n v " . path ;
hostPackages = with pkgs ; [
nix
bash
coreutils
curl
gawk
gitMinimal
gnused
nodejs
gnutar # needed for cache action
wget
] ;
2024-09-06 15:39:26 -05:00
} ;
} ;
2025-02-14 13:31:18 -06:00
# environment.systemPackages = with pkgs; [nodejs];
services . caddy . virtualHosts . " g i t . l y t e . d e v " = {
extraConfig = ''
reverse_proxy : $ { toString config . services . forgejo . settings . server . HTTP_PORT }
'' ;
} ;
services . caddy . virtualHosts . " h t t p : / / g i t . b e e f c a k e . l a n " = {
extraConfig = ''
reverse_proxy : $ { toString config . services . forgejo . settings . server . HTTP_PORT }
'' ;
} ;
}
)
2024-09-06 16:05:29 -05:00
{
2024-09-11 11:57:27 -05:00
services . restic . commonPaths = [
config . services . vaultwarden . backupDir
] ;
2024-09-06 16:05:29 -05:00
services . vaultwarden = {
enable = true ;
2024-09-11 11:57:27 -05:00
backupDir = " / s t o r a g e / v a u l t w a r d e n / b a c k u p s " ;
2024-09-06 16:05:29 -05:00
config = {
DOMAIN = " h t t p s : / / b w . l y t e . d e v " ;
SIGNUPS_ALLOWED = " f a l s e " ;
ROCKET_ADDRESS = " 1 2 7 . 0 . 0 . 1 " ;
ROCKET_PORT = 8222 ;
2024-09-12 11:58:24 -05:00
/*
2025-02-14 13:31:18 -06:00
TODO : smtp setup ?
right now , I think I configured this manually by temporarily setting ADMIN_TOKEN
and then configuring in https://bw.lyte.dev/admin
2024-09-12 11:58:24 -05:00
* /
2024-09-06 16:05:29 -05:00
} ;
} ;
services . caddy . virtualHosts . " b w . l y t e . d e v " = {
extraConfig = '' r e v e r s e _ p r o x y : ${ toString config . services . vaultwarden . config . ROCKET_PORT } '' ;
} ;
}
2024-09-06 16:44:15 -05:00
{
2024-09-11 16:04:32 -05:00
users . users . atuin = {
isSystemUser = true ;
createHome = false ;
group = " a t u i n " ;
} ;
users . extraGroups = {
2025-02-14 13:31:18 -06:00
" a t u i n " = { } ;
2024-09-11 16:04:32 -05:00
} ;
2024-09-06 16:44:15 -05:00
services . postgresql = {
2025-02-14 13:31:18 -06:00
ensureDatabases = [ " a t u i n " ] ;
2024-09-06 16:44:15 -05:00
ensureUsers = [
{
name = " a t u i n " ;
ensureDBOwnership = true ;
}
] ;
} ;
services . atuin = {
enable = true ;
database = {
createLocally = false ;
2024-09-11 11:57:27 -05:00
# NOTE: this uses postgres over the unix domain socket by default
2024-09-06 16:57:30 -05:00
# uri = "postgresql://atuin@localhost:5432/atuin";
2024-09-06 16:44:15 -05:00
} ;
openRegistration = false ;
2024-09-11 16:04:32 -05:00
# TODO: would be neat to have a way to "force" a registration on the server
} ;
systemd . services . atuin . serviceConfig = {
Group = " a t u i n " ;
User = " a t u i n " ;
2024-09-06 16:44:15 -05:00
} ;
services . caddy . virtualHosts . " a t u i n . h . l y t e . d e v " = {
extraConfig = '' r e v e r s e _ p r o x y : ${ toString config . services . atuin . port } '' ;
} ;
}
2024-09-12 11:58:24 -05:00
{
# jland minecraft server
/*
2025-02-14 13:31:18 -06:00
users . groups . jland = {
gid = 982 ;
} ;
users . users . jland = {
uid = 986 ;
isSystemUser = true ;
createHome = false ;
group = " j l a n d " ;
} ;
virtualisation . oci-containers . containers . minecraft-jland = {
autoStart = false ;
# sending commands: https://docker-minecraft-server.readthedocs.io/en/latest/commands/
image = " d o c k e r . i o / i t z g / m i n e c r a f t - s e r v e r " ;
# user = "${toString config.users.users.jland.uid}:${toString config.users.groups.jland.gid}";
extraOptions = [
" - - t t y "
" - - i n t e r a c t i v e "
] ;
environment = {
EULA = " t r u e " ;
## UID = toString config.users.users.jland.uid;
## GID = toString config.users.groups.jland.gid;
STOP_SERVER_ANNOUNCE_DELAY = " 2 0 " ;
TZ = " A m e r i c a / C h i c a g o " ;
VERSION = " 1 . 2 0 . 1 " ;
MEMORY = " 8 G " ;
MAX_MEMORY = " 1 6 G " ;
TYPE = " F O R G E " ;
FORGE_VERSION = " 4 7 . 1 . 3 " ;
ALLOW_FLIGHT = " t r u e " ;
ENABLE_QUERY = " t r u e " ;
MODPACK = " / d a t a / o r i g i n a t i o n - f i l e s / S e r v e r - F i l e s - 0 . 2 . 1 4 . z i p " ;
## TYPE = "AUTO_CURSEFORGE";
## CF_SLUG = "monumental-experience";
## CF_FILE_ID = "4826863"; # 2.2.53
## due to
## Nov 02 13:45:22 beefcake minecraft-jland[2738672]: me.itzg.helpers.errors.GenericException: The modpack authors have indicated this file is not allowed for project distribution. Please download the client zip file from https://www.curseforge.com/minecraft/modpacks/monumental-experience and pass via CF_MODPACK_ZIP environment variable or place indownloads repo directory.
## we must upload manually
## CF_MODPACK_ZIP = "/data/origination-files/Monumental+Experience-2.2.53.zip";
## ENABLE_AUTOPAUSE = "true"; # TODO: must increate or disable max-tick-time
## May also have mod/loader incompatibilities?
## https://docker-minecraft-server.readthedocs.io/en/latest/misc/autopause-autostop/autopause/
} ;
environmentFiles = [
# config.sops.secrets."jland.env".path
] ;
ports = [ " 2 6 9 6 5 : 2 5 5 6 5 " ] ;
volumes = [
" / s t o r a g e / j l a n d / d a t a : / d a t a "
" / s t o r a g e / j l a n d / w o r l d s : / w o r l d s "
] ;
} ;
networking . firewall . allowedTCPPorts = [
26965
] ;
}
{
# dawncraft minecraft server
systemd . tmpfiles . rules = [
" d / s t o r a g e / d a w n c r a f t / 0 7 7 0 1 0 0 0 1 0 0 0 - "
" d / s t o r a g e / d a w n c r a f t / d a t a / 0 7 7 0 1 0 0 0 1 0 0 0 - "
" d / s t o r a g e / d a w n c r a f t / w o r l d s / 0 7 7 0 1 0 0 0 1 0 0 0 - "
" d / s t o r a g e / d a w n c r a f t / d o w n l o a d s / 0 7 7 0 1 0 0 0 1 0 0 0 - "
] ;
virtualisation . oci-containers . containers . minecraft-dawncraft = {
autoStart = false ;
# sending commands: https://docker-minecraft-server.readthedocs.io/en/latest/commands/
image = " d o c k e r . i o / i t z g / m i n e c r a f t - s e r v e r " ;
extraOptions = [
" - - t t y "
" - - i n t e r a c t i v e "
] ;
environment = {
EULA = " t r u e " ;
STOP_SERVER_ANNOUNCE_DELAY = " 2 0 " ;
TZ = " A m e r i c a / C h i c a g o " ;
VERSION = " 1 . 1 8 . 2 " ;
MEMORY = " 8 G " ;
MAX_MEMORY = " 3 2 G " ;
ALLOW_FLIGHT = " t r u e " ;
ENABLE_QUERY = " t r u e " ;
SERVER_PORT = " 2 6 9 6 8 " ;
QUERY_PORT = " 2 6 9 6 8 " ;
TYPE = " A U T O _ C U R S E F O R G E " ;
CF_SLUG = " d a w n - c r a f t " ;
CF_EXCLUDE_MODS = " 3 6 8 3 9 8 " ;
CF_FORCE_SYNCHRONIZE = " t r u e " ;
# CF_FILE_ID = "5247696"; # 2.0.7 server
} ;
environmentFiles = [
config . sops . secrets . " d a w n c r a f t . e n v " . path
] ;
ports = [ " 2 6 9 6 8 : 2 6 9 6 8 / t c p " " 2 6 9 6 8 : 2 6 9 6 8 / u d p " ] ;
volumes = [
" / s t o r a g e / d a w n c r a f t / d a t a : / d a t a "
" / s t o r a g e / d a w n c r a f t / w o r l d s : / w o r l d s "
" / s t o r a g e / d a w n c r a f t / d o w n l o a d s : / d o w n l o a d s "
] ;
} ;
networking . firewall . allowedTCPPorts = [
26968
] ;
* /
}
(
{ . . . }:
let
port = 26969 ;
dir = " / s t o r a g e / f l a n i l l a " ;
user = " f l a n i l l a " ;
in
# uid = config.users.users.flanilla.uid;
# gid = config.users.groups.flanilla.gid;
{
# flanilla family minecraft server
users . groups . ${ user } = { } ;
users . users . ${ user } = {
2024-09-12 11:58:24 -05:00
isSystemUser = true ;
createHome = false ;
2025-02-14 13:31:18 -06:00
home = dir ;
group = user ;
2024-09-12 11:58:24 -05:00
} ;
2025-02-14 13:31:18 -06:00
virtualisation . oci-containers . containers . minecraft-flanilla = {
2024-09-12 11:58:24 -05:00
autoStart = false ;
2025-02-14 13:31:18 -06:00
environmentFiles = [
# config.sops.secrets."jland.env".path
] ;
2024-09-12 11:58:24 -05:00
image = " d o c k e r . i o / i t z g / m i n e c r a f t - s e r v e r " ;
2025-02-14 13:31:18 -06:00
# user = "${toString uid}:${toString gid}";
2024-09-12 11:58:24 -05:00
extraOptions = [
" - - t t y "
" - - i n t e r a c t i v e "
] ;
environment = {
EULA = " t r u e " ;
2025-02-14 13:31:18 -06:00
MOTD = " F l a n i l l a S u r v i v a l ! H a p p y h u n t i n g ! " ;
# UID = toString uid;
# GID = toString gid;
2024-09-12 11:58:24 -05:00
STOP_SERVER_ANNOUNCE_DELAY = " 2 0 " ;
TZ = " A m e r i c a / C h i c a g o " ;
2025-02-14 13:31:18 -06:00
VERSION = " 1 . 2 1 " ;
OPS = " l y t e d e v " ;
MODE = " s u r v i v a l " ;
DIFFICULTY = " e a s y " ;
ONLINE_MODE = " f a l s e " ;
2024-09-12 11:58:24 -05:00
MEMORY = " 8 G " ;
MAX_MEMORY = " 1 6 G " ;
ALLOW_FLIGHT = " t r u e " ;
ENABLE_QUERY = " t r u e " ;
2025-02-14 13:31:18 -06:00
ENABLE_COMMAND_BLOCK = " t r u e " ;
2024-09-12 11:58:24 -05:00
} ;
2025-02-14 13:31:18 -06:00
ports = [ " ${ toString port } : 2 5 5 6 5 " ] ;
2024-09-12 11:58:24 -05:00
volumes = [
2025-02-14 13:31:18 -06:00
" ${ dir } / d a t a : / d a t a "
" ${ dir } / w o r l d s : / w o r l d s "
2024-09-12 11:58:24 -05:00
] ;
} ;
2025-02-14 13:31:18 -06:00
systemd . services . podman-minecraft-flanilla . serviceConfig = {
User = user ;
Group = user ;
} ;
systemd . tmpfiles . settings = {
" 1 0 - ${ user } - s u r v i v a l " = {
" ${ dir } / d a t a " = {
" d " = {
mode = " 0 7 7 0 " ;
user = user ;
group = user ;
} ;
} ;
" ${ dir } / w o r l d s " = {
" d " = {
mode = " 0 7 7 0 " ;
user = user ;
group = user ;
} ;
} ;
} ;
} ;
services . restic . commonPaths = [ dir ] ;
2024-09-12 11:58:24 -05:00
networking . firewall . allowedTCPPorts = [
2025-02-14 13:31:18 -06:00
port
2024-09-12 11:58:24 -05:00
] ;
}
2025-02-14 13:31:18 -06:00
)
(
{ . . . }:
let
port = 26968 ;
dir = " / s t o r a g e / f l a n i l l a - c r e a t i v e " ;
user = " f l a n i l l a " ;
in
# uid = config.users.users.flanilla.uid;
# gid = config.users.groups.flanilla.gid;
2024-09-12 11:58:24 -05:00
{
2025-02-14 13:31:18 -06:00
# flanilla family minecraft server
users . groups . ${ user } = { } ;
users . users . ${ user } = {
isSystemUser = true ;
createHome = false ;
home = lib . mkForce dir ;
group = user ;
} ;
virtualisation . oci-containers . containers . minecraft-flanilla-creative = {
2025-02-16 23:53:40 -06:00
autoStart = false ;
2024-09-12 11:58:24 -05:00
image = " d o c k e r . i o / i t z g / m i n e c r a f t - s e r v e r " ;
2025-02-14 13:31:18 -06:00
# user = "${toString uid}:${toString gid}";
2024-09-12 11:58:24 -05:00
extraOptions = [
" - - t t y "
" - - i n t e r a c t i v e "
] ;
environment = {
EULA = " t r u e " ;
2025-02-14 13:31:18 -06:00
MOTD = " F l a n i l l a C r e a t i v e ! H a v e f u n b u i l d i n g ! " ;
# UID = toString uid;
# GID = toString gid;
2024-09-12 11:58:24 -05:00
STOP_SERVER_ANNOUNCE_DELAY = " 2 0 " ;
TZ = " A m e r i c a / C h i c a g o " ;
2025-02-14 13:31:18 -06:00
VERSION = " 1 . 2 1 " ;
OPS = " l y t e d e v " ;
MODE = " c r e a t i v e " ;
DIFFICULTY = " p e a c e f u l " ;
ONLINE_MODE = " f a l s e " ;
2024-09-12 11:58:24 -05:00
MEMORY = " 8 G " ;
2025-02-14 13:31:18 -06:00
MAX_MEMORY = " 1 6 G " ;
2024-09-12 11:58:24 -05:00
ALLOW_FLIGHT = " t r u e " ;
ENABLE_QUERY = " t r u e " ;
2025-02-14 13:31:18 -06:00
ENABLE_COMMAND_BLOCK = " t r u e " ;
2024-09-12 11:58:24 -05:00
} ;
2025-02-14 13:31:18 -06:00
ports = [ " ${ toString port } : 2 5 5 6 5 " ] ;
2024-09-12 11:58:24 -05:00
volumes = [
2025-02-14 13:31:18 -06:00
" ${ dir } / d a t a : / d a t a "
" ${ dir } / w o r l d s : / w o r l d s "
2024-09-12 11:58:24 -05:00
] ;
} ;
2025-02-14 13:31:18 -06:00
# systemd.services.podman-minecraft-flanilla-creative.serviceConfig = {
# User = user;
# Group = user;
# };
systemd . tmpfiles . settings = {
" 1 0 - ${ user } - c r e a t i v e " = {
" ${ dir } / d a t a " = {
" d " = {
mode = " 0 7 7 0 " ;
user = user ;
group = user ;
} ;
2024-10-03 09:29:26 -05:00
} ;
2025-02-14 13:31:18 -06:00
" ${ dir } / w o r l d s " = {
" d " = {
mode = " 0 7 7 0 " ;
user = user ;
group = user ;
} ;
2024-10-03 09:23:44 -05:00
} ;
} ;
} ;
2025-02-14 13:31:18 -06:00
services . restic . commonPaths = [ dir ] ;
networking . firewall . allowedTCPPorts = [
port
2024-09-12 11:58:24 -05:00
] ;
2025-02-14 13:31:18 -06:00
}
)
(
{
config ,
options ,
. . .
} :
let
domain = " i d m . h . l y t e . d e v " ;
name = " k a n i d m " ;
user = name ;
group = name ;
storage = " / s t o r a g e / ${ name } " ;
in
{
# kanidm
config = {
# reload certs from caddy every 5 minutes
# TODO: ideally some kind of file watcher service would make way more sense here?
# or we could simply setup the permissions properly somehow?
systemd . timers . " c o p y - k a n i d m - c e r t i f i c a t e s - f r o m - c a d d y " = {
wantedBy = [ " t i m e r s . t a r g e t " ] ;
timerConfig = {
OnBootSec = " 1 0 m " ; # 10 minutes after booting
OnUnitActiveSec = " 5 m " ; # every 5 minutes afterwards
Unit = " c o p y - k a n i d m - c e r t i f i c a t e s - f r o m - c a d d y . s e r v i c e " ;
2024-10-03 09:29:26 -05:00
} ;
} ;
2025-02-14 13:31:18 -06:00
systemd . services . " c o p y - k a n i d m - c e r t i f i c a t e s - f r o m - c a d d y " = {
# get the certificates that caddy provisions for us
script = ''
umask 077
# this line should be unnecessary now that we have this in tmpfiles
install - d - m 0700 - o " ${ name } " - g " ${ name } " " ${ storage } / d a t a " " ${ storage } / c e r t s "
cd /var/lib/caddy/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory/idm.h.lyte.dev
install - m 0700 - o " ${ name } " - g " ${ name } " idm . h . lyte . dev . key idm . h . lyte . dev . crt " ${ storage } / c e r t s "
'' ;
path = with pkgs ; [ rsync ] ;
serviceConfig = {
Type = " o n e s h o t " ;
User = " r o o t " ;
2024-10-03 09:23:44 -05:00
} ;
} ;
2024-09-12 11:58:24 -05:00
2025-02-14 13:31:18 -06:00
systemd . tmpfiles . settings . " 1 0 - k a n i d m " = {
" ${ config . services . kanidm . serverSettings . online_backup . path } " . d = {
user = name ;
group = name ;
mode = " 0 7 0 0 " ;
} ;
" ${ storage } / d a t a " . d = {
inherit user group ;
mode = " 0 7 0 0 " ;
} ;
" ${ storage } / c e r t s " . d = {
inherit user group ;
mode = " 0 7 0 0 " ;
} ;
2024-09-12 11:58:24 -05:00
} ;
2025-02-14 13:31:18 -06:00
services . kanidm = {
2025-02-16 23:53:40 -06:00
package = pkgs . unstable-packages . kanidm ;
2025-02-14 13:31:18 -06:00
enableServer = true ;
serverSettings = {
inherit domain ;
origin = " h t t p s : / / ${ domain } " ;
bindaddress = " 1 2 7 . 0 . 0 . 1 : 8 4 4 3 " ;
tls_chain = " ${ storage } / c e r t s / i d m . h . l y t e . d e v . c r t " ;
tls_key = " ${ storage } / c e r t s / i d m . h . l y t e . d e v . k e y " ;
log_level = " i n f o " ;
online_backup = {
path = " ${ storage } / b a c k u p s / " ;
schedule = " 0 0 2 2 * * * " ;
versions = 50 ;
} ;
} ;
2024-09-12 11:58:24 -05:00
2025-02-14 13:31:18 -06:00
enablePam = false ;
unixSettings = {
# pam_allowed_login_groups = [];
2025-02-11 00:41:52 -06:00
} ;
2024-09-12 11:58:24 -05:00
2025-02-14 13:31:18 -06:00
enableClient = true ;
clientSettings = {
uri = " h t t p s : / / i d m . h . l y t e . d e v " ;
} ;
2024-09-12 11:58:24 -05:00
2025-02-14 13:31:18 -06:00
provision = {
# enable = true;
# instanceUrl = "https://${domain}";
# adminPasswordFile = config.sops.secrets.kanidm-admin-password-file.path
# idmAdminPasswordFile = config.sops.secrets.kanidm-admin-password-file.path
# autoRemove = true;
# groups = {
# myGroup = {
# members = ["myUser" /* ...*/];
# }
# };
# persons = {
# myUser = {
# displayName = "display name";
# legalName = "My User";
# mailAddresses = ["myuser@example.com"];
# groups = ["myGroup"];
# }
# };
# systems = {
# oauth2 = {
# mySystem = {
# enableLegacyCrypto = false;
# enableLocalhostRedirects = true; # only for public
# allowInsecureClientDisablePkce = false;
# basicSecretFile = config.sops.secrets.basic-secret-file...
# claimMap = {};
# };
# };
# };
} ;
2025-02-11 00:41:52 -06:00
} ;
2024-09-12 11:58:24 -05:00
2025-02-14 13:31:18 -06:00
services . caddy . virtualHosts . " i d m . h . l y t e . d e v " = {
extraConfig = '' r e v e r s e _ p r o x y h t t p s : / / i d m . h . l y t e . d e v : 8 4 4 3 '' ;
2024-09-12 11:58:24 -05:00
} ;
2025-02-14 13:31:18 -06:00
networking = {
extraHosts = ''
: : 1 idm . h . lyte . dev
127 .0 .0 .1 idm . h . lyte . dev
'' ;
} ;
2024-09-12 11:58:24 -05:00
} ;
2025-02-14 13:31:18 -06:00
}
)
2024-09-06 16:48:59 -05:00
{
systemd . tmpfiles . settings = {
" 1 0 - a u d i o b o o k s h e l f " = {
" / s t o r a g e / a u d i o b o o k s h e l f " = {
" d " = {
mode = " 0 7 7 0 " ;
user = " a u d i o b o o k s h e l f " ;
group = " w h e e l " ;
} ;
} ;
" / s t o r a g e / a u d i o b o o k s h e l f / a u d i o b o o k s " = {
" d " = {
mode = " 0 7 7 0 " ;
user = " a u d i o b o o k s h e l f " ;
group = " w h e e l " ;
} ;
} ;
" / s t o r a g e / a u d i o b o o k s h e l f / p o d c a s t s " = {
" d " = {
mode = " 0 7 7 0 " ;
user = " a u d i o b o o k s h e l f " ;
group = " w h e e l " ;
} ;
} ;
} ;
} ;
2025-02-14 13:31:18 -06:00
users . groups . audiobookshelf = { } ;
2024-09-06 20:45:10 -05:00
users . users . audiobookshelf = {
isSystemUser = true ;
group = " a u d i o b o o k s h e l f " ;
} ;
2024-09-06 16:48:59 -05:00
services . audiobookshelf = {
enable = true ;
dataDir = " / s t o r a g e / a u d i o b o o k s h e l f " ;
port = 8523 ;
} ;
2024-09-06 20:45:10 -05:00
systemd . services . audiobookshelf . serviceConfig = {
WorkingDirectory = lib . mkForce config . services . audiobookshelf . dataDir ;
StateDirectory = lib . mkForce config . services . audiobookshelf . dataDir ;
Group = " a u d i o b o o k s h e l f " ;
User = " a u d i o b o o k s h e l f " ;
} ;
2024-09-06 16:48:59 -05:00
services . caddy . virtualHosts . " a u d i o . l y t e . d e v " = {
2024-09-06 20:45:10 -05:00
extraConfig = '' r e v e r s e _ p r o x y : ${ toString config . services . audiobookshelf . port } '' ;
2024-09-06 16:48:59 -05:00
} ;
}
2024-09-11 14:31:48 -05:00
{
# prometheus
services . restic . commonPaths = [
# TODO: do I want this backed up?
# "/var/lib/prometheus"
] ;
services . prometheus = {
enable = true ;
checkConfig = true ;
listenAddress = " 1 2 7 . 0 . 0 . 1 " ;
port = 9090 ;
2024-09-11 15:28:52 -05:00
scrapeConfigs = [
{
job_name = " b e e f c a k e " ;
static_configs = [
{
2025-02-14 13:31:18 -06:00
targets =
let
inherit ( config . services . prometheus . exporters . node ) port listenAddress ;
in
[ " ${ listenAddress } : ${ toString port } " ] ;
2024-09-11 15:28:52 -05:00
}
2024-09-11 16:04:32 -05:00
{
2025-02-14 13:31:18 -06:00
targets =
let
inherit ( config . services . prometheus . exporters . zfs ) port listenAddress ;
in
[ " ${ listenAddress } : ${ toString port } " ] ;
2024-09-11 16:04:32 -05:00
}
{
2025-02-14 13:31:18 -06:00
targets =
let
inherit ( config . services . prometheus . exporters . postgres ) port listenAddress ;
in
[ " ${ listenAddress } : ${ toString port } " ] ;
2024-09-11 16:04:32 -05:00
}
2024-09-11 15:28:52 -05:00
] ;
}
] ;
2024-09-11 14:31:48 -05:00
exporters = {
postgres = {
enable = true ;
2024-09-11 16:04:32 -05:00
listenAddress = " 1 2 7 . 0 . 0 . 1 " ;
runAsLocalSuperUser = true ;
2024-09-11 14:31:48 -05:00
} ;
2024-09-11 15:28:52 -05:00
node = {
enable = true ;
listenAddress = " 1 2 7 . 0 . 0 . 1 " ;
enabledCollectors = [
" s y s t e m d "
] ;
} ;
zfs = {
enable = true ;
2024-09-11 16:04:32 -05:00
listenAddress = " 1 2 7 . 0 . 0 . 1 " ;
2024-09-11 15:28:52 -05:00
} ;
2024-09-11 14:31:48 -05:00
} ;
} ;
2024-09-12 11:58:24 -05:00
/*
2025-02-14 13:31:18 -06:00
TODO : promtail ?
idrac exporter ?
restic exporter ?
smartctl exporter ?
systemd exporter ?
NOTE : we probably don't want this exposed
services . caddy . virtualHosts . " p r o m e t h e u s . h . l y t e . d e v " = {
extraConfig = '' r e v e r s e _ p r o x y : ${ toString config . services . prometheus . port } '' ;
} ;
2024-09-12 11:58:24 -05:00
* /
2024-09-11 14:31:48 -05:00
}
{
# grafana
systemd . tmpfiles . settings = {
" 1 0 - g r a f a n a " = {
" / s t o r a g e / g r a f a n a " = {
" d " = {
mode = " 0 7 5 0 " ;
2024-09-13 00:50:31 -05:00
user = " g r a f a n a " ;
group = " g r a f a n a " ;
2024-09-11 14:31:48 -05:00
} ;
} ;
} ;
} ;
services . restic . commonPaths = [
2024-09-11 14:58:17 -05:00
" / s t o r a g e / g r a f a n a "
2024-09-11 14:31:48 -05:00
] ;
2024-09-11 14:58:17 -05:00
sops . secrets = {
grafana-admin-password = {
owner = " g r a f a n a " ;
group = " g r a f a n a " ;
mode = " 0 4 0 0 " ;
} ;
2024-09-11 15:28:52 -05:00
grafana-smtp-password = {
owner = " g r a f a n a " ;
group = " g r a f a n a " ;
mode = " 0 4 0 0 " ;
} ;
2024-09-11 14:58:17 -05:00
} ;
2024-09-11 14:31:48 -05:00
services . grafana = {
enable = true ;
dataDir = " / s t o r a g e / g r a f a n a " ;
provision = {
enable = true ;
2024-09-11 15:28:52 -05:00
datasources = {
settings = {
datasources = [
{
name = " P r o m e t h e u s " ;
type = " p r o m e t h e u s " ;
access = " p r o x y " ;
url = " h t t p : / / l o c a l h o s t : ${ toString config . services . prometheus . port } " ;
isDefault = true ;
}
] ;
} ;
} ;
2024-09-11 14:31:48 -05:00
} ;
settings = {
server = {
http_port = 3814 ;
2024-09-13 13:25:34 -05:00
root_url = " h t t p s : / / g r a f a n a . h . l y t e . d e v " ;
2024-09-11 14:31:48 -05:00
} ;
2024-09-11 15:28:52 -05:00
smtp = {
enabled = true ;
from_address = " g r a f a n a @ l y t e . d e v " ;
2024-09-11 15:29:58 -05:00
user = " g r a f a n a @ l y t e . d e v " ;
host = " s m t p . m a i l g u n . o r g : 5 8 7 " ;
2024-09-11 15:28:52 -05:00
password = '' $_ _ f i l e { ${ config . sops . secrets . grafana-smtp-password . path } } '' ;
} ;
2024-09-11 14:58:17 -05:00
security = {
admin_email = " d a n i e l @ l y t e . d e v " ;
admin_user = " l y t e d e v " ;
admin_file = '' $_ _ f i l e { ${ config . sops . secrets . grafana-admin-password . path } } '' ;
} ;
# database = {
# };
2024-09-11 14:31:48 -05:00
} ;
} ;
networking . firewall . allowedTCPPorts = [
9000
] ;
services . caddy . virtualHosts . " g r a f a n a . h . l y t e . d e v " = {
extraConfig = '' r e v e r s e _ p r o x y : ${ toString config . services . grafana . settings . server . http_port } '' ;
} ;
}
2024-09-12 23:45:03 -05:00
{
2024-09-13 00:38:04 -05:00
systemd . tmpfiles . settings = {
" 1 0 - p a p e r l e s s " = {
" / s t o r a g e / p a p e r l e s s " = {
" d " = {
mode = " 0 7 5 0 " ;
user = " p a p e r l e s s " ;
group = " p a p e r l e s s " ;
} ;
} ;
} ;
} ;
services . restic . commonPaths = [
" / s t o r a g e / p a p e r l e s s "
] ;
sops . secrets . paperless-superuser-password = {
owner = " p a p e r l e s s " ;
group = " p a p e r l e s s " ;
mode = " 4 0 0 " ;
} ;
services . paperless = {
enable = true ;
2024-12-02 16:05:05 -06:00
# package = pkgs.paperless-ngx;
2024-09-13 00:38:04 -05:00
dataDir = " / s t o r a g e / p a p e r l e s s " ;
passwordFile = config . sops . secrets . paperless-superuser-password . path ;
} ;
services . caddy . virtualHosts . " p a p e r l e s s . h . l y t e . d e v " = {
extraConfig = '' r e v e r s e _ p r o x y : ${ toString config . services . paperless . port } '' ;
} ;
2024-09-12 23:45:03 -05:00
}
{
systemd . tmpfiles . settings = {
" 1 0 - a c t u a l " = {
" / s t o r a g e / a c t u a l " = {
" d " = {
mode = " 0 7 5 0 " ;
user = " r o o t " ;
group = " f a m i l y " ;
} ;
} ;
} ;
} ;
services . restic . commonPaths = [
2024-09-13 00:02:57 -05:00
" / s t o r a g e / a c t u a l "
2024-09-12 23:45:03 -05:00
] ;
virtualisation . oci-containers = {
containers . actual = {
2025-02-10 22:44:27 -06:00
image = " g h c r . i o / a c t u a l b u d g e t / a c t u a l - s e r v e r : 2 5 . 2 . 1 " ;
2024-09-12 23:45:03 -05:00
autoStart = true ;
2025-02-14 13:31:18 -06:00
ports = [ " 5 0 0 6 : 5 0 0 6 " ] ;
volumes = [ " / s t o r a g e / a c t u a l : / d a t a " ] ;
2024-09-12 23:45:03 -05:00
} ;
} ;
services . caddy . virtualHosts . " f i n a n c e s . h . l y t e . d e v " = {
extraConfig = '' r e v e r s e _ p r o x y : 5 0 0 6 '' ;
} ;
}
2024-10-14 09:54:39 -05:00
{
services . factorio = {
2025-02-16 23:53:40 -06:00
enable = false ;
2024-10-14 09:54:39 -05:00
package = pkgs . factorio-headless . override {
versionsJson = ./factorio-versions.json ;
} ;
2025-02-14 13:31:18 -06:00
admins = [ " l y t e d e v " ] ;
2024-10-14 09:54:39 -05:00
autosave-interval = 5 ;
game-name = " F l a n w h e e l O n l i n e " ;
description = " S p a c e A g e 2 . 0 " ;
openFirewall = true ;
2024-10-14 09:58:00 -05:00
lan = true ;
2024-10-14 09:54:39 -05:00
# public = true; # NOTE: cannot be true if requireUserVerification is false
port = 34197 ;
requireUserVerification = false ; # critical for DRM-free users
# contains the game password and account password for "public" servers
extraSettingsFile = config . sops . secrets . factorio-server-settings . path ;
} ;
sops . secrets = {
2025-02-14 13:31:18 -06:00
factorio-server-settings = {
mode = " 0 7 7 7 " ;
} ;
2024-10-14 09:54:39 -05:00
} ;
}
2025-02-16 23:53:40 -06:00
(
{
config ,
lib ,
pkgs ,
. . .
} :
let
cfg = config . services . conduwuit ;
defaultUser = " c o n d u w u i t " ;
defaultGroup = " c o n d u w u i t " ;
format = pkgs . formats . toml { } ;
configFile = format . generate " c o n d u w u i t . t o m l " cfg . settings ;
in
{
meta . maintainers = with lib . maintainers ; [ niklaskorz ] ;
options . services . conduwuit = {
enable = lib . mkEnableOption " c o n d u w u i t " ;
user = lib . mkOption {
type = lib . types . nonEmptyStr ;
description = ''
The user { command } ` conduwuit ` is run as .
'' ;
default = defaultUser ;
} ;
group = lib . mkOption {
type = lib . types . nonEmptyStr ;
description = ''
The group { command } ` conduwuit ` is run as .
'' ;
default = defaultGroup ;
} ;
extraEnvironment = lib . mkOption {
type = lib . types . attrsOf lib . types . str ;
description = " E x t r a E n v i r o n m e n t v a r i a b l e s t o p a s s t o t h e c o n d u w u i t s e r v e r . " ;
default = { } ;
example = {
RUST_BACKTRACE = " y e s " ;
} ;
} ;
package = lib . mkPackageOption pkgs . unstable-packages " c o n d u w u i t " { } ;
settings = lib . mkOption {
type = lib . types . submodule {
freeformType = format . type ;
options = {
global . server_name = lib . mkOption {
type = lib . types . nonEmptyStr ;
example = " e x a m p l e . c o m " ;
description = " T h e s e r v e r _ n a m e i s t h e n a m e o f t h i s s e r v e r . I t i s u s e d a s a s u f f i x f o r u s e r a n d r o o m i d s . " ;
} ;
global . address = lib . mkOption {
type = lib . types . nullOr ( lib . types . listOf lib . types . nonEmptyStr ) ;
default = null ;
example = [
" 1 2 7 . 0 . 0 . 1 "
" : : 1 "
] ;
description = ''
Addresses ( IPv4 or IPv6 ) to listen on for connections by the reverse proxy/tls terminator .
If set to ` null ` , conduwuit will listen on IPv4 and IPv6 localhost .
Must be ` null ` if ` unix_socket_path ` is set .
'' ;
} ;
global . port = lib . mkOption {
type = lib . types . listOf lib . types . port ;
default = [ 6167 ] ;
description = ''
The port ( s ) conduwuit will be running on .
You need to set up a reverse proxy in your web server ( e . g . apache or nginx ) ,
so all requests to /_matrix on port 443 and 8448 will be forwarded to the conduwuit
instance running on this port .
'' ;
} ;
global . unix_socket_path = lib . mkOption {
type = lib . types . nullOr lib . types . path ;
default = null ;
description = ''
Listen on a UNIX socket at the specified path . If listening on a UNIX socket ,
listening on an address will be disabled . The ` address ` option must be set to
` null ` ( the default value ) . The option { option } ` services . conduwuit . group ` must
be set to a group your reverse proxy is part of .
This will automatically add a system user " c o n d u w u i t " to your system if
{ option } ` services . conduwuit . user ` is left at the default , and a " c o n d u w u i t "
group if { option } ` services . conduwuit . group ` is left at the default .
'' ;
} ;
global . unix_socket_perms = lib . mkOption {
type = lib . types . ints . positive ;
default = 660 ;
description = " T h e d e f a u l t p e r m i s s i o n s ( i n o c t a l ) t o c r e a t e t h e U N I X s o c k e t w i t h . " ;
} ;
global . max_request_size = lib . mkOption {
type = lib . types . ints . positive ;
default = 20000000 ;
description = " M a x r e q u e s t s i z e i n b y t e s . D o n ' t f o r g e t t o a l s o c h a n g e i t i n t h e p r o x y . " ;
} ;
global . allow_registration = lib . mkOption {
type = lib . types . bool ;
default = false ;
description = ''
Whether new users can register on this server .
Registration with token requires ` registration_token ` or ` registration_token_file ` to be set .
If set to true without a token configured , and
` yes_i_am_very_very_sure_i_want_an_open_registration_server_prone_to_abuse `
is set to true , users can freely register .
'' ;
} ;
global . allow_encryption = lib . mkOption {
type = lib . types . bool ;
default = true ;
description = " W h e t h e r n e w e n c r y p t e d r o o m s c a n b e c r e a t e d . N o t e : e x i s t i n g r o o m s w i l l c o n t i n u e t o w o r k . " ;
} ;
global . allow_federation = lib . mkOption {
type = lib . types . bool ;
default = true ;
description = ''
Whether this server federates with other servers .
'' ;
} ;
global . trusted_servers = lib . mkOption {
type = lib . types . listOf lib . types . nonEmptyStr ;
default = [ " m a t r i x . o r g " ] ;
description = ''
Servers listed here will be used to gather public keys of other servers
( notary trusted key servers ) .
Currently , conduwuit doesn't support inbound batched key requests , so
this list should only contain other Synapse servers .
Example : ` [ " m a t r i x . o r g " " c o n s t e l l a t o r y . n e t " " t c h n c s . d e " ] `
'' ;
} ;
global . database_path = lib . mkOption {
readOnly = true ;
type = lib . types . path ;
default = " / v a r / l i b / c o n d u w u i t / " ;
description = ''
Path to the conduwuit database , the directory where conduwuit will save its data .
Note that database_path cannot be edited because of the service's reliance on systemd StateDir .
'' ;
} ;
global . allow_check_for_updates = lib . mkOption {
type = lib . types . bool ;
default = false ;
description = ''
If enabled , conduwuit will send a simple GET request periodically to
< https://pupbrain.dev/check-for-updates/stable > for any new announcements made .
Despite the name , this is not an update check endpoint , it is simply an announcement check endpoint .
Disabled by default .
'' ;
} ;
} ;
} ;
default = { } ;
# TOML does not allow null values, so we use null to omit those fields
apply = lib . filterAttrsRecursive ( _ : v : v != null ) ;
description = ''
Generates the conduwuit . toml configuration file . Refer to
< https://conduwuit.puppyirl.gay/configuration.html >
for details on supported values .
'' ;
} ;
} ;
config = lib . mkIf cfg . enable {
assertions = [
{
assertion = ! ( cfg . settings ? global . unix_socket_path ) || ! ( cfg . settings ? global . address ) ;
message = ''
In ` services . conduwuit . settings . global ` , ` unix_socket_path ` and ` address ` cannot be set at the
same time .
Leave one of the two options unset or explicitly set them to ` null ` .
'' ;
}
{
assertion = cfg . user != defaultUser -> config ? users . users . ${ cfg . user } ;
message = " I f ` s e r v i c e s . c o n d u w u i t . u s e r ` i s c h a n g e d , t h e c o n f i g u r e d u s e r m u s t a l r e a d y e x i s t . " ;
}
{
assertion = cfg . group != defaultGroup -> config ? users . groups . ${ cfg . group } ;
message = " I f ` s e r v i c e s . c o n d u w u i t . g r o u p ` i s c h a n g e d , t h e c o n f i g u r e d g r o u p m u s t a l r e a d y e x i s t . " ;
}
] ;
users . users = lib . mkIf ( cfg . user = = defaultUser ) {
$ { defaultUser } = {
group = cfg . group ;
home = cfg . settings . global . database_path ;
isSystemUser = true ;
} ;
} ;
users . groups = lib . mkIf ( cfg . group = = defaultGroup ) {
$ { defaultGroup } = { } ;
} ;
systemd . services . conduwuit = {
description = " C o n d u w u i t M a t r i x S e r v e r " ;
documentation = [ " h t t p s : / / c o n d u w u i t . p u p p y i r l . g a y / " ] ;
wantedBy = [ " m u l t i - u s e r . t a r g e t " ] ;
wants = [ " n e t w o r k - o n l i n e . t a r g e t " ] ;
after = [ " n e t w o r k - o n l i n e . t a r g e t " ] ;
environment = lib . mkMerge [
{ CONDUWUIT_CONFIG = configFile ; }
cfg . extraEnvironment
] ;
startLimitBurst = 5 ;
startLimitIntervalSec = 60 ;
serviceConfig = {
DynamicUser = true ;
User = cfg . user ;
Group = cfg . group ;
DevicePolicy = " c l o s e d " ;
LockPersonality = true ;
MemoryDenyWriteExecute = true ;
NoNewPrivileges = true ;
ProtectClock = true ;
ProtectControlGroups = true ;
ProtectHome = true ;
ProtectHostname = true ;
ProtectKernelLogs = true ;
ProtectKernelModules = true ;
ProtectKernelTunables = true ;
PrivateDevices = true ;
PrivateMounts = true ;
PrivateTmp = true ;
PrivateUsers = true ;
PrivateIPC = true ;
RemoveIPC = true ;
RestrictAddressFamilies = [
" A F _ I N E T "
" A F _ I N E T 6 "
" A F _ U N I X "
] ;
RestrictNamespaces = true ;
RestrictRealtime = true ;
SystemCallArchitectures = " n a t i v e " ;
SystemCallFilter = [
" @ s y s t e m - s e r v i c e "
" @ r e s o u r c e s "
" ~ @ c l o c k "
" @ d e b u g "
" @ m o d u l e "
" @ m o u n t "
" @ r e b o o t "
" @ s w a p "
" @ c p u - e m u l a t i o n "
" @ o b s o l e t e "
" @ t i m e r "
" @ c h o w n "
" @ s e t u i d "
" @ p r i v i l e g e d "
" @ k e y r i n g "
" @ i p c "
] ;
SystemCallErrorNumber = " E P E R M " ;
StateDirectory = " c o n d u w u i t " ;
StateDirectoryMode = " 0 7 0 0 " ;
RuntimeDirectory = " c o n d u w u i t " ;
RuntimeDirectoryMode = " 0 7 5 0 " ;
ExecStart = lib . getExe cfg . package ;
Restart = " o n - f a i l u r e " ;
RestartSec = 10 ;
} ;
} ;
} ;
}
)
2025-02-14 13:31:18 -06:00
(
{
pkgs ,
config ,
. . .
} :
let
port = builtins . head config . services . conduwuit . settings . global . port ;
sPort = toString port ;
in
{
sops . secrets . matrix-registration-token-file . mode = " 0 4 0 0 " ;
services . conduwuit = {
enable = true ;
settings = {
global = {
allow_check_for_updates = true ;
allow_federation = false ;
registration_token_file = config . sops . secrets . matrix-registration-token-file . path ;
server_name = " l y t e . d e v " ;
} ;
2025-02-11 01:27:43 -06:00
} ;
} ;
2025-02-14 13:31:18 -06:00
services . caddy . virtualHosts . " m a t r i x . l y t e . d e v " . extraConfig = ''
reverse_proxy /_matrix /* : $ { s P o r t }
reverse_proxy /_synapse/client /* : $ { s P o r t }
'' ;
services . caddy . virtualHosts . " l y t e . d e v : 8 4 4 8 " . extraConfig = ''
reverse_proxy /_matrix /* : $ { s P o r t }
'' ;
# TODO: backups
# TODO: reverse proxy
}
)
2024-03-13 21:12:14 -05:00
] ;
2023-09-04 11:40:30 -05:00
2024-09-12 11:58:24 -05:00
/*
2025-02-14 13:31:18 -06:00
TODO : non-root processes and services that access secrets need to be part of
the ' keys' group
2023-09-04 11:40:30 -05:00
2025-02-14 13:31:18 -06:00
systemd . services . some-service = {
serviceConfig . SupplementaryGroups = [ config . users . groups . keys . name ] ;
} ;
or
users . users . example-user . extraGroups = [ config . users . groups . keys . name ] ;
2023-09-04 11:40:30 -05:00
2025-02-14 13:31:18 -06:00
TODO : declarative directory quotas ? for storage / $ USER and /home / $ USER
2024-09-12 11:58:24 -05:00
* /
2023-09-04 11:40:30 -05:00
2024-09-12 11:58:24 -05:00
/*
2025-02-14 13:31:18 -06:00
# https://github.com/NixOS/nixpkgs/blob/04af42f3b31dba0ef742d254456dc4c14eedac86/nixos/modules/services/misc/lidarr.nix#L72
services . lidarr = {
enable = true ;
dataDir = " / s t o r a g e / l i d a r r " ;
} ;
services . radarr = {
enable = true ;
dataDir = " / s t o r a g e / r a d a r r " ;
} ;
services . sonarr = {
enable = true ;
dataDir = " / s t o r a g e / s o n a r r " ;
} ;
services . bazarr = {
enable = true ;
listenPort = 6767 ;
} ;
networking . firewall . allowedTCPPorts = [ 9876 9877 ] ;
networking . firewall . allowedUDPPorts = [ 9876 9877 ] ;
networking . firewall . allowedUDPPortRanges = [
{
from = 27000 ;
to = 27100 ;
}
] ;
2024-09-12 11:58:24 -05:00
* /
2023-09-04 11:40:30 -05:00
}
