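/*
if ur fans get loud:
# enable manual fan control
sudo nix run nixpkgs#ipmitool -- raw 0x30 0x30 0x01 0x00
# set fan speed to last byte as decimal
sudo nix run nixpkgs#ipmitool -- raw 0x30 0x30 0x02 0xff 0x00
*/
# NixOS host configuration for "beefcake" (storage, caddy, gitea, vaultwarden,
# samba, postgres, restic backups and a podman-run minecraft server).
{
  # inputs,
  outputs,
  modulesPath,
  config,
  pkgs,
  ...
}: {
  imports = [
    (modulesPath + "/installer/scan/not-detected.nix")
    outputs.nixosModules.intel
    # inputs.nix-minecraft.nixosModules.minecraft-servers
  ];
  nixpkgs.overlays = [
    # inputs.nix-minecraft.overlay
  ];

  boot.initrd.availableKernelModules = ["ehci_pci" "megaraid_sas" "usbhid" "uas" "sd_mod"];
  boot.kernelModules = ["kvm-intel"];

  fileSystems."/" = {
    device = "/dev/disk/by-uuid/0747dcba-f590-42e6-89c8-6cb2f9114d64";
    fsType = "ext4";
    options = [
      "usrquota"
    ];
  };

  fileSystems."/boot" = {
    device = "/dev/disk/by-uuid/7E3C-9018";
    fsType = "vfat";
  };

  fileSystems."/storage" = {
    device = "/dev/disk/by-uuid/ea8258d7-54d1-430e-93b3-e15d33231063";
    fsType = "btrfs";
    options = [
      "compress=zstd:5"
      "space_cache=v2"
    ];
  };

  services.nix-serve = {
    enable = true;
    secretKeyFile = "/var/cache-priv-key.pem";
  };

  services.api-lyte-dev = rec {
    enable = true;
    port = 5757;
    stateDir = "/var/lib/api-lyte-dev";
    # the secret is written into stateDir by sops-nix (see sops.secrets below)
    configFile = config.sops.secrets."api.lyte.dev".path;
    user = "api-lyte-dev";
    group = user;
  };
  # NOTE(review): debug logging on a public API may record request details;
  # confirm this is intended outside of troubleshooting.
  systemd.services.api-lyte-dev.environment.LOG_LEVEL = "debug";

  sops = {
    defaultSopsFile = ../../secrets/beefcake/secrets.yml;
    age = {
      # the host ssh key is converted to an age identity for decryption
      sshKeyPaths = ["/etc/ssh/ssh_host_ed25519_key"];
      keyFile = "/var/lib/sops-nix/key.txt";
      generateKey = true;
    };
    secrets = {
      # example-key = {
      #   # see these and other options' documentation here:
      #   # https://github.com/Mic92/sops-nix#set-secret-permissionowner-and-allow-services-to-access-it
      #   # set permissions:
      #   # mode = "0440";
      #   # owner = config.users.users.nobody.name;
      #   # group = config.users.users.nobody.group;
      #   # restart service when a secret changes or is newly initialized
      #   # restartUnits = [ "home-assistant.service" ];
      #   # symlink to certain directories
      #   path = "/var/lib/my-example-key/secrets.yaml";
      #   # for use as a user password
      #   # neededForUsers = true;
      # };
      # subdirectory
      # "myservice/my_subdir/my_secret" = { };
      "api.lyte.dev" = {
        path = "${config.services.api-lyte-dev.stateDir}/secrets.json";
        # TODO: would be cool to assert that it's correctly-formatted JSON? probably should be done in a pre-commit hook?
        mode = "0440";
        owner = config.services.api-lyte-dev.user;
        group = config.services.api-lyte-dev.group;
      };
      "jland.env" = {
        path = "/var/lib/jland/jland.env";
        # TODO: would be cool to assert that it's a correctly-formatted env file? probably should be done in a pre-commit hook?
        mode = "0440";
        owner = config.users.users.jland.name;
        group = config.users.groups.jland.name;
      };
      plausible-admin-password = {
        # TODO: path = "${config.systemd.services.plausible.serviceConfig.WorkingDirectory}/plausible-admin-password.txt";
        path = "/var/lib/plausible/plausible-admin-password";
        mode = "0440";
        owner = config.systemd.services.plausible.serviceConfig.User;
        group = config.systemd.services.plausible.serviceConfig.Group;
      };
      plausible-erlang-cookie = {
        path = "/var/lib/plausible/plausible-erlang-cookie";
        mode = "0440";
        owner = config.systemd.services.plausible.serviceConfig.User;
        group = config.systemd.services.plausible.serviceConfig.Group;
      };
      plausible-secret-key-base = {
        path = "/var/lib/plausible/plausible-secret-key-base";
        mode = "0440";
        owner = config.systemd.services.plausible.serviceConfig.User;
        group = config.systemd.services.plausible.serviceConfig.Group;
      };
      nextcloud-admin-password = {
        path = "/var/lib/nextcloud/admin-password";
        mode = "0440";
        # With mode 0440 the sops-nix default owner (root:root) would leave the
        # file unreadable by the service account; mirror the jland.env entry
        # and hand it to the nextcloud user/group declared further down.
        # (services.nextcloud has no serviceConfig.User, hence not that path.)
        owner = config.users.users.nextcloud.name;
        group = config.users.groups.nextcloud.name;
      };
    };
  };
  # TODO: non-root processes and services that access secrets need to be part of
  # the 'keys' group
  # maybe this will fix plausible?
  # systemd.services.some-service = {
  #   serviceConfig.SupplementaryGroups = [ config.users.groups.keys.name ];
  # };
  # or
  # users.users.example-user.extraGroups = [ config.users.groups.keys.name ];
  # TODO: directory attributes for /storage subdirectories?
  # example: user daniel should be able to write to /storage/files.lyte.dev and
  # caddy should be able to serve it
  # TODO: declarative directory quotas? for storage/$USER and /home/$USER
  # TODO: would be nice to get ALL the storage stuff declared in here
  # should I be using btrfs subvolumes? can I capture file ownership, permissions, and ACLs?

  boot.loader.systemd-boot.enable = true;
  boot.loader.efi.canTouchEfiVariables = true;

  # samba print spool (see the "printers" share below)
  systemd.tmpfiles.rules = [
    "d /var/spool/samba 1777 root root -"
  ];

  networking.hostName = "beefcake";

  users.extraGroups = {
    "plausible" = {};
    "nextcloud" = {};
    "lytedev" = {};
  };
  users.groups.daniel.members = ["daniel"];
  users.groups.nixadmin.members = ["daniel"];

  users.users.daniel = {
    packages = [pkgs.weechat];
    extraGroups = [
      "nixadmin" # write access to /etc/nixos/ files
      "wheel" # sudo access
      "caddy" # write access to /storage/files.lyte.dev
      "users" # general users group
      "jellyfin" # write access to /storage/jellyfin
      "jland"
    ];
  };
  users.users.lytedev = {
    # for running my services and applications and stuff
    isNormalUser = true;
    # same keys as daniel
    openssh.authorizedKeys.keys = config.users.users.daniel.openssh.authorizedKeys.keys;
    group = "lytedev";
  };
  users.users.ben = {
    isNormalUser = true;
    packages = [pkgs.vim];
    openssh.authorizedKeys.keys = [
      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKUfLZ+IX85p9355Po2zP1H2tAxiE0rE6IYb8Sf+eF9T ben@benhany.com"
    ];
  };
  users.users.alan = {
    isNormalUser = true;
    packages = [pkgs.vim];
    # NOTE(review): an empty entry authorizes nothing (sshd skips blank lines);
    # this account has no usable key until one is filled in.
    openssh.authorizedKeys.keys = [
      ""
    ];
  };
  users.users.restic = {
    # used for other machines to backup to
    isNormalUser = true;
    openssh.authorizedKeys.keys =
      [
        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJbPqzKB09U+i4Kqu136yOjflLZ/J7pYsNulTAd4x903 root@chromebox.h.lyte.dev"
      ]
      ++ config.users.users.daniel.openssh.authorizedKeys.keys;
  };
  users.users.guest = {
    # used for anonymous samba access
    # NOTE(review): samba's `guest account` below is `nobody`, so this user may
    # not actually be the one guests map to -- confirm it is still needed.
    isSystemUser = true;
    group = "users";
    createHome = true;
  };
  users.users.plausible = {
    # service account for plausible (see systemd.services.plausible.serviceConfig)
    isSystemUser = true;
    createHome = false;
    group = "plausible";
  };
  users.groups.jland = {
    gid = 982;
  };
  users.users.jland = {
    # fixed uid so the container below can run as this account
    uid = 986;
    # used for running the jland minecraft server
    isSystemUser = true;
    createHome = false;
    group = "jland";
  };
  users.users.nextcloud = {
    # service account for nextcloud; owns the nextcloud-admin-password secret
    isSystemUser = true;
    createHome = false;
    group = "nextcloud";
  };

  environment.systemPackages = [pkgs.linuxquota];

  # NOTE(review): no User= is set, so weechat (and any scripts it loads) runs as
  # root inside this tmux session; a dedicated user would contain that.
  systemd.services.weechat-in-tmux = {
    serviceConfig = {
      Type = "oneshot";
      RemainAfterExit = true;
      ExecStart = "${pkgs.tmux}/bin/tmux -2 new-session -d -s weechat ${pkgs.weechat}/bin/weechat";
      ExecStop = "${pkgs.tmux}/bin/tmux kill-session -t weechat";
    };
  };

  # TODO: make the client declarative? right now I think it's manually git
  # clone'd to /root
  systemd.services.deno-netlify-ddns-client = {
    serviceConfig.Type = "oneshot";
    path = with pkgs; [curl bash];
    environment = {
      NETLIFY_DDNS_RC_FILE = "/root/deno-netlify-ddns-client/.env";
    };
    script = ''
      bash /root/deno-netlify-ddns-client/netlify-ddns-client.sh
    '';
  };
  systemd.timers.deno-netlify-ddns-client = {
    wantedBy = ["timers.target"];
    partOf = ["deno-netlify-ddns-client.service"];
    timerConfig = {
      OnBootSec = "10sec";
      OnUnitActiveSec = "5min";
      Unit = "deno-netlify-ddns-client.service";
    };
  };

  services.caddy = {
    enable = true;
    email = "daniel@lyte.dev";
    adapter = "caddyfile";
    # acmeCA = "https://acme-staging-v02.api.letsencrypt.org/directory";
    # TODO: there are some hardcoded ports here!
    # https://github.com/NixOS/nixpkgs/blob/04af42f3b31dba0ef742d254456dc4c14eedac86/nixos/modules/services/misc/lidarr.nix#L72
    # TODO: customize the files.lyte.dev template?
    configFile = pkgs.writeText "Caddyfile" ''
      video.lyte.dev {
        reverse_proxy :8096
      }
      # lidarr.h.lyte.dev {
      #   reverse_proxy :8686
      # }
      # radarr.h.lyte.dev {
      #   reverse_proxy :7878
      # }
      # sonarr.h.lyte.dev {
      #   reverse_proxy :8989
      # }
      # bazarr.h.lyte.dev {
      #   reverse_proxy :${toString config.services.bazarr.listenPort}
      # }
      bw.lyte.dev {
        reverse_proxy :${toString config.services.vaultwarden.config.ROCKET_PORT}
      }
      api.lyte.dev {
        reverse_proxy :${toString config.services.api-lyte-dev.port}
      }
      a.lyte.dev {
        reverse_proxy :${toString config.services.plausible.server.port}
      }
      nextcloud.lyte.dev {
        reverse_proxy :${toString 9999}
      }
      git.lyte.dev {
        reverse_proxy :${toString config.services.gitea.settings.server.HTTP_PORT}
      }
      files.lyte.dev {
        # NOTE(review): this is an unauthenticated public listing; with `hide .*`
        # left commented out, dotfiles under the root are listed and served too.
        file_server browse {
          # browse template
          # hide .*
          root /storage/files.lyte.dev
        }
      }
      nix.h.lyte.dev {
        reverse_proxy :${toString config.services.nix-serve.port}
      }

      # proxy everything else to chromebox
      :80 {
        reverse_proxy 10.0.0.5:80
      }
      :443 {
        reverse_proxy 10.0.0.5:443
      }
    '';
  };

  services.vaultwarden = {
    enable = true;
    config = {
      DOMAIN = "https://bw.lyte.dev";
      SIGNUPS_ALLOWED = "false";
      # loopback only; reached through the caddy bw.lyte.dev block above
      ROCKET_ADDRESS = "127.0.0.1";
      ROCKET_PORT = 8222;
    };
  };

  services.gitea = {
    enable = true;
    appName = "git.lyte.dev";
    stateDir = "/storage/gitea";
    settings = {
      server = {
        ROOT_URL = "https://git.lyte.dev";
        # loopback only; reached through the caddy git.lyte.dev block above
        HTTP_ADDR = "127.0.0.1";
        HTTP_PORT = 3088;
        DOMAIN = "git.lyte.dev";
      };
      service = {
        DISABLE_REGISTRATION = true;
      };
      session = {
        COOKIE_SECURE = true;
      };
      log = {
        # TODO: raise the log level
        LEVEL = "Debug";
      };
      ui = {
        THEMES = "catppuccin-mocha-sapphire,gitea,arc-green,auto,pitchblack";
        DEFAULT_THEME = "catppuccin-mocha-sapphire";
      };
    };
    lfs = {
      enable = true;
    };
    dump = {
      enable = true;
    };
    database = {
      # TODO: move to postgres?
      type = "sqlite3";
    };
  };

  # TODO: ensure we're not doing the same dumb thing we were doing on the old host and eating storage
  services.clickhouse.enable = true;

  systemd.services.plausible.serviceConfig.User = "plausible";
  systemd.services.plausible.serviceConfig.Group = "plausible";
  services.plausible = {
    # TODO: enable
    enable = false;
    releaseCookiePath = config.sops.secrets.plausible-erlang-cookie.path;
    database = {
      clickhouse.setup = true;
      postgres = {
        setup = false;
        dbname = "plausible";
      };
    };
    server = {
      baseUrl = "http://beefcake.hare-cod.ts.net:8899";
      disableRegistration = true;
      port = 8899;
      secretKeybaseFile = config.sops.secrets.plausible-secret-key-base.path;
    };
    adminUser = {
      activate = false;
      email = "daniel@lyte.dev";
      passwordFile = config.sops.secrets.plausible-admin-password.path;
    };
  };

  services.postgresql = {
    enable = true;
    ensureDatabases = ["daniel" "plausible" "nextcloud"];
    ensureUsers = [
      {
        name = "daniel";
        ensurePermissions = {
          "DATABASE daniel" = "ALL PRIVILEGES";
        };
      }
      {
        name = "plausible";
        ensurePermissions = {
          "DATABASE plausible" = "ALL PRIVILEGES";
        };
      }
      {
        name = "nextcloud";
        ensurePermissions = {
          "DATABASE nextcloud" = "ALL PRIVILEGES";
        };
      }
    ];
    dataDir = "/storage/postgres";
    enableTCPIP = true;
    package = pkgs.postgresql_15;
    authentication = pkgs.lib.mkOverride 10 ''
      #type database DBuser auth-method
      local all postgres peer map=superuser_map
      local all daniel peer map=superuser_map
      local sameuser all peer map=superuser_map
      local plausible plausible peer map=superuser_map
      local nextcloud nextcloud peer map=superuser_map
      # NOTE(review): `trust` lets any host in these ranges connect as ANY role,
      # including the postgres superuser, with no credential at all. Today only
      # the firewall (5432 is not in allowedTCPPorts below) keeps this off the
      # network; opening that port or trusting tailscale0 would expose it.
      # Prefer scram-sha-256 with per-role passwords, or restrict each line to
      # the specific database/user pair that actually needs remote access.
      # lan ipv4
      host all all 10.0.0.0/24 trust
      # tailnet ipv4
      host all all 100.64.0.0/10 trust
    '';
    identMap = ''
      # ArbitraryMapName systemUser DBUser
      superuser_map root postgres
      superuser_map postgres postgres
      superuser_map daniel postgres
      # Let other names login as themselves
      superuser_map /^(.*)$ \1
    '';
  };

  services.postgresqlBackup = {
    enable = true;
    backupAll = true;
    compression = "none"; # hoping for deduplication here?
    location = "/storage/postgres-backups";
    startAt = "*-*-* 03:00:00";
  };

  services.tailscale = {
    useRoutingFeatures = "server";
  };

  services.jellyfin = {
    enable = true;
    openFirewall = false;
    # uses port 8096 by default, configurable from admin UI
  };
  # NOTE: this server's xeon chips DO NOT seem to support quicksync or graphics in general
  # but I can probably throw in a crappy GPU (or a big, cheap ebay GPU for ML
  # stuff, too?) and get good transcoding performance
  # jellyfin hardware encoding
  # hardware.opengl = {
  #   enable = true;
  #   extraPackages = with pkgs; [
  #     intel-media-driver
  #     vaapiIntel
  #     vaapiVdpau
  #     libvdpau-va-gl
  #     intel-compute-runtime
  #   ];
  # };
  # nixpkgs.config.packageOverrides = pkgs: {
  #   vaapiIntel = pkgs.vaapiIntel.override { enableHybridCodec = true; };
  # };

  services.openssh = {
    listenAddresses = [
      {
        addr = "0.0.0.0";
        port = 64022;
      }
      {
        addr = "0.0.0.0";
        port = 22;
      }
    ];
  };

  # services.lidarr = {
  #   enable = true;
  #   dataDir = "/storage/lidarr";
  # };

  # services.radarr = {
  #   enable = true;
  #   dataDir = "/storage/radarr";
  # };

  # services.sonarr = {
  #   enable = true;
  #   dataDir = "/storage/sonarr";
  # };

  # services.bazarr = {
  #   enable = true;
  #   listenPort = 6767;
  # };

  services.samba-wsdd.enable = true;
  services.samba = {
    enable = true;
    openFirewall = true;
    securityType = "user";
    package = pkgs.sambaFull;
    extraConfig = ''
      workgroup = WORKGROUP
      server string = beefcake
      netbios name = beefcake
      security = user
      #use sendfile = yes
      #max protocol = smb2
      # note: localhost is the ipv6 localhost ::1
      # `hosts allow`/`hosts deny` is the only gate on the guest-writable
      # shares below (libre, public); keep it in sync with the LAN layout.
      hosts allow = 10. 192.168.0. 127.0.0.1 localhost
      hosts deny = 0.0.0.0/0
      guest account = nobody
      map to guest = bad user
      load printers = yes
      printing = cups
      printcap name = cups
    '';
    shares = {
      libre = {
        path = "/storage/libre";
        browseable = "yes";
        "read only" = "no";
        "guest ok" = "yes";
        "create mask" = "0666";
        "directory mask" = "0777";
        "force user" = "nobody";
        "force group" = "users";
      };
      public = {
        path = "/storage/public";
        browseable = "yes";
        "read only" = "no";
        "guest ok" = "yes";
        "create mask" = "0664";
        "directory mask" = "0775";
        "force user" = "nobody";
        "force group" = "users";
      };
      family = {
        path = "/storage/family";
        browseable = "yes";
        "read only" = "no";
        "guest ok" = "no";
        "create mask" = "0664";
        "directory mask" = "0775";
        "force user" = "nobody";
        "force group" = "family";
      };
      daniel = {
        path = "/storage/daniel";
        browseable = "yes";
        "read only" = "no";
        "guest ok" = "no";
        "create mask" = "0640";
        "directory mask" = "0750";
        "force user" = "daniel";
        "force group" = "users";
      };
      printers = {
        comment = "All Printers";
        path = "/var/spool/samba";
        public = "yes";
        browseable = "yes";
        # to allow user 'guest account' to print.
        "guest ok" = "yes";
        writable = "no";
        printable = "yes";
        "create mode" = 0700;
      };
    };
  };

  # paths:
  # TODO: move previous backups over and put here
  # clickhouse and plausible analytics once they're up and running?
  services.restic.backups = let
    # shared settings for every repository; each target overrides repository
    # (and, for remote targets, the sftp command)
    defaults = {
      passwordFile = "/root/restic-localbackup-password";
      paths = [
        "/storage/files.lyte.dev"
        "/storage/daniel"
        "/storage/gitea" # TODO: should maybe use configuration.nix's services.gitea.dump ?
        "/storage/postgres-backups"
        # https://github.com/dani-garcia/vaultwarden/wiki/Backing-up-your-vault
        # specifically, https://github.com/dani-garcia/vaultwarden/wiki/Backing-up-your-vault#sqlite-database-files
        "/var/lib/bitwarden_rs" # does this need any sqlite preprocessing?
        # TODO: backup *arr configs?
      ];
      initialize = true;
      exclude = [];
      timerConfig = {
        OnCalendar = "04:45";
      };
    };
  in {
    local =
      defaults
      // {
        repository = "/storage/backups/local";
      };
    rascal =
      defaults
      // {
        extraOptions = [
          "sftp.command='ssh beefcake@rascal -i /root/.ssh/id_ed25519 -s sftp'"
        ];
        repository = "sftp://beefcake@rascal://storage/backups/beefcake";
      };
    # TODO: add ruby?
    benland =
      defaults
      // {
        extraOptions = [
          "sftp.command='ssh daniel@n.benhaney.com -p 10022 -i /root/.ssh/id_ed25519 -s sftp'"
        ];
        repository = "sftp://daniel@n.benhaney.com://storage/backups/beefcake";
      };
  };

  # services.minecraft-servers.servers.jland = {
  #   enable = true;
  #   package = pkgs.fabricServers.fabric-1_19_2.override {loaderVersion = "0.14.9";};
  #   # Monumental Experience, modpack version 2.2.53, minecraft version 1.19.2
  #   # https://www.curseforge.com/minecraft/modpacks/monumental-experience/files/4826863
  #   # $ nix run nixpkgs#packwiz curseforge import Monumental+Experience-2.2.53.zip
  # };

  virtualisation.oci-containers.backend = "podman";
  virtualisation.oci-containers.containers = {
    minecraft-jland = {
      # sending commands: https://docker-minecraft-server.readthedocs.io/en/latest/commands/
      image = "docker.io/itzg/minecraft-server";
      # run as the jland account declared above rather than container root
      user = "${toString config.users.users.jland.uid}:${toString config.users.groups.jland.gid}";
      extraOptions = [
        "--tty"
        "--interactive"
      ];
      environment = {
        EULA = "true";
        UID = toString config.users.users.jland.uid;
        GID = toString config.users.groups.jland.gid;
        STOP_SERVER_ANNOUNCE_DELAY = "20";
        TZ = "America/Chicago";
        VERSION = "1.19.2";
        MEMORY = "8G";
        MAX_MEMORY = "16G";
        TYPE = "FORGE";
        FORGE_VERSION = "43.3.2";
        ALLOW_FLIGHT = "true";
        MODPACK = "/data/origination-files/Monumental+Experience-2.2.53.zip";
        # TYPE = "AUTO_CURSEFORGE";
        # CF_SLUG = "monumental-experience";
        # CF_FILE_ID = "4826863"; # 2.2.53
        # due to
        # Nov 02 13:45:22 beefcake minecraft-jland[2738672]: me.itzg.helpers.errors.GenericException: The modpack authors have indicated this file is not allowed for project distribution. Please download the client zip file from https://www.curseforge.com/minecraft/modpacks/monumental-experience and pass via CF_MODPACK_ZIP environment variable or place indownloads repo directory.
        # we must upload manually
        # CF_MODPACK_ZIP = "/data/origination-files/Monumental+Experience-2.2.53.zip";
        # ENABLE_AUTOPAUSE = "true"; # TODO: must increate or disable max-tick-time
        # May also have mod/loader incompatibilities?
        # https://docker-minecraft-server.readthedocs.io/en/latest/misc/autopause-autostop/autopause/
      };
      # secrets (the jland.env sops entry) come in via env file, not the image
      environmentFiles = [
        config.sops.secrets."jland.env".path
      ];
      # NOTE(review): this publishes 25565 on every interface; 25565 is not in
      # allowedTCPPorts below, so whether it is reachable from outside depends
      # on how podman's own rules interact with the NixOS firewall -- verify.
      ports = ["25565:25565"];
      volumes = [
        "/storage/jland/data:/data"
        "/storage/jland/worlds:/worlds"
      ];
    };
  };

  networking.firewall.allowedTCPPorts = [
    80 # http (caddy)
    443 # https (caddy)
    # 5357 # ???
    22 # ssh
    64022 # ssh (for ben?)
  ];
  networking.firewall.allowedUDPPorts = [
    # 53 # DNS
    # 3702 # ???
    64020 # mosh (for ben?)
  ];
  networking.firewall.allowedUDPPortRanges = [
    {
      # mosh
      from = 60000;
      to = 60010;
    }
  ];
  networking.firewall = {
    enable = true;
    allowPing = true;
  };

  system.stateVersion = "22.05";
}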