flakes/systems/x86_64-linux/bicboye/default.nix

{
  config,
  lib,
  pkgs,
  userdata,
  ...
}: {
  imports = [./hardware.nix];

  hardware.cpu.intel.updateMicrocode = true;
  hardware.enableRedistributableFirmware = true;

  networking = {
    hostName = "bicboye";
    useDHCP = lib.mkDefault false;
    interfaces.enp2s0 = {
      useDHCP = lib.mkDefault true;
      wakeOnLan.enable = true;
    };
    firewall.allowedTCPPorts = [80 443];
  };

  # Enable weekly btrfs auto-scrub.
  services.btrfs.autoScrub = {
    enable = true;
    interval = "weekly";
    fileSystems = ["/"];
  };

  # Power management, enable powertop and thermald.
  powerManagement.powertop.enable = true;
  services.thermald.enable = true;

  snowflake = {
    stateVersion = "24.05";

    extraPackages = with pkgs; [
      nmap
      recyclarr
    ];

    core.docker.enable = true;
    core.docker.storageDriver = "btrfs";
    core.security.sysctl.enable = lib.mkForce false;

    networking.firewall.enable = true;
    networking.networkManager.enable = true;
    networking.resolved.enable = true;

    hardware.initrd-luks = {
      enable = true;
      authorizedKeys = [
        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIG3PeMbehJBkmv8Ee7xJimTzXoSdmAnxhBatHSdS+saM"
        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOyY8ZkhwWiqJCiTqXvHnLpXQb1qWwSZAoqoSWJI1ogP"
        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJQWA+bAwpm9ca5IhC6q2BsxeQH4WAiKyaht48b7/xkN"
        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKJnFvU6nBXEuZF08zRLFfPpxYjV3o0UayX0zTPbDb7C"
      ];
      availableKernelModules = ["r8169"];
    };

    monitoring = {
      enable = true;
      grafana = {
        domain = "lens.deku.moe";
        adminPasswordFile = userdata.secrets.monitoring.grafana.password;
      };
      victoriametrics.extraPrometheusConfig = [
        {
          job_name = "unpoller";
          static_configs = [
            {
              targets = ["127.0.0.1:${toString config.services.prometheus.exporters.unpoller.port}"];
            }
          ];
        }
        {
          job_name = "router";
          static_configs = [
            {
              targets = ["192.168.69.1:9100"];
            }
          ];
          relabel_configs = [
            {
              source_labels = ["__address__"];
              target_label = "instance";
              regex = "([^:]+)(:[0-9]+)?";
              replacement = "openwrt";
            }
          ];
        }
      ];
    };

    services = {
      arr.enable = true;

      backups = {
        enable = true;
        repository = "b2:restic-nix";
        resticPasswordFile = userdata.secrets.services.backups.password;
        resticEnvironmentFile = userdata.secrets.services.backups.environment;
      };

      fail2ban.enable = true;

      gitea = {
        enable = true;
        domain = "git.deku.moe";
        sshDomain = "git-ssh.deku.moe";
        dbPasswordFile = userdata.secrets.services.gitea.password;
      };

      immich = {
        enable = true;
        domain = "photos.deku.moe";
      };

      miniflux = {
        enable = true;
        domain = "flux.deku.moe";
        adminTokenFile = userdata.secrets.services.miniflux.password;
      };

      nginx = {
        enable = true;
        acmeEmail = "chinmaydpai@gmail.com";
        enableCloudflareRealIP = true;
      };

      ntfy-sh = {
        enable = true;
        domain = "ntfy.deku.moe";
      };

      paperless = {
        enable = true;
        domain = "docs.deku.moe";
        passwordFile = userdata.secrets.services.paperless.password;
        adminUser = "chinmay";
      };

      postgresql = {
        enable = true;
        backup.enable = true;
      };

      vaultwarden = {
        enable = true;
        domain = "bw.deku.moe";
        adminTokenFile = userdata.secrets.services.vaultwarden.password;
      };

      static-site = {
        enable = true;
        package = pkgs.maych-in;
        domain = "maych.in";
      };

      unifi-controller = {
        enable = true;
        unpoller = {
          enable = true;
          passwordFile = userdata.secrets.services.unifi-unpoller.password;
        };
      };
    };

    user = {
      enable = true;
      username = "server";
      description = "Bicboye Server";
      userPasswordAgeModule = userdata.secrets.machines.bicboye.password;
      rootPasswordAgeModule = userdata.secrets.machines.bicboye.root-password;
      extraAuthorizedKeys = [
        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIG3PeMbehJBkmv8Ee7xJimTzXoSdmAnxhBatHSdS+saM"
        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOyY8ZkhwWiqJCiTqXvHnLpXQb1qWwSZAoqoSWJI1ogP"
        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJQWA+bAwpm9ca5IhC6q2BsxeQH4WAiKyaht48b7/xkN"
        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKJnFvU6nBXEuZF08zRLFfPpxYjV3o0UayX0zTPbDb7C"
      ];
    };
  };
}
feat: add nixos configuration based on snowfall-lib Signed-off-by: Chinmay D. Pai <chinmaydpai@gmail.com> 2024-09-02 18:31:19 +05:30			`{`
feat: add modules to bicboye * change interface name from `enp6s0` to `enp2s0` * add arr suite + ntfy deployment, monitoring * add keys for ssh access * add default_server configuration to nginx for security Signed-off-by: Chinmay D. Pai <chinmaydpai@gmail.com> 2024-09-02 19:19:09 +05:30			`config,`
feat: add nixos configuration based on snowfall-lib Signed-off-by: Chinmay D. Pai <chinmaydpai@gmail.com> 2024-09-02 18:31:19 +05:30			`lib,`
			`pkgs,`
			`userdata,`
			`...`
			`}: {`
			`imports = [./hardware.nix];`

			`hardware.cpu.intel.updateMicrocode = true;`
			`hardware.enableRedistributableFirmware = true;`

			`networking = {`
			`hostName = "bicboye";`
			`useDHCP = lib.mkDefault false;`
feat: add modules to bicboye * change interface name from `enp6s0` to `enp2s0` * add arr suite + ntfy deployment, monitoring * add keys for ssh access * add default_server configuration to nginx for security Signed-off-by: Chinmay D. Pai <chinmaydpai@gmail.com> 2024-09-02 19:19:09 +05:30			`interfaces.enp2s0 = {`
feat: add nixos configuration based on snowfall-lib Signed-off-by: Chinmay D. Pai <chinmaydpai@gmail.com> 2024-09-02 18:31:19 +05:30			`useDHCP = lib.mkDefault true;`
			`wakeOnLan.enable = true;`
			`};`
feat: add modules to bicboye * change interface name from `enp6s0` to `enp2s0` * add arr suite + ntfy deployment, monitoring * add keys for ssh access * add default_server configuration to nginx for security Signed-off-by: Chinmay D. Pai <chinmaydpai@gmail.com> 2024-09-02 19:19:09 +05:30			`firewall.allowedTCPPorts = [80 443];`
feat: add nixos configuration based on snowfall-lib Signed-off-by: Chinmay D. Pai <chinmaydpai@gmail.com> 2024-09-02 18:31:19 +05:30			`};`

			`# Enable weekly btrfs auto-scrub.`
			`services.btrfs.autoScrub = {`
			`enable = true;`
			`interval = "weekly";`
			`fileSystems = ["/"];`
			`};`

			`# Power management, enable powertop and thermald.`
			`powerManagement.powertop.enable = true;`
			`services.thermald.enable = true;`

			`snowflake = {`
			`stateVersion = "24.05";`

feat: add modules to bicboye * change interface name from `enp6s0` to `enp2s0` * add arr suite + ntfy deployment, monitoring * add keys for ssh access * add default_server configuration to nginx for security Signed-off-by: Chinmay D. Pai <chinmaydpai@gmail.com> 2024-09-02 19:19:09 +05:30			`extraPackages = with pkgs; [`
			`nmap`
			`recyclarr`
			`];`

feat: add nixos configuration based on snowfall-lib Signed-off-by: Chinmay D. Pai <chinmaydpai@gmail.com> 2024-09-02 18:31:19 +05:30			`core.docker.enable = true;`
			`core.docker.storageDriver = "btrfs";`
			`core.security.sysctl.enable = lib.mkForce false;`

fix: enable firewall on bicboye Signed-off-by: Chinmay D. Pai <chinmaydpai@gmail.com> 2024-09-29 23:28:13 +05:30			`networking.firewall.enable = true;`
feat: add nixos configuration based on snowfall-lib Signed-off-by: Chinmay D. Pai <chinmaydpai@gmail.com> 2024-09-02 18:31:19 +05:30			`networking.networkManager.enable = true;`
feat: add modules to bicboye * change interface name from `enp6s0` to `enp2s0` * add arr suite + ntfy deployment, monitoring * add keys for ssh access * add default_server configuration to nginx for security Signed-off-by: Chinmay D. Pai <chinmaydpai@gmail.com> 2024-09-02 19:19:09 +05:30			`networking.resolved.enable = true;`
feat: add nixos configuration based on snowfall-lib Signed-off-by: Chinmay D. Pai <chinmaydpai@gmail.com> 2024-09-02 18:31:19 +05:30
			`hardware.initrd-luks = {`
			`enable = true;`
			`authorizedKeys = [`
			`"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIG3PeMbehJBkmv8Ee7xJimTzXoSdmAnxhBatHSdS+saM"`
			`"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOyY8ZkhwWiqJCiTqXvHnLpXQb1qWwSZAoqoSWJI1ogP"`
feat: add modules to bicboye * change interface name from `enp6s0` to `enp2s0` * add arr suite + ntfy deployment, monitoring * add keys for ssh access * add default_server configuration to nginx for security Signed-off-by: Chinmay D. Pai <chinmaydpai@gmail.com> 2024-09-02 19:19:09 +05:30			`"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJQWA+bAwpm9ca5IhC6q2BsxeQH4WAiKyaht48b7/xkN"`
			`"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKJnFvU6nBXEuZF08zRLFfPpxYjV3o0UayX0zTPbDb7C"`
feat: add nixos configuration based on snowfall-lib Signed-off-by: Chinmay D. Pai <chinmaydpai@gmail.com> 2024-09-02 18:31:19 +05:30			`];`
			`availableKernelModules = ["r8169"];`
			`};`

feat: add modules to bicboye * change interface name from `enp6s0` to `enp2s0` * add arr suite + ntfy deployment, monitoring * add keys for ssh access * add default_server configuration to nginx for security Signed-off-by: Chinmay D. Pai <chinmaydpai@gmail.com> 2024-09-02 19:19:09 +05:30			`monitoring = {`
			`enable = true;`
			`grafana = {`
			`domain = "lens.deku.moe";`
			`adminPasswordFile = userdata.secrets.monitoring.grafana.password;`
			`};`
			`victoriametrics.extraPrometheusConfig = [`
			`{`
			`job_name = "unpoller";`
			`static_configs = [`
			`{`
			`targets = ["127.0.0.1:${toString config.services.prometheus.exporters.unpoller.port}"];`
			`}`
			`];`
			`}`
			`{`
			`job_name = "router";`
			`static_configs = [`
			`{`
			`targets = ["192.168.69.1:9100"];`
			`}`
			`];`
			`relabel_configs = [`
			`{`
			`source_labels = ["__address__"];`
			`target_label = "instance";`
			`regex = "([^:]+)(:[0-9]+)?";`
			`replacement = "openwrt";`
			`}`
			`];`
			`}`
			`];`
			`};`

feat: add nixos configuration based on snowfall-lib Signed-off-by: Chinmay D. Pai <chinmaydpai@gmail.com> 2024-09-02 18:31:19 +05:30			`services = {`
feat: add modules to bicboye * change interface name from `enp6s0` to `enp2s0` * add arr suite + ntfy deployment, monitoring * add keys for ssh access * add default_server configuration to nginx for security Signed-off-by: Chinmay D. Pai <chinmaydpai@gmail.com> 2024-09-02 19:19:09 +05:30			`arr.enable = true;`

feat: enable restic backup service for vaultwarden and paperless Signed-off-by: Chinmay D. Pai <chinmaydpai@gmail.com> 2024-09-30 01:17:54 +05:30			`backups = {`
			`enable = true;`
			`repository = "b2:restic-nix";`
			`resticPasswordFile = userdata.secrets.services.backups.password;`
			`resticEnvironmentFile = userdata.secrets.services.backups.environment;`
			`};`

chore: enable fail2ban on bicboye Signed-off-by: Chinmay D. Pai <chinmaydpai@gmail.com> 2024-10-05 21:01:54 +05:30			`fail2ban.enable = true;`

feat: add nixos configuration based on snowfall-lib Signed-off-by: Chinmay D. Pai <chinmaydpai@gmail.com> 2024-09-02 18:31:19 +05:30			`gitea = {`
			`enable = true;`
			`domain = "git.deku.moe";`
			`sshDomain = "git-ssh.deku.moe";`
			`dbPasswordFile = userdata.secrets.services.gitea.password;`
			`};`

feat: add module for immich service Signed-off-by: Chinmay D. Pai <chinmaydpai@gmail.com> 2024-09-29 23:32:15 +05:30			`immich = {`
			`enable = true;`
			`domain = "photos.deku.moe";`
			`};`

feat: add nixos configuration based on snowfall-lib Signed-off-by: Chinmay D. Pai <chinmaydpai@gmail.com> 2024-09-02 18:31:19 +05:30			`miniflux = {`
			`enable = true;`
			`domain = "flux.deku.moe";`
			`adminTokenFile = userdata.secrets.services.miniflux.password;`
			`};`

feat: create module for nginx and prepare for fail2ban setup * create new module for nginx * setup cloudflare real_ip_header forwarding for fail2ban setup * add hsts, improve qualys score Signed-off-by: Chinmay D. Pai <chinmaydpai@gmail.com> 2024-10-05 20:52:11 +05:30			`nginx = {`
			`enable = true;`
			`acmeEmail = "chinmaydpai@gmail.com";`
			`enableCloudflareRealIP = true;`
			`};`

feat: add modules to bicboye * change interface name from `enp6s0` to `enp2s0` * add arr suite + ntfy deployment, monitoring * add keys for ssh access * add default_server configuration to nginx for security Signed-off-by: Chinmay D. Pai <chinmaydpai@gmail.com> 2024-09-02 19:19:09 +05:30			`ntfy-sh = {`
			`enable = true;`
			`domain = "ntfy.deku.moe";`
			`};`

feat: add nixos configuration based on snowfall-lib Signed-off-by: Chinmay D. Pai <chinmaydpai@gmail.com> 2024-09-02 18:31:19 +05:30			`paperless = {`
			`enable = true;`
			`domain = "docs.deku.moe";`
			`passwordFile = userdata.secrets.services.paperless.password;`
			`adminUser = "chinmay";`
			`};`

feat: add service for postgresql with upgrade and backup * replace per-app postgresql configuration with a single, global postgres setup * add backup configuration to backup using restic * add cluster upgrade script based on the NixOS Manual: https://nixos.org/manual/nixos/stable/#module-services-postgres-upgrading Signed-off-by: Chinmay D. Pai <chinmaydpai@gmail.com> 2024-09-30 12:01:57 +05:30			`postgresql = {`
			`enable = true;`
			`backup.enable = true;`
			`};`

feat: add nixos configuration based on snowfall-lib Signed-off-by: Chinmay D. Pai <chinmaydpai@gmail.com> 2024-09-02 18:31:19 +05:30			`vaultwarden = {`
			`enable = true;`
			`domain = "bw.deku.moe";`
			`adminTokenFile = userdata.secrets.services.vaultwarden.password;`
			`};`

			`static-site = {`
			`enable = true;`
			`package = pkgs.maych-in;`
			`domain = "maych.in";`
			`};`
chore: enable fail2ban on bicboye Signed-off-by: Chinmay D. Pai <chinmaydpai@gmail.com> 2024-10-05 21:01:54 +05:30
feat: add modules to bicboye * change interface name from `enp6s0` to `enp2s0` * add arr suite + ntfy deployment, monitoring * add keys for ssh access * add default_server configuration to nginx for security Signed-off-by: Chinmay D. Pai <chinmaydpai@gmail.com> 2024-09-02 19:19:09 +05:30			`unifi-controller = {`
			`enable = true;`
			`unpoller = {`
			`enable = true;`
			`passwordFile = userdata.secrets.services.unifi-unpoller.password;`
			`};`
			`};`
feat: add nixos configuration based on snowfall-lib Signed-off-by: Chinmay D. Pai <chinmaydpai@gmail.com> 2024-09-02 18:31:19 +05:30			`};`

			`user = {`
			`enable = true;`
			`username = "server";`
			`description = "Bicboye Server";`
			`userPasswordAgeModule = userdata.secrets.machines.bicboye.password;`
			`rootPasswordAgeModule = userdata.secrets.machines.bicboye.root-password;`
			`extraAuthorizedKeys = [`
			`"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIG3PeMbehJBkmv8Ee7xJimTzXoSdmAnxhBatHSdS+saM"`
			`"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOyY8ZkhwWiqJCiTqXvHnLpXQb1qWwSZAoqoSWJI1ogP"`
feat: add modules to bicboye * change interface name from `enp6s0` to `enp2s0` * add arr suite + ntfy deployment, monitoring * add keys for ssh access * add default_server configuration to nginx for security Signed-off-by: Chinmay D. Pai <chinmaydpai@gmail.com> 2024-09-02 19:19:09 +05:30			`"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJQWA+bAwpm9ca5IhC6q2BsxeQH4WAiKyaht48b7/xkN"`
			`"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKJnFvU6nBXEuZF08zRLFfPpxYjV3o0UayX0zTPbDb7C"`
feat: add nixos configuration based on snowfall-lib Signed-off-by: Chinmay D. Pai <chinmaydpai@gmail.com> 2024-09-02 18:31:19 +05:30			`];`
			`};`
			`};`
			`}`