{
  config,
  lib,
  pkgs,
  userdata,
  ...
}: let
  # Single list of admin public keys, used both by the initrd SSH unlock and
  # by the login user below, so a key revoked in one place cannot linger in
  # the other.
  adminSshKeys = [
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIG3PeMbehJBkmv8Ee7xJimTzXoSdmAnxhBatHSdS+saM"
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOyY8ZkhwWiqJCiTqXvHnLpXQb1qWwSZAoqoSWJI1ogP"
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJQWA+bAwpm9ca5IhC6q2BsxeQH4WAiKyaht48b7/xkN"
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKJnFvU6nBXEuZF08zRLFfPpxYjV3o0UayX0zTPbDb7C"
  ];
in {
  imports = [./hardware.nix];

  # Firmware: CPU microcode updates plus the redistributable firmware blobs.
  hardware = {
    cpu.intel.updateMicrocode = true;
    enableRedistributableFirmware = true;
  };

  networking = {
    hostName = "bicboye";
    # DHCP is off globally and enabled only on the wired interface.
    useDHCP = lib.mkDefault false;
    interfaces.enp2s0 = {
      useDHCP = lib.mkDefault true;
      wakeOnLan.enable = true;
    };
    # Only the nginx front door is opened; every other service stays behind
    # the firewall and is reached through the reverse proxy.
    firewall.allowedTCPPorts = [80 443];
  };

  # Weekly btrfs scrub of the root file system.
  services.btrfs.autoScrub = {
    enable = true;
    interval = "weekly";
    fileSystems = ["/"];
  };

  # Power management: powertop tuning and thermald.
  powerManagement.powertop.enable = true;
  services.thermald.enable = true;

  # TODO: move to module
  security = {
    acme.defaults.email = "chinmaydpai@gmail.com";
    # Host-generated DH parameters for nginx rather than a shipped default set.
    dhparams = {
      enable = true;
      params.nginx = {};
    };
  };

  services.nginx = {
    enable = true;
    recommendedProxySettings = true;
    recommendedOptimisation = true;
    recommendedGzipSettings = true;
    recommendedTlsSettings = true;
    sslDhparam = config.security.dhparams.params.nginx.path;

    # Catch-all default server: requests that match no configured vhost
    # (bare IP, unknown Host or SNI) get neither a certificate nor a reply.
    # ssl_reject_handshake aborts the TLS handshake before any certificate is
    # sent, and 444 closes the connection without an HTTP response.
    # NOTE(review): recent nginx releases deprecate the `http2` parameter on
    # `listen` in favour of a separate `http2 on;` directive — confirm against
    # the nginx version this host actually deploys before switching.
    appendHttpConfig = ''
      server {
        listen 80 http2 default_server;
        listen 443 ssl http2 default_server;

        ssl_reject_handshake on;
        return 444;
      }
    '';
  };

  snowflake = {
    stateVersion = "24.05";

    extraPackages = [
      pkgs.nmap
      pkgs.recyclarr
    ];

    core = {
      docker = {
        enable = true;
        storageDriver = "btrfs";
      };
      # NOTE(review): the shared hardening sysctls are force-disabled on this
      # host; confirm the reason and record it here, since this silently drops
      # whatever core.security.sysctl would otherwise apply.
      security.sysctl.enable = lib.mkForce false;
    };

    networking = {
      firewall.enable = true;
      networkManager.enable = true;
      resolved.enable = true;
    };

    # Remote LUKS unlock: SSH in the initrd, with the r8169 NIC driver
    # available early so the interface comes up before the root is unlocked.
    hardware.initrd-luks = {
      enable = true;
      authorizedKeys = adminSshKeys;
      availableKernelModules = ["r8169"];
    };

    monitoring = {
      enable = true;
      grafana = {
        domain = "lens.deku.moe";
        # Credential comes from userdata.secrets, not a literal in this file.
        adminPasswordFile = userdata.secrets.monitoring.grafana.password;
      };
      victoriametrics.extraPrometheusConfig = [
        {
          # Local unpoller exporter on whatever port the exporter module picks.
          job_name = "unpoller";
          static_configs = [
            {targets = ["127.0.0.1:${toString config.services.prometheus.exporters.unpoller.port}"];}
          ];
        }
        {
          # Router node exporter, scraped in the clear over the LAN.
          job_name = "router";
          static_configs = [
            {targets = ["192.168.69.1:9100"];}
          ];
          # Report the router under a stable instance name instead of its address.
          relabel_configs = [
            {
              source_labels = ["__address__"];
              target_label = "instance";
              regex = "([^:]+)(:[0-9]+)?";
              replacement = "openwrt";
            }
          ];
        }
      ];
    };

    # Every service credential below is a reference into userdata.secrets;
    # nothing sensitive is inlined here.
    services = {
      arr.enable = true;

      backups = {
        enable = true;
        repository = "b2:restic-nix";
        resticPasswordFile = userdata.secrets.services.backups.password;
        resticEnvironmentFile = userdata.secrets.services.backups.environment;
      };

      gitea = {
        enable = true;
        domain = "git.deku.moe";
        sshDomain = "git-ssh.deku.moe";
        dbPasswordFile = userdata.secrets.services.gitea.password;
      };

      immich = {
        enable = true;
        domain = "photos.deku.moe";
      };

      miniflux = {
        enable = true;
        domain = "flux.deku.moe";
        adminTokenFile = userdata.secrets.services.miniflux.password;
      };

      ntfy-sh = {
        enable = true;
        domain = "ntfy.deku.moe";
      };

      paperless = {
        enable = true;
        domain = "docs.deku.moe";
        passwordFile = userdata.secrets.services.paperless.password;
        adminUser = "chinmay";
      };

      postgresql = {
        enable = true;
        backup.enable = true;
        upgrade.enable = true;
      };

      vaultwarden = {
        enable = true;
        domain = "bw.deku.moe";
        adminTokenFile = userdata.secrets.services.vaultwarden.password;
      };

      static-site = {
        enable = true;
        package = pkgs.maych-in;
        domain = "maych.in";
      };

      unifi-controller = {
        enable = true;
        unpoller = {
          enable = true;
          passwordFile = userdata.secrets.services.unifi-unpoller.password;
        };
      };
    };

    user = {
      enable = true;
      username = "server";
      description = "Bicboye Server";
      userPasswordAgeModule = userdata.secrets.machines.bicboye.password;
      rootPasswordAgeModule = userdata.secrets.machines.bicboye.root-password;
      # Same key set as the initrd unlock above.
      extraAuthorizedKeys = adminSshKeys;
    };
  };
}