No commits in common. "8f4c7fe4cc7fe14236a746afef4e123c84508542" and "3a3a8afe306d10dc91a133eacb9102100a9d574f" have entirely different histories.
8f4c7fe4cc
...
3a3a8afe30
8
data.nix
8
data.nix
@ -10,11 +10,6 @@
|
|||||||
root-password.file = ./secrets/machines/bicboye/root-password.age;
|
root-password.file = ./secrets/machines/bicboye/root-password.age;
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
monitoring = {
|
|
||||||
grafana = {
|
|
||||||
password.file = ./secrets/monitoring/grafana/password.age;
|
|
||||||
};
|
|
||||||
};
|
|
||||||
services = {
|
services = {
|
||||||
gitea = {
|
gitea = {
|
||||||
password.file = ./secrets/services/gitea/password.age;
|
password.file = ./secrets/services/gitea/password.age;
|
||||||
@ -25,9 +20,6 @@
|
|||||||
paperless = {
|
paperless = {
|
||||||
password.file = ./secrets/services/paperless/password.age;
|
password.file = ./secrets/services/paperless/password.age;
|
||||||
};
|
};
|
||||||
unifi-unpoller = {
|
|
||||||
password.file = ./secrets/services/unifi-unpoller/password.age;
|
|
||||||
};
|
|
||||||
vaultwarden = {
|
vaultwarden = {
|
||||||
password.file = ./secrets/services/vaultwarden/password.age;
|
password.file = ./secrets/services/vaultwarden/password.age;
|
||||||
};
|
};
|
||||||
|
@ -24,9 +24,9 @@
|
|||||||
|
|
||||||
config = {
|
config = {
|
||||||
console = {
|
console = {
|
||||||
font = "Lat2-Terminus16";
|
|
||||||
keyMap = lib.mkDefault "us";
|
keyMap = lib.mkDefault "us";
|
||||||
useXkbConfig = true;
|
useXkbConfig = true;
|
||||||
|
font = lib.mkDefault "${pkgs.terminus_font}/share/consolefonts/ter-u28n.psf.gz";
|
||||||
};
|
};
|
||||||
|
|
||||||
# Enable all snowflake core modules.
|
# Enable all snowflake core modules.
|
||||||
@ -46,6 +46,7 @@
|
|||||||
kernelParams = [
|
kernelParams = [
|
||||||
"pcie_aspm.policy=performance"
|
"pcie_aspm.policy=performance"
|
||||||
"nmi_watchdog=0"
|
"nmi_watchdog=0"
|
||||||
|
"udev.log_level=3"
|
||||||
];
|
];
|
||||||
|
|
||||||
loader = {
|
loader = {
|
||||||
|
@ -20,6 +20,7 @@
|
|||||||
autoPrune = {
|
autoPrune = {
|
||||||
enable = true;
|
enable = true;
|
||||||
};
|
};
|
||||||
|
extraOptions = "--iptables=False";
|
||||||
inherit (config.snowflake.core.docker) storageDriver;
|
inherit (config.snowflake.core.docker) storageDriver;
|
||||||
};
|
};
|
||||||
|
|
||||||
|
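Review bot: The added `extraOptions = "--iptables=False";` carries no comment explaining why Docker's own iptables management is switched off, and the consequences are not obvious to the next reader. With this flag the daemon stops writing its NAT and filter rules, so published container ports are presumably meant to stay behind the NixOS firewall, but outbound NAT and forwarding for containers then have to be provided by the host. I would put a line above it such as `# Stop Docker writing its own iptables rules so published ports stay behind the host firewall; container NAT/forwarding must be configured on the host.` and spell the value `false` as the Docker documentation does. The enclosing attribute set starts outside the hunk.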
@ -1,23 +0,0 @@
|
|||||||
{
|
|
||||||
config,
|
|
||||||
lib,
|
|
||||||
...
|
|
||||||
}: {
|
|
||||||
options.snowflake.monitoring.enable = lib.mkEnableOption "Enable the base monitoring stack configuration";
|
|
||||||
|
|
||||||
config = lib.mkIf config.snowflake.monitoring.enable {
|
|
||||||
# Enable base snowflake monitoring modules.
|
|
||||||
snowflake.monitoring = {
|
|
||||||
victoriametrics.enable = lib.mkDefault true;
|
|
||||||
grafana.enable = lib.mkDefault true;
|
|
||||||
exporter.collectd.enable = lib.mkDefault true;
|
|
||||||
exporter.node.enable = lib.mkDefault true;
|
|
||||||
exporter.systemd.enable = lib.mkDefault true;
|
|
||||||
# NOTE: Extra modules such as unifi-unpoller can be
|
|
||||||
# enabled in the system configuration manually.
|
|
||||||
# For example:
|
|
||||||
# exporter.unifi = true;
|
|
||||||
# Check exporter/default.nix for more details.
|
|
||||||
};
|
|
||||||
};
|
|
||||||
}
|
|
@ -1,33 +0,0 @@
|
|||||||
{
|
|
||||||
config,
|
|
||||||
lib,
|
|
||||||
...
|
|
||||||
}: {
|
|
||||||
options.snowflake.monitoring.exporter = {
|
|
||||||
collectd.enable = lib.mkEnableOption "Enable collectd exporter service";
|
|
||||||
node.enable = lib.mkEnableOption "Enable node-exporter service";
|
|
||||||
systemd.enable = lib.mkEnableOption "Enable systemd exporter service";
|
|
||||||
};
|
|
||||||
|
|
||||||
config = let
|
|
||||||
cfg = config.snowflake.monitoring.exporter;
|
|
||||||
in {
|
|
||||||
services.prometheus.exporters = {
|
|
||||||
collectd.enable = cfg.collectd.enable;
|
|
||||||
node.enable = cfg.node.enable;
|
|
||||||
systemd.enable = cfg.systemd.enable;
|
|
||||||
# NOTE: These are the base monitoring modules meant to
|
|
||||||
# be enabled by default as sane defaults.
|
|
||||||
# Extra options for the defined exporters or custom exporters
|
|
||||||
# can be added to machine configuration manually.
|
|
||||||
# For example:
|
|
||||||
# services.prometheus.exporters.unifi = {
|
|
||||||
# enable = true;
|
|
||||||
# unifiUsername = "username";
|
|
||||||
# unifiPassword = "password";
|
|
||||||
# unifiInsecure = true;
|
|
||||||
# };
|
|
||||||
# This can then be added to the vmagent configuration as extraConfig.
|
|
||||||
};
|
|
||||||
};
|
|
||||||
}
|
|
@ -1,90 +0,0 @@
|
|||||||
{
|
|
||||||
config,
|
|
||||||
lib,
|
|
||||||
pkgs,
|
|
||||||
...
|
|
||||||
}: {
|
|
||||||
options.snowflake.monitoring.grafana = let
|
|
||||||
settingsFormat = pkgs.formats.yaml {};
|
|
||||||
in {
|
|
||||||
enable = lib.mkEnableOption "Enable grafana for monitoring stack";
|
|
||||||
|
|
||||||
domain = lib.mkOption {
|
|
||||||
type = lib.types.str;
|
|
||||||
default = "";
|
|
||||||
description = "Configuration domain to use for the grafana service";
|
|
||||||
};
|
|
||||||
|
|
||||||
adminPasswordFile = lib.mkOption {
|
|
||||||
description = "Age module containing the administrator password to use for grafana";
|
|
||||||
};
|
|
||||||
|
|
||||||
port = lib.mkOption {
|
|
||||||
type = lib.types.port;
|
|
||||||
default = 3010;
|
|
||||||
description = "Configuration port to use for the grafana service";
|
|
||||||
};
|
|
||||||
|
|
||||||
extraDatasourceConfig = lib.mkOption {
|
|
||||||
description = "Extra datasource configuration for grafana";
|
|
||||||
type = lib.types.listOf (lib.types.submodule {freeformType = settingsFormat.type;});
|
|
||||||
default = [];
|
|
||||||
};
|
|
||||||
};
|
|
||||||
|
|
||||||
config = let
|
|
||||||
cfg = config.snowflake.monitoring.grafana;
|
|
||||||
in
|
|
||||||
lib.mkIf cfg.enable {
|
|
||||||
age.secrets.grafana = {
|
|
||||||
inherit (cfg.adminPasswordFile) file;
|
|
||||||
owner = "grafana";
|
|
||||||
group = "grafana";
|
|
||||||
};
|
|
||||||
|
|
||||||
services.grafana = {
|
|
||||||
enable = true;
|
|
||||||
|
|
||||||
settings = {
|
|
||||||
server = {
|
|
||||||
http_addr = "127.0.0.1";
|
|
||||||
http_port = cfg.port;
|
|
||||||
};
|
|
||||||
|
|
||||||
analytics = {
|
|
||||||
reporting_enabled = false;
|
|
||||||
feedback_links_enabled = false;
|
|
||||||
};
|
|
||||||
security.admin_password = "$__file{${config.age.secrets.grafana.path}}";
|
|
||||||
};
|
|
||||||
|
|
||||||
provision = {
|
|
||||||
enable = true;
|
|
||||||
|
|
||||||
datasources.settings.datasources =
|
|
||||||
[]
|
|
||||||
++ lib.optional config.services.victoriametrics.enable {
|
|
||||||
name = "Victoriametrics";
|
|
||||||
type = "prometheus";
|
|
||||||
access = "proxy";
|
|
||||||
url = "http://127.0.0.1:${toString config.snowflake.monitoring.victoriametrics.port}";
|
|
||||||
}
|
|
||||||
++ cfg.extraDatasourceConfig;
|
|
||||||
};
|
|
||||||
};
|
|
||||||
|
|
||||||
# Requires services.nginx.enable.
|
|
||||||
services.nginx = {
|
|
||||||
virtualHosts = {
|
|
||||||
"${cfg.domain}" = {
|
|
||||||
serverName = "${cfg.domain}";
|
|
||||||
enableACME = true;
|
|
||||||
forceSSL = true;
|
|
||||||
locations."/" = {
|
|
||||||
proxyPass = "http://${config.services.grafana.settings.server.http_addr}:${toString config.services.grafana.settings.server.http_port}/";
|
|
||||||
};
|
|
||||||
};
|
|
||||||
};
|
|
||||||
};
|
|
||||||
};
|
|
||||||
}
|
|
@ -1,81 +0,0 @@
|
|||||||
{
|
|
||||||
config,
|
|
||||||
lib,
|
|
||||||
pkgs,
|
|
||||||
...
|
|
||||||
}: {
|
|
||||||
options.snowflake.monitoring.victoriametrics = let
|
|
||||||
settingsFormat = pkgs.formats.json {};
|
|
||||||
in {
|
|
||||||
enable = lib.mkEnableOption "Enable victoriametrics and vmagent stack";
|
|
||||||
|
|
||||||
port = lib.mkOption {
|
|
||||||
type = lib.types.port;
|
|
||||||
default = 8428;
|
|
||||||
description = "Port to listen on for victoriametrics";
|
|
||||||
};
|
|
||||||
|
|
||||||
extraPrometheusConfig = lib.mkOption {
|
|
||||||
description = "Extra prometheus scrape config for vmagent";
|
|
||||||
type = lib.types.listOf (lib.types.submodule {freeformType = settingsFormat.type;});
|
|
||||||
default = [];
|
|
||||||
};
|
|
||||||
};
|
|
||||||
|
|
||||||
config = let
|
|
||||||
cfg = config.snowflake.monitoring.victoriametrics;
|
|
||||||
exporterCfg = config.services.prometheus.exporters;
|
|
||||||
in
|
|
||||||
lib.mkIf cfg.enable {
|
|
||||||
services.victoriametrics = {
|
|
||||||
enable = cfg.enable;
|
|
||||||
listenAddress = "127.0.0.1:${toString cfg.port}";
|
|
||||||
retentionPeriod = 3;
|
|
||||||
};
|
|
||||||
services.vmagent = {
|
|
||||||
enable = cfg.enable;
|
|
||||||
remoteWrite.url = "http://${config.services.victoriametrics.listenAddress}/api/v1/write";
|
|
||||||
prometheusConfig = {
|
|
||||||
global = {
|
|
||||||
scrape_interval = "1m";
|
|
||||||
scrape_timeout = "30s";
|
|
||||||
};
|
|
||||||
scrape_configs =
|
|
||||||
[]
|
|
||||||
++ lib.optional exporterCfg.node.enable {
|
|
||||||
job_name = "node";
|
|
||||||
static_configs = [
|
|
||||||
{
|
|
||||||
targets = ["127.0.0.1:${toString exporterCfg.node.port}"];
|
|
||||||
}
|
|
||||||
];
|
|
||||||
relabel_configs = [
|
|
||||||
{
|
|
||||||
source_labels = ["__address__"];
|
|
||||||
target_label = "instance";
|
|
||||||
regex = "([^:]+)(:[0-9]+)?";
|
|
||||||
replacement = config.networking.hostName;
|
|
||||||
}
|
|
||||||
];
|
|
||||||
}
|
|
||||||
++ lib.optional exporterCfg.collectd.enable {
|
|
||||||
job_name = "collectd";
|
|
||||||
static_configs = [
|
|
||||||
{
|
|
||||||
targets = ["127.0.0.1:${toString exporterCfg.collectd.port}"];
|
|
||||||
}
|
|
||||||
];
|
|
||||||
}
|
|
||||||
++ lib.optional exporterCfg.systemd.enable {
|
|
||||||
job_name = "systemd";
|
|
||||||
static_configs = [
|
|
||||||
{
|
|
||||||
targets = ["127.0.0.1:${toString exporterCfg.systemd.port}"];
|
|
||||||
}
|
|
||||||
];
|
|
||||||
}
|
|
||||||
++ cfg.extraPrometheusConfig;
|
|
||||||
};
|
|
||||||
};
|
|
||||||
};
|
|
||||||
}
|
|
@ -1,18 +0,0 @@
|
|||||||
{
|
|
||||||
config,
|
|
||||||
lib,
|
|
||||||
...
|
|
||||||
}: {
|
|
||||||
options.snowflake.services.bazarr = {
|
|
||||||
enable = lib.mkEnableOption "Enable bazarr deployment configuration";
|
|
||||||
};
|
|
||||||
|
|
||||||
# NOTE: No good subtitle providers are available right now.
|
|
||||||
# There's no need to enable bazarr, private trackers have decent
|
|
||||||
# subtitles for releases.
|
|
||||||
config = lib.mkIf config.snowflake.services.bazarr.enable {
|
|
||||||
services.bazarr.enable = true;
|
|
||||||
services.bazarr.group = "media";
|
|
||||||
services.bazarr.openFirewall = true;
|
|
||||||
};
|
|
||||||
}
|
|
@ -1,32 +1,51 @@
|
|||||||
{
|
{
|
||||||
config,
|
config,
|
||||||
lib,
|
lib,
|
||||||
|
pkgs,
|
||||||
...
|
...
|
||||||
}: {
|
}: {
|
||||||
options.snowflake.services.arr = {
|
options.snowflake.services.arr = {
|
||||||
enable = lib.mkEnableOption "Enable arr suite configuration";
|
enable = lib.mkEnableOption "Enable arr suite configuration";
|
||||||
monitoring = {
|
jellyfin.enable = lib.mkEnableOption "Enable jellyfin configuration for NixOS";
|
||||||
enable = lib.mkEnableOption "Enable monitoring for arr suite";
|
# mediaDir = lib.mkOption {
|
||||||
sonarrApiKeyFile = lib.mkOption {
|
# type = lib.types.path;
|
||||||
description = "Age module containing the sonarr API Key to use for monitoring";
|
# description = "Path to media storage directory, accessible by all *arr suite applications";
|
||||||
};
|
# };
|
||||||
radarrApiKeyFile = lib.mkOption {
|
|
||||||
description = "Age module containing the radarr API Key to use for monitoring";
|
|
||||||
};
|
|
||||||
};
|
|
||||||
};
|
};
|
||||||
|
|
||||||
config = lib.mkIf config.snowflake.services.arr.enable {
|
config = let
|
||||||
snowflake.services = {
|
cfg = config.snowflake.services.arr;
|
||||||
jellyfin.enable = true;
|
in
|
||||||
jellyseerr.enable = true;
|
lib.mkIf cfg.enable {
|
||||||
radarr.enable = true;
|
services.jellyfin = {
|
||||||
sonarr.enable = true;
|
enable = cfg.jellyfin.enable;
|
||||||
prowlarr.enable = true;
|
|
||||||
qbittorrent-nox = {
|
|
||||||
enable = true;
|
|
||||||
openFirewall = true;
|
openFirewall = true;
|
||||||
};
|
};
|
||||||
|
|
||||||
|
users.groups.media = {
|
||||||
|
members = ["@wheel" "jellyfin"];
|
||||||
|
};
|
||||||
|
|
||||||
|
nixpkgs.config.packageOverrides = pkgs: {
|
||||||
|
jellyfin-ffmpeg = pkgs.jellyfin-ffmpeg.override {
|
||||||
|
ffmpeg_6-full = pkgs.ffmpeg_6-full.override {
|
||||||
|
withMfx = false;
|
||||||
|
withVpl = true;
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
|
hardware.graphics = {
|
||||||
|
enable = true;
|
||||||
|
extraPackages = with pkgs; [
|
||||||
|
intel-media-driver
|
||||||
|
intel-compute-runtime
|
||||||
|
onevpl-intel-gpu
|
||||||
|
libvdpau-va-gl
|
||||||
|
];
|
||||||
|
};
|
||||||
|
|
||||||
|
services.jellyseerr.enable = true;
|
||||||
|
services.jellyseerr.openFirewall = true;
|
||||||
};
|
};
|
||||||
};
|
|
||||||
}
|
}
|
||||||
|
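Review bot: On the new side `openFirewall = true;` under `services.jellyfin` and `services.jellyseerr.openFirewall = true;` are hard-coded, so enabling `snowflake.services.arr` opens both web UIs on the host firewall over plain HTTP, while the nginx vhosts with `forceSSL = true;` that fronted them are deleted elsewhere in this comparison. I would make this opt-in, e.g. `openFirewall = lib.mkEnableOption "Open firewall ports for the arr suite";` in the options and `openFirewall = cfg.openFirewall;` in both services, or keep them behind a TLS reverse proxy. `services.jellyseerr.enable = true;` and the `hardware.graphics` block also apply when `jellyfin.enable` is false, which looks unintended. Separately, `members = ["@wheel" "jellyfin"];` deserves a check: `users.groups.<name>.members` takes user names, and `"@wheel"` reads like a group reference that this option presumably does not expand.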
@ -1,66 +0,0 @@
|
|||||||
{
|
|
||||||
config,
|
|
||||||
lib,
|
|
||||||
pkgs,
|
|
||||||
...
|
|
||||||
}: {
|
|
||||||
options.snowflake.services.jellyfin = {
|
|
||||||
enable = lib.mkEnableOption "Enable jellyfin deployment configuration";
|
|
||||||
};
|
|
||||||
|
|
||||||
config = let
|
|
||||||
cfg = config.snowflake.services.jellyfin;
|
|
||||||
in
|
|
||||||
lib.mkIf cfg.enable {
|
|
||||||
services.jellyfin = {
|
|
||||||
enable = true;
|
|
||||||
openFirewall = true;
|
|
||||||
};
|
|
||||||
|
|
||||||
users.groups.media = {
|
|
||||||
members = ["@wheel" "jellyfin"];
|
|
||||||
};
|
|
||||||
|
|
||||||
nixpkgs.config.packageOverrides = pkgs: {
|
|
||||||
jellyfin-ffmpeg = pkgs.jellyfin-ffmpeg.override {
|
|
||||||
ffmpeg_6-full = pkgs.ffmpeg_6-full.override {
|
|
||||||
withMfx = false;
|
|
||||||
withVpl = true;
|
|
||||||
};
|
|
||||||
};
|
|
||||||
vaapiIntel = pkgs.vaapiIntel.override {enableHybridCodec = true;};
|
|
||||||
};
|
|
||||||
|
|
||||||
environment.systemPackages = with pkgs; [
|
|
||||||
jellyfin-ffmpeg
|
|
||||||
];
|
|
||||||
|
|
||||||
hardware.graphics = {
|
|
||||||
enable = true;
|
|
||||||
extraPackages = with pkgs; [
|
|
||||||
intel-media-driver
|
|
||||||
intel-compute-runtime
|
|
||||||
vpl-gpu-rt
|
|
||||||
vaapiIntel
|
|
||||||
vaapiVdpau
|
|
||||||
libvdpau-va-gl
|
|
||||||
];
|
|
||||||
};
|
|
||||||
|
|
||||||
services.jellyseerr.enable = true;
|
|
||||||
services.jellyseerr.openFirewall = true;
|
|
||||||
|
|
||||||
services.nginx = {
|
|
||||||
virtualHosts = {
|
|
||||||
"jelly.deku.moe" = {
|
|
||||||
serverName = "jelly.deku.moe";
|
|
||||||
enableACME = true;
|
|
||||||
forceSSL = true;
|
|
||||||
locations."/" = {
|
|
||||||
proxyPass = "http://localhost:8096/";
|
|
||||||
};
|
|
||||||
};
|
|
||||||
};
|
|
||||||
};
|
|
||||||
};
|
|
||||||
}
|
|
@ -1,26 +0,0 @@
|
|||||||
{
|
|
||||||
config,
|
|
||||||
lib,
|
|
||||||
...
|
|
||||||
}: {
|
|
||||||
options.snowflake.services.jellyseerr = {
|
|
||||||
enable = lib.mkEnableOption "Enable jellyseerr deployment configuration";
|
|
||||||
};
|
|
||||||
|
|
||||||
config = lib.mkIf config.snowflake.services.jellyseerr.enable {
|
|
||||||
services.jellyseerr.enable = true;
|
|
||||||
services.jellyseerr.openFirewall = true;
|
|
||||||
services.nginx = {
|
|
||||||
virtualHosts = {
|
|
||||||
"seerr.deku.moe" = {
|
|
||||||
serverName = "seerr.deku.moe";
|
|
||||||
enableACME = true;
|
|
||||||
forceSSL = true;
|
|
||||||
locations."/" = {
|
|
||||||
proxyPass = "http://localhost:5055/";
|
|
||||||
};
|
|
||||||
};
|
|
||||||
};
|
|
||||||
};
|
|
||||||
};
|
|
||||||
}
|
|
@ -1,14 +0,0 @@
|
|||||||
{
|
|
||||||
config,
|
|
||||||
lib,
|
|
||||||
...
|
|
||||||
}: {
|
|
||||||
options.snowflake.services.prowlarr = {
|
|
||||||
enable = lib.mkEnableOption "Enable prowlarr deployment configuration";
|
|
||||||
};
|
|
||||||
|
|
||||||
config = lib.mkIf config.snowflake.services.prowlarr.enable {
|
|
||||||
services.prowlarr.enable = true;
|
|
||||||
services.prowlarr.openFirewall = true;
|
|
||||||
};
|
|
||||||
}
|
|
@ -1,76 +0,0 @@
|
|||||||
{
|
|
||||||
config,
|
|
||||||
lib,
|
|
||||||
pkgs,
|
|
||||||
namespace,
|
|
||||||
...
|
|
||||||
}: {
|
|
||||||
options.snowflake.services.qbittorrent-nox = {
|
|
||||||
enable = lib.mkEnableOption "Enable qbittorrent-nox service configuration";
|
|
||||||
|
|
||||||
package = lib.mkPackageOption pkgs "qbittorrent-nox" {};
|
|
||||||
|
|
||||||
openFirewall = lib.mkOption {
|
|
||||||
description = "Allow firewall access for qbittorrent-nox";
|
|
||||||
type = lib.types.bool;
|
|
||||||
default = false;
|
|
||||||
};
|
|
||||||
|
|
||||||
uiPort = lib.mkOption {
|
|
||||||
description = "Web UI Port for qbittorrent-nox";
|
|
||||||
type = lib.types.port;
|
|
||||||
default = 8069;
|
|
||||||
};
|
|
||||||
|
|
||||||
torrentPort = lib.mkOption {
|
|
||||||
description = "Torrenting port";
|
|
||||||
type = with lib.types; nullOr port;
|
|
||||||
default = 64211;
|
|
||||||
};
|
|
||||||
};
|
|
||||||
|
|
||||||
config = let
|
|
||||||
cfg = config.snowflake.services.qbittorrent-nox;
|
|
||||||
in
|
|
||||||
lib.mkIf cfg.enable {
|
|
||||||
networking.firewall.allowedTCPPorts =
|
|
||||||
lib.optional (cfg.openFirewall && cfg.torrentPort != null) cfg.torrentPort
|
|
||||||
++ lib.optional cfg.openFirewall cfg.uiPort;
|
|
||||||
networking.firewall.allowedUDPPorts =
|
|
||||||
lib.optional (cfg.openFirewall && cfg.torrentPort != null) cfg.torrentPort;
|
|
||||||
|
|
||||||
users.users.qbittorrent-nox = {
|
|
||||||
isSystemUser = true;
|
|
||||||
group = "media";
|
|
||||||
home = "/var/lib/qbittorrent-nox";
|
|
||||||
};
|
|
||||||
|
|
||||||
systemd.services.qbittorrent-nox = {
|
|
||||||
description = "qBittorrent-nox service";
|
|
||||||
wants = ["network-online.target"];
|
|
||||||
after = ["local-fs.target" "network-online.target" "nss-lookup.target"];
|
|
||||||
wantedBy = ["multi-user.target"];
|
|
||||||
unitConfig.Documentation = "man:qbittorrent-nox(1)";
|
|
||||||
# required for reverse proxying
|
|
||||||
preStart = ''
|
|
||||||
rm -rf /var/lib/qbittorrent-nox/qBittorrent/config/vuetorrent
|
|
||||||
ln -sf ${pkgs.${namespace}.vuetorrent} /var/lib/qbittorrent-nox/qBittorrent/config/vuetorrent
|
|
||||||
|
|
||||||
if [[ ! -f /var/lib/qbittorrent-nox/qBittorrent/config/qBittorrent.conf ]]; then
|
|
||||||
mkdir -p /var/lib/qbittorrent-nox/qBittorrent/config
|
|
||||||
echo "Preferences\WebUI\HostHeaderValidation=false" >> /var/lib/qbittorrent-nox/qBittorrent/config/qBittorrent.conf
|
|
||||||
fi
|
|
||||||
'';
|
|
||||||
serviceConfig = {
|
|
||||||
User = "qbittorrent-nox";
|
|
||||||
Group = "media";
|
|
||||||
StateDirectory = "qbittorrent-nox";
|
|
||||||
WorkingDirectory = "/var/lib/qbittorrent-nox";
|
|
||||||
ExecStart = ''
|
|
||||||
${cfg.package}/bin/qbittorrent-nox ${lib.optionalString (cfg.torrentPort != null) "--torrenting-port=${toString cfg.torrentPort}"} \
|
|
||||||
--webui-port=${toString cfg.uiPort} --profile=/var/lib/qbittorrent-nox
|
|
||||||
'';
|
|
||||||
};
|
|
||||||
};
|
|
||||||
};
|
|
||||||
}
|
|
@ -1,15 +0,0 @@
|
|||||||
{
|
|
||||||
config,
|
|
||||||
lib,
|
|
||||||
...
|
|
||||||
}: {
|
|
||||||
options.snowflake.services.radarr = {
|
|
||||||
enable = lib.mkEnableOption "Enable radarr deployment configuration";
|
|
||||||
};
|
|
||||||
|
|
||||||
config = lib.mkIf config.snowflake.services.radarr.enable {
|
|
||||||
services.radarr.enable = true;
|
|
||||||
services.radarr.group = "media";
|
|
||||||
services.radarr.openFirewall = true;
|
|
||||||
};
|
|
||||||
}
|
|
@ -1,15 +0,0 @@
|
|||||||
{
|
|
||||||
config,
|
|
||||||
lib,
|
|
||||||
...
|
|
||||||
}: {
|
|
||||||
options.snowflake.services.sonarr = {
|
|
||||||
enable = lib.mkEnableOption "Enable sonarr deployment configuration";
|
|
||||||
};
|
|
||||||
|
|
||||||
config = lib.mkIf config.snowflake.services.sonarr.enable {
|
|
||||||
services.sonarr.enable = true;
|
|
||||||
services.sonarr.group = "media";
|
|
||||||
services.sonarr.openFirewall = true;
|
|
||||||
};
|
|
||||||
}
|
|
@ -1,8 +1,5 @@
|
|||||||
|
{ config, lib, ... }:
|
||||||
{
|
{
|
||||||
config,
|
|
||||||
lib,
|
|
||||||
...
|
|
||||||
}: {
|
|
||||||
options.snowflake.services.gitea = {
|
options.snowflake.services.gitea = {
|
||||||
enable = lib.mkEnableOption "Enable gitea service";
|
enable = lib.mkEnableOption "Enable gitea service";
|
||||||
|
|
||||||
@ -63,7 +60,7 @@
|
|||||||
HTTP_ADDR = "127.0.0.1";
|
HTTP_ADDR = "127.0.0.1";
|
||||||
HTTP_PORT = config.snowflake.services.gitea.httpPort;
|
HTTP_PORT = config.snowflake.services.gitea.httpPort;
|
||||||
ROOT_URL = "https://${config.snowflake.services.gitea.domain}";
|
ROOT_URL = "https://${config.snowflake.services.gitea.domain}";
|
||||||
SSH_DOMAIN = config.snowflake.services.gitea.sshDomain;
|
SSH_DOMAIN = "https://${config.snowflake.services.gitea.sshDomain}";
|
||||||
SSH_PORT = config.snowflake.services.gitea.sshPort;
|
SSH_PORT = config.snowflake.services.gitea.sshPort;
|
||||||
};
|
};
|
||||||
service = {
|
service = {
|
||||||
@ -84,7 +81,7 @@
|
|||||||
};
|
};
|
||||||
|
|
||||||
networking.firewall = lib.mkIf config.networking.firewall.enable {
|
networking.firewall = lib.mkIf config.networking.firewall.enable {
|
||||||
allowedTCPPorts = [config.snowflake.services.gitea.sshPort];
|
allowedTCPPorts = [ config.snowflake.services.gitea.sshPort ];
|
||||||
};
|
};
|
||||||
|
|
||||||
users.users.git = {
|
users.users.git = {
|
||||||
@ -94,7 +91,7 @@
|
|||||||
group = "git";
|
group = "git";
|
||||||
isSystemUser = true;
|
isSystemUser = true;
|
||||||
};
|
};
|
||||||
users.groups.git = {};
|
users.groups.git = { };
|
||||||
|
|
||||||
services.nginx = {
|
services.nginx = {
|
||||||
virtualHosts = {
|
virtualHosts = {
|
||||||
|
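Review bot: `SSH_DOMAIN = "https://${config.snowflake.services.gitea.sshDomain}";` in the `-63,7 +60,7` hunk puts a URL scheme into a setting that Gitea uses as the host part of its SSH clone addresses, so the displayed clone URL would contain `https://` where a bare host name belongs. Assuming the second printed line is the new side (the page has lost its `+`/`-` markers, but the `-1,8 +1,5` hunk is consistent with that), this should remain `SSH_DOMAIN = config.snowflake.services.gitea.sshDomain;`. The enclosing settings block starts outside the hunk.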
@ -3,71 +3,19 @@
|
|||||||
lib,
|
lib,
|
||||||
pkgs,
|
pkgs,
|
||||||
...
|
...
|
||||||
}: {
|
}:
|
||||||
options.snowflake.services.unifi-controller = {
|
{
|
||||||
enable = lib.mkEnableOption "Enable Unifi controller service for Unifi devices";
|
options.snowflake.services.unifi-controller.enable = lib.mkEnableOption "Enable Unifi controller service for Unifi devices";
|
||||||
unpoller = {
|
|
||||||
enable = lib.mkEnableOption "Enable unpoller metrics for Unifi controller";
|
|
||||||
|
|
||||||
user = lib.mkOption {
|
config = lib.mkIf config.snowflake.services.unifi-controller.enable {
|
||||||
type = lib.types.str;
|
networking.firewall.allowedTCPPorts = [ 8443 ];
|
||||||
default = "unifi-unpoller";
|
services.unifi = {
|
||||||
description = "Username for unpoller access to Unifi controller";
|
enable = true;
|
||||||
};
|
unifiPackage = pkgs.unifi8;
|
||||||
|
# Limit memory to 256MB. Works well enough
|
||||||
passwordFile = lib.mkOption {
|
# for small, home-based controller deployments.
|
||||||
description = "Age module containing the password to use for unpoller user";
|
maximumJavaHeapSize = 256;
|
||||||
};
|
openFirewall = true;
|
||||||
|
|
||||||
url = lib.mkOption {
|
|
||||||
type = lib.types.str;
|
|
||||||
default = "https://127.0.0.1:8443";
|
|
||||||
description = "URL for the unifi controller service";
|
|
||||||
};
|
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
config = let
|
|
||||||
cfg = config.snowflake.services.unifi-controller;
|
|
||||||
in
|
|
||||||
lib.mkMerge [
|
|
||||||
(lib.mkIf cfg.enable
|
|
||||||
{
|
|
||||||
networking.firewall.allowedTCPPorts = [8443];
|
|
||||||
services.unifi = {
|
|
||||||
enable = true;
|
|
||||||
unifiPackage = pkgs.unifi8;
|
|
||||||
# mongodbPackage = pkgs.mongodb-6_0;
|
|
||||||
# Limit memory to 256MB. Works well enough
|
|
||||||
# for small, home-based controller deployments.
|
|
||||||
maximumJavaHeapSize = 256;
|
|
||||||
openFirewall = true;
|
|
||||||
};
|
|
||||||
})
|
|
||||||
|
|
||||||
(lib.mkIf cfg.unpoller.enable
|
|
||||||
{
|
|
||||||
age.secrets.unpoller-password = {
|
|
||||||
inherit (cfg.unpoller.passwordFile) file;
|
|
||||||
owner = config.services.prometheus.exporters.unpoller.user;
|
|
||||||
group = config.services.prometheus.exporters.unpoller.user;
|
|
||||||
};
|
|
||||||
|
|
||||||
services.prometheus.exporters.unpoller = {
|
|
||||||
enable = cfg.unpoller.enable;
|
|
||||||
controllers = [
|
|
||||||
{
|
|
||||||
url = cfg.unpoller.url;
|
|
||||||
user = cfg.unpoller.user;
|
|
||||||
pass = config.age.secrets.unpoller-password.path;
|
|
||||||
save_ids = true;
|
|
||||||
save_events = true;
|
|
||||||
save_alarms = true;
|
|
||||||
save_anomalies = true;
|
|
||||||
verify_ssl = false;
|
|
||||||
}
|
|
||||||
];
|
|
||||||
};
|
|
||||||
})
|
|
||||||
];
|
|
||||||
}
|
}
|
||||||
|
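Review bot: `networking.firewall.allowedTCPPorts = [ 8443 ];` opens the controller's management UI on every interface, and nothing in the module says why it is needed alongside `openFirewall = true;`. If the controller only has to be reachable from the local network, scoping the rule as `networking.firewall.interfaces.<iface>.allowedTCPPorts = [ 8443 ];` would narrow the exposure. Otherwise a comment such as `# 8443: controller web UI, opened separately from services.unifi.openFirewall (confirm it is not already covered)` would record the intent.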
@ -1,35 +0,0 @@
|
|||||||
{
|
|
||||||
pkgs,
|
|
||||||
lib,
|
|
||||||
stdenv,
|
|
||||||
...
|
|
||||||
}:
|
|
||||||
stdenv.mkDerivation rec {
|
|
||||||
pname = "vuetorrent";
|
|
||||||
version = "2.10.2";
|
|
||||||
|
|
||||||
src = pkgs.fetchurl {
|
|
||||||
url = "https://github.com/WDaan/VueTorrent/releases/download/v${version}/vuetorrent.zip";
|
|
||||||
sha256 = "sha256-pJzj3jHXmpKca1zyOTlzUQvp7/LtjjMGNt9SMDo89yo=";
|
|
||||||
};
|
|
||||||
|
|
||||||
buildInputs = with pkgs; [unzip];
|
|
||||||
|
|
||||||
unpackPhase = ''
|
|
||||||
unzip $src
|
|
||||||
'';
|
|
||||||
|
|
||||||
dontStrip = true;
|
|
||||||
|
|
||||||
installPhase = ''
|
|
||||||
mkdir -p $out/
|
|
||||||
cp -r vuetorrent/public/ $out/
|
|
||||||
'';
|
|
||||||
|
|
||||||
meta = with lib; {
|
|
||||||
description = "The sleekest looking WEBUI for qBittorrent made with Vuejs! ";
|
|
||||||
homepage = "https://github.com/WDaan/VueTorrent";
|
|
||||||
license = [licenses.gpl3Only];
|
|
||||||
platforms = ["x86_64-darwin" "aarch64-darwin" "aarch64-linux" "x86_64-linux"];
|
|
||||||
};
|
|
||||||
}
|
|
@ -1,10 +1,7 @@
|
|||||||
age-encryption.org/v1
|
age-encryption.org/v1
|
||||||
-> ssh-ed25519 XInHQA /NRM0XjHa8w8lmRHi+aTpCuViwJGcUxAVAez0PSGdwQ
|
-> ssh-ed25519 XInHQA KqFc6Ej8L8yNVX3EoEqlJZlpdmsBTAn3GDPlH0CsmWc
|
||||||
UiW+Vnk2Z1/8apx8JTTXNw0+Mw+txBvwzh3xgQyslig
|
6cEtER5dcQNzWfPUGeN0tMyPEwOUMkSTiqnCQrsNhp8
|
||||||
-> ssh-ed25519 9JjquQ Cd54qelvmj8O4x4eIi0UtWxGhqvlfCIHBqBxtd99h2E
|
-> ssh-ed25519 9JjquQ sFTTVGk5VDcfw/K4yKbwGX73O2LFXp5eHWkzHhAeDVY
|
||||||
IdYDmPrOPzAimL/M2foYOFsEMcLXTMUolPOy+0gZxNg
|
usZ/giJLoWxXJ0pA8HZZSHMybxuxf8HxjDkeD5Kpuz4
|
||||||
-> ssh-ed25519 8S096g x1o/dQKQIywGlX/vJ2eQqCuWPb2BQNZsEIO4RkkNRxA
|
--- CjABvoWY5QYTJ2OmUnqxOxyehm3r/YQmYyx00auShxY
|
||||||
oijplPOdsYYreti3I7bX1KwdHQrWft63bAJBlUGcSzg
|
t0æ<EFBFBD>Ç]—iéû<C3A9>‡›fEÇ!ö¿‹úi µ—+ÕÔ¬íA(¥Ò£TÚ”R ë,ªM9׺‚¤Ã?‰¼såÎ~ù=ÓÀ¦ýžOô“Ôõ¢þx<C3BE>}–¼7!õã<12>{£"'FÎC¥ $Æ@Æžoæø‘ïç%§íJÝ®bxE·W:³x<ò3(U±
|
||||||
--- H78isjmjr1DgBAaq0cuzpxQHEwrdVf7rgbgGSX/K/pQ
|
|
||||||
Ȯ8²D>X€<å X€9 ‹?Ǥ{>ìüšLÌ«ž°üãk·††Œ}݉_ß%×Sµ÷<C2B5>ïÈ\—|-žÊø"Ã䩘#;ÃJŽÁ»£ãÕäÉ2iÚ(ƒ¹ùR3°ÜØÔ(Ð=F’–zü.^‹¦<E280B9>»‚<C2BB>
|
|
||||||
Iž£MLuäãÎ ì©ÙïÜ
'ÕúÚ
|
|
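Review bot: The new side of this secret drops the recipient stanza `-> ssh-ed25519 8S096g …` that the old side carries, and the same stanza disappears in the three later re-encrypted `.age` sections whose text is shown. Re-encrypting to fewer recipients does not revoke access, because the earlier ciphertext stays in repository history and the removed key can still decrypt it. If that key was dropped because it is no longer trusted, the underlying passwords should be rotated as well as re-keyed. The page states that the two commits share no history, so confirm which side is actually newer before acting on this.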
Binary file not shown.
Binary file not shown.
Binary file not shown.
@ -1,7 +0,0 @@
|
|||||||
age-encryption.org/v1
|
|
||||||
-> ssh-ed25519 XInHQA k39Tpe44MbIY/fa8Sf3f9JXjTlQN849nKWI3G+c4plA
|
|
||||||
Y05ZLbNPJePRU1mLV87KuhQceWZC3LcpM/qX5mOMHg8
|
|
||||||
-> ssh-ed25519 9JjquQ Si+4zoaU6TMP0cymWGQdc54fDhLisYGIi1EXZ9+vbmY
|
|
||||||
cMRoa1Owu1zwhnT6HPwGKk6y3vtHBi8rCnyJfbrAPZY
|
|
||||||
--- Y27ZK2+ekW1WKGZqTV6Q3mrNNzVWXA7v8JPOylZWYdE
|
|
||||||
‹> âQà0lZy±¼jÈI|TVÖ KPæ[ìþ˜ªFàI*~LŒÅܯK|b ™!|ÏÅ,é¯ûö´e™G
|
|
@ -13,9 +13,7 @@ let
|
|||||||
];
|
];
|
||||||
|
|
||||||
smolboye = ["ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICQFm91hLes24sYbq96zD52mDrrr1l2F2xstcfAEg+qI"];
|
smolboye = ["ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICQFm91hLes24sYbq96zD52mDrrr1l2F2xstcfAEg+qI"];
|
||||||
bicboye = [
|
bicboye = ["ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBsciEMPwLAYtbHNkdedjhSrb66fFQ46lgnVGssCuiLH"];
|
||||||
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBsciEMPwLAYtbHNkdedjhSrb66fFQ46lgnVGssCuiLH"
|
|
||||||
];
|
|
||||||
|
|
||||||
servers = bicboye ++ smolboye;
|
servers = bicboye ++ smolboye;
|
||||||
users = thunderbottom ++ codingcoffee;
|
users = thunderbottom ++ codingcoffee;
|
||||||
@ -24,7 +22,6 @@ in {
|
|||||||
"machines/thonkpad/root-password.age".publicKeys = thunderbottom ++ thonkpad;
|
"machines/thonkpad/root-password.age".publicKeys = thunderbottom ++ thonkpad;
|
||||||
"machines/bicboye/password.age".publicKeys = thunderbottom ++ bicboye;
|
"machines/bicboye/password.age".publicKeys = thunderbottom ++ bicboye;
|
||||||
"machines/bicboye/root-password.age".publicKeys = thunderbottom ++ bicboye;
|
"machines/bicboye/root-password.age".publicKeys = thunderbottom ++ bicboye;
|
||||||
"monitoring/grafana/password.age".publicKeys = thunderbottom ++ bicboye;
|
|
||||||
"services/backup/environment.age".publicKeys = thunderbottom ++ bicboye;
|
"services/backup/environment.age".publicKeys = thunderbottom ++ bicboye;
|
||||||
"services/backup/password.age".publicKeys = thunderbottom ++ bicboye;
|
"services/backup/password.age".publicKeys = thunderbottom ++ bicboye;
|
||||||
"services/gitea/password.age".publicKeys = thunderbottom ++ bicboye;
|
"services/gitea/password.age".publicKeys = thunderbottom ++ bicboye;
|
||||||
@ -32,6 +29,5 @@ in {
|
|||||||
"services/maddy/user-watashi.age".publicKeys = thunderbottom ++ servers;
|
"services/maddy/user-watashi.age".publicKeys = thunderbottom ++ servers;
|
||||||
"services/miniflux/password.age".publicKeys = thunderbottom ++ bicboye;
|
"services/miniflux/password.age".publicKeys = thunderbottom ++ bicboye;
|
||||||
"services/paperless/password.age".publicKeys = users ++ bicboye;
|
"services/paperless/password.age".publicKeys = users ++ bicboye;
|
||||||
"services/unifi-unpoller/password.age".publicKeys = users ++ bicboye;
|
|
||||||
"services/vaultwarden/password.age".publicKeys = users ++ bicboye;
|
"services/vaultwarden/password.age".publicKeys = users ++ bicboye;
|
||||||
}
|
}
|
||||||
|
Binary file not shown.
@ -1,9 +1,7 @@
|
|||||||
age-encryption.org/v1
|
age-encryption.org/v1
|
||||||
-> ssh-ed25519 XInHQA aJsT3kOeJa2ZPVkY8qcu74Ch+KHOxdN/8FLRu5hcrw0
|
-> ssh-ed25519 XInHQA cu04OlowGfn91ape/TGXYToi4kFU9JIS4iY09qlMPmo
|
||||||
PehT0Fp2CVTIO77v8jhGcIcUYS33d5NvmVQeNt3TtjY
|
Yv2vSFELyNl93DaNQc+E3b9MuwGr0k79TISXF2fUxTY
|
||||||
-> ssh-ed25519 9JjquQ Kuvah0sJwGwGGDFAUTjqmkapUGUW9QPCvZ206cFgukU
|
-> ssh-ed25519 9JjquQ FJ0QtlUi+VKZ7S6BtqCj21x5Q2QG/8s2bay4j+JFFlQ
|
||||||
yan/IUu6MrhctKCgrAtbMwdsp+hX9FjHIAeG/gkokHw
|
K1ijqw6pz7F0CZedLxNdXWuPrKMm/y4cnVaVlMuQ4CM
|
||||||
-> ssh-ed25519 8S096g CLror+G56H5TOuOqjBOLL1GvOyPU8jzYXTlXEjoM6xY
|
--- WJz/j8eixXYAzN4VxyHrdMaXCSFsVzlVAhXU8cgq6cU
|
||||||
LmqGHmsW5M2TTa4+BuWJk7qNP4YtT6/bHZBXwKKx6VU
|
â[Ŕ
–˙U‹uŕÜ ßfL—8ľĚ¶śÇQÂRrV4Łň'_&Ĺ»zĎ<7A>ţ,<2C>ĆîQ•š6gä<>ˇNŮ‚q
|
||||||
--- q3W/w3KhMsEENOa+L0F7Do3H1gQtrlD8F53RrAYtsWQ
|
|
||||||
Žm`—îê%¨Ë¼ìezéñžW›÷`—ÐZA.ÓüÔ„Êʴ·|¨ÊM'ë%3á´Ëî&Ö»lÇV
|
|
@ -1,9 +1,7 @@
|
|||||||
age-encryption.org/v1
|
age-encryption.org/v1
|
||||||
-> ssh-ed25519 XInHQA CHnxIyP3ch6zmozgHHGKyrNwCukFOzpQqzqmhBBK3HU
|
-> ssh-ed25519 XInHQA PIaYFOuYTsAufLY3jySjdLfKzfcQ6hAetR8sG9k4KTM
|
||||||
cShHERfT2fay87wUcFMzLo2CqQjo2GlPckbN9ajIzoE
|
Wg1kb+WgD8MW81bJfwejeTiiEVJCH9WWQ7O7J5zeYj8
|
||||||
-> ssh-ed25519 9JjquQ JUjEXgduMtZG7k3p8vs4kAp7npo5yenMlaqYeRDvs3I
|
-> ssh-ed25519 9JjquQ nN0gqdhhk+tcsXgb2YdlNr9TCM8ZzJ8jgwFQK+o3Cw0
|
||||||
FTzPyilqsUhBE1tVzePrWEG9AMaBTvYfJpPp9dMahfs
|
uklN8haFY8XCUMIlAPqIheganGtCyLSg2w/4LM9dcdM
|
||||||
-> ssh-ed25519 8S096g +kQ00HeKJSTEZhH+kDYVAS8JmphGAIX3O4gAcg+uATs
|
--- uNsDhT+Z43s4wRMaKiuVS0CIib7Geh+zBtSHIPLdHmY
|
||||||
Lswx4AtFXJBrJThwIzeKeUFdOYkNXmAEEuJ8OuNmCVo
|
7Vÿ<EFBFBD>ÌäŒ%Ð)¶},1¾Ã½r㊔_×Ù;œçÝ·ï°õÿÍNbîl
|
||||||
--- LmvUVzAHHAEgun76eCLHe+nxgv2Xj5qhPbUgVWirjxU
|
|
||||||
Ÿi—Ø¡v(•<-‰d'ЫG‹ñ£ÔEzV¾š;ߺ咵Kc3ŸÈèI¹ÁX´
|
|
Binary file not shown.
@ -1,11 +1,9 @@
|
|||||||
age-encryption.org/v1
|
age-encryption.org/v1
|
||||||
-> ssh-ed25519 XInHQA RfnooKxGudC9db3TeLiHCeBAQmoBMKQYwne1kPwBB3Y
|
-> ssh-ed25519 XInHQA OsckddKmgFuwo64IFPysoEWhUWdaNz0fQOpgup0dKQY
|
||||||
Cy7nE5t4HksIkTGiE5A5eWugtPpLLgKg675a9QAJ1OQ
|
o1/BcRP/NND8YHZYuQnclfa1GxlczSdc57nOw9Zm2io
|
||||||
-> ssh-ed25519 9JjquQ IXrC89snSDyCk0/cHfZxK3I7VBDOkMB7RqLikSzFfhc
|
-> ssh-ed25519 9JjquQ pLjLs2p363cKXPmz8iYAOJUYSlmK4N9GCXlizaE5fj4
|
||||||
gJUgWJT00puABYjKgSlQIScxwIzLzw9G04MeYq5skMw
|
kIdPVG/i3WdRGYxLefEnCA8cTytHCZEcpqbp5Y8aG2o
|
||||||
-> ssh-ed25519 8S096g euxCvoiDEsR3+X5YsbTeDluRA8f5iLFV7KOC1aLwH3U
|
-> ssh-ed25519 H9OGOA BowCiYKCWxWbiapKpdshcRzdZR1UEscscAAOe/kEig8
|
||||||
TDIIZoqkh2DPUVno76U16Y/9HaU5dCL/AqgbqBNF/BU
|
Lexjp0LuPZs5bV8CQ63Scb+xh8lPDM7x17KD9r0/1qU
|
||||||
-> ssh-ed25519 H9OGOA VmODcaMxRDUeD0sbrtFNTAiuI/gI7+zVEQwfhC7gT1s
|
--- e+NBlts82HBx3gbjznmUKufAYF1w2fzEO+LNx9yvq18
|
||||||
p95/aXRwH3PdgsiMMxR/pEFlithxc68STelHRxAZoKM
|
<EFBFBD>#<ÐUŲݲ?Ã{çþC¹ÝÈäÓ_ÞoyXüZBEʶ£%é§Ä,m<>#÷fSõkÀ§à~z
|
||||||
--- WVxsIeOZysNFXyQiihNL527CpfNy6WuSVw7UnrMEmAU
|
|
||||||
Ì ¦=K+t¹zf8
coœÈÅQZ÷<5A>ÀŸ.ý²/xðSç«Yª?ÜÊÂ<=^Ny€‘¿`'ŠÜù¯Z¸¾ŠÚà7
|
|
Binary file not shown.
@ -1,13 +1,12 @@
|
|||||||
age-encryption.org/v1
|
age-encryption.org/v1
|
||||||
-> ssh-ed25519 XInHQA UWrsDGlrkZ6xmFFSOCrAZbybIvIYQc1QKhgXhdDSoxY
|
-> ssh-ed25519 XInHQA uCUIywKJrUQhqYI8uhhxNIsXoTcRBbZSRVfUJPCp2wM
|
||||||
5Je6sUO8h71WJkFpof3XcxnIUEexutrEz5TXT1Bwobg
|
2p1OvwRBUMJTXvhp2PdGBCwxKU/rFPBHKZaKJ38HvAo
|
||||||
-> ssh-ed25519 K8TEKA Kxxgpb4qEFVQ+KJpb2wBwKjQc22PwjEEB3Y3ERmm924
|
-> ssh-ed25519 K8TEKA d4DDO/774I+lhafaKbrERWsl6NqeqpdkbmZy0FA6Dws
|
||||||
2O4zzOOyH8SeRScBhGFKopMD5eZKtOF63fWs3YjqC5Q
|
ObQGhn0BmzqE5pSg+vPSVdx3rLng9h3wPfoFx2umVAI
|
||||||
-> ssh-ed25519 7+Zv5Q 3A3v+goiSRXpBhb3hAVJXbHuHdT+L4Xr178ML/pfG2s
|
-> ssh-ed25519 7+Zv5Q M1P+teBvn1p4zbFNIVvGremZC5hViNswi9q24mCxCEg
|
||||||
Ds1qBZlDl2mnlZvRcI0fEvDQ79KmUFAYICoVrcoA+Oc
|
zR1sV/5t8nI3jky5Ou9Ud7IYC8E8nkQnvRIW9lG7nbA
|
||||||
-> ssh-ed25519 9JjquQ 0p+mZLwhphoGDdmpOxgQrzIX+Y2w0RvIdNMlSarL90s
|
-> ssh-ed25519 9JjquQ P5F2UqVRXkySbbI4OHM6rChELU0wpx6Stpvz78Ie1yY
|
||||||
8P+l4oPQ3qEtR4KWk7W7wkxGEjroqMA5f70+1eUjdY8
|
uWOhkO0vx0anNHA5EWuLmDmTQvoY/c1iSzlVl2xldC4
|
||||||
-> ssh-ed25519 8S096g 5cTN3f5x+9Qizop1nRdjkqe0pa1S3LjR0pbMTccsPWM
|
--- BARoI30iwdy5g5hWJoHpVlA6Hlhu4SBpGhxrTPvG8ok
|
||||||
gGn24WckcR1iCNJH2oB8gekTTty/a4asssRmDlgEpwU
|
´•µãØÄ;”Ö&ß_xIúXÛRŸøóÏ£ÂĴ螞ܾ]¹9ÅÏ'La§1ø÷¡Q )ê@
|
||||||
--- LCrdBMibVYcT7SAS+jw+IBSb8nHdqvCpP0oe4fVc9OQ
|
°WMeÎ%€3¼K
|
||||||
<1F>æèQÐÒ<C390>x¥Q,•¹ºÓéS<53>WŠõ<C5A0>$2È’Ó3E“Aîß-×fc‰dæ•wV¿i2ÌvÏŸê >Z
|
|
@ -1,12 +0,0 @@
|
|||||||
age-encryption.org/v1
|
|
||||||
-> ssh-ed25519 XInHQA bMzwX3D3LAeB2oFjeCgQy6NtXfde87lGBBhJN7Nrox4
|
|
||||||
h6hwikEijHYMUTWhBuSgz+nxnnj00VlSibTZc2JmnBY
|
|
||||||
-> ssh-ed25519 K8TEKA s2cQpiLdC+1XBH5cIE5Z/IUEpsk564jYrsafVZSMgVQ
|
|
||||||
d5qPoJhyUToxN639uoR0J9kcfvubItuzXGoVk6Sewao
|
|
||||||
-> ssh-ed25519 7+Zv5Q pdOyuEw0qr/owYTSBq1Ewmge/0iGrf5PVQe8nSRKRhk
|
|
||||||
WWnMY5blWR6JOEz8dcOXdFoz9Vfj7J3EmVfVfb0qAmQ
|
|
||||||
-> ssh-ed25519 9JjquQ V82cwaqtAmVTMeyWvd23c0xOUk38tnmwFMKPeNZbbik
|
|
||||||
iWuQQSWFGf5ZqTyv78YRk7D96W8UXTnbaMLZ6F0ctj8
|
|
||||||
--- PtBBUhavizHrdmvxBF9qcB4rYEcB0A4AWqRl1Wp1Hic
|
|
||||||
ÅêÞ`ÐXj*Ä3U±Ë÷ :¢7…ä´s<C2B4>Zž1eA«
|
|
||||||
ø‰‘µýíRú#ì
|
|
Binary file not shown.
@ -1,5 +1,4 @@
|
|||||||
{
|
{
|
||||||
config,
|
|
||||||
lib,
|
lib,
|
||||||
pkgs,
|
pkgs,
|
||||||
userdata,
|
userdata,
|
||||||
@ -13,11 +12,14 @@
|
|||||||
networking = {
|
networking = {
|
||||||
hostName = "bicboye";
|
hostName = "bicboye";
|
||||||
useDHCP = lib.mkDefault false;
|
useDHCP = lib.mkDefault false;
|
||||||
interfaces.enp2s0 = {
|
interfaces.enp6s0 = {
|
||||||
useDHCP = lib.mkDefault true;
|
useDHCP = lib.mkDefault true;
|
||||||
wakeOnLan.enable = true;
|
wakeOnLan.enable = true;
|
||||||
};
|
};
|
||||||
firewall.allowedTCPPorts = [80 443];
|
firewall.allowedTCPPorts = [
|
||||||
|
80
|
||||||
|
443
|
||||||
|
];
|
||||||
};
|
};
|
||||||
|
|
||||||
# Enable weekly btrfs auto-scrub.
|
# Enable weekly btrfs auto-scrub.
|
||||||
@ -33,93 +35,33 @@
|
|||||||
|
|
||||||
# TODO: move to module
|
# TODO: move to module
|
||||||
security.acme.defaults.email = "chinmaydpai@gmail.com";
|
security.acme.defaults.email = "chinmaydpai@gmail.com";
|
||||||
security.dhparams = {
|
|
||||||
enable = true;
|
|
||||||
params.nginx = {};
|
|
||||||
};
|
|
||||||
services.nginx = {
|
services.nginx = {
|
||||||
enable = true;
|
enable = true;
|
||||||
recommendedProxySettings = true;
|
recommendedProxySettings = true;
|
||||||
recommendedOptimisation = true;
|
recommendedOptimisation = true;
|
||||||
recommendedGzipSettings = true;
|
recommendedGzipSettings = true;
|
||||||
recommendedTlsSettings = true;
|
recommendedTlsSettings = true;
|
||||||
sslDhparam = config.security.dhparams.params.nginx.path;
|
|
||||||
|
|
||||||
# Disable default_server access and return HTTP 444.
|
|
||||||
appendHttpConfig = ''
|
|
||||||
server {
|
|
||||||
listen 80 http2 default_server;
|
|
||||||
listen 443 ssl http2 default_server;
|
|
||||||
|
|
||||||
ssl_reject_handshake on;
|
|
||||||
return 444;
|
|
||||||
}
|
|
||||||
'';
|
|
||||||
};
|
};
|
||||||
|
|
||||||
snowflake = {
|
snowflake = {
|
||||||
stateVersion = "24.05";
|
stateVersion = "24.05";
|
||||||
|
|
||||||
extraPackages = with pkgs; [
|
|
||||||
nmap
|
|
||||||
recyclarr
|
|
||||||
];
|
|
||||||
|
|
||||||
core.docker.enable = true;
|
core.docker.enable = true;
|
||||||
core.docker.storageDriver = "btrfs";
|
core.docker.storageDriver = "btrfs";
|
||||||
core.security.sysctl.enable = lib.mkForce false;
|
core.security.sysctl.enable = lib.mkForce false;
|
||||||
|
|
||||||
networking.networkManager.enable = true;
|
networking.networkManager.enable = true;
|
||||||
networking.resolved.enable = true;
|
|
||||||
|
|
||||||
hardware.initrd-luks = {
|
hardware.initrd-luks = {
|
||||||
enable = true;
|
enable = true;
|
||||||
authorizedKeys = [
|
authorizedKeys = [
|
||||||
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIG3PeMbehJBkmv8Ee7xJimTzXoSdmAnxhBatHSdS+saM"
|
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIG3PeMbehJBkmv8Ee7xJimTzXoSdmAnxhBatHSdS+saM"
|
||||||
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOyY8ZkhwWiqJCiTqXvHnLpXQb1qWwSZAoqoSWJI1ogP"
|
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOyY8ZkhwWiqJCiTqXvHnLpXQb1qWwSZAoqoSWJI1ogP"
|
||||||
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJQWA+bAwpm9ca5IhC6q2BsxeQH4WAiKyaht48b7/xkN"
|
|
||||||
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKJnFvU6nBXEuZF08zRLFfPpxYjV3o0UayX0zTPbDb7C"
|
|
||||||
];
|
];
|
||||||
availableKernelModules = ["r8169"];
|
availableKernelModules = ["r8169"];
|
||||||
};
|
};
|
||||||
|
|
||||||
monitoring = {
|
|
||||||
enable = true;
|
|
||||||
grafana = {
|
|
||||||
domain = "lens.deku.moe";
|
|
||||||
adminPasswordFile = userdata.secrets.monitoring.grafana.password;
|
|
||||||
};
|
|
||||||
victoriametrics.extraPrometheusConfig = [
|
|
||||||
{
|
|
||||||
job_name = "unpoller";
|
|
||||||
static_configs = [
|
|
||||||
{
|
|
||||||
targets = ["127.0.0.1:${toString config.services.prometheus.exporters.unpoller.port}"];
|
|
||||||
}
|
|
||||||
];
|
|
||||||
}
|
|
||||||
{
|
|
||||||
job_name = "router";
|
|
||||||
static_configs = [
|
|
||||||
{
|
|
||||||
targets = ["192.168.69.1:9100"];
|
|
||||||
}
|
|
||||||
];
|
|
||||||
relabel_configs = [
|
|
||||||
{
|
|
||||||
source_labels = ["__address__"];
|
|
||||||
target_label = "instance";
|
|
||||||
regex = "([^:]+)(:[0-9]+)?";
|
|
||||||
replacement = "openwrt";
|
|
||||||
}
|
|
||||||
];
|
|
||||||
}
|
|
||||||
];
|
|
||||||
};
|
|
||||||
|
|
||||||
services = {
|
services = {
|
||||||
arr.enable = true;
|
|
||||||
|
|
||||||
gitea = {
|
gitea = {
|
||||||
enable = true;
|
enable = true;
|
||||||
domain = "git.deku.moe";
|
domain = "git.deku.moe";
|
||||||
@ -133,11 +75,6 @@
|
|||||||
adminTokenFile = userdata.secrets.services.miniflux.password;
|
adminTokenFile = userdata.secrets.services.miniflux.password;
|
||||||
};
|
};
|
||||||
|
|
||||||
ntfy-sh = {
|
|
||||||
enable = true;
|
|
||||||
domain = "ntfy.deku.moe";
|
|
||||||
};
|
|
||||||
|
|
||||||
paperless = {
|
paperless = {
|
||||||
enable = true;
|
enable = true;
|
||||||
domain = "docs.deku.moe";
|
domain = "docs.deku.moe";
|
||||||
@ -156,13 +93,7 @@
|
|||||||
package = pkgs.maych-in;
|
package = pkgs.maych-in;
|
||||||
domain = "maych.in";
|
domain = "maych.in";
|
||||||
};
|
};
|
||||||
unifi-controller = {
|
unifi-controller.enable = true;
|
||||||
enable = true;
|
|
||||||
unpoller = {
|
|
||||||
enable = true;
|
|
||||||
passwordFile = userdata.secrets.services.unifi-unpoller.password;
|
|
||||||
};
|
|
||||||
};
|
|
||||||
};
|
};
|
||||||
|
|
||||||
user = {
|
user = {
|
||||||
@ -174,8 +105,6 @@
|
|||||||
extraAuthorizedKeys = [
|
extraAuthorizedKeys = [
|
||||||
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIG3PeMbehJBkmv8Ee7xJimTzXoSdmAnxhBatHSdS+saM"
|
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIG3PeMbehJBkmv8Ee7xJimTzXoSdmAnxhBatHSdS+saM"
|
||||||
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOyY8ZkhwWiqJCiTqXvHnLpXQb1qWwSZAoqoSWJI1ogP"
|
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOyY8ZkhwWiqJCiTqXvHnLpXQb1qWwSZAoqoSWJI1ogP"
|
||||||
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJQWA+bAwpm9ca5IhC6q2BsxeQH4WAiKyaht48b7/xkN"
|
|
||||||
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKJnFvU6nBXEuZF08zRLFfPpxYjV3o0UayX0zTPbDb7C"
|
|
||||||
];
|
];
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
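Review bot: With the catch-all `server` block gone from `services.nginx` in the `-33,93 +35,33` hunk, nothing on the new side rejects requests whose Host or SNI matches no configured vhost, while 80 and 443 stay open in `firewall.allowedTCPPorts`. nginx will then answer such requests from whichever vhost it treats as the default, which serves that site and its certificate name to anyone connecting by bare IP; the vhosts themselves are defined in modules outside this section, so this is inferred. A minimal replacement would be `virtualHosts."_" = { default = true; rejectSSL = true; locations."/".return = "444"; };`. Separately, `core.security.sysctl.enable = lib.mkForce false;` is kept without a comment; a line such as `# hardening sysctls disabled because <reason>` would tell the next reader why hardening is forced off on an internet-facing host.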
@ -10,14 +10,14 @@ _: {
|
|||||||
"usb_storage"
|
"usb_storage"
|
||||||
"sd_mod"
|
"sd_mod"
|
||||||
];
|
];
|
||||||
luks.devices."cryptroot".device = "/dev/disk/by-uuid/e570c2be-65df-4208-9cac-a03de08a6209";
|
luks.devices."root".device = "/dev/disk/by-uuid/e70bfc3c-1147-4af7-9bae-69f70146953f";
|
||||||
};
|
};
|
||||||
kernelModules = ["kvm-intel"];
|
kernelModules = ["kvm-intel"];
|
||||||
};
|
};
|
||||||
|
|
||||||
fileSystems = {
|
fileSystems = {
|
||||||
"/" = {
|
"/" = {
|
||||||
device = "/dev/disk/by-uuid/a1b57a56-16d4-45ea-bac3-daeacd3dbcb2";
|
device = "/dev/disk/by-uuid/5cabc339-898c-4604-9bfc-0a2cf17e44ca";
|
||||||
fsType = "btrfs";
|
fsType = "btrfs";
|
||||||
options = [
|
options = [
|
||||||
"defaults"
|
"defaults"
|
||||||
@ -30,7 +30,7 @@ _: {
|
|||||||
};
|
};
|
||||||
|
|
||||||
"/home" = {
|
"/home" = {
|
||||||
device = "/dev/disk/by-uuid/a1b57a56-16d4-45ea-bac3-daeacd3dbcb2";
|
device = "/dev/disk/by-uuid/5cabc339-898c-4604-9bfc-0a2cf17e44ca";
|
||||||
fsType = "btrfs";
|
fsType = "btrfs";
|
||||||
options = [
|
options = [
|
||||||
"defaults"
|
"defaults"
|
||||||
@ -42,7 +42,7 @@ _: {
|
|||||||
};
|
};
|
||||||
|
|
||||||
"/.snapshots" = {
|
"/.snapshots" = {
|
||||||
device = "/dev/disk/by-uuid/a1b57a56-16d4-45ea-bac3-daeacd3dbcb2";
|
device = "/dev/disk/by-uuid/5cabc339-898c-4604-9bfc-0a2cf17e44ca";
|
||||||
fsType = "btrfs";
|
fsType = "btrfs";
|
||||||
options = [
|
options = [
|
||||||
"defaults"
|
"defaults"
|
||||||
@ -54,7 +54,7 @@ _: {
|
|||||||
};
|
};
|
||||||
|
|
||||||
"/var/log" = {
|
"/var/log" = {
|
||||||
device = "/dev/disk/by-uuid/a1b57a56-16d4-45ea-bac3-daeacd3dbcb2";
|
device = "/dev/disk/by-uuid/5cabc339-898c-4604-9bfc-0a2cf17e44ca";
|
||||||
fsType = "btrfs";
|
fsType = "btrfs";
|
||||||
options = [
|
options = [
|
||||||
"defaults"
|
"defaults"
|
||||||
@ -66,7 +66,7 @@ _: {
|
|||||||
};
|
};
|
||||||
|
|
||||||
"/etc/nixos" = {
|
"/etc/nixos" = {
|
||||||
device = "/dev/disk/by-uuid/a1b57a56-16d4-45ea-bac3-daeacd3dbcb2";
|
device = "/dev/disk/by-uuid/5cabc339-898c-4604-9bfc-0a2cf17e44ca";
|
||||||
fsType = "btrfs";
|
fsType = "btrfs";
|
||||||
options = [
|
options = [
|
||||||
"defaults"
|
"defaults"
|
||||||
@ -78,7 +78,7 @@ _: {
|
|||||||
};
|
};
|
||||||
|
|
||||||
"/var/cache" = {
|
"/var/cache" = {
|
||||||
device = "/dev/disk/by-uuid/a1b57a56-16d4-45ea-bac3-daeacd3dbcb2";
|
device = "/dev/disk/by-uuid/5cabc339-898c-4604-9bfc-0a2cf17e44ca";
|
||||||
fsType = "btrfs";
|
fsType = "btrfs";
|
||||||
options = [
|
options = [
|
||||||
"defaults"
|
"defaults"
|
||||||
@ -90,13 +90,24 @@ _: {
|
|||||||
};
|
};
|
||||||
|
|
||||||
"/boot" = {
|
"/boot" = {
|
||||||
device = "/dev/disk/by-uuid/B731-09A3";
|
device = "/dev/disk/by-uuid/1C6C-122C";
|
||||||
fsType = "vfat";
|
fsType = "vfat";
|
||||||
options = ["fmask=0022" "dmask=0022"];
|
|
||||||
};
|
};
|
||||||
|
|
||||||
"/storage/media" = {
|
"/storage/immich" = {
|
||||||
device = "/dev/disk/by-uuid/f8aadf58-d561-476b-a2c5-64b266dc5755";
|
device = "/dev/disk/by-uuid/bae65b7a-4f08-4b0d-963c-72e71bfcff46";
|
||||||
|
fsType = "btrfs";
|
||||||
|
options = [
|
||||||
|
"defaults"
|
||||||
|
"compress-force=zstd"
|
||||||
|
"noatime"
|
||||||
|
"user"
|
||||||
|
];
|
||||||
|
};
|
||||||
|
|
||||||
|
# TODO: delete btrfs subvolume
|
||||||
|
"/storage/syncthing" = {
|
||||||
|
device = "/dev/disk/by-uuid/e3a4c251-a3e2-4b5e-a63b-70f53b51836a";
|
||||||
fsType = "btrfs";
|
fsType = "btrfs";
|
||||||
options = [
|
options = [
|
||||||
"defaults"
|
"defaults"
|
||||||
|
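Review bot: The `/boot` vfat entry on the new side has no `options` line, so the ESP is mounted with the default masks and its contents are readable by every local user. If the loader is systemd-boot, that includes its random seed file; which loader is configured is not visible in this section. Consider `options = ["fmask=0077" "dmask=0077"];` on that entry. The added `/storage/immich` entry also lists `"user"`, which lets a non-root user mount the volume; confirm that is intended for a service data volume, or drop it.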
@ -31,6 +31,7 @@ _: {
|
|||||||
fsType = "btrfs";
|
fsType = "btrfs";
|
||||||
options = [
|
options = [
|
||||||
"defaults"
|
"defaults"
|
||||||
|
# "autodefrag"
|
||||||
"compress-force=zstd"
|
"compress-force=zstd"
|
||||||
"noatime"
|
"noatime"
|
||||||
"ssd"
|
"ssd"
|
||||||
@ -45,6 +46,7 @@ _: {
|
|||||||
fsType = "btrfs";
|
fsType = "btrfs";
|
||||||
options = [
|
options = [
|
||||||
"defaults"
|
"defaults"
|
||||||
|
# "autodefrag"
|
||||||
"compress-force=zstd"
|
"compress-force=zstd"
|
||||||
"noatime"
|
"noatime"
|
||||||
"ssd"
|
"ssd"
|
||||||
@ -71,6 +73,7 @@ _: {
|
|||||||
fsType = "btrfs";
|
fsType = "btrfs";
|
||||||
options = [
|
options = [
|
||||||
"defaults"
|
"defaults"
|
||||||
|
# "autodefrag"
|
||||||
"compress-force=zstd"
|
"compress-force=zstd"
|
||||||
"noatime"
|
"noatime"
|
||||||
"ssd"
|
"ssd"
|
||||||
@ -84,6 +87,7 @@ _: {
|
|||||||
fsType = "btrfs";
|
fsType = "btrfs";
|
||||||
options = [
|
options = [
|
||||||
"defaults"
|
"defaults"
|
||||||
|
# "autodefrag"
|
||||||
"compress-force=zstd"
|
"compress-force=zstd"
|
||||||
"noatime"
|
"noatime"
|
||||||
"ssd"
|
"ssd"
|
||||||
@ -109,6 +113,7 @@ _: {
|
|||||||
fsType = "btrfs";
|
fsType = "btrfs";
|
||||||
options = [
|
options = [
|
||||||
"defaults"
|
"defaults"
|
||||||
|
# "autodefrag"
|
||||||
"compress-force=zstd"
|
"compress-force=zstd"
|
||||||
"noatime"
|
"noatime"
|
||||||
"ssd"
|
"ssd"
|
||||||
|