init

2024-09-26 23:50:15 -04:00 · 2024-09-26 23:50:15 -04:00 · 36ae02372c
commit 36ae02372c
15 changed files with 623 additions and 0 deletions
--- a/.git-crypt/.gitattributes
+++ b/.git-crypt/.gitattributes
@ -0,0 +1,4 @@
+# Do not edit this file.  To specify the files to encrypt, create your own
+# .gitattributes file in the directory where your files are.
+* !filter !diff
+*.gpg binary
--- a/.git-crypt/keys/default/0/D15E4754FE1AEDA15A6D47029AB28AC10ECE533D.gpg
+++ b/.git-crypt/keys/default/0/D15E4754FE1AEDA15A6D47029AB28AC10ECE533D.gpg
--- a/.gitattributes
+++ b/.gitattributes
@ -0,0 +1,3 @@
+secrets/murmur_password filter=git-crypt diff=git-crypt
+secrets/hashedPass filter=git-crypt diff=git-crypt
+secrets/mullvad.nix filter=git-crypt diff=git-crypt
--- a/configuration.nix
+++ b/configuration.nix
@ -0,0 +1,231 @@
+{
+  config,
+  lib,
+  pkgs,
+  hostname,
+  username,
+  eth_interface,
+  service_configs,
+  ...
+}:
+{
+  imports = [
+    ./hardware.nix
+    # ./services/jellyfin.nix
+    ./services/caddy.nix
+    ./services/quadlet.nix
+    ./services/immich.nix
+    ./services/git.nix
+  ];
+
+  nix = {
+    #garbage collection and cleanup stuff
+    gc = {
+      automatic = true;
+      dates = "weekly";
+      options = "--delete-older-than 7d";
+    };
+
+    #optimize the store
+    optimise.automatic = true;
+
+    #enable flakes!
+    settings.experimental-features = [
+      "nix-command"
+      "flakes"
+    ];
+  };
+
+  boot = {
+    kernelPackages = pkgs.linuxPackages_6_10;
+
+    supportedFilesystems = [ "zfs" ];
+    zfs.extraPools = [ "tank" ];
+    loader = {
+      # Use the systemd-boot EFI boot loader.
+      systemd-boot.enable = true;
+      efi.canTouchEfiVariables = true;
+    };
+  };
+
+  # Set your time zone.
+  time.timeZone = "America/New_York";
+
+  # Enable the OpenSSH daemon.
+  services.openssh = {
+    enable = true;
+    settings = {
+      PasswordAuthentication = false;
+      PermitRootLogin = "no";
+    };
+  };
+
+  #Intel GPU stuff
+  nixpkgs.config.packageOverrides = pkgs: {
+    vaapiIntel = pkgs.vaapiIntel.override { enableHybridCodec = true; };
+  };
+
+  hardware.graphics = {
+    enable = true;
+    extraPackages = with pkgs; [
+      intel-media-driver
+      intel-vaapi-driver # previously vaapiIntel
+      vaapiVdpau
+      intel-compute-runtime # OpenCL filter support (hardware tonemapping and subtitle burn-in)
+      vpl-gpu-rt # QSV on 11th gen or newer
+    ];
+  };
+
+  #fwupd for updating firmware
+  services.fwupd = {
+    enable = true;
+    extraRemotes = [ "lvfs-testing" ];
+  };
+
+  environment.systemPackages = with pkgs; [
+    helix
+    nixfmt-rfc-style
+
+    lm_sensors
+    bottom
+    htop
+
+    borgbackup
+    smartmontools
+
+    nil
+
+    ripgrep
+
+    intel-gpu-tools
+  ];
+
+  services.zfs = {
+    autoScrub.enable = true;
+    autoSnapshot.enable = true;
+  };
+
+  systemd.services.no-rgb =
+    let
+      no-rgb = pkgs.writeScriptBin "no-rgb" ''
+        #!/bin/sh
+        NUM_DEVICES=$(${pkgs.openrgb}/bin/openrgb --noautoconnect --list-devices | ${pkgs.coreutils}/bin/grep -E '^[0-9]+: ' | ${pkgs.coreutils}/bin/wc -l)
+
+        for i in $(${pkgs.coreutils}/bin/seq 0 $(($NUM_DEVICES - 1))); do
+          ${pkgs.openrgb}/bin/openrgb --noautoconnect --device $i --mode direct --color 000000
+        done
+      '';
+    in
+    {
+      description = "disable rgb";
+      serviceConfig = {
+        ExecStart = "${no-rgb}/bin/no-rgb";
+        Type = "oneshot";
+      };
+      wantedBy = [ "multi-user.target" ];
+    };
+
+  services.hardware.openrgb = {
+    enable = true;
+    package = pkgs.openrgb-with-all-plugins;
+    motherboard = "amd";
+  };
+
+  services.udev.packages = [ pkgs.openrgb-with-all-plugins ];
+  hardware.i2c.enable = true;
+
+  networking = {
+    nameservers = [
+      "1.1.1.1"
+      "9.9.9.9"
+    ];
+
+    hostName = hostname;
+    hostId = "0f712d56";
+    firewall.enable = true;
+    useDHCP = false;
+
+    interfaces.${eth_interface} = {
+      ipv4.addresses = [
+        {
+          address = "10.1.1.102";
+          prefixLength = 24;
+        }
+      ];
+    };
+    defaultGateway = {
+      address = "10.1.1.1";
+      interface = eth_interface;
+    };
+  };
+
+  virtualisation = {
+    containers.enable = true;
+    podman = {
+      enable = true;
+
+      # Required for containers under podman-compose to be able to talk to each other.
+      defaultNetwork.settings.dns_enabled = true;
+    };
+  };
+
+  users.users.${username} = {
+    isNormalUser = true;
+    extraGroups = [
+      "wheel"
+      "video"
+      "render"
+    ];
+    hashedPasswordFile = "/etc/nixos/secrets/hashedPass";
+
+    openssh.authorizedKeys.keys = [
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO4jL6gYOunUlUtPvGdML0cpbKSsPNqQ1jit4E7U1RyH" # laptop
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBJjT5QZ3zRDb+V6Em20EYpSEgPW5e/U+06uQGJdraxi" # desktop
+    ];
+  };
+
+  # https://nixos.wiki/wiki/Fish#Setting_fish_as_your_shell
+  programs.fish.enable = true;
+  programs.bash = {
+    interactiveShellInit = ''
+      if [[ $(${pkgs.procps}/bin/ps --no-header --pid=$PPID --format=comm) != "fish" && -z ''${BASH_EXECUTION_STRING} ]]
+      then
+        shopt -q login_shell && LOGIN_OPTION='--login' || LOGIN_OPTION=""
+        exec ${pkgs.fish}/bin/fish $LOGIN_OPTION
+      fi
+    '';
+  };
+
+  security = {
+    #lets use doas and not sudo!
+    doas.enable = true;
+    sudo.enable = false;
+    # Configure doas
+    doas.extraRules = [
+      {
+        users = [ username ];
+        keepEnv = true;
+        persist = true;
+      }
+    ];
+  };
+
+  networking.firewall.allowedTCPPorts = [
+    service_configs.ports.minecraft
+  ];
+
+  services.murmur = {
+    enable = true;
+    openFirewall = true;
+    welcometext = "meow meow meow meow meow :3 xd";
+    password = builtins.readFile ./secrets/murmur_password;
+  };
+
+  services.postgresql = {
+    enable = true;
+    package = pkgs.postgresql_16;
+    dataDir = "/tank/services/sql";
+  };
+
+  system.stateVersion = "24.05";
+}
--- a/flake.lock
+++ b/flake.lock
@ -0,0 +1,48 @@
+{
+  "nodes": {
+    "nixpkgs": {
+      "locked": {
+        "lastModified": 1727444619,
+        "narHash": "sha256-Y4X22oYrmYZcVVLa708GX/trYjSGkPgd2HpnOR0kTfg=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "c198f2dc39f569fadff23d199715be9c345a1383",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
+        "ref": "master",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
+    "quadlet-nix": {
+      "inputs": {
+        "nixpkgs": [
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1727065535,
+        "narHash": "sha256-jX83vspAPZnnpFUylUYqP+J1RoZc9w10bbQtsEwD20A=",
+        "owner": "SEIAROTg",
+        "repo": "quadlet-nix",
+        "rev": "51e2beaaf127c8b4460d909c6c29ed9d60bfde0c",
+        "type": "github"
+      },
+      "original": {
+        "owner": "SEIAROTg",
+        "repo": "quadlet-nix",
+        "type": "github"
+      }
+    },
+    "root": {
+      "inputs": {
+        "nixpkgs": "nixpkgs",
+        "quadlet-nix": "quadlet-nix"
+      }
+    }
+  },
+  "root": "root",
+  "version": 7
+}
--- a/flake.nix
+++ b/flake.nix
@ -0,0 +1,82 @@
+{
+  description = "Flake for server muffin";
+
+  inputs = {
+    # nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
+    nixpkgs.url = "github:NixOS/nixpkgs/master";
+    quadlet-nix.url = "github:SEIAROTg/quadlet-nix";
+    quadlet-nix.inputs.nixpkgs.follows = "nixpkgs";
+  };
+
+  outputs =
+    {
+      nixpkgs,
+      quadlet-nix,
+      ...
+    }:
+    let
+      username = "primary";
+      hostname = "muffin";
+      eth_interface = "enp3s0";
+
+      service_configs = {
+        hdd_path = "/mnt/hdd";
+
+        # TODO: add checks to make sure none of these collide
+        ports = {
+          https = 443;
+          immich = 3001;
+          jellyfin = 8096;
+          torrent = 6011;
+          minecraft = 25565;
+          git-server = 3281;
+        };
+
+        https = {
+          certs = "/tank/services/http_certs";
+          data_dir = "/tank/services/http";
+        };
+
+        gitea = {
+          dir = "/tank/services/gitea";
+        };
+
+        postgres = {
+          socket = "/run/postgresql";
+        };
+
+        immich = {
+          dir = "/tank/services/immich";
+        };
+
+        minecraft = {
+          dir = "/tank/services/minecraft";
+        };
+
+        gluetun = {
+          dir = "/tank/services/gluetun";
+        };
+
+        torrent = {
+          config_dir = "/tank/services/qbittorrent/config";
+          download_dir = "${service_configs.hdd_path}/torrents";
+        };
+      };
+    in
+    {
+      nixosConfigurations.${hostname} = nixpkgs.lib.nixosSystem {
+        specialArgs = {
+          inherit
+            username
+            hostname
+            eth_interface
+            service_configs
+            ;
+        };
+        modules = [
+          ./configuration.nix
+          quadlet-nix.nixosModules.quadlet
+        ];
+      };
+    };
+}
--- a/hardware.nix
+++ b/hardware.nix
@ -0,0 +1,46 @@
+{
+  config,
+  lib,
+  pkgs,
+  service_configs,
+  ...
+}:
+
+{
+  boot.initrd.availableKernelModules = [
+    "xhci_pci"
+    "ahci"
+    "usb_storage"
+    "usbhid"
+    "sd_mod"
+  ];
+  boot.initrd.kernelModules = [ "dm-snapshot" ];
+  boot.kernelModules = [ "kvm-amd" ];
+  boot.extraModulePackages = [ ];
+
+  fileSystems."/" = {
+    device = "/dev/disk/by-uuid/f467d1e8-5f00-40ee-aa67-55a999181918";
+    fsType = "ext4";
+  };
+
+  fileSystems."/boot" = {
+    device = "/dev/disk/by-uuid/96DC-6E54";
+    fsType = "vfat";
+    options = [
+      "fmask=0022"
+      "dmask=0022"
+    ];
+  };
+
+  # 3tb HDD
+  fileSystems.${service_configs.hdd_path} = {
+    device = "/dev/disk/by-uuid/f69b8c84-20ca-448f-b580-8951f20b9fc1";
+    fsType = "xfs";
+  };
+
+  swapDevices = [ ];
+
+  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+  hardware.cpu.amd.updateMicrocode = true;
+  hardware.enableRedistributableFirmware = true;
+}
--- a/secrets/hashedPass
+++ b/secrets/hashedPass
--- a/secrets/mullvad.nix
+++ b/secrets/mullvad.nix
--- a/secrets/murmur_password
+++ b/secrets/murmur_password
--- a/services/caddy.nix
+++ b/services/caddy.nix
@ -0,0 +1,41 @@
+{ service_configs, ... }:
+{
+  services.caddy = {
+    enable = true;
+    virtualHosts = {
+      ":${builtins.toString service_configs.ports.https}".extraConfig = ''
+        tls ${service_configs.https.certs}/cert.crt ${service_configs.https.certs}/cert.key
+
+        handle_path /torrent* {
+        	reverse_proxy 127.0.0.1:${builtins.toString service_configs.ports.torrent}
+        }
+
+        root * ${service_configs.https.data_dir}
+        file_server browse
+      '';
+
+      "immich.gardling.com".extraConfig = ''
+        reverse_proxy 127.0.0.1:${builtins.toString service_configs.ports.immich}
+      '';
+
+      "jellyfin.gardling.com".extraConfig = ''
+        reverse_proxy 127.0.0.1:${builtins.toString service_configs.ports.jellyfin}
+        request_body {
+        	max_size 4096MB
+        }
+      '';
+
+      "git.gardling.com".extraConfig = ''
+        reverse_proxy 127.0.0.1:${builtins.toString service_configs.ports.git-server}
+      '';
+    };
+  };
+
+  networking.firewall.allowedTCPPorts = [
+    service_configs.ports.https
+  ];
+
+  networking.firewall.allowedUDPPorts = [
+    service_configs.ports.https
+  ];
+}
--- a/services/git.nix
+++ b/services/git.nix
@ -0,0 +1,40 @@
+{
+  config,
+  service_configs,
+  ...
+}:
+{
+  services.gitea = {
+    enable = true;
+    appName = "TBD name of my gitea server";
+    stateDir = service_configs.gitea.dir;
+    database = {
+      type = "postgres";
+      socket = service_configs.postgres.socket;
+    };
+    settings = {
+      server = {
+        DOMAIN = "git.gardling.com";
+        ROOT_URL = "https://git.gardling.com";
+        HTTP_PORT = service_configs.ports.git-server;
+      };
+      session = {
+        # https cookies or smth
+        COOKIE_SECURE = true;
+      };
+      # only I shall use gitea
+      service.DISABLE_REGISTRATION = true;
+    };
+  };
+
+  services.postgresql = {
+    ensureDatabases = [ config.services.gitea.user ];
+    ensureUsers = [
+      {
+        name = config.services.gitea.database.user;
+        ensureDBOwnership = true;
+        ensureClauses.login = true;
+      }
+    ];
+  };
+}
--- a/services/immich.nix
+++ b/services/immich.nix
@ -0,0 +1,26 @@
+{
+  service_configs,
+  pkgs,
+  config,
+  ...
+}:
+{
+  services.immich = {
+    enable = true;
+    mediaLocation = service_configs.immich.dir;
+    port = service_configs.ports.immich;
+    host = "0.0.0.0";
+    database = {
+      createDB = true;
+    };
+  };
+
+  environment.systemPackages = with pkgs; [
+    immich-go
+  ];
+
+  users.users.${config.services.immich.user}.extraGroups = [
+    "video"
+    "render"
+  ];
+}
--- a/services/jellyfin.nix
+++ b/services/jellyfin.nix
@ -0,0 +1,18 @@
+{ pkgs, config, ... }:
+{
+  environment.systemPackages = with pkgs; [
+    jellyfin
+    jellyfin-web
+    jellyfin-ffmpeg
+  ];
+
+  services.jellyfin = {
+    enable = true;
+    openFirewall = true;
+  };
+
+  users.users.${config.services.jellyfin.user}.extraGroups = [
+    "video"
+    "render"
+  ];
+}
--- a/services/quadlet.nix
+++ b/services/quadlet.nix
@ -0,0 +1,84 @@
+{ service_configs, ... }:
+{
+  virtualisation.quadlet = {
+    containers =
+      let
+        baseContainerConfig = {
+          autoUpdate = "registry";
+          environments = {
+            PUID = 1000;
+            PGID = 1000;
+          };
+        };
+      in
+      {
+        minecraft-server.containerConfig = baseContainerConfig // {
+          image = "docker.io/itzg/minecraft-server:java21-graalvm";
+          name = "minecraft";
+
+          environments = {
+            TYPE = "QUILT";
+            MEMORY = "4G";
+            MOD_PLATFORM = "MODRINTH";
+            USE_AIKAR_FLAGS = true;
+            JVM_OPTS = "-XX:-UseJVMCICompiler";
+            MODRINTH_MODPACK = "https://modrinth.com/modpack/sop";
+            VERSION = "1.21.1";
+          };
+
+          publishPorts = [ "${builtins.toString service_configs.ports.minecraft}:25565" ];
+          volumes = [ "${service_configs.minecraft.dir}:/data:z" ];
+        };
+
+        gluetun.containerConfig = baseContainerConfig // {
+          image = "docker.io/qmcgaw/gluetun";
+          name = "gluetun";
+
+          addCapabilities = [
+            "NET_ADMIN"
+            "MKNOD"
+          ];
+
+          environments = import ../secrets/mullvad.nix;
+
+          publishPorts = [
+            "6081:6081"
+            "6081:6081/udp"
+            "${builtins.toString service_configs.ports.torrent}:6011"
+          ];
+
+          volumes = [ "${service_configs.gluetun.dir}:/gluetun:z" ];
+          podmanArgs = [
+            "--device=/dev/net/tun"
+            "--security-opt label=disable"
+          ];
+        };
+
+        qbittorrent = {
+          containerConfig = baseContainerConfig // {
+            image = "lscr.io/linuxserver/qbittorrent:latest";
+            name = "qbittorrent";
+            environments = {
+              WEBUI_PORT = service_configs.ports.torrent;
+              DOCKER_MODS = "ghcr.io/gabe565/linuxserver-mod-vuetorrent";
+            };
+
+            volumes = [
+              "${service_configs.torrent.config_dir}:/config:z"
+              "${service_configs.torrent.download_dir}:/downloads:z"
+            ];
+
+            networks = [ "container:gluetun" ];
+          };
+
+          serviceConfig = {
+            requires = [ "gluetun.service" ];
+            after = [ "gluetun.service" ];
+          };
+        };
+      };
+    networks = {
+      internal.networkConfig.subnets = [ "10.0.123.1/24" ];
+    };
+  };
+}