titaniumtown/server-config
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

init

Browse Source
This commit is contained in:
Simon Gardling
2024-09-26 23:50:15 -04:00
commit 36ae02372c
15 changed files with 623 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
.git-crypt/.gitattributes vendored Normal file
View File

@@ -0,0 +1,4 @@
# Do not edit this file. To specify the files to encrypt, create your own
# .gitattributes file in the directory where your files are.
* !filter !diff
*.gpg binary

BIN
.git-crypt/keys/default/0/D15E4754FE1AEDA15A6D47029AB28AC10ECE533D.gpg Normal file
View File

Binary file not shown.

3
.gitattributes vendored Normal file
View File

@@ -0,0 +1,3 @@
secrets/murmur_password filter=git-crypt diff=git-crypt
secrets/hashedPass filter=git-crypt diff=git-crypt
secrets/mullvad.nix filter=git-crypt diff=git-crypt

231
configuration.nix Normal file
View File

@@ -0,0 +1,231 @@
{
config,
lib,
pkgs,
hostname,
username,
eth_interface,
service_configs,
...
}:
{
imports = [
./hardware.nix
# ./services/jellyfin.nix
./services/caddy.nix
./services/quadlet.nix
./services/immich.nix
./services/git.nix
];
nix = {
#garbage collection and cleanup stuff
gc = {
automatic = true;
dates = "weekly";
options = "--delete-older-than 7d";
};
#optimize the store
optimise.automatic = true;
#enable flakes!
settings.experimental-features = [
"nix-command"
"flakes"
];
};
boot = {
kernelPackages = pkgs.linuxPackages_6_10;
supportedFilesystems = [ "zfs" ];
zfs.extraPools = [ "tank" ];
loader = {
# Use the systemd-boot EFI boot loader.
systemd-boot.enable = true;
efi.canTouchEfiVariables = true;
};
};
# Set your time zone.
time.timeZone = "America/New_York";
# Enable the OpenSSH daemon.
services.openssh = {
enable = true;
settings = {
PasswordAuthentication = false;
PermitRootLogin = "no";
};
};
#Intel GPU stuff
nixpkgs.config.packageOverrides = pkgs: {
vaapiIntel = pkgs.vaapiIntel.override { enableHybridCodec = true; };
};
hardware.graphics = {
enable = true;
extraPackages = with pkgs; [
intel-media-driver
intel-vaapi-driver # previously vaapiIntel
vaapiVdpau
intel-compute-runtime # OpenCL filter support (hardware tonemapping and subtitle burn-in)
vpl-gpu-rt # QSV on 11th gen or newer
];
};
#fwupd for updating firmware
services.fwupd = {
enable = true;
extraRemotes = [ "lvfs-testing" ];
};
environment.systemPackages = with pkgs; [
helix
nixfmt-rfc-style
lm_sensors
bottom
htop
borgbackup
smartmontools
nil
ripgrep
intel-gpu-tools
];
services.zfs = {
autoScrub.enable = true;
autoSnapshot.enable = true;
};
systemd.services.no-rgb =
let
no-rgb = pkgs.writeScriptBin "no-rgb" ''
#!/bin/sh
NUM_DEVICES=$(${pkgs.openrgb}/bin/openrgb --noautoconnect --list-devices | ${pkgs.coreutils}/bin/grep -E '^[0-9]+: ' | ${pkgs.coreutils}/bin/wc -l)
for i in $(${pkgs.coreutils}/bin/seq 0 $(($NUM_DEVICES - 1))); do
${pkgs.openrgb}/bin/openrgb --noautoconnect --device $i --mode direct --color 000000
done
'';
in
{
description = "disable rgb";
serviceConfig = {
ExecStart = "${no-rgb}/bin/no-rgb";
Type = "oneshot";
};
wantedBy = [ "multi-user.target" ];
};
services.hardware.openrgb = {
enable = true;
package = pkgs.openrgb-with-all-plugins;
motherboard = "amd";
};
services.udev.packages = [ pkgs.openrgb-with-all-plugins ];
hardware.i2c.enable = true;
networking = {
nameservers = [
"1.1.1.1"
"9.9.9.9"
];
hostName = hostname;
hostId = "0f712d56";
firewall.enable = true;
useDHCP = false;
interfaces.${eth_interface} = {
ipv4.addresses = [
{
address = "10.1.1.102";
prefixLength = 24;
}
];
};
defaultGateway = {
address = "10.1.1.1";
interface = eth_interface;
};
};
virtualisation = {
containers.enable = true;
podman = {
enable = true;
# Required for containers under podman-compose to be able to talk to each other.
defaultNetwork.settings.dns_enabled = true;
};
};
users.users.${username} = {
isNormalUser = true;
extraGroups = [
"wheel"
"video"
"render"
];
hashedPasswordFile = "/etc/nixos/secrets/hashedPass";
openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO4jL6gYOunUlUtPvGdML0cpbKSsPNqQ1jit4E7U1RyH" # laptop
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBJjT5QZ3zRDb+V6Em20EYpSEgPW5e/U+06uQGJdraxi" # desktop
];
};
# https://nixos.wiki/wiki/Fish#Setting_fish_as_your_shell
programs.fish.enable = true;
programs.bash = {
interactiveShellInit = ''
if [[ $(${pkgs.procps}/bin/ps --no-header --pid=$PPID --format=comm) != "fish" && -z ''${BASH_EXECUTION_STRING} ]]
then
shopt -q login_shell && LOGIN_OPTION='--login' || LOGIN_OPTION=""
exec ${pkgs.fish}/bin/fish $LOGIN_OPTION
fi
'';
};
security = {
#lets use doas and not sudo!
doas.enable = true;
sudo.enable = false;
# Configure doas
doas.extraRules = [
{
users = [ username ];
keepEnv = true;
persist = true;
}
];
};
networking.firewall.allowedTCPPorts = [
service_configs.ports.minecraft
];
services.murmur = {
enable = true;
openFirewall = true;
welcometext = "meow meow meow meow meow :3 xd";
password = builtins.readFile ./secrets/murmur_password;
};
services.postgresql = {
enable = true;
package = pkgs.postgresql_16;
dataDir = "/tank/services/sql";
};
system.stateVersion = "24.05";
}

48
flake.lock generated Normal file
View File

@@ -0,0 +1,48 @@
{
"nodes": {
"nixpkgs": {
"locked": {
"lastModified": 1727444619,
"narHash": "sha256-Y4X22oYrmYZcVVLa708GX/trYjSGkPgd2HpnOR0kTfg=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "c198f2dc39f569fadff23d199715be9c345a1383",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "master",
"repo": "nixpkgs",
"type": "github"
}
},
"quadlet-nix": {
"inputs": {
"nixpkgs": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1727065535,
"narHash": "sha256-jX83vspAPZnnpFUylUYqP+J1RoZc9w10bbQtsEwD20A=",
"owner": "SEIAROTg",
"repo": "quadlet-nix",
"rev": "51e2beaaf127c8b4460d909c6c29ed9d60bfde0c",
"type": "github"
},
"original": {
"owner": "SEIAROTg",
"repo": "quadlet-nix",
"type": "github"
}
},
"root": {
"inputs": {
"nixpkgs": "nixpkgs",
"quadlet-nix": "quadlet-nix"
}
}
},
"root": "root",
"version": 7
}

82
flake.nix Normal file
View File

@@ -0,0 +1,82 @@
{
description = "Flake for server muffin";
inputs = {
# nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
nixpkgs.url = "github:NixOS/nixpkgs/master";
quadlet-nix.url = "github:SEIAROTg/quadlet-nix";
quadlet-nix.inputs.nixpkgs.follows = "nixpkgs";
};
outputs =
{
nixpkgs,
quadlet-nix,
...
}:
let
username = "primary";
hostname = "muffin";
eth_interface = "enp3s0";
service_configs = {
hdd_path = "/mnt/hdd";
# TODO: add checks to make sure none of these collide
ports = {
https = 443;
immich = 3001;
jellyfin = 8096;
torrent = 6011;
minecraft = 25565;
git-server = 3281;
};
https = {
certs = "/tank/services/http_certs";
data_dir = "/tank/services/http";
};
gitea = {
dir = "/tank/services/gitea";
};
postgres = {
socket = "/run/postgresql";
};
immich = {
dir = "/tank/services/immich";
};
minecraft = {
dir = "/tank/services/minecraft";
};
gluetun = {
dir = "/tank/services/gluetun";
};
torrent = {
config_dir = "/tank/services/qbittorrent/config";
download_dir = "${service_configs.hdd_path}/torrents";
};
};
in
{
nixosConfigurations.${hostname} = nixpkgs.lib.nixosSystem {
specialArgs = {
inherit
username
hostname
eth_interface
service_configs
;
};
modules = [
./configuration.nix
quadlet-nix.nixosModules.quadlet
];
};
};
}

46
hardware.nix Normal file
View File

@@ -0,0 +1,46 @@
{
config,
lib,
pkgs,
service_configs,
...
}:
{
boot.initrd.availableKernelModules = [
"xhci_pci"
"ahci"
"usb_storage"
"usbhid"
"sd_mod"
];
boot.initrd.kernelModules = [ "dm-snapshot" ];
boot.kernelModules = [ "kvm-amd" ];
boot.extraModulePackages = [ ];
fileSystems."/" = {
device = "/dev/disk/by-uuid/f467d1e8-5f00-40ee-aa67-55a999181918";
fsType = "ext4";
};
fileSystems."/boot" = {
device = "/dev/disk/by-uuid/96DC-6E54";
fsType = "vfat";
options = [
"fmask=0022"
"dmask=0022"
];
};
# 3tb HDD
fileSystems.${service_configs.hdd_path} = {
device = "/dev/disk/by-uuid/f69b8c84-20ca-448f-b580-8951f20b9fc1";
fsType = "xfs";
};
swapDevices = [ ];
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
hardware.cpu.amd.updateMicrocode = true;
hardware.enableRedistributableFirmware = true;
}

BIN
secrets/hashedPass Normal file
View File

Binary file not shown.

BIN
secrets/mullvad.nix Normal file
View File

Binary file not shown.

BIN
secrets/murmur_password Normal file
View File

Binary file not shown.

41
services/caddy.nix Normal file
View File

@@ -0,0 +1,41 @@
{ service_configs, ... }:
{
services.caddy = {
enable = true;
virtualHosts = {
":${builtins.toString service_configs.ports.https}".extraConfig = ''
tls ${service_configs.https.certs}/cert.crt ${service_configs.https.certs}/cert.key
handle_path /torrent* {
reverse_proxy 127.0.0.1:${builtins.toString service_configs.ports.torrent}
}
root * ${service_configs.https.data_dir}
file_server browse
'';
"immich.gardling.com".extraConfig = ''
reverse_proxy 127.0.0.1:${builtins.toString service_configs.ports.immich}
'';
"jellyfin.gardling.com".extraConfig = ''
reverse_proxy 127.0.0.1:${builtins.toString service_configs.ports.jellyfin}
request_body {
max_size 4096MB
}
'';
"git.gardling.com".extraConfig = ''
reverse_proxy 127.0.0.1:${builtins.toString service_configs.ports.git-server}
'';
};
};
networking.firewall.allowedTCPPorts = [
service_configs.ports.https
];
networking.firewall.allowedUDPPorts = [
service_configs.ports.https
];
}

40
services/git.nix Normal file
View File

@@ -0,0 +1,40 @@
{
config,
service_configs,
...
}:
{
services.gitea = {
enable = true;
appName = "TBD name of my gitea server";
stateDir = service_configs.gitea.dir;
database = {
type = "postgres";
socket = service_configs.postgres.socket;
};
settings = {
server = {
DOMAIN = "git.gardling.com";
ROOT_URL = "https://git.gardling.com";
HTTP_PORT = service_configs.ports.git-server;
};
session = {
# https cookies or smth
COOKIE_SECURE = true;
};
# only I shall use gitea
service.DISABLE_REGISTRATION = true;
};
};
services.postgresql = {
ensureDatabases = [ config.services.gitea.user ];
ensureUsers = [
{
name = config.services.gitea.database.user;
ensureDBOwnership = true;
ensureClauses.login = true;
}
];
};
}

26
services/immich.nix Normal file
View File

@@ -0,0 +1,26 @@
{
service_configs,
pkgs,
config,
...
}:
{
services.immich = {
enable = true;
mediaLocation = service_configs.immich.dir;
port = service_configs.ports.immich;
host = "0.0.0.0";
database = {
createDB = true;
};
};
environment.systemPackages = with pkgs; [
immich-go
];
users.users.${config.services.immich.user}.extraGroups = [
"video"
"render"
];
}

18
services/jellyfin.nix Normal file
View File

@@ -0,0 +1,18 @@
{ pkgs, config, ... }:
{
environment.systemPackages = with pkgs; [
jellyfin
jellyfin-web
jellyfin-ffmpeg
];
services.jellyfin = {
enable = true;
openFirewall = true;
};
users.users.${config.services.jellyfin.user}.extraGroups = [
"video"
"render"
];
}

84
services/quadlet.nix Normal file
View File

@@ -0,0 +1,84 @@
{ service_configs, ... }:
{
virtualisation.quadlet = {
containers =
let
baseContainerConfig = {
autoUpdate = "registry";
environments = {
PUID = 1000;
PGID = 1000;
};
};
in
{
minecraft-server.containerConfig = baseContainerConfig // {
image = "docker.io/itzg/minecraft-server:java21-graalvm";
name = "minecraft";
environments = {
TYPE = "QUILT";
MEMORY = "4G";
MOD_PLATFORM = "MODRINTH";
USE_AIKAR_FLAGS = true;
JVM_OPTS = "-XX:-UseJVMCICompiler";
MODRINTH_MODPACK = "https://modrinth.com/modpack/sop";
VERSION = "1.21.1";
};
publishPorts = [ "${builtins.toString service_configs.ports.minecraft}:25565" ];
volumes = [ "${service_configs.minecraft.dir}:/data:z" ];
};
gluetun.containerConfig = baseContainerConfig // {
image = "docker.io/qmcgaw/gluetun";
name = "gluetun";
addCapabilities = [
"NET_ADMIN"
"MKNOD"
];
environments = import ../secrets/mullvad.nix;
publishPorts = [
"6081:6081"
"6081:6081/udp"
"${builtins.toString service_configs.ports.torrent}:6011"
];
volumes = [ "${service_configs.gluetun.dir}:/gluetun:z" ];
podmanArgs = [
"--device=/dev/net/tun"
"--security-opt label=disable"
];
};
qbittorrent = {
containerConfig = baseContainerConfig // {
image = "lscr.io/linuxserver/qbittorrent:latest";
name = "qbittorrent";
environments = {
WEBUI_PORT = service_configs.ports.torrent;
DOCKER_MODS = "ghcr.io/gabe565/linuxserver-mod-vuetorrent";
};
volumes = [
"${service_configs.torrent.config_dir}:/config:z"
"${service_configs.torrent.download_dir}:/downloads:z"
];
networks = [ "container:gluetun" ];
};
serviceConfig = {
requires = [ "gluetun.service" ];
after = [ "gluetun.service" ];
};
};
};
networks = {
internal.networkConfig.subnets = [ "10.0.123.1/24" ];
};
};
}