This commit is contained in:
Simon Gardling 2025-02-01 20:13:37 -05:00
parent a8ea520f9f
commit b98adc50f6
Signed by: titaniumtown
GPG Key ID: 9AB28AC10ECE533D
8 changed files with 118 additions and 45 deletions


@ -11,6 +11,7 @@
{ {
imports = [ imports = [
./hardware.nix ./hardware.nix
./zfs.nix
./services/jellyfin.nix ./services/jellyfin.nix
./services/caddy.nix ./services/caddy.nix
./services/immich.nix ./services/immich.nix
@ -60,15 +61,6 @@
boot = { boot = {
kernelPackages = pkgs.linuxPackages; kernelPackages = pkgs.linuxPackages;
zfs.package = pkgs.zfs_unstable;
kernelParams = [
# 2048MB
"zfs.zfs_arc_max=2048000000"
];
supportedFilesystems = [ "zfs" ];
zfs.extraPools = [ "tank" ];
loader = { loader = {
# Use the systemd-boot EFI boot loader. # Use the systemd-boot EFI boot loader.
@ -96,13 +88,10 @@
#!/bin/sh #!/bin/sh
rm -fr ${config.boot.lanzaboote.pkiBundle} || true rm -fr ${config.boot.lanzaboote.pkiBundle} || true
mkdir -p ${config.boot.lanzaboote.pkiBundle} mkdir -p ${config.boot.lanzaboote.pkiBundle}
${pkgs.gnutar}/bin/tar xf /etc/nixos/secrets/secureboot.tar -C ${config.boot.lanzaboote.pkiBundle} ${pkgs.gnutar}/bin/tar xf ${./secrets/secureboot.tar} -C ${config.boot.lanzaboote.pkiBundle}
''; '';
}; };
# encryption key for zpool (VERY IMPORTANT)
boot.initrd.secrets."/etc/zfs-key" = /etc/nixos/secrets/zfs-key;
environment.etc = { environment.etc = {
"issue".text = ""; "issue".text = "";
}; };
@ -160,25 +149,32 @@
powertop powertop
(pkgs.writeScriptBin "mc-console" '' (pkgs.writeShellApplication {
#!/bin/sh name = "disk-smart-test";
${pkgs.tmux}/bin/tmux -S /run/minecraft/${service_configs.minecraft.server_name}.sock attach runtimeInputs = with pkgs; [
'') gnugrep
coreutils
smartmontools
];
(pkgs.writeScriptBin "disk-smart-test" '' # i gotta fix that
#!/bin/sh excludeShellChecks = [ "SC2010" ];
set -e
if [[ $EUID -ne 0 ]]; then
echo "This command requires root."
exit 2
fi
DISKS=$(${pkgs.coreutils}/bin/ls /dev/sd* | ${pkgs.gnugrep}/bin/grep -v "[0-9]$") text = ''
for i in $DISKS; do #!/bin/sh
${pkgs.coreutils}/bin/echo -n "$i " set -e
${pkgs.smartmontools}/bin/smartctl -a "$i" | ${pkgs.gnugrep}/bin/grep "SMART overall-health self-assessment test result:" | ${pkgs.coreutils}/bin/cut -d' ' -f6 if [[ $EUID -ne 0 ]]; then
done echo "This command requires root."
'') exit 2
fi
DISKS=$(ls /dev/sd* | grep -v "[0-9]$")
for i in $DISKS; do
echo -n "$i "
smartctl -a "$i" | grep "SMART overall-health self-assessment test result:" | cut -d' ' -f6
done
'';
})
(pkgs.writeShellApplication { (pkgs.writeShellApplication {
name = "reflac"; name = "reflac";
@ -279,6 +275,8 @@
# }; # };
}; };
users.groups.${service_configs.torrent_group} = { };
users.users.${username} = { users.users.${username} = {
isNormalUser = true; isNormalUser = true;
extraGroups = [ extraGroups = [
@ -286,9 +284,11 @@
"video" "video"
"render" "render"
"postgres" "postgres"
"owntracks" "media"
service_configs.torrent_group
]; ];
hashedPasswordFile = "/etc/nixos/secrets/hashedPass";
hashedPasswordFile = "${./secrets/hashedPass}";
openssh.authorizedKeys.keys = [ openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO4jL6gYOunUlUtPvGdML0cpbKSsPNqQ1jit4E7U1RyH" # laptop "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO4jL6gYOunUlUtPvGdML0cpbKSsPNqQ1jit4E7U1RyH" # laptop
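Review bot: The new `${./secrets/secureboot.tar}` in the lanzaboote pkiBundle script and `hashedPasswordFile = "${./secrets/hashedPass}"` interpolate path literals, which copies both secret files into /nix/store at evaluation time, where every local user can read them and from where they travel with the system closure to any binary cache or remote builder. The replaced values were plain strings under /etc/nixos/secrets that were only read at activation; keeping them as strings, `"/etc/nixos/secrets/secureboot.tar"` and `hashedPasswordFile = "/etc/nixos/secrets/hashedPass";`, avoids the store copy, or move the files to a secrets mechanism that deploys outside the store. The same pattern appears in the new zfs.nix (`cp ${./secrets/zfs-key} ...`), where the raw pool key is affected. Dropping `boot.initrd.secrets."/etc/zfs-key"` here also removes the key from the initrd, so if `tank` needs its key before the root filesystem is up that path no longer exists — worth confirming on a reboot rather than inferring from the diff.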

flake.lock generated

@ -15,6 +15,26 @@
"type": "github" "type": "github"
} }
}, },
"disko": {
"inputs": {
"nixpkgs": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1738148035,
"narHash": "sha256-KYOATYEwaKysL3HdHdS5kbQMXvzS4iPJzJrML+3TKAo=",
"owner": "nix-community",
"repo": "disko",
"rev": "18d0a984cc2bc82cf61df19523a34ad463aa7f54",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "disko",
"type": "github"
}
},
"flake-compat": { "flake-compat": {
"flake": false, "flake": false,
"locked": { "locked": {
@ -163,11 +183,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1738287839, "lastModified": 1738374527,
"narHash": "sha256-Vh060kC/aTX+e8Ru195wo+QySd0z91wJ++JZNSDJxy8=", "narHash": "sha256-OcZG42dKolSREIIBM39/kY2TqykihbtYopQSjBbgBjM=",
"owner": "Infinidoge", "owner": "Infinidoge",
"repo": "nix-minecraft", "repo": "nix-minecraft",
"rev": "58f1ae4ac2620cbcef912e32b17f9a64fcb372ad", "rev": "2c815583946bcf1f7327c89fdf9bb4af7f3f5a14",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -178,11 +198,11 @@
}, },
"nixos-hardware": { "nixos-hardware": {
"locked": { "locked": {
"lastModified": 1737751639, "lastModified": 1738391520,
"narHash": "sha256-ZEbOJ9iT72iwqXsiEMbEa8wWjyFvRA9Ugx8utmYbpz4=", "narHash": "sha256-6HI58PKjddsC0RA0gBQlt6ox47oH//jLUHwx05RO8g0=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixos-hardware", "repo": "nixos-hardware",
"rev": "dfad538f751a5aa5d4436d9781ab27a6128ec9d4", "rev": "34b64e4e1ddb14e3ffc7db8d4a781396dbbab773",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -194,11 +214,11 @@
}, },
"nixpkgs": { "nixpkgs": {
"locked": { "locked": {
"lastModified": 1738163270, "lastModified": 1738277201,
"narHash": "sha256-B/7Y1v4y+msFFBW1JAdFjNvVthvNdJKiN6EGRPnqfno=", "narHash": "sha256-6L+WXKCw5mqnUIExvqkD99pJQ41xgyCk6z/H9snClwk=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "59e618d90c065f55ae48446f307e8c09565d5ab0", "rev": "666e1b3f09c267afd66addebe80fb05a5ef2b554",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -269,6 +289,7 @@
}, },
"root": { "root": {
"inputs": { "inputs": {
"disko": "disko",
"home-manager": "home-manager", "home-manager": "home-manager",
"lanzaboote": "lanzaboote", "lanzaboote": "lanzaboote",
"nix-minecraft": "nix-minecraft", "nix-minecraft": "nix-minecraft",


@ -46,11 +46,13 @@
let let
username = "primary"; username = "primary";
hostname = "muffin"; hostname = "muffin";
eth_interface = "enp3s0"; eth_interface = "enp4s0";
service_configs = rec { service_configs = rec {
zpool = "tank";
hdd_path = "/mnt/hdd"; hdd_path = "/mnt/hdd";
services_dir = "/tank/services"; services_dir = "/tank/services";
torrent_group = "media";
# TODO: add checks to make sure none of these collide # TODO: add checks to make sure none of these collide
ports = { ports = {
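Review bot: `services_dir = "/tank/services"` still hardcodes the pool name directly below the new `zpool = "tank"`, so renaming the pool would silently leave the two out of step. Since `service_configs` is a `rec` set, `services_dir = "/${zpool}/services";` keeps the mountpoint derived from the single definition. The rest of the attribute set continues outside the hunk, so any other `/tank` literal there deserves the same treatment.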


@ -30,6 +30,7 @@
users.users.${config.services.jellyfin.user}.extraGroups = [ users.users.${config.services.jellyfin.user}.extraGroups = [
"video" "video"
"render" "render"
service_configs.torrent_group
]; ];
users.users.${username}.extraGroups = [ users.users.${username}.extraGroups = [


@ -9,6 +9,13 @@ let
heap_size = "4000M"; heap_size = "4000M";
in in
{ {
environment.systemPackages = [
(pkgs.writeScriptBin "mc-console" ''
#!/bin/sh
${pkgs.tmux}/bin/tmux -S /run/minecraft/${service_configs.minecraft.server_name}.sock attach
'')
];
nixpkgs.config.allowUnfreePredicate = nixpkgs.config.allowUnfreePredicate =
pkg: pkg:
builtins.elem (lib.getName pkg) [ builtins.elem (lib.getName pkg) [
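Review bot: `mc-console` is moved here still as `pkgs.writeScriptBin` with a `#!/bin/sh` shebang, while the sibling `disk-smart-test` in this same commit is converted to `pkgs.writeShellApplication`; using the same wrapper here gives the script strict mode and shellcheck for free and lets `tmux` be declared through `runtimeInputs` instead of the absolute `${pkgs.tmux}/bin/tmux` path. The behaviour (attach to the socket under /run/minecraft) stays the same.
```nix
environment.systemPackages = [
  (pkgs.writeShellApplication {
    name = "mc-console";
    runtimeInputs = [ pkgs.tmux ];
    text = ''
      tmux -S /run/minecraft/${service_configs.minecraft.server_name}.sock attach
    '';
  })
];
```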


@ -1,4 +1,9 @@
{ pkgs, service_configs, ... }: {
pkgs,
service_configs,
username,
...
}:
let let
owntracks_pkg = pkgs.owntracks-recorder.overrideAttrs (old: { owntracks_pkg = pkgs.owntracks-recorder.overrideAttrs (old: {
installPhase = installPhase =
@ -31,4 +36,8 @@ in
systemd.tmpfiles.rules = [ systemd.tmpfiles.rules = [
"d ${service_configs.owntracks.data_dir} 0770 owntracks owntracks" "d ${service_configs.owntracks.data_dir} 0770 owntracks owntracks"
]; ];
users.users.${username}.extraGroups = [
"owntracks"
];
} }
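Review bot: Adding `${username}` to the `owntracks` group grants write access, not just read access, to `service_configs.owntracks.data_dir`, because the tmpfiles rule two lines above creates it as `0770 owntracks owntracks`. If the interactive user only needs to inspect the recorder's data, changing that rule to `0750` keeps the directory writable by the service alone; if write access is intended, a one-line comment on the new `extraGroups` entry saying so would stop the next reader from tightening it.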


@ -82,8 +82,8 @@
}; };
systemd.tmpfiles.rules = [ systemd.tmpfiles.rules = [
"d ${config.services.qbittorrent.serverConfig.Preferences.Downloads.SavePath} 0770 ${config.services.qbittorrent.user} ${config.services.qbittorrent.group}" "d ${config.services.qbittorrent.serverConfig.Preferences.Downloads.SavePath} 0770 ${config.services.qbittorrent.user} ${service_configs.torrent_group}"
"d ${config.services.qbittorrent.serverConfig.Preferences.Downloads.TempPath} 0770 ${config.services.qbittorrent.user} ${config.services.qbittorrent.group}" "d ${config.services.qbittorrent.serverConfig.Preferences.Downloads.TempPath} 0770 ${config.services.qbittorrent.user} ${service_configs.torrent_group}"
]; ];
# make qbittorrent use a vpn # make qbittorrent use a vpn
@ -92,6 +92,10 @@
vpnNamespace = "wg"; vpnNamespace = "wg";
}; };
users.users.${config.services.qbittorrent.user}.extraGroups = [
service_configs.torrent_group
];
users.users.${username}.extraGroups = [ users.users.${username}.extraGroups = [
config.services.qbittorrent.group config.services.qbittorrent.group
]; ];
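Review bot: The two tmpfiles rules now give the download and temp directories group `${service_configs.torrent_group}` with mode `0770`, but files qbittorrent creates inside them will carry the process's primary group rather than `media` unless the directories are setgid, so the other group members this commit adds (jellyfin, `${username}`) may still be unable to read new downloads depending on qbittorrent's umask. Using `2770` instead of `0770` in both rules makes new entries inherit the directory's group. The `users.users.${username}.extraGroups = [ config.services.qbittorrent.group ]` block below is left in place; if `media` now covers that access it is redundant, otherwise a comment on why both groups are needed would help.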

zfs.nix Normal file

@ -0,0 +1,29 @@
{
service_configs,
config,
pkgs,
...
}:
let
zfs-key = "/etc/zfs-key";
in
{
system.activationScripts = {
"zfs-key".text = ''
#!/bin/sh
rm -fr ${zfs-key} || true
cp ${./secrets/zfs-key} ${zfs-key}
'';
};
boot.zfs.package = pkgs.zfs_unstable;
boot.initrd.kernelModules = [ "zfs" ];
boot.kernelParams = [
# 2048MB
"zfs.zfs_arc_max=2048000000"
];
boot.supportedFilesystems = [ "zfs" ];
boot.zfs.extraPools = [ service_configs.zpool ];
}
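Review bot: `cp ${./secrets/zfs-key} ${zfs-key}` in the activation script interpolates a path literal, so the raw pool encryption key is copied into /nix/store at evaluation time, where it is world-readable on the host and is shipped with the system closure to any binary cache or remote builder; the `boot.initrd.secrets` entry this commit removes from the main config kept it out of the store. Keep the source outside the store, e.g. `cp /etc/nixos/secrets/zfs-key ${zfs-key}`. Independently, `cp` creates the target with the source's mode and store files are 0444, so /etc/zfs-key itself ends up world-readable; `install -m 0400 /etc/nixos/secrets/zfs-key ${zfs-key}` fixes the mode and replaces the `rm -fr ... || true` step in one line. Whether the key is still present when `tank` is imported via `boot.zfs.extraPools` (it previously lived in the initrd) depends on import timing and should be confirmed on a reboot.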