From 1dff87b0445072fdf74fc7c21e22175a8b904e5d Mon Sep 17 00:00:00 2001
From: Richie Cahill
Date: Fri, 13 Sep 2024 20:58:40 -0400
Subject: [PATCH] adding jeeves
---
 flake.lock | 173 +++++++++++++++++++++++---
 flake.nix | 10 ++
 systems/common/global/ssh.nix | 2 +-
 systems/jeeves/arch_mirror.nix | 29 +++++
 systems/jeeves/default.nix | 122 ++++++++++++++++++
 systems/jeeves/docker/default.nix | 11 ++
 systems/jeeves/docker/filebrowser.nix | 15 +++
 systems/jeeves/docker/haproxy.cfg | 68 ++++++++++
 systems/jeeves/docker/internal.nix | 145 +++++++++++++++++++++
 systems/jeeves/docker/postgresql.nix | 33 +++++
 systems/jeeves/docker/uptime_kuma.nix | 16 +++
 systems/jeeves/docker/web.nix | 57 +++++++++
 systems/jeeves/hardware.nix | 62 +++++++++
 systems/jeeves/networking.nix | 41 ++++++
 systems/jeeves/programs.nix | 7 ++
 systems/jeeves/services.nix | 47 +++++++
 systems/jeeves/vars.nix | 23 ++++
 users/richie/home/cli/zsh.nix | 1 +
 users/richie/home/programs.nix | 1 -
 users/richie/systems/jeeves.nix | 5 +
 20 files changed, 852 insertions(+), 16 deletions(-)
 create mode 100644 systems/jeeves/arch_mirror.nix
 create mode 100644 systems/jeeves/default.nix
 create mode 100644 systems/jeeves/docker/default.nix
 create mode 100644 systems/jeeves/docker/filebrowser.nix
 create mode 100644 systems/jeeves/docker/haproxy.cfg
 create mode 100644 systems/jeeves/docker/internal.nix
 create mode 100644 systems/jeeves/docker/postgresql.nix
 create mode 100644 systems/jeeves/docker/uptime_kuma.nix
 create mode 100644 systems/jeeves/docker/web.nix
 create mode 100644 systems/jeeves/hardware.nix
 create mode 100644 systems/jeeves/networking.nix
 create mode 100644 systems/jeeves/programs.nix
 create mode 100644 systems/jeeves/services.nix
 create mode 100644 systems/jeeves/vars.nix
 create mode 100644 users/richie/systems/jeeves.nix
diff --git a/flake.lock b/flake.lock
index b4a463c..f8039a6 100644
--- a/flake.lock
+++ b/flake.lock
@@ -9,11 +9,11 @@ }, "locked": { "dir": "pkgs/firefox-addons", - "lastModified": 1725783932, - "narHash": "sha256-ZrDE5yqkgiv0F34w1QFz1oZnNnReW0PEA6vjO6gx4Uc=", + "lastModified": 1725940994, + "narHash": "sha256-PCj5WMvCMg2g8gBNf3izt4rPu5b5Mi/7zxmXHit3N3U=", "owner": "rycee", "repo": "nur-expressions", - "rev": "58ac93a2ade218ea5e4dae38246030c7342b1eb4", + "rev": "93857a3619db67e72f5012ce3cb001e402b86dbe", "type": "gitlab" }, "original": { @@ -23,6 +23,44 @@ "type": "gitlab" } }, + "flake-compat": { + "flake": false, + "locked": { + "lastModified": 1717312683, + "narHash": "sha256-FrlieJH50AuvagamEvWMIE6D2OAnERuDboFDYAED/dE=", + "owner": "nix-community", + "repo": "flake-compat", + "rev": "38fd3954cf65ce6faf3d0d45cd26059e059f07ea", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "flake-compat", + "type": "github" + } + }, + "flake-parts": { + "inputs": { + "nixpkgs-lib": [ + "nixos-cosmic", + "nix-update", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1719994518, + "narHash": "sha256-pQMhCCHyQGRzdfAkdJ4cIWiw+JNuWsTX7f0ZYSyz0VY=", + "owner": "hercules-ci", + "repo": "flake-parts", + "rev": "9227223f6d922fee3c7b190b2cc238a99527bbb7", + "type": "github" + }, + "original": { + "owner": "hercules-ci", + "repo": "flake-parts", + "type": "github" + } + }, "flake-utils": { "locked": { "lastModified": 1629284811, @@ -63,11 +101,11 @@ ] }, "locked": { - "lastModified": 1725781935, - "narHash": "sha256-o6LRtdpgBTzev9n243Ktu3rn0/qsv0frFyJwU6vJsdE=", + "lastModified": 1725948275, + "narHash": "sha256-4QOPemDQ9VRLQaAdWuvdDBhh+lEUOAnSMHhdr4nS1mk=", "owner": "nix-community", "repo": "home-manager", - "rev": "ec4c6928bbacc89cf10e9c959a7a47cbaad95344", + "rev": "e5fa72bad0c6f533e8d558182529ee2acc9454fe", "type": "github" }, "original": { 
@@ -98,13 +136,60 @@ "type": "github" } }, + "nix-update": { + "inputs": { + "flake-parts": "flake-parts", + "nixpkgs": [ + "nixos-cosmic", + "nixpkgs" + ], + "treefmt-nix": "treefmt-nix" + }, + "locked": { + "lastModified": 1725635983, + "narHash": "sha256-haSfwdurfltqQ/7YEmDcmWLnWwvAgelIHnXsHG34P1k=", + "owner": "lilyinstarlight", + "repo": "nix-update", + "rev": "ed54a7546affb3f8c9c3e10a6fa6fdb21756ec8f", + "type": "github" + }, + "original": { + "owner": "lilyinstarlight", + "repo": "nix-update", + "type": "github" + } + }, + "nixos-cosmic": { + "inputs": { + "flake-compat": "flake-compat", + "nix-update": "nix-update", + "nixpkgs": [ + "nixpkgs" + ], + "nixpkgs-stable": "nixpkgs-stable", + "rust-overlay": "rust-overlay" + }, + "locked": { + "lastModified": 1725932078, + "narHash": "sha256-IATccCX01KHY3QDYmpCMu70WRWxJH4V7z9vp71RlSAs=", + "owner": "lilyinstarlight", + "repo": "nixos-cosmic", + "rev": "0452cc841e9b30160ae48db636164fb7a6d6bb72", + "type": "github" + }, + "original": { + "owner": "lilyinstarlight", + "repo": "nixos-cosmic", + "type": "github" + } + }, "nixos-hardware": { "locked": { - "lastModified": 1725716377, - "narHash": "sha256-7NzW9O/cAw7iWzRfh7Oo/SuSudL4a1YTKS6yoh3tMck=", + "lastModified": 1725885300, + "narHash": "sha256-5RLEnou1/GJQl+Wd+Bxaj7QY7FFQ9wjnFq1VNEaxTmc=", "owner": "nixos", "repo": "nixos-hardware", - "rev": "04a1cda0c1725094a4db703cccbb956b7558f5a6", + "rev": "166dee4f88a7e3ba1b7a243edb1aca822f00680e", "type": "github" }, "original": { 
@@ -132,11 +217,27 @@ }, "nixpkgs-stable": { "locked": { - "lastModified": 1725693463, - "narHash": "sha256-ZPzhebbWBOr0zRWW10FfqfbJlan3G96/h3uqhiFqmwg=", + "lastModified": 1725826545, + "narHash": "sha256-L64N1rpLlXdc94H+F6scnrbuEu+utC03cDDVvvJGOME=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "f4c846aee8e1e29062aa8514d5e0ab270f4ec2f9", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixos-24.05", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs-stable_2": { + "locked": { + "lastModified": 1725826545, + "narHash": "sha256-L64N1rpLlXdc94H+F6scnrbuEu+utC03cDDVvvJGOME=", "owner": "nixos", "repo": "nixpkgs", - "rev": "68e7dce0a6532e876980764167ad158174402c6f", + "rev": "f4c846aee8e1e29062aa8514d5e0ab270f4ec2f9", "type": "github" }, "original": { @@ -158,7 +259,7 @@ "nixpkgs" ], "systems": "systems_2", - "treefmt-nix": "treefmt-nix" + "treefmt-nix": "treefmt-nix_2" }, "locked": { "lastModified": 1723343306, @@ -178,13 +279,35 @@ "inputs": { "firefox-addons": "firefox-addons", "home-manager": "home-manager", + "nixos-cosmic": "nixos-cosmic", "nixos-hardware": "nixos-hardware", "nixpkgs": "nixpkgs", - "nixpkgs-stable": "nixpkgs-stable", + "nixpkgs-stable": "nixpkgs-stable_2", "system_tools": "system_tools", "systems": "systems_3" } }, + "rust-overlay": { + "inputs": { + "nixpkgs": [ + "nixos-cosmic", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1725848835, + "narHash": "sha256-u4lCr+tOEWhsFiww5G04U5jUNzaQJi0/ZMIDGiLeT14=", + "owner": "oxalica", + "repo": "rust-overlay", + "rev": "2ef910a6276a2f34513d18f2f826a8dea72c3b3f", + "type": "github" + }, + "original": { + "owner": "oxalica", + "repo": "rust-overlay", + "type": "github" + } + }, "system_tools": { "inputs": { "flake-utils": "flake-utils_2", 
@@ -252,6 +375,28 @@ } }, "treefmt-nix": { + "inputs": { + "nixpkgs": [ + "nixos-cosmic", + "nix-update", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1719887753, + "narHash": "sha256-p0B2r98UtZzRDM5miGRafL4h7TwGRC4DII+XXHDHqek=", + "owner": "numtide", + "repo": "treefmt-nix", + "rev": "bdb6355009562d8f9313d9460c0d3860f525bc6c", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "treefmt-nix", + "type": "github" + } + }, + "treefmt-nix_2": { "inputs": { "nixpkgs": [ "system_tools",
diff --git a/flake.nix b/flake.nix
index 02267ba..4a39a94 100644
--- a/flake.nix
+++ b/flake.nix
@@ -34,6 +34,11 @@
 url = "github:RichieCahill/system_tools";
 inputs.nixpkgs.follows = "nixpkgs";
 };
+
+ nixos-cosmic = {
+ url = "github:lilyinstarlight/nixos-cosmic";
+ inputs.nixpkgs.follows = "nixpkgs";
+ };
 };
 outputs = {
@@ -41,6 +46,7 @@
 nixpkgs,
 home-manager,
 systems,
+ nixos-cosmic,
 ...
 } @ inputs: let
 inherit (self) outputs;
@@ -65,6 +71,10 @@
 modules = [./systems/bob];
 specialArgs = {inherit inputs outputs;};
 };
+ jeeves = lib.nixosSystem {
+ modules = [./systems/jeeves];
+ specialArgs = {inherit inputs outputs;};
+ };
 };
 };
 }
diff --git a/systems/common/global/ssh.nix b/systems/common/global/ssh.nix
index 3b3ae8f..40a7cf5 100644
--- a/systems/common/global/ssh.nix
+++ b/systems/common/global/ssh.nix
@@ -33,7 +33,7 @@
 MaxSessions = lib.mkDefault 2;
 PasswordAuthentication = false;
 PermitEmptyPasswords = "no";
- PermitRootLogin = lib.mkForce "no";
+ PermitRootLogin = lib.mkDefault "no";
 TcpKeepAlive = "no";
 X11Forwarding = lib.mkDefault false;
 KexAlgorithms = [
diff --git a/systems/jeeves/arch_mirror.nix b/systems/jeeves/arch_mirror.nix
new file mode 100644
index 0000000..b7d1e6a
--- /dev/null
+++ b/systems/jeeves/arch_mirror.nix
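Review bot: The new `nixos-cosmic` input is declared and bound in the `outputs` argument set, yet nothing in this commit uses it — the added `jeeves` entry only lists `./systems/jeeves` — while the lock file now pulls in its transitive inputs (rust-overlay, nix-update, flake-parts, treefmt-nix, flake-compat). Unless a module outside this diff consumes it, leave the input out until it is needed so the set of fetched and trusted sources stays limited to what the configurations actually build. If it is being staged deliberately, a comment above the input such as `# not wired in yet; intended for the COSMIC desktop on <host>` makes that visible to the next reader.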
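Review bot: Changing `PermitRootLogin` from `lib.mkForce "no"` to `lib.mkDefault "no"` lets any host module silently re-enable root SSH login, and nothing in this commit needs that yet — the only related line, `# services.openssh.settings.PermitRootLogin = "yes";` in systems/jeeves/default.nix, is commented out. Keep `mkForce` until a host actually sets the option, and when it does, prefer `"prohibit-password"` over `"yes"` together with a comment naming why root access over SSH is required, so password login for root can never be turned on in passing. The enclosing `settings` attribute set starts and ends outside the hunk.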
@@ -0,0 +1,29 @@
+{ inputs, pkgs, ... }:
+let
+ vars = import ./vars.nix;
+in
+{
+ virtualisation.oci-containers.containers.arch_mirror = {
+ image = "ubuntu/apache2:latest";
+ volumes = [
+ "${../../users/richie/global/docker_templates}/file_server/sites/:/etc/apache2/sites-enabled/"
+ "${vars.media_mirror}:/data"
+ ];
+ ports = [ "800:80" ];
+ extraOptions = [ "--network=web" ];
+ autoStart = true;
+ };
+
+ systemd.services.sync_mirror = {
+ requires = [ "network-online.target" ];
+ after = [ "network-online.target" ];
+ wantedBy = [ "multi-user.target" ];
+ description = "validates startup";
+ path = [ pkgs.rsync ];
+ serviceConfig = {
+ Environment = "MIRROR_DIR=${vars.media_mirror}/archlinux/";
+ Type = "simple";
+ ExecStart = "${inputs.system_tools.packages.x86_64-linux.default}/bin/sync_mirror";
+ };
+ };
+}
diff --git a/systems/jeeves/default.nix b/systems/jeeves/default.nix
new file mode 100644
index 0000000..fcbdaf8
--- /dev/null
+++ b/systems/jeeves/default.nix
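Review bot: `extraOptions = [ "--network=web" ]` presumes a user-defined Docker network called `web` already exists, and nothing in this commit creates it — the oci-containers module only runs the container — so on a fresh host the unit fails until the network is created by hand; filebrowser, uptime_kuma, overseerr and every container in web.nix share the same assumption. A oneshot unit that runs `docker network create web` (tolerating the already-exists case) and that these services list in `requires`/`after` makes the dependency explicit and reproducible. `description = "validates startup"` looks copied from `startup_validation` in services.nix; `description = "syncs the Arch Linux mirror";` matches what the unit is named for. Pinning `image = "ubuntu/apache2:latest"` to a tag or digest would keep a publicly served mirror from changing under a plain rebuild.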
@@ -0,0 +1,122 @@
+{ pkgs, ... }:
+let
+ vars = import ./vars.nix;
+in
+{
+ imports = [
+ ../../users/richie
+ ../common/global
+ ../common/optional/syncthing_base.nix
+ ../common/optional/systemd-boot.nix
+ ../common/optional/zerotier.nix
+ ./arch_mirror.nix
+ # ./docker
+ ./hardware.nix
+ ./networking.nix
+ ./programs.nix
+ ./services.nix
+ ];
+
+ boot.zfs.extraPools = [
+ "media"
+ "storage"
+ "torrenting"
+ ];
+
+
+ # services.openssh.settings.PermitRootLogin = "yes";
+
+ services = {
+ openssh.ports = [ 629 ];
+
+ plex = {
+ enable = true;
+ dataDir = vars.media_plex;
+ };
+
+ smartd.enable = true;
+
+ sysstat.enable = true;
+
+ syncthing.guiAddress = "192.168.90.40:8384";
+ syncthing.settings.folders = {
+ "notes" = {
+ id = "l62ul-lpweo"; # cspell:disable-line
+ path = vars.media_notes;
+ devices = [
+ "bob"
+ "phone"
+ "rhapsody-in-green"
+ ];
+ fsWatcherEnabled = true;
+ };
+ "books" = {
+ id = "6uppx-vadmy"; # cspell:disable-line
+ path = "${vars.storage_syncthing}/books";
+ devices = [
+ "bob"
+ "phone"
+ "rhapsody-in-green"
+ ];
+ fsWatcherEnabled = true;
+ };
+ "important" = {
+ id = "4ckma-gtshs"; # cspell:disable-line
+ path = "${vars.storage_syncthing}/important";
+ devices = [
+ "bob"
+ "phone"
+ "rhapsody-in-green"
+ ];
+ fsWatcherEnabled = true;
+ };
+ "music" = {
+ id = "vprc5-3azqc"; # cspell:disable-line
+ path = "${vars.storage_syncthing}/music";
+ devices = [
+ "bob"
+ "phone"
+ "rhapsody-in-green"
+ ];
+ fsWatcherEnabled = true;
+ };
+ "projects" = {
+ id = "vyma6-lqqrz"; # cspell:disable-line
+ path = "${vars.storage_syncthing}/projects";
+ devices = [
+ "bob"
+ "rhapsody-in-green"
+ ];
+ fsWatcherEnabled = true;
+ };
+ };
+
+ zfs = {
+ trim.enable = true;
+ autoScrub.enable = true;
+ };
+ };
+ systemd = {
+ services."snapshot_manager" = {
+ description = "ZFS Snapshot Manager";
+ requires = [ "zfs-import.target" ];
+ after = [ "zfs-import.target" ];
+ serviceConfig = {
+ Environment = "ZFS_BIN=${pkgs.zfs}/bin/zfs";
+ Type = "oneshot";
+ ExecStart = "${pkgs.python3}/bin/python3 ${vars.media_scripts}/ZFS/snapshot_manager.py --config-file='${./snapshot_config.toml}'";
+ };
+ };
+ timers."snapshot_manager" = {
+ wantedBy = [ "timers.target" ];
+ timerConfig = {
+ OnBootSec = "15m";
+ OnUnitActiveSec = "15m";
+ Unit = "snapshot_manager.service";
+ };
+ };
+ };
+
+
+ system.stateVersion = "24.05";
+}
diff --git a/systems/jeeves/docker/default.nix b/systems/jeeves/docker/default.nix
new file mode 100644
index 0000000..e384ee5
--- /dev/null
+++ b/systems/jeeves/docker/default.nix
@@ -0,0 +1,11 @@
+{ lib, ... }:
+{
+ imports =
+ let
+ files = builtins.attrNames (builtins.readDir ./.);
+ nixFiles = builtins.filter (name: lib.hasSuffix ".nix" name && name != "default.nix") files;
+ in
+ map (file: ./. + "/${file}") nixFiles;
+
+ virtualisation.oci-containers.backend = "docker";
+}
diff --git a/systems/jeeves/docker/filebrowser.nix b/systems/jeeves/docker/filebrowser.nix
new file mode 100644
index 0000000..0ff75fa
--- /dev/null
+++ b/systems/jeeves/docker/filebrowser.nix
@@ -0,0 +1,15 @@
+let
+ vars = import ../vars.nix;
+in
+{
+ virtualisation.oci-containers.containers.filebrowser = {
+ image = "hurlenko/filebrowser:latest";
+ extraOptions = [ "--network=web" ];
+ volumes = [
+ "/zfs:/data"
+ "${vars.media_docker_configs}/filebrowser:/config"
+ ];
+ autoStart = true;
+ user = "1000:users";
+ };
+}
diff --git a/systems/jeeves/docker/haproxy.cfg b/systems/jeeves/docker/haproxy.cfg
new file mode 100644
index 0000000..6b663c8
--- /dev/null
+++ b/systems/jeeves/docker/haproxy.cfg
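Review bot: `ExecStart` for `snapshot_manager` interpolates `${./snapshot_config.toml}`, and that file is not among the files this commit creates (nor is `systems/jeeves/scripts/plex_permission.sh`, referenced the same way from services.nix), so unless both already exist in the repository the flake fails to evaluate with a missing-path error. More importantly, the unit runs `${vars.media_scripts}/ZFS/snapshot_manager.py` as root every 15 minutes from a data dataset (`/zfs/media/scripts`) that is outside the Nix store; whoever can write there — the filebrowser container bind-mounts all of `/zfs`, subject to dataset permissions — controls code executed as root. Shipping the script through the flake, as `sync_mirror` already is via `inputs.system_tools`, or at minimum pointing `ExecStart` at a root-owned, non-writable path, removes that path. The `./docker` import is still commented out, so the filebrowser route is latent until it is enabled.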
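Review bot: `"/zfs:/data"` bind-mounts the whole pool hierarchy read-write into a web file manager that haproxy.cfg publishes as `filebrowser.tmmworkshop.com`, which exposes the qBittorrent and `*arr` config directories (API keys), the postgres data directory and the scripts that root-level units execute. Mount only what needs browsing and mark anything never written through the UI read-only, e.g. `"${vars.storage_main}:/data/main"` and `"${vars.media_mirror}:/data/mirror:ro"`. `user = "1000:users"` means host-side ownership of those datasets is the only thing limiting what the UI can change; worth confirming that uid 1000 has no write access to `${vars.media_scripts}` or the docker config trees.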
@@ -0,0 +1,68 @@
+global
+ log stdout format raw local0
+ # stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners
+ stats timeout 30s
+
+defaults
+ log global
+ mode http
+ retries 3
+ maxconn 2000
+ timeout connect 5s
+ timeout client 50s
+ timeout server 50s
+ timeout http-request 10s
+ timeout http-keep-alive 2s
+ timeout queue 5s
+ timeout tunnel 2m
+ timeout client-fin 1s
+ timeout server-fin 1s
+
+
+#Application Setup
+frontend ContentSwitching
+ bind *:80
+ bind *:443 ssl crt /etc/ssl/certs/cloudflare.pem
+ mode http
+ # tmmworkshop.com
+ acl host_mirror hdr(host) -i mirror.tmmworkshop.com
+ acl host_dndrules hdr(host) -i dndrules.tmmworkshop.com
+ acl host_grafana hdr(host) -i grafana.tmmworkshop.com
+ acl host_filebrowser hdr(host) -i filebrowser.tmmworkshop.com
+ acl host_uptime_kuma hdr(host) -i uptimekuma-jeeves.tmmworkshop.com
+ acl host_overseerr hdr(host) -i overseerr.tmmworkshop.com
+
+ use_backend mirror_nodes if host_mirror
+ use_backend dndrules_nodes if host_dndrules
+ use_backend grafana_nodes if host_grafana
+ use_backend filebrowser_nodes if host_filebrowser
+ use_backend uptime_kuma_nodes if host_uptime_kuma
+ use_backend overseerr_nodes if host_overseerr
+
+backend mirror_nodes
+ mode http
+ server server arch_mirror:80
+
+backend mirror_rsync
+ mode http
+ server server arch_mirror:873
+
+backend grafana_nodes
+ mode http
+ server server grafana:3000
+
+backend dndrules_nodes
+ mode http
+ server server dnd_file_server:80
+
+backend filebrowser_nodes
+ mode http
+ server server filebrowser:8080
+
+backend uptime_kuma_nodes
+ mode http
+ server server uptime_kuma:3001
+
+backend overseerr_nodes
+ mode http
+ server server overseerr:5055
diff --git a/systems/jeeves/docker/internal.nix b/systems/jeeves/docker/internal.nix
new file mode 100644
index 0000000..4e8cb96
--- /dev/null
+++ b/systems/jeeves/docker/internal.nix
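Review bot: `bind *:443 ssl crt /etc/ssl/certs/cloudflare.pem` makes the certificate mandatory at startup, but the only mount that would provide it — the sops-backed volume in web.nix — is commented out, so HAProxy rejects its configuration and the container restarts until that mount is restored. If TLS termination is not needed yet (the Cloudflare tunnel reaches HAProxy over the `web` network), drop the 443 bind until the secret is wired in; otherwise restore the mount before `./docker` is enabled. The `mirror_rsync` backend is referenced by no `use_backend` rule and proxies port 873 in `mode http`, which cannot carry rsync, so delete it or give rsync its own `mode tcp` listen section. The commented `stats socket` line, if it is ever enabled, should stay at a non-exposed path with `level operator` rather than `level admin` unless runtime reconfiguration is really required.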
@@ -0,0 +1,145 @@
+{ config, ... }:
+let
+ vars = import ../vars.nix;
+in
+{
+ virtualisation.oci-containers.containers = {
+ qbit = {
+ image = "ghcr.io/linuxserver/qbittorrent:latest";
+ ports = [
+ "6881:6881"
+ "6881:6881/udp"
+ "8082:8082"
+ "29432:29432"
+ ];
+ volumes = [
+ "${vars.media_docker_configs}/qbit:/config"
+ "${vars.torrenting_qbit}:/data"
+ ];
+ environment = {
+ PUID = "600";
+ PGID = "100";
+ TZ = "America/New_York";
+ WEBUI_PORT = "8082";
+ };
+ autoStart = true;
+ };
+ qbitvpn = {
+ image = "binhex/arch-qbittorrentvpn:latest";
+ extraOptions = [ "--cap-add=NET_ADMIN" ];
+ ports = [
+ "6882:6881"
+ "6882:6881/udp"
+ "8081:8081"
+ "8118:8118"
+ ];
+ volumes = [
+ "${vars.media_docker_configs}/qbitvpn:/config"
+ "${vars.torrenting_qbitvpn}:/data"
+ "/etc/localtime:/etc/localtime:ro"
+ ];
+ environment = {
+ WEBUI_PORT = "8081";
+ PUID = "600";
+ PGID = "100";
+ VPN_ENABLED = "yes";
+ VPN_CLIENT = "openvpn";
+ STRICT_PORT_FORWARD = "yes";
+ ENABLE_PRIVOXY = "yes";
+ LAN_NETWORK = "192.168.90.0/24";
+ NAME_SERVERS = "1.1.1.1,1.0.0.1";
+ UMASK = "000";
+ DEBUG = "false";
+ DELUGE_DAEMON_LOG_LEVEL = "debug";
+ DELUGE_WEB_LOG_LEVEL = "debug";
+ };
+ # environmentFiles = [ config.sops.secrets."docker/qbit_vpn".path ];
+ autoStart = true;
+ };
+ bazarr = {
+ image = "ghcr.io/linuxserver/bazarr:latest";
+ ports = [ "6767:6767" ];
+ environment = {
+ PUID = "600";
+ PGID = "100";
+ TZ = "America/New_York";
+ };
+ volumes = [
+ "${vars.media_docker_configs}/bazarr:/config"
+ "${vars.storage_plex}/movies:/movies"
+ "${vars.storage_plex}/tv:/tv"
+ ];
+ autoStart = true;
+ };
+ prowlarr = {
+ image = "ghcr.io/linuxserver/prowlarr:latest";
+ ports = [ "9696:9696" ];
+ environment = {
+ PUID = "600";
+ PGID = "100";
+ TZ = "America/New_York";
+ };
+ volumes = [ "${vars.media_docker_configs}/prowlarr:/config" ];
+ autoStart = true;
+ };
+ radarr = {
+ image = "ghcr.io/linuxserver/radarr:latest";
+ ports = [ "7878:7878" ];
+ environment = {
+ PUID = "600";
+ PGID = "100";
+ TZ = "America/New_York";
+ };
+ volumes = [
+ "${vars.media_docker_configs}/radarr:/config"
+ "${vars.storage_plex}/movies:/movies"
+ "${vars.torrenting_qbitvpn}:/data"
+ ];
+ autoStart = true;
+ };
+ sonarr = {
+ image = "ghcr.io/linuxserver/sonarr:latest";
+ ports = [ "8989:8989" ];
+ environment = {
+ PUID = "600";
+ PGID = "100";
+ TZ = "America/New_York";
+ };
+ volumes = [
+ "${vars.media_docker_configs}/sonarr:/config"
+ "${vars.storage_plex}/tv:/tv"
+ "${vars.torrenting_qbitvpn}:/data"
+ ];
+ autoStart = true;
+ };
+ overseerr = {
+ image = "ghcr.io/linuxserver/overseerr";
+ environment = {
+ PUID = "600";
+ PGID = "100";
+ TZ = "America/New_York";
+ };
+ volumes = [ "${vars.media_docker_configs}/overseerr:/config" ];
+ dependsOn = [
+ "radarr"
+ "sonarr"
+ ];
+ extraOptions = [ "--network=web" ];
+ autoStart = true;
+ };
+ whisper = {
+ image = "ghcr.io/linuxserver/faster-whisper:latest";
+ ports = [ "10300:10300" ];
+ environment = {
+ PUID = "600";
+ PGID = "100";
+ TZ = "America/New_York";
+ WHISPER_MODEL = "tiny-int8";
+ WHISPER_LANG = "en";
+ WHISPER_BEAM = "1";
+ };
+ volumes = [ "${vars.media_docker_configs}/whisper:/config" ];
+ autoStart = true;
+ };
+ };
+}
diff --git a/systems/jeeves/docker/postgresql.nix b/systems/jeeves/docker/postgresql.nix
new file mode 100644
index 0000000..9298f16
--- /dev/null
+++ b/systems/jeeves/docker/postgresql.nix
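Review bot: `qbitvpn` sets `VPN_ENABLED = "yes"` and `STRICT_PORT_FORWARD = "yes"` while the `environmentFiles` line that would supply the VPN credentials is commented out, so the container cannot bring the tunnel up and, depending on how the binhex image treats missing credentials, either fails to start or runs the client it is named for without a VPN. `UMASK = "000"` makes every download on `${vars.torrenting_qbitvpn}` world-writable, and radarr and sonarr mount that same path; `UMASK = "002"` keeps group write for the shared `PGID = "100"` without opening the files to everyone. `DELUGE_DAEMON_LOG_LEVEL`/`DELUGE_WEB_LOG_LEVEL` look copied from a Deluge template and have no meaning for qBittorrent. Every `ports` entry here publishes on all host interfaces and networking.nix disables the firewall, so the web UIs (8081, 8082, 6767, 9696, 7878, 8989) and the whisper socket (10300) are reachable from any network the host is attached to, including ZeroTier; binding them as `"127.0.0.1:8082:8082"` or moving them onto the `web` network behind haproxy keeps them private.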
@@ -0,0 +1,33 @@
+{ config, ... }:
+let
+ vars = import ../vars.nix;
+in
+{
+ users = {
+ users.postgres = {
+ isSystemUser = true;
+ group = "postgres";
+ uid = 999;
+ };
+ groups.postgres = {
+ gid = 999;
+ };
+ };
+
+ virtualisation.oci-containers.containers = {
+ postgres = {
+ image = "postgres:16";
+ ports = [ "5432:5432" ];
+ volumes = [ "${vars.media_database}/postgres:/var/lib/postgresql/data" ];
+ environment = {
+ POSTGRES_USER = "admin";
+ POSTGRES_DB = "archive";
+ POSTGRES_INITDB_ARGS = "--auth-host=scram-sha-256";
+ };
+ # environmentFiles = [ config.sops.secrets."docker/postgres".path ];
+ autoStart = true;
+ user = "postgres:postgres";
+ };
+ };
+
+}
diff --git a/systems/jeeves/docker/uptime_kuma.nix b/systems/jeeves/docker/uptime_kuma.nix
new file mode 100644
index 0000000..484c0ad
--- /dev/null
+++ b/systems/jeeves/docker/uptime_kuma.nix
@@ -0,0 +1,16 @@
+let
+ vars = import ../vars.nix;
+in
+{
+ virtualisation.oci-containers.containers = {
+ uptime_kuma = {
+ image = "louislam/uptime-kuma:latest";
+ volumes = [
+ "${vars.media_docker_configs}/uptime_kuma:/app/data"
+ "/var/run/docker.sock:/var/run/docker.sock"
+ ];
+ extraOptions = [ "--network=web" ];
+ autoStart = true;
+ };
+ };
+}
diff --git a/systems/jeeves/docker/web.nix b/systems/jeeves/docker/web.nix
new file mode 100644
index 0000000..2d68bf6
--- /dev/null
+++ b/systems/jeeves/docker/web.nix
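Review bot: The official `postgres:16` image refuses to initialize a new cluster unless `POSTGRES_PASSWORD` is set (or `POSTGRES_HOST_AUTH_METHOD` is chosen explicitly), and the `environmentFiles` line that would supply it is commented out, so the container exits on first start. Restore the sops-backed env file before `./docker` is enabled, or put a comment above `# environmentFiles` stating that the module is intentionally inert until then. `ports = [ "5432:5432" ]` publishes the database on every host interface while networking.nix disables the firewall; if only local containers need it, use `"127.0.0.1:5432:5432"` or attach it to the `web` network and drop the mapping. The `config` module argument is unused while that line stays commented.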
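Review bot: Mounting `/var/run/docker.sock` into `uptime_kuma` gives the container full control of the Docker daemon, which is root-equivalent on the host, and haproxy.cfg publishes this container as `uptimekuma-jeeves.tmmworkshop.com`, so a weakness in the Uptime Kuma UI or a leaked login becomes a host compromise. If the Docker-container monitor type is wanted, put a read-only socket proxy between the daemon and the container and mount that instead; if not, drop the socket volume. Either way a comment above the volume, e.g. `# docker.sock is root-equivalent on the host; needed only for the container monitor`, records the trade-off.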
@@ -0,0 +1,57 @@
+{ config, ... }:
+let
+ vars = import ../vars.nix;
+in
+{
+ virtualisation.oci-containers.containers = {
+ grafana = {
+ image = "grafana/grafana-enterprise:latest";
+ volumes = [ "${vars.media_docker_configs}/grafana:/var/lib/grafana" ];
+ user = "600:600";
+ extraOptions = [ "--network=web" ];
+ autoStart = true;
+ };
+ dnd_file_server = {
+ image = "ubuntu/apache2:latest";
+ volumes = [
+ "${../../../users/richie/global/docker_templates}/file_server/sites/:/etc/apache2/sites-enabled/"
+ "${vars.storage_main}/Table_Top/:/data"
+ ];
+ extraOptions = [ "--network=web" ];
+ autoStart = true;
+ };
+ haproxy = {
+ image = "haproxy:latest";
+ user = "600:600";
+ environment = {
+ TZ = "Etc/EST";
+ };
+ volumes = [
+ # "${config.sops.secrets."docker/haproxy_cert".path}:/etc/ssl/certs/cloudflare.pem"
+ "${./haproxy.cfg}:/usr/local/etc/haproxy/haproxy.cfg"
+ ];
+ dependsOn = [
+ "arch_mirror"
+ "dnd_file_server"
+ "filebrowser"
+ "grafana"
+ "overseerr"
+ "uptime_kuma"
+ ];
+ extraOptions = [ "--network=web" ];
+ autoStart = true;
+ };
+ cloud_flare_tunnel = {
+ image = "cloudflare/cloudflared:latest";
+ user = "600:600";
+ cmd = [
+ "tunnel"
+ "run"
+ ];
+ # environmentFiles = [ config.sops.secrets."docker/cloud_flare_tunnel".path ];
+ dependsOn = [ "haproxy" ];
+ extraOptions = [ "--network=web" ];
+ autoStart = true;
+ };
+ };
+}
diff --git a/systems/jeeves/hardware.nix b/systems/jeeves/hardware.nix
new file mode 100644
index 0000000..03a543f
--- /dev/null
+++ b/systems/jeeves/hardware.nix
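Review bot: `cloud_flare_tunnel` runs `tunnel run` with the `environmentFiles` entry that would carry the tunnel token commented out, so cloudflared has no credentials and exits; together with the commented certificate mount on `haproxy` this module cannot come up as written, which is worth stating in a comment at the top of the file while `./docker` stays disabled. `TZ = "Etc/EST"` does not appear to be a tzdata zone name (`EST`, `EST5EDT` or, matching internal.nix, `America/New_York` are), so HAProxy will most likely log in UTC and its timestamps will not line up with the other containers. `grafana/grafana-enterprise:latest`, `haproxy:latest` and `cloudflare/cloudflared:latest` are the internet-facing edge; pinning them to a digest keeps a plain rebuild from silently changing what is exposed.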
@@ -0,0 +1,62 @@
+{ config, lib, modulesPath, ... }:
+
+{
+ imports =[ (modulesPath + "/installer/scan/not-detected.nix") ];
+
+ boot = {
+ initrd = {
+ availableKernelModules = [
+ "ahci"
+ "mpt3sas"
+ "nvme"
+ "sd_mod"
+ "sr_mod"
+ "usb_storage"
+ "usbhid"
+ "xhci_pci"
+ ];
+ kernelModules = [ ];
+ luks.devices = {
+ "luks-root-pool-wwn-0x500a0751e6c3c01e-part2".device = "/dev/disk/by-id/wwn-0x500a0751e6c3c01e-part2";
+ "luks-root-pool-wwn-0x500a0751e6c3c01c-part2".device = "/dev/disk/by-id/wwn-0x500a0751e6c3c01c-part2";
+ };
+ };
+ kernelModules = [ "kvm-amd" ];
+ extraModulePackages = [ ];
+ };
+
+ fileSystems = {
+ "/" = lib.mkDefault {
+ device = "root_pool/root";
+ fsType = "zfs";
+ };
+
+ "/home" = {
+ device = "root_pool/home";
+ fsType = "zfs";
+ };
+
+ "/var" = {
+ device = "root_pool/var";
+ fsType = "zfs";
+ };
+
+ "/boot" = {
+ device = "/dev/disk/by-id/wwn-0x500a0751e6c3c01e-part1";
+ fsType = "vfat";
+ options = [
+ "fmask=0077"
+ "dmask=0077"
+ ];
+ };
+ };
+
+ swapDevices = [ ];
+
+ networking.useDHCP = lib.mkDefault true;
+
+ nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+ hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+
+
+}
diff --git a/systems/jeeves/networking.nix b/systems/jeeves/networking.nix
new file mode 100644
index 0000000..d2908b6
--- /dev/null
+++ b/systems/jeeves/networking.nix
@@ -0,0 +1,41 @@
+{
+ networking = {
+ hostName = "jeeves";
+ hostId = "0e15ce35";
+ firewall.enable = false;
+ };
+
+ systemd.network = {
+ enable = true;
+ networks = {
+ "10-1GB_Primary" = {
+ matchConfig.Name = "enp98s0f0";
+ DHCP = "yes";
+ };
+ };
+ networks = {
+ "10-1GB_Secondary" = {
+ matchConfig.Name = "enp98s0f1";
+ DHCP = "yes";
+ };
+ };
+ networks = {
+ "10-10GB_Primary" = {
+ matchConfig.Name = "enp97s0f0np0";
+ DHCP = "yes";
+ linkConfig.RequiredForOnline = "routable";
+ };
+ };
+ networks = {
+ "10-10GB_Secondary" = {
+ matchConfig.Name = "enp97s0f1np1";
+ DHCP = "yes";
+ };
+ };
+ };
+
+ services.zerotierone = {
+ enable = true;
+ joinNetworks = [ "e4da7455b2ae64ca" ];
+ };
+}
diff --git a/systems/jeeves/programs.nix b/systems/jeeves/programs.nix
new file mode 100644
index 0000000..54d4b13
--- /dev/null
+++ b/systems/jeeves/programs.nix
@@ -0,0 +1,7 @@
+{ pkgs, ... }:
+{
+ environment.systemPackages = with pkgs; [
+ filebot
+ docker-compose
+ ];
+}
diff --git a/systems/jeeves/services.nix b/systems/jeeves/services.nix
new file mode 100644
index 0000000..81a6ae7
--- /dev/null
+++ b/systems/jeeves/services.nix
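Review bot: `firewall.enable = false;` removes the host firewall entirely, and this host listens on all interfaces for sshd (629), the syncthing GUI, Plex and every container port mapping in internal.nix and postgresql.nix while also joining a ZeroTier network, so each of those is reachable from any peer on any attached network. Keep the firewall on and open only what must be reachable, e.g. `firewall.allowedTCPPorts = [ 629 ];` plus the handful of service ports, and add the ZeroTier interface to `firewall.trustedInterfaces` only if that trust is intended; Docker-published ports generally bypass the NixOS firewall anyway, which is one more reason to bind them to loopback or keep them on the `web` network. Stylistically, `systemd.network.networks` is assigned four times; Nix merges the literal attribute sets so it evaluates, but a single `networks = { ... }` holding the four entries reads better and avoids a duplicate-attribute error should two entries ever share a name.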
@@ -0,0 +1,47 @@
+{
+ inputs,
+ pkgs,
+ ...
+}:
+{
+ systemd = {
+ services = {
+ plex_permission = {
+ description = "maintains /zfs/storage/plex permissions";
+ serviceConfig = {
+ Type = "oneshot";
+ ExecStart = "${pkgs.bash}/bin/bash ${./scripts/plex_permission.sh}";
+ };
+ };
+ startup_validation = {
+ requires = [ "network-online.target" ];
+ after = [ "network-online.target" ];
+ wantedBy = [ "multi-user.target" ];
+ description = "validates startup";
+ path = [ pkgs.zfs ];
+ serviceConfig = {
+ # EnvironmentFile = config.sops.secrets."server-validation/webhook".path;
+ Type = "oneshot";
+ ExecStart = "${inputs.system_tools.packages.x86_64-linux.default}/bin/validate_jeeves";
+ };
+ };
+ };
+ timers = {
+ plex_permission = {
+ wantedBy = [ "timers.target" ];
+ timerConfig = {
+ OnBootSec = "1h";
+ OnCalendar = "daily 03:00";
+ Unit = "plex_permission.service";
+ };
+ };
+ startup_validation = {
+ wantedBy = [ "timers.target" ];
+ timerConfig = {
+ OnBootSec = "10min";
+ Unit = "startup_validation.service";
+ };
+ };
+ };
+ };
+}
diff --git a/systems/jeeves/vars.nix b/systems/jeeves/vars.nix
new file mode 100644
index 0000000..707170f
--- /dev/null
+++ b/systems/jeeves/vars.nix
@@ -0,0 +1,23 @@
+let
+ zfs_media = "/zfs/media";
+ zfs_storage = "/zfs/storage";
+ zfs_torrenting = "/zfs/torrenting";
+in
+{
+ inherit zfs_media zfs_storage zfs_torrenting;
+ # media
+ media_database = "${zfs_media}/syncthing/database";
+ media_docker = "${zfs_media}/docker";
+ media_docker_configs = "${zfs_media}/docker/configs";
+ media_mirror = "${zfs_media}/mirror";
+ media_notes = "${zfs_media}/notes";
+ media_plex = "${zfs_media}/plex/";
+ media_scripts = "${zfs_media}/scripts";
+ # storage
+ storage_main = "${zfs_storage}/main";
+ storage_plex = "${zfs_storage}/plex";
+ storage_syncthing = "${zfs_storage}/syncthing";
+ # torrenting
+ torrenting_qbit = "${zfs_torrenting}/qbit";
+ torrenting_qbitvpn = "${zfs_torrenting}/qbitvpn";
+}
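Review bot: `startup_validation` is both `wantedBy = [ "multi-user.target" ]` and started by a timer with `OnBootSec = "10min"`, so `validate_jeeves` runs at boot and again ten minutes later; keep one trigger (the timer alone, if the delay is deliberate) and drop the other. The `# EnvironmentFile = config.sops.secrets."server-validation/webhook".path;` line is commented out and `config` is not even among the module arguments, so the service runs without the webhook secret — a comment saying whether it degrades gracefully without it would help. `plex_permission` runs a bash script as root every night; stating in `description` or a comment above `ExecStart` which paths and modes it changes lets a reviewer judge its blast radius, and `${./scripts/plex_permission.sh}` must already exist in the tree or evaluation fails.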
diff --git a/users/richie/home/cli/zsh.nix b/users/richie/home/cli/zsh.nix
index dbca1af..540fd92 100644
--- a/users/richie/home/cli/zsh.nix
+++ b/users/richie/home/cli/zsh.nix
@@ -28,6 +28,7 @@
 "rspace" = "'for f in *\ *; do mv \"$f\" \"\${f// /_}\"; done'";
 "rebuild" = "sudo nixos-rebuild switch --flake /home/richie/projects/dotfiles#$HOST";
+ "nix-test" = "nixos-rebuild test --flake /home/richie/projects/dotfiles";
 };
 };
 }
diff --git a/users/richie/home/programs.nix b/users/richie/home/programs.nix
index 537f3b4..4580fbe 100644
--- a/users/richie/home/programs.nix
+++ b/users/richie/home/programs.nix
@@ -11,7 +11,6 @@
 neofetch
 rar
 ripgrep
- sops
 starship
 tmux
 zoxide
diff --git a/users/richie/systems/jeeves.nix b/users/richie/systems/jeeves.nix
new file mode 100644
index 0000000..6bbef61
--- /dev/null
+++ b/users/richie/systems/jeeves.nix
@@ -0,0 +1,5 @@
+{
+ imports = [
+ ../home/global.nix
+ ];
+}
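Review bot: The new `nix-test` alias differs from the neighbouring `rebuild` alias in two ways that look unintended: it has no `sudo`, which activating a configuration requires, and no `#$HOST`, so it relies on the hostname matching a `nixosConfigurations` attribute. `"nix-test" = "sudo nixos-rebuild test --flake /home/richie/projects/dotfiles#$HOST";` keeps the two commands interchangeable. The enclosing aliases attribute set starts outside the hunk.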