adding jeeves

systems/common/global/ssh.nix

@@ -33,7 +33,7 @@
         MaxSessions = lib.mkDefault 2;
         PasswordAuthentication = false;
         PermitEmptyPasswords = "no";
-        PermitRootLogin = lib.mkForce "no";
+        PermitRootLogin = lib.mkDefault "no";
         TcpKeepAlive = "no";
         X11Forwarding = lib.mkDefault false;
         KexAlgorithms = [

systems/jeeves/arch_mirror.nix

@@ -0,0 +1,29 @@
+{ inputs, pkgs, ... }:
+let
+  vars = import ./vars.nix;
+in
+{
+  virtualisation.oci-containers.containers.arch_mirror = {
+    image = "ubuntu/apache2:latest";
+    volumes = [
+      "${../../users/richie/global/docker_templates}/file_server/sites/:/etc/apache2/sites-enabled/"
+      "${vars.media_mirror}:/data"
+    ];
+    ports = [ "800:80" ];
+    extraOptions = [ "--network=web" ];
+    autoStart = true;
+  };
+
+  systemd.services.sync_mirror = {
+    requires = [ "network-online.target" ];
+    after = [ "network-online.target" ];
+    wantedBy = [ "multi-user.target" ];
+    description = "validates startup";
+    path = [ pkgs.rsync ];
+    serviceConfig = {
+      Environment = "MIRROR_DIR=${vars.media_mirror}/archlinux/";
+      Type = "simple";
+      ExecStart = "${inputs.system_tools.packages.x86_64-linux.default}/bin/sync_mirror";
+    };
+  };
+}

systems/jeeves/default.nix

@@ -0,0 +1,122 @@
+{ pkgs, ... }:
+let
+  vars = import ./vars.nix;
+in
+{
+  imports = [
+    ../../users/richie
+    ../common/global
+    ../common/optional/syncthing_base.nix
+    ../common/optional/systemd-boot.nix
+    ../common/optional/zerotier.nix
+    ./arch_mirror.nix
+    # ./docker
+    ./hardware.nix
+    ./networking.nix
+    ./programs.nix
+    ./services.nix
+  ];
+
+  boot.zfs.extraPools = [
+    "media"
+    "storage"
+    "torrenting"
+  ];
+
+
+  # services.openssh.settings.PermitRootLogin = "yes";
+
+  services = {
+    openssh.ports = [ 629 ];
+
+    plex = {
+      enable = true;
+      dataDir = vars.media_plex;
+    };
+
+    smartd.enable = true;
+
+    sysstat.enable = true;
+
+    syncthing.guiAddress = "192.168.90.40:8384";
+    syncthing.settings.folders = {
+      "notes" = {
+        id = "l62ul-lpweo"; # cspell:disable-line
+        path = vars.media_notes;
+        devices = [
+          "bob"
+          "phone"
+          "rhapsody-in-green"
+        ];
+        fsWatcherEnabled = true;
+      };
+      "books" = {
+        id = "6uppx-vadmy"; # cspell:disable-line
+        path = "${vars.storage_syncthing}/books";
+        devices = [
+          "bob"
+          "phone"
+          "rhapsody-in-green"
+        ];
+        fsWatcherEnabled = true;
+      };
+      "important" = {
+        id = "4ckma-gtshs"; # cspell:disable-line
+        path = "${vars.storage_syncthing}/important";
+        devices = [
+          "bob"
+          "phone"
+          "rhapsody-in-green"
+        ];
+        fsWatcherEnabled = true;
+      };
+      "music" = {
+        id = "vprc5-3azqc"; # cspell:disable-line
+        path = "${vars.storage_syncthing}/music";
+        devices = [
+          "bob"
+          "phone"
+          "rhapsody-in-green"
+        ];
+        fsWatcherEnabled = true;
+      };
+      "projects" = {
+        id = "vyma6-lqqrz"; # cspell:disable-line
+        path = "${vars.storage_syncthing}/projects";
+        devices = [
+          "bob"
+          "rhapsody-in-green"
+        ];
+        fsWatcherEnabled = true;
+      };
+    };
+
+    zfs = {
+      trim.enable = true;
+      autoScrub.enable = true;
+    };
+  };
+  systemd = {
+    services."snapshot_manager" = {
+      description = "ZFS Snapshot Manager";
+      requires = [ "zfs-import.target" ];
+      after = [ "zfs-import.target" ];
+      serviceConfig = {
+        Environment = "ZFS_BIN=${pkgs.zfs}/bin/zfs";
+        Type = "oneshot";
+        ExecStart = "${pkgs.python3}/bin/python3 ${vars.media_scripts}/ZFS/snapshot_manager.py --config-file='${./snapshot_config.toml}'";
+      };
+    };
+    timers."snapshot_manager" = {
+      wantedBy = [ "timers.target" ];
+      timerConfig = {
+        OnBootSec = "15m";
+        OnUnitActiveSec = "15m";
+        Unit = "snapshot_manager.service";
+      };
+    };
+  };
+
+
+  system.stateVersion = "24.05";
+}

systems/jeeves/docker/default.nix

@@ -0,0 +1,11 @@
+{ lib, ... }:
+{
+  imports =
+    let
+      files = builtins.attrNames (builtins.readDir ./.);
+      nixFiles = builtins.filter (name: lib.hasSuffix ".nix" name && name != "default.nix") files;
+    in
+    map (file: ./. + "/${file}") nixFiles;
+
+  virtualisation.oci-containers.backend = "docker";
+}

systems/jeeves/docker/filebrowser.nix

@@ -0,0 +1,15 @@
+let
+  vars = import ../vars.nix;
+in
+{
+  virtualisation.oci-containers.containers.filebrowser = {
+    image = "hurlenko/filebrowser:latest";
+    extraOptions = [ "--network=web" ];
+    volumes = [
+      "/zfs:/data"
+      "${vars.media_docker_configs}/filebrowser:/config"
+    ];
+    autoStart = true;
+    user = "1000:users";
+  };
+}

systems/jeeves/docker/haproxy.cfg

@@ -0,0 +1,68 @@
+global
+  log stdout format raw local0
+  # stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners
+  stats timeout 30s
+
+defaults
+  log global
+  mode http
+  retries 3
+  maxconn 2000
+  timeout connect 5s
+  timeout client 50s
+  timeout server 50s
+  timeout http-request 10s
+  timeout http-keep-alive 2s
+  timeout queue 5s
+  timeout tunnel 2m
+  timeout client-fin 1s
+  timeout server-fin 1s
+
+
+#Application Setup
+frontend ContentSwitching
+  bind *:80
+  bind *:443 ssl crt /etc/ssl/certs/cloudflare.pem
+  mode  http
+  # tmmworkshop.com
+  acl host_mirror   hdr(host) -i mirror.tmmworkshop.com
+  acl host_dndrules hdr(host) -i dndrules.tmmworkshop.com
+  acl host_grafana  hdr(host) -i grafana.tmmworkshop.com
+  acl host_filebrowser  hdr(host) -i filebrowser.tmmworkshop.com
+  acl host_uptime_kuma  hdr(host) -i uptimekuma-jeeves.tmmworkshop.com
+  acl host_overseerr  hdr(host) -i overseerr.tmmworkshop.com
+
+  use_backend mirror_nodes   if host_mirror
+  use_backend dndrules_nodes if host_dndrules
+  use_backend grafana_nodes  if host_grafana
+  use_backend filebrowser_nodes  if host_filebrowser
+  use_backend uptime_kuma_nodes  if host_uptime_kuma
+  use_backend overseerr_nodes  if host_overseerr
+
+backend mirror_nodes
+  mode http
+  server server arch_mirror:80
+
+backend mirror_rsync
+  mode http
+  server server arch_mirror:873
+
+backend grafana_nodes
+  mode http
+  server server grafana:3000
+
+backend dndrules_nodes
+  mode http
+  server server dnd_file_server:80
+
+backend filebrowser_nodes
+  mode http
+  server server filebrowser:8080
+
+backend uptime_kuma_nodes
+  mode http
+  server server uptime_kuma:3001
+
+backend overseerr_nodes
+  mode http
+  server server overseerr:5055

systems/jeeves/docker/internal.nix

@@ -0,0 +1,145 @@
+{ config, ... }:
+let
+  vars = import ../vars.nix;
+in
+{
+  virtualisation.oci-containers.containers = {
+    qbit = {
+      image = "ghcr.io/linuxserver/qbittorrent:latest";
+      ports = [
+        "6881:6881"
+        "6881:6881/udp"
+        "8082:8082"
+        "29432:29432"
+      ];
+      volumes = [
+        "${vars.media_docker_configs}/qbit:/config"
+        "${vars.torrenting_qbit}:/data"
+      ];
+      environment = {
+        PUID = "600";
+        PGID = "100";
+        TZ = "America/New_York";
+        WEBUI_PORT = "8082";
+      };
+      autoStart = true;
+    };
+    qbitvpn = {
+      image = "binhex/arch-qbittorrentvpn:latest";
+      extraOptions = [ "--cap-add=NET_ADMIN" ];
+      ports = [
+        "6882:6881"
+        "6882:6881/udp"
+        "8081:8081"
+        "8118:8118"
+      ];
+      volumes = [
+        "${vars.media_docker_configs}/qbitvpn:/config"
+        "${vars.torrenting_qbitvpn}:/data"
+        "/etc/localtime:/etc/localtime:ro"
+      ];
+      environment = {
+        WEBUI_PORT = "8081";
+        PUID = "600";
+        PGID = "100";
+        VPN_ENABLED = "yes";
+        VPN_CLIENT = "openvpn";
+        STRICT_PORT_FORWARD = "yes";
+        ENABLE_PRIVOXY = "yes";
+        LAN_NETWORK = "192.168.90.0/24";
+        NAME_SERVERS = "1.1.1.1,1.0.0.1";
+        UMASK = "000";
+        DEBUG = "false";
+        DELUGE_DAEMON_LOG_LEVEL = "debug";
+        DELUGE_WEB_LOG_LEVEL = "debug";
+      };
+      # environmentFiles = [ config.sops.secrets."docker/qbit_vpn".path ];
+      autoStart = true;
+    };
+    bazarr = {
+      image = "ghcr.io/linuxserver/bazarr:latest";
+      ports = [ "6767:6767" ];
+      environment = {
+        PUID = "600";
+        PGID = "100";
+        TZ = "America/New_York";
+      };
+      volumes = [
+        "${vars.media_docker_configs}/bazarr:/config"
+        "${vars.storage_plex}/movies:/movies"
+        "${vars.storage_plex}/tv:/tv"
+      ];
+      autoStart = true;
+    };
+    prowlarr = {
+      image = "ghcr.io/linuxserver/prowlarr:latest";
+      ports = [ "9696:9696" ];
+      environment = {
+        PUID = "600";
+        PGID = "100";
+        TZ = "America/New_York";
+      };
+      volumes = [ "${vars.media_docker_configs}/prowlarr:/config" ];
+      autoStart = true;
+    };
+    radarr = {
+      image = "ghcr.io/linuxserver/radarr:latest";
+      ports = [ "7878:7878" ];
+      environment = {
+        PUID = "600";
+        PGID = "100";
+        TZ = "America/New_York";
+      };
+      volumes = [
+        "${vars.media_docker_configs}/radarr:/config"
+        "${vars.storage_plex}/movies:/movies"
+        "${vars.torrenting_qbitvpn}:/data"
+      ];
+      autoStart = true;
+    };
+    sonarr = {
+      image = "ghcr.io/linuxserver/sonarr:latest";
+      ports = [ "8989:8989" ];
+      environment = {
+        PUID = "600";
+        PGID = "100";
+        TZ = "America/New_York";
+      };
+      volumes = [
+        "${vars.media_docker_configs}/sonarr:/config"
+        "${vars.storage_plex}/tv:/tv"
+        "${vars.torrenting_qbitvpn}:/data"
+      ];
+      autoStart = true;
+    };
+    overseerr = {
+      image = "ghcr.io/linuxserver/overseerr";
+      environment = {
+        PUID = "600";
+        PGID = "100";
+        TZ = "America/New_York";
+      };
+      volumes = [ "${vars.media_docker_configs}/overseerr:/config" ];
+      dependsOn = [
+        "radarr"
+        "sonarr"
+      ];
+      extraOptions = [ "--network=web" ];
+      autoStart = true;
+    };
+    whisper = {
+      image = "ghcr.io/linuxserver/faster-whisper:latest";
+      ports = [ "10300:10300" ];
+      environment = {
+        PUID = "600";
+        PGID = "100";
+        TZ = "America/New_York";
+        WHISPER_MODEL = "tiny-int8";
+        WHISPER_LANG = "en";
+        WHISPER_BEAM = "1";
+      };
+      volumes = [ "${vars.media_docker_configs}/whisper:/config" ];
+      autoStart = true;
+    };
+  };
+}

systems/jeeves/docker/postgresql.nix

@@ -0,0 +1,33 @@
+{ config, ... }:
+let
+  vars = import ../vars.nix;
+in
+{
+  users = {
+    users.postgres = {
+      isSystemUser = true;
+      group = "postgres";
+      uid = 999;
+    };
+    groups.postgres = {
+      gid = 999;
+    };
+  };
+
+  virtualisation.oci-containers.containers = {
+    postgres = {
+      image = "postgres:16";
+      ports = [ "5432:5432" ];
+      volumes = [ "${vars.media_database}/postgres:/var/lib/postgresql/data" ];
+      environment = {
+        POSTGRES_USER = "admin";
+        POSTGRES_DB = "archive";
+        POSTGRES_INITDB_ARGS = "--auth-host=scram-sha-256";
+      };
+      # environmentFiles = [ config.sops.secrets."docker/postgres".path ];
+      autoStart = true;
+      user = "postgres:postgres";
+    };
+  };
+
+}

systems/jeeves/docker/uptime_kuma.nix

@@ -0,0 +1,16 @@
+let
+  vars = import ../vars.nix;
+in
+{
+  virtualisation.oci-containers.containers = {
+    uptime_kuma = {
+      image = "louislam/uptime-kuma:latest";
+      volumes = [
+        "${vars.media_docker_configs}/uptime_kuma:/app/data"
+        "/var/run/docker.sock:/var/run/docker.sock"
+      ];
+      extraOptions = [ "--network=web" ];
+      autoStart = true;
+    };
+  };
+}

systems/jeeves/docker/web.nix

@@ -0,0 +1,57 @@
+{ config, ... }:
+let
+  vars = import ../vars.nix;
+in
+{
+  virtualisation.oci-containers.containers = {
+    grafana = {
+      image = "grafana/grafana-enterprise:latest";
+      volumes = [ "${vars.media_docker_configs}/grafana:/var/lib/grafana" ];
+      user = "600:600";
+      extraOptions = [ "--network=web" ];
+      autoStart = true;
+    };
+    dnd_file_server = {
+      image = "ubuntu/apache2:latest";
+      volumes = [
+        "${../../../users/richie/global/docker_templates}/file_server/sites/:/etc/apache2/sites-enabled/"
+        "${vars.storage_main}/Table_Top/:/data"
+      ];
+      extraOptions = [ "--network=web" ];
+      autoStart = true;
+    };
+    haproxy = {
+      image = "haproxy:latest";
+      user = "600:600";
+      environment = {
+        TZ = "Etc/EST";
+      };
+      volumes = [
+        # "${config.sops.secrets."docker/haproxy_cert".path}:/etc/ssl/certs/cloudflare.pem"
+        "${./haproxy.cfg}:/usr/local/etc/haproxy/haproxy.cfg"
+      ];
+      dependsOn = [
+        "arch_mirror"
+        "dnd_file_server"
+        "filebrowser"
+        "grafana"
+        "overseerr"
+        "uptime_kuma"
+      ];
+      extraOptions = [ "--network=web" ];
+      autoStart = true;
+    };
+    cloud_flare_tunnel = {
+      image = "cloudflare/cloudflared:latest";
+      user = "600:600";
+      cmd = [
+        "tunnel"
+        "run"
+      ];
+      # environmentFiles = [ config.sops.secrets."docker/cloud_flare_tunnel".path ];
+      dependsOn = [ "haproxy" ];
+      extraOptions = [ "--network=web" ];
+      autoStart = true;
+    };
+  };
+}

systems/jeeves/hardware.nix

@@ -0,0 +1,62 @@
+{ config, lib,  modulesPath, ... }:
+
+{
+  imports =[ (modulesPath + "/installer/scan/not-detected.nix") ];
+
+  boot = {
+    initrd = {
+      availableKernelModules = [
+        "ahci"
+        "mpt3sas"
+        "nvme"
+        "sd_mod"
+        "sr_mod"
+        "usb_storage"
+        "usbhid"
+        "xhci_pci"
+      ];
+      kernelModules = [ ];
+      luks.devices = {
+        "luks-root-pool-wwn-0x500a0751e6c3c01e-part2".device = "/dev/disk/by-id/wwn-0x500a0751e6c3c01e-part2";
+        "luks-root-pool-wwn-0x500a0751e6c3c01c-part2".device = "/dev/disk/by-id/wwn-0x500a0751e6c3c01c-part2";
+      };
+    };
+    kernelModules = [ "kvm-amd" ];
+    extraModulePackages = [ ];
+  };
+
+  fileSystems = {
+    "/" = lib.mkDefault {
+      device = "root_pool/root";
+      fsType = "zfs";
+    };
+
+    "/home" = {
+      device = "root_pool/home";
+      fsType = "zfs";
+    };
+
+    "/var" = {
+      device = "root_pool/var";
+      fsType = "zfs";
+    };
+
+    "/boot" = {
+      device = "/dev/disk/by-id/wwn-0x500a0751e6c3c01e-part1";
+      fsType = "vfat";
+      options = [
+        "fmask=0077"
+        "dmask=0077"
+      ];
+    };
+  };
+
+  swapDevices = [ ];
+
+  networking.useDHCP = lib.mkDefault true;
+
+  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+  hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+
+
+}

systems/jeeves/networking.nix

@@ -0,0 +1,41 @@
+{
+  networking = {
+    hostName = "jeeves";
+    hostId = "0e15ce35";
+    firewall.enable = false;
+  };
+
+  systemd.network = {
+    enable = true;
+    networks = {
+      "10-1GB_Primary" = {
+        matchConfig.Name = "enp98s0f0";
+        DHCP = "yes";
+      };
+    };
+    networks = {
+      "10-1GB_Secondary" = {
+        matchConfig.Name = "enp98s0f1";
+        DHCP = "yes";
+      };
+    };
+    networks = {
+      "10-10GB_Primary" = {
+        matchConfig.Name = "enp97s0f0np0";
+        DHCP = "yes";
+        linkConfig.RequiredForOnline = "routable";
+      };
+    };
+    networks = {
+      "10-10GB_Secondary" = {
+        matchConfig.Name = "enp97s0f1np1";
+        DHCP = "yes";
+      };
+    };
+  };
+
+  services.zerotierone = {
+    enable = true;
+    joinNetworks = [ "e4da7455b2ae64ca" ];
+  };
+}

systems/jeeves/programs.nix

@@ -0,0 +1,7 @@
+{ pkgs, ... }:
+{
+  environment.systemPackages = with pkgs; [
+    filebot
+    docker-compose
+  ];
+}

systems/jeeves/services.nix

@@ -0,0 +1,47 @@
+{
+  inputs,
+  pkgs,
+  ...
+}:
+{
+  systemd = {
+    services = {
+      plex_permission = {
+        description = "maintains /zfs/storage/plex permissions";
+        serviceConfig = {
+          Type = "oneshot";
+          ExecStart = "${pkgs.bash}/bin/bash ${./scripts/plex_permission.sh}";
+        };
+      };
+      startup_validation = {
+        requires = [ "network-online.target" ];
+        after = [ "network-online.target" ];
+        wantedBy = [ "multi-user.target" ];
+        description = "validates startup";
+        path = [ pkgs.zfs ];
+        serviceConfig = {
+          # EnvironmentFile = config.sops.secrets."server-validation/webhook".path;
+          Type = "oneshot";
+          ExecStart = "${inputs.system_tools.packages.x86_64-linux.default}/bin/validate_jeeves";
+        };
+      };
+    };
+    timers = {
+      plex_permission = {
+        wantedBy = [ "timers.target" ];
+        timerConfig = {
+          OnBootSec = "1h";
+          OnCalendar = "daily 03:00";
+          Unit = "plex_permission.service";
+        };
+      };
+      startup_validation = {
+        wantedBy = [ "timers.target" ];
+        timerConfig = {
+          OnBootSec = "10min";
+          Unit = "startup_validation.service";
+        };
+      };
+    };
+  };
+}

systems/jeeves/vars.nix

@@ -0,0 +1,23 @@
+let
+  zfs_media = "/zfs/media";
+  zfs_storage = "/zfs/storage";
+  zfs_torrenting = "/zfs/torrenting";
+in
+{
+  inherit zfs_media zfs_storage zfs_torrenting;
+  # media
+  media_database = "${zfs_media}/syncthing/database";
+  media_docker = "${zfs_media}/docker";
+  media_docker_configs = "${zfs_media}/docker/configs";
+  media_mirror = "${zfs_media}/mirror";
+  media_notes = "${zfs_media}/notes";
+  media_plex = "${zfs_media}/plex/";
+  media_scripts = "${zfs_media}/scripts";
+  # storage
+  storage_main = "${zfs_storage}/main";
+  storage_plex = "${zfs_storage}/plex";
+  storage_syncthing = "${zfs_storage}/syncthing";
+  # torrenting
+  torrenting_qbit = "${zfs_torrenting}/qbit";
+  torrenting_qbitvpn = "${zfs_torrenting}/qbitvpn";
+}