bootstrapping

systems/bob/default.nix

@@ -16,8 +16,9 @@
 
   networking = {
     hostName = "bob";
-    networkmanager.enable = true;
     hostId = "7c678a41";
+    firewall.enable = true;
+    networkmanager.enable = true;
   };
 
   hardware = {

systems/jeeves/default.nix

@@ -35,6 +35,7 @@ in
     plex = {
       enable = true;
       dataDir = vars.media_plex;
+      openFirewall = true;
     };
 
     smartd.enable = true;

systems/jeeves/docker/haproxy.cfg

@@ -30,6 +30,7 @@ frontend ContentSwitching
   acl host_filebrowser  hdr(host) -i filebrowser.tmmworkshop.com
   acl host_grafana  hdr(host) -i grafana.tmmworkshop.com
   acl host_mirror   hdr(host) -i mirror.tmmworkshop.com
+  acl host_photoprism  hdr(host) -i photoprism.tmmworkshop.com
   acl host_uptime_kuma  hdr(host) -i uptimekuma-jeeves.tmmworkshop.com
 
   use_backend audiobookshelf_nodes if host_audiobookshelf
@@ -37,15 +38,16 @@ frontend ContentSwitching
   use_backend filebrowser_nodes  if host_filebrowser
   use_backend grafana_nodes  if host_grafana
   use_backend mirror_nodes   if host_mirror
+  use_backend photoprism_nodes  if host_photoprism
   use_backend uptime_kuma_nodes  if host_uptime_kuma
 
-backend mirror_nodes
+backend audiobookshelf_nodes
   mode http
-  server server arch_mirror:80
+  server server audiobookshelf:80
 
-backend mirror_rsync
+backend cache_nodes
   mode http
-  server server arch_mirror:873
+  server server 192.168.90.40:5000
 
 backend grafana_nodes
   mode http
@@ -55,14 +57,15 @@ backend filebrowser_nodes
   mode http
   server server filebrowser:8080
 
+backend mirror_nodes
+  mode http
+  server server arch_mirror:80
+
+backend photoprism_nodes
+  mode http
+  server server photoprism:2342
+
 backend uptime_kuma_nodes
   mode http
   server server uptime_kuma:3001
 
-backend cache_nodes
-  mode http
-  server server 192.168.90.40:5000
-
-backend audiobookshelf_nodes
-  mode http
-  server server audiobookshelf:80

systems/jeeves/docker/internal.nix

@@ -1,85 +0,0 @@
-let
-  vars = import ../vars.nix;
-in
-{
-  virtualisation.oci-containers.containers = {
-    qbit = {
-      image = "ghcr.io/linuxserver/qbittorrent:latest";
-      ports = [
-        "6881:6881"
-        "6881:6881/udp"
-        "8082:8082"
-        "29432:29432"
-      ];
-      volumes = [
-        "${vars.media_docker_configs}/qbit:/config"
-        "${vars.torrenting_qbit}:/data"
-      ];
-      environment = {
-        PUID = "600";
-        PGID = "100";
-        TZ = "America/New_York";
-        WEBUI_PORT = "8082";
-      };
-      autoStart = true;
-    };
-    qbitvpn = {
-      image = "binhex/arch-qbittorrentvpn:latest";
-      extraOptions = [ "--cap-add=NET_ADMIN" ];
-      ports = [
-        "6882:6881"
-        "6882:6881/udp"
-        "8081:8081"
-        "8118:8118"
-      ];
-      volumes = [
-        "${vars.media_docker_configs}/qbitvpn:/config"
-        "${vars.torrenting_qbitvpn}:/data"
-        "/etc/localtime:/etc/localtime:ro"
-      ];
-      environment = {
-        WEBUI_PORT = "8081";
-        PUID = "600";
-        PGID = "100";
-        VPN_ENABLED = "yes";
-        VPN_CLIENT = "openvpn";
-        STRICT_PORT_FORWARD = "yes";
-        ENABLE_PRIVOXY = "yes";
-        LAN_NETWORK = "192.168.90.0/24";
-        NAME_SERVERS = "1.1.1.1,1.0.0.1";
-        UMASK = "000";
-        DEBUG = "false";
-        DELUGE_DAEMON_LOG_LEVEL = "debug";
-        DELUGE_WEB_LOG_LEVEL = "debug";
-      };
-      environmentFiles = ["${vars.storage_secrets}/docker/qbitvpn"];
-      autoStart = true;
-    };
-    prowlarr = {
-      image = "ghcr.io/linuxserver/prowlarr:latest";
-      ports = [ "9696:9696" ];
-      environment = {
-        PUID = "600";
-        PGID = "100";
-        TZ = "America/New_York";
-      };
-      volumes = [ "${vars.media_docker_configs}/prowlarr:/config" ];
-      autoStart = true;
-    };
-    sonarr = {
-      image = "ghcr.io/linuxserver/sonarr:latest";
-      ports = [ "8989:8989" ];
-      environment = {
-        PUID = "600";
-        PGID = "100";
-        TZ = "America/New_York";
-      };
-      volumes = [
-        "${vars.media_docker_configs}/sonarr:/config"
-        "${vars.storage_plex}/tv:/tv"
-        "${vars.torrenting_qbitvpn}:/data"
-      ];
-      autoStart = true;
-    };
-  };
-}

systems/jeeves/docker/photoprism.nix

@@ -2,75 +2,53 @@ let
   vars = import ../vars.nix;
 in
 {
-
+  virtualisation.oci-containers.containers.photoprism = {
-
+    image = "photoprism/photoprism:latest";
-  virtualisation.oci-containers.containers = {
+    volumes = [ 
-    photoprism = {
+      "${vars.media_docker_configs}/photoprism:/photoprism/storage"
-      image = "photoprism/photoprism:latest";
+      "${vars.storage_photos}/originals:/photoprism/originals"
-      ports = [ "2342:2342" ];
+      "${vars.storage_photos}/import:/photoprism/import"
-      volumes = [ 
+    ];
-        "${vars.media_docker_configs}/photoprism:/photoprism/storage"
+    environment = {
-        "${vars.storage_photos}/originals:/photoprism/originals"
+      PHOTOPRISM_ADMIN_USER="admin";
-        "${vars.storage_photos}/import:/photoprism/import"
+      PHOTOPRISM_AUTH_MODE="password";
-      ];
+      PHOTOPRISM_DISABLE_TLS="false";
-      environment = {
+      PHOTOPRISM_DEFAULT_TLS="true";
-        PHOTOPRISM_ADMIN_USER="admin";
+      PHOTOPRISM_ORIGINALS_LIMIT="30000";
-        PHOTOPRISM_AUTH_MODE="password";
+      PHOTOPRISM_HTTP_COMPRESSION="gzip";
-        PHOTOPRISM_DISABLE_TLS="false";
+      PHOTOPRISM_LOG_LEVEL="info";
-        PHOTOPRISM_DEFAULT_TLS="true";
+      PHOTOPRISM_READONLY="false";
-        PHOTOPRISM_ORIGINALS_LIMIT="30000";
+      PHOTOPRISM_EXPERIMENTAL="false";
-        PHOTOPRISM_HTTP_COMPRESSION="gzip";
+      PHOTOPRISM_DISABLE_CHOWN="false";
-        PHOTOPRISM_LOG_LEVEL="info";
+      PHOTOPRISM_DISABLE_WEBDAV="false";
-        PHOTOPRISM_READONLY="false";
+      PHOTOPRISM_DISABLE_SETTINGS="false";
-        PHOTOPRISM_EXPERIMENTAL="false";
+      PHOTOPRISM_DISABLE_TENSORFLOW="false";
-        PHOTOPRISM_DISABLE_CHOWN="false";
+      PHOTOPRISM_DISABLE_FACES="false";
-        PHOTOPRISM_DISABLE_WEBDAV="false";
+      PHOTOPRISM_DISABLE_CLASSIFICATION="false";
-        PHOTOPRISM_DISABLE_SETTINGS="false";
+      PHOTOPRISM_DISABLE_VECTORS="false";
-        PHOTOPRISM_DISABLE_TENSORFLOW="false";
+      PHOTOPRISM_DISABLE_RAW="false";
-        PHOTOPRISM_DISABLE_FACES="false";
+      PHOTOPRISM_RAW_PRESETS="false";
-        PHOTOPRISM_DISABLE_CLASSIFICATION="false";
+      PHOTOPRISM_SIDECAR_YAML="true";
-        PHOTOPRISM_DISABLE_VECTORS="false";
+      PHOTOPRISM_BACKUP_ALBUMS="true";
-        PHOTOPRISM_DISABLE_RAW="false";
+      PHOTOPRISM_BACKUP_DATABASE="true";
-        PHOTOPRISM_RAW_PRESETS="false";
+      PHOTOPRISM_BACKUP_SCHEDULE="daily";
-        PHOTOPRISM_SIDECAR_YAML="true";
+      PHOTOPRISM_INDEX_SCHEDULE="";
-        PHOTOPRISM_BACKUP_ALBUMS="true";
+      PHOTOPRISM_AUTO_INDEX="300";
-        PHOTOPRISM_BACKUP_DATABASE="true";
+      PHOTOPRISM_AUTO_IMPORT= "-1";
-        PHOTOPRISM_BACKUP_SCHEDULE="daily";
+      PHOTOPRISM_DETECT_NSFW="false";
-        PHOTOPRISM_INDEX_SCHEDULE="";
+      PHOTOPRISM_UPLOAD_NSFW="true";
-        PHOTOPRISM_AUTO_INDEX="300";
+      PHOTOPRISM_DATABASE_DRIVER="sqlite";
-        PHOTOPRISM_AUTO_IMPORT= "-1";
+      PHOTOPRISM_SITE_CAPTION="AI-Powered Photos App";
-        PHOTOPRISM_DETECT_NSFW="false";
+      PHOTOPRISM_SITE_DESCRIPTION="";
-        PHOTOPRISM_UPLOAD_NSFW="true";
+      PHOTOPRISM_SITE_AUTHOR="";
-        PHOTOPRISM_DATABASE_DRIVER="mysql";
+      PHOTOPRISM_UID="600";
-        PHOTOPRISM_DATABASE_SERVER="photoprism_mariadb:3306";
+      PHOTOPRISM_GID="600";
-        PHOTOPRISM_DATABASE_NAME="photoprism";
+      # PHOTOPRISM_UMASK: 0000
-        PHOTOPRISM_DATABASE_USER="photoprism";
-        PHOTOPRISM_SITE_CAPTION="AI-Powered Photos App";
-        PHOTOPRISM_SITE_DESCRIPTION="";
-        PHOTOPRISM_SITE_AUTHOR="";
-        PHOTOPRISM_UID="600";
-        PHOTOPRISM_GID="600";
-        # PHOTOPRISM_UMASK: 0000
-      };
-      environmentFiles = ["${vars.storage_secrets}/docker/photoprism"];
-      autoStart = true;
-      dependsOn = [ "photoprism_mariadb" ];
-      extraOptions = [ "--network=web" ];
-    };
-    photoprism_mariadb = {
-      image = "mariadb:11";
-      volumes = [ "${vars.media_database}/photoprism_mariadb:/var/lib/photoprism_mariadb" ];
-      environment = {
-        MARIADB_AUTO_UPGRADE = "1";
-        MARIADB_INITDB_SKIP_TZINFO = "1";
-        MARIADB_DATABASE = "photoprism";
-        MARIADB_USER = "photoprism";
-      };
-      environmentFiles = ["${vars.storage_secrets}/docker/photoprism"];
-      cmd = [ "--innodb-buffer-pool-size=512M" "--transaction-isolation=READ-COMMITTED" "--character-set-server=utf8mb4" "--collation-server=utf8mb4_unicode_ci" "--max-connections=512" "--innodb-rollback-on-timeout=OFF" "--innodb-lock-wait-timeout=120" ];
-      autoStart = true;
-      extraOptions = [ "--network=web" ];
     };
+    environmentFiles = ["${vars.storage_secrets}/docker/photoprism"];
+    autoStart = true;
+    dependsOn = [ "photoprism_mariadb" ];
+    extraOptions = [ "--network=web" ];
   };
 }
 

systems/jeeves/docker/prowlarr.nix

@@ -0,0 +1,19 @@
+let
+  vars = import ../vars.nix;
+in
+{
+  networking.firewall = {
+    allowedTCPPorts = [ 9696 ];
+  };
+  virtualisation.oci-containers.containers.prowlarr = {
+    image = "ghcr.io/linuxserver/prowlarr:latest";
+    ports = [ "9696:9696" ];
+    environment = {
+      PUID = "600";
+      PGID = "100";
+      TZ = "America/New_York";
+    };
+    volumes = [ "${vars.media_docker_configs}/prowlarr:/config" ];
+    autoStart = true;
+  };
+}

systems/jeeves/docker/qbit.nix

@@ -0,0 +1,29 @@
+let
+  vars = import ../vars.nix;
+in
+{
+  networking.firewall = {
+    allowedTCPPorts = [ 6881 8082 29432 ]; 
+    allowedUDPPorts = [ 6881 ];
+  };
+  virtualisation.oci-containers.containers.qbit = {
+    image = "ghcr.io/linuxserver/qbittorrent:latest";
+    ports = [
+      "6881:6881"
+      "6881:6881/udp"
+      "8082:8082"
+      "29432:29432"
+    ];
+    volumes = [
+      "${vars.media_docker_configs}/qbit:/config"
+      "${vars.torrenting_qbit}:/data"
+    ];
+    environment = {
+      PUID = "600";
+      PGID = "100";
+      TZ = "America/New_York";
+      WEBUI_PORT = "8082";
+    };
+    autoStart = true;
+  };
+}

systems/jeeves/docker/qbitvpn.nix

@@ -0,0 +1,41 @@
+let
+  vars = import ../vars.nix;
+in
+{
+  networking.firewall = {
+    allowedTCPPorts = [ 6882 8081 8118 ];
+    allowedUDPPorts = [ 6882 ];
+  };
+  virtualisation.oci-containers.containers.qbitvpn = {
+    image = "binhex/arch-qbittorrentvpn:latest";
+    extraOptions = [ "--cap-add=NET_ADMIN" ];
+    ports = [
+      "6882:6881"
+      "6882:6881/udp"
+      "8081:8081"
+      "8118:8118"
+    ];
+    volumes = [
+      "${vars.media_docker_configs}/qbitvpn:/config"
+      "${vars.torrenting_qbitvpn}:/data"
+      "/etc/localtime:/etc/localtime:ro"
+    ];
+    environment = {
+      WEBUI_PORT = "8081";
+      PUID = "600";
+      PGID = "100";
+      VPN_ENABLED = "yes";
+      VPN_CLIENT = "openvpn";
+      STRICT_PORT_FORWARD = "yes";
+      ENABLE_PRIVOXY = "yes";
+      LAN_NETWORK = "192.168.90.0/24";
+      NAME_SERVERS = "1.1.1.1,1.0.0.1";
+      UMASK = "000";
+      DEBUG = "false";
+      DELUGE_DAEMON_LOG_LEVEL = "debug";
+      DELUGE_WEB_LOG_LEVEL = "debug";
+    };
+    environmentFiles = ["${vars.storage_secrets}/docker/qbitvpn"];
+    autoStart = true;
+  };
+}

systems/jeeves/docker/sonarr.nix

@@ -0,0 +1,21 @@
+let
+  vars = import ../vars.nix;
+in
+{
+  networking.firewall.allowedTCPPorts = [ 9696 8989 ];
+  virtualisation.oci-containers.containers.sonarr = {
+    image = "ghcr.io/linuxserver/sonarr:latest";
+    ports = [ "8989:8989" ];
+    environment = {
+      PUID = "600";
+      PGID = "100";
+      TZ = "America/New_York";
+    };
+    volumes = [
+      "${vars.media_docker_configs}/sonarr:/config"
+      "${vars.storage_plex}/tv:/tv"
+      "${vars.torrenting_qbitvpn}:/data"
+    ];
+    autoStart = true;
+  };
+}

systems/jeeves/docker/web.nix

@@ -5,7 +5,6 @@ in
   virtualisation.oci-containers.containers = {
     audiobookshelf = {
       image = "ghcr.io/advplyr/audiobookshelf:latest";
-      ports = [ "13378:80" ];
       volumes = [
         "${vars.media_docker_configs}/audiobookshelf:/config"
         "${vars.media_docker_configs}/audiobookshelf:/metadata"

systems/jeeves/networking.nix

@@ -2,7 +2,7 @@
   networking = {
     hostName = "jeeves";
     hostId = "0e15ce35";
-    firewall.enable = false;
+    firewall.enable = true;
     useNetworkd = true;
   };
 

systems/rhapsody-in-green/default.nix

@@ -15,8 +15,9 @@
 
   networking = {
     hostName = "rhapsody-in-green";
-    networkmanager.enable = true;
     hostId = "6404140d";
+    firewall.enable = true;
+    networkmanager.enable = true;
   };
 
   hardware = {

systems/router/default.nix

@@ -0,0 +1,147 @@
+# https://github.com/ghostbuster91/blogposts/blob/a2374f0039f8cdf4faddeaaa0347661ffc2ec7cf/router2023-part2/main.md
+# https://francis.begyn.be/blog/nixos-home-router
+{
+  imports = [
+    ../../users/richie
+    ../../common/global
+    ../../common/optional/zerotier.nix
+    ./docker
+    ./hardware.nix
+  ];
+
+  boot.kernel = {
+    sysctl = {
+      "net.ipv4.conf.all.forwarding" = true;
+      "net.ipv6.conf.all.forwarding" = false;
+    };
+  };
+  systemd.network = {
+    wait-online.anyInterface = true;
+    networks = {
+      "30-lan0" = {
+        matchConfig.Name = "lan0";
+        linkConfig.RequiredForOnline = "enslaved";
+        networkConfig = {
+          ConfigureWithoutCarrier = true;
+        };
+      };
+      # lan1 and lan2 look analogical
+      "30-lan3" = {
+        matchConfig.Name = "lan3";
+        linkConfig.RequiredForOnline = "enslaved";
+        networkConfig = {
+          ConfigureWithoutCarrier = true;
+        };
+      };
+      "10-wan" = {
+        matchConfig.Name = "wan";
+        networkConfig = {
+          # start a DHCP Client for IPv4 Addressing/Routing
+          DHCP = "ipv4";
+          DNSOverTLS = true;
+          DNSSEC = true;
+          IPv6PrivacyExtensions = false;
+          IPForward = true;
+        };
+        # make routing on this interface a dependency for network-online.target
+        linkConfig.RequiredForOnline = "routable";
+      };
+    };
+  };
+
+  networking = {
+    hostName = "surfer";
+    useNetworkd = true;
+    useDHCP = false;
+
+    # No local firewall.
+    nat.enable = false;
+    firewall.enable = false;
+
+    nftables = {
+      enable = true;
+      ruleset = ''
+        table inet filter {
+          chain input {
+            type filter hook input priority 0; policy drop;
+
+            iifname { "br-lan" } accept comment "Allow local network to access the router"
+            iifname "wan" ct state { established, related } accept comment "Allow established traffic"
+            iifname "wan" icmp type { echo-request, destination-unreachable, time-exceeded } counter accept comment "Allow select ICMP"
+            iifname "wan" counter drop comment "Drop all other unsolicited traffic from wan"
+            iifname "lo" accept comment "Accept everything from loopback interface"
+          }
+          chain forward {
+            type filter hook forward priority filter; policy drop;
+
+            iifname { "br-lan" } oifname { "wan" } accept comment "Allow trusted LAN to WAN"
+            iifname { "wan" } oifname { "br-lan" } ct state { established, related } accept comment "Allow established back to LANs"
+          }
+        }
+
+        table ip nat {
+          chain postrouting {
+            type nat hook postrouting priority 100; policy accept;
+            oifname "wan" masquerade
+          }
+        }
+      '';
+    };
+  };
+
+  services.dnsmasq = {
+    enable = true;
+    settings = {
+      # upstream DNS servers
+      server = [ "9.9.9.9" "8.8.8.8" "1.1.1.1" ];
+      # sensible behaviours
+      domain-needed = true;
+      bogus-priv = true;
+      no-resolv = true;
+
+      # Cache dns queries.
+      cache-size = 1000;
+
+      dhcp-range = [ "br-lan,192.168.10.50,192.168.10.254,24h" ];
+      interface = "br-lan";
+      dhcp-host = "192.168.10.1";
+
+      # local domains
+      local = "/lan/";
+      domain = "lan";
+      expand-hosts = true;
+
+      # don't use /etc/hosts as this would advertise surfer as localhost
+      no-hosts = true;
+      address = "/surfer.lan/192.168.10.1";
+    };
+  };
+
+  boot.kernel = {
+    sysctl = {
+      "net.ipv4.conf.default.rp_filter" = 1;
+      "net.ipv4.conf.wan.rp_filter" = 1;
+      "net.ipv4.conf.br-lan.rp_filter" = 0;
+    };
+  };
+
+  services = {
+    openssh.ports = [ 629 ];
+
+    smartd.enable = true;
+
+    snapshot_manager = {
+      enable = true;
+      path = ./snapshot_config.toml;
+    };
+
+    sysstat.enable = true;
+
+    zfs = {
+      trim.enable = true;
+      autoScrub.enable = true;
+    };
+  };
+
+  system.stateVersion = "24.05";
+}

systems/router/hardware.nix

@@ -0,0 +1,67 @@
+# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations.  Please make changes
+# to /etc/nixos/configuration.nix instead.
+{
+  config,
+  lib,
+  modulesPath,
+  ...
+}:
+
+{
+  imports = [ (modulesPath + "/installer/scan/not-detected.nix") ];
+
+  boot = {
+    initrd = {
+      availableKernelModules = [
+        "nvme"
+        "xhci_pci"
+        "ahci"
+        "usbhid"
+        "usb_storage"
+        "sd_mod"
+      ];
+      kernelModules = [ ];
+      luks.devices."luks-root-pool-nvme-Samsung_SSD_990_PRO_with_Heatsink_1TB_S73JNJ0X114418B-part2" = {
+        device = "/dev/disk/by-id/nvme-Samsung_SSD_990_PRO_with_Heatsink_1TB_S73JNJ0X114418B-part2";
+        bypassWorkqueues = true;
+        allowDiscards = true;
+      };
+    };
+    kernelModules = [ "kvm-amd" ];
+    extraModulePackages = [ ];
+  };
+
+  fileSystems = {
+    "/" = lib.mkDefault {
+      device = "root_pool/root";
+      fsType = "zfs";
+    };
+
+    "/home" = {
+      device = "root_pool/home";
+      fsType = "zfs";
+    };
+
+    "/var" = {
+      device = "root_pool/var";
+      fsType = "zfs";
+    };
+
+    "/boot" = {
+      device = "/dev/disk/by-uuid/609D-FF29";
+      fsType = "vfat";
+      options = [
+        "fmask=0077"
+        "dmask=0077"
+      ];
+    };
+  };
+
+  swapDevices = [ ];
+
+  networking.useDHCP = lib.mkDefault true;
+
+  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+  hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+}