new beginning

2024-06-30 23:27:40 +02:00
commit ec1513fbf3
52 changed files with 5459 additions and 0 deletions
--- a/nixos/celestia/configuration.nix
+++ b/nixos/celestia/configuration.nix
@ -0,0 +1,435 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}: let
+  makeVirtualHost = {
+    subdomain,
+    port,
+  }: {
+    name = "${subdomain}.fuckwit.dev";
+    value = {
+      forceSSL = true;
+      useACMEHost = "fuckwit.dev";
+      locations."/" = {
+        proxyPass = "http://127.0.0.1:${builtins.toString port}";
+        proxyWebsockets = true;
+      };
+    };
+  };
+
+  makeVirtualHosts = sites: builtins.listToAttrs (builtins.map makeVirtualHost sites);
+
+  disks = [
+    "/dev/disk/by-id/ata-ST14000NM000G-2KG103_ZL232MW7"
+    "/dev/disk/by-id/ata-ST14000NM000G-2KG103_ZL22L00W"
+    "/dev/disk/by-id/ata-ST14000NM000G-2KG103_ZL23J3P2"
+    "/dev/disk/by-id/ata-ST14000NM000G-2KG103_ZL22LCB4"
+    "/dev/disk/by-id/ata-ST14000NM000G-2KG103_ZL22PG6W"
+    "/dev/disk/by-id/ata-ST14000NM000G-2KG103_ZL20KVKP"
+  ];
+in {
+  sops.defaultSopsFile = ./secrets.yaml;
+  sops.secrets."acme.env" = {};
+  sops.secrets."tailscale-auth-key" = {};
+
+  imports = [
+    ./hardware-configuration.nix
+  ];
+
+  boot.loader.systemd-boot.enable = true;
+  boot.loader.efi.canTouchEfiVariables = true;
+  boot.kernelParams = [
+    "initcall_blacklist=acpi_cpufreq_init"
+    "amd_pstate=passive"
+    "libata.force=noncq"
+  ];
+  boot.kernelModules = ["amd-pstate"];
+
+  system.stateVersion = "23.11"; # Did you read the comment?
+  networking = {
+    hostName = "celestia";
+
+    interfaces.enp5s0f0 = {
+      useDHCP = false;
+      ipv4.addresses = [
+        {
+          address = "10.1.1.11";
+          prefixLength = 24;
+        }
+      ];
+    };
+
+    firewall = {
+      enable = true;
+      allowedTCPPorts = [22 111 443 2049 4000 4001 4002 20048];
+      allowedUDPPorts = [53 111 2049 4000 4001 4002 20048];
+    };
+  };
+  time.timeZone = "Europe/Berlin";
+
+  i18n.defaultLocale = "en_US.UTF-8";
+
+  environment.systemPackages = with pkgs; [
+    vim
+    wget
+    htop
+    bash
+    zfs
+    lm_sensors
+    ffmpeg
+  ];
+
+  users.users."root".openssh.authorizedKeys.keys = [
+    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIP8zNAXScQ4FoWNxF4+ALJXMSi3EbpqZP5pO9kfg9t8o patrick@NBG1-DC3-PC20-2017-10-24"
+    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPflDQOANGhgtfo2psRwSFtY5ETHX/bsDmqrho3iX9jt root@arschlinux"
+    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIP6oGHBFD3wo16buPtdYDat911gydOw2oFj80fTXL1xo batzi@DESKTOP-8A2VTHL"
+    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICK3otGMe8umxxJX5BbbBQ/+PQg37Puh0qjH8IILL95T patrick@mi"
+    "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIDl3vLxNpinilTJp1rGsSYlVi+hIa+oECtge1i8bwz33AAAACHNzaDptYWlu"
+  ];
+
+  users.groups.nas.gid = 2000;
+  users.users.nginx.extraGroups = ["acme"];
+
+  environment = {
+    etc = {
+      "sysconfig/lm_sensors".text = ''
+        HWMON_MODULES="nct6775"
+      '';
+    };
+  };
+
+  security.acme = {
+    acceptTerms = true;
+    defaults = {
+      email = "acme@fuckwit.dev";
+      dnsProvider = "cloudflare";
+      environmentFile = config.sops.secrets."acme.env".path;
+      dnsPropagationCheck = true;
+    };
+
+    certs."fuckwit.dev" = {
+      extraDomainNames = ["*.fuckwit.dev"];
+    };
+  };
+
+  services = {
+    tailscale = {
+      enable = true;
+      openFirewall = true;
+      useRoutingFeatures = "both";
+      extraUpFlags = ["--advertise-routes=192.168.1.11/32"];
+      authKeyFile = config.sops.secrets."tailscale-auth-key".path;
+    };
+
+    dnscrypt-proxy2 = {
+      enable = true;
+      settings = {
+        listen_addresses = ["0.0.0.0:53"];
+        ipv6_servers = false;
+        dnscrypt_servers = true;
+        cloaking_rules = "/var/lib/dnscrypt-proxy/cloaking";
+
+        sources.dnscry-pt-resolvers = {
+          urls = ["https://www.dnscry.pt/resolvers.md"];
+          minisign_key = "RWQM31Nwkqh01x88SvrBL8djp1NH56Rb4mKLHz16K7qsXgEomnDv6ziQ";
+          cache_file = "/var/lib/dnscrypt-proxy/dnscry.pt-resolvers.md";
+          refresh_delay = 72;
+          prefix = "dnscry.pt-";
+        };
+      };
+    };
+
+    openssh = {
+      enable = true;
+      settings = {
+        PermitRootLogin = "yes";
+      };
+    };
+
+    nfs.server = {
+      enable = true;
+      lockdPort = 4001;
+      mountdPort = 4002;
+      statdPort = 4000;
+      extraNfsdConfig = '''';
+    };
+
+    samba = {
+      enable = true;
+      openFirewall = true;
+      extraConfig = "map to guest = bad user";
+      shares = {
+        dump = {
+          path = "/tank/dump";
+          browsable = "yes";
+          public = "yes";
+          "guest only" = "yes";
+          writable = "yes";
+          "force create mode" = "0666";
+          "force directory mode" = "0777";
+        };
+        video = {
+          path = "/tank/video";
+          browsable = "yes";
+          public = "yes";
+          "guest only" = "yes";
+          writable = "yes";
+          "force create mode" = "0666";
+          "force directory mode" = "0777";
+        };
+      };
+    };
+
+    zfs = {
+      autoScrub.enable = true;
+    };
+
+    nginx = {
+      enable = true;
+      virtualHosts = makeVirtualHosts [
+        {
+          subdomain = "jdownloader";
+          port = 8000;
+        }
+        {
+          subdomain = "jellyfin";
+          port = 8096;
+        }
+        {
+          subdomain = "sonarr";
+          port = 8989;
+        }
+        {
+          subdomain = "radarr";
+          port = 7878;
+        }
+        {
+          subdomain = "lidarr";
+          port = 8686;
+        }
+        {
+          subdomain = "paperless";
+          port = 28981;
+        }
+        {
+          subdomain = "homepage";
+          port = 8082;
+        }
+      ];
+    };
+
+    paperless = {
+      enable = true;
+      mediaDir = "/tank/documents";
+      consumptionDir = "/tank/dump/paperless_consume";
+      consumptionDirIsPublic = true;
+
+      settings = {
+        PAPERLESS_URL = "https://paperless.fuckwit.dev";
+        PAPERLESS_CONSUMER_IGNORE_PATTERN = builtins.toJSON [
+          ".DS_STORE/*"
+          "desktop.ini"
+        ];
+
+        PAPERLESS_OCR_LANGUAGE = "deu+eng";
+        PAPERLESS_OCR_USER_ARGS = builtins.toJSON {
+          optimize = 1;
+          pdfa_image_compression = "lossless";
+        };
+      };
+    };
+
+    lidarr = {
+      enable = true;
+      group = "nas";
+      dataDir = "/var/lib/lidarr";
+    };
+
+    radarr = {
+      enable = true;
+      group = "nas";
+      dataDir = "/var/lib/radarr";
+    };
+
+    sonarr = {
+      enable = true;
+      group = "nas";
+      dataDir = "/var/lib/sonarr";
+      # package = pkgs.sonarr.override {
+      #   version = "4.0.0.748";
+      #   src = lib.fetchurl {
+      #     url = "https://download.sonarr.tv/v4/main/${version}/Sonarr.main.${version}.linux-x64.tar.gz";
+      #     hash = "";
+      #   };
+      # };
+    };
+
+    jellyfin.enable = true;
+
+    homepage-dashboard = {
+      enable = true;
+
+      settings = {
+        title = "Homelab";
+        theme = "dark";
+
+        layout = [
+          {
+            Media = {
+              style = "row";
+              columns = 4;
+            };
+          }
+        ];
+      };
+
+      widgets = [
+        {
+          resources = {
+            cpu = true;
+            memory = true;
+            disk = "/tank";
+          };
+        }
+        {
+          search = {
+            provider = "duckduckgo";
+            target = "_blank";
+          };
+        }
+      ];
+
+      services = [
+        {
+          Media = [
+            {
+              Jellyfin = {
+                icon = "jellyfin.png";
+                href = "https://jellyfin.fuckwit.dev";
+                siteMonitor = "https://jellyfin.fuckwit.dev";
+                description = "Media library";
+                widget = {
+                  type = "jellyfin";
+                  url = "https://jellyfin.fuckwit.dev";
+                  key = "d6e4766cda6c412cb4a96626c0f0b51a";
+                  enableBlocks = true;
+                  enableNowPlaying = false;
+                };
+              };
+            }
+            {
+              Radarr = {
+                icon = "radarr.png";
+                href = "https://radarr.fuckwit.dev";
+                siteMonitor = "https://radarr.fuckwit.dev";
+                description = "Media library";
+                widget = {
+                  type = "radarr";
+                  url = "https://radarr.fuckwit.dev";
+                  key = "01d93b03f6c64a0f9786598b611e58f9";
+                };
+              };
+            }
+            {
+              Sonarr = {
+                icon = "sonarr.png";
+                href = "https://sonarr.fuckwit.dev";
+                siteMonitor = "https://sonarr.fuckwit.dev";
+                description = "Media library";
+                widget = {
+                  type = "sonarr";
+                  url = "https://sonarr.fuckwit.dev";
+                  key = "c6be6b2d78104a97a2c7df560b27bb5c";
+                };
+              };
+            }
+            {
+              Lidarr = {
+                icon = "lidarr.png";
+                href = "https://lidarr.fuckwit.dev";
+                siteMonitor = "https://lidarr.fuckwit.dev";
+                description = "Media library";
+                widget = {
+                  type = "lidarr";
+                  url = "https://lidarr.fuckwit.dev";
+                  key = "e95e25ccd6f04ffe8e8ad0ff488231a8";
+                };
+              };
+            }
+          ];
+        }
+      ];
+    };
+  };
+
+  hardware = {
+    fancontrol = {
+      enable = true;
+      config = ''
+        # Configuration file generated by pwmconfig, changes will be lost
+        INTERVAL=10
+        DEVPATH=hwmon0=devices/platform/nct6775.656
+        DEVNAME=hwmon0=nct6779
+        FCTEMPS=hwmon0/pwm5=hwmon0/temp2_input hwmon0/pwm3=hwmon0/temp2_input
+        FCFANS=hwmon0/pwm5=hwmon0/fan5_input hwmon0/pwm3=hwmon0/fan3_input
+        MINTEMP=hwmon0/pwm5=40 hwmon0/pwm3=40
+        MAXTEMP=hwmon0/pwm5=80 hwmon0/pwm3=80
+        MINSTART=hwmon0/pwm5=150 hwmon0/pwm3=150
+        MINSTOP=hwmon0/pwm5=0 hwmon0/pwm3=0
+        MAXPWM=hwmon0/pwm5=150 hwmon0/pwm3=150
+      '';
+    };
+  };
+
+  virtualisation = {
+    podman = {
+      enable = true;
+    };
+
+    oci-containers = {
+      backend = "podman";
+
+      containers = {
+        jdownloader = {
+          image = "docker.io/jlesage/jdownloader-2:latest";
+          autoStart = true;
+          ports = ["0.0.0.0:8000:5800"];
+          volumes = [
+            "jdownloader_config:/config"
+            "/tank/dump:/output"
+          ];
+        };
+      };
+    };
+  };
+
+  powerManagement = {
+    enable = true;
+    powerUpCommands = lib.strings.concatMapStringsSep "\n" (disk: "${pkgs.hdparm}/sbin/hdparm -S 241 " + disk) disks;
+  };
+
+  systemd.services = let
+    ensure-perms = path: user: group: {
+      enable = true;
+      description = "Ensures permissionsions and ownership of files in ${path}";
+      wantedBy = ["multi-user.target"];
+
+      script = ''
+        while read -r evt file; do
+          ${pkgs.coreutils}/bin/chown ${user}:${group} "$file"
+          ${pkgs.coreutils}/bin/chmod 755 "$file"
+        done < <(${pkgs.inotify-tools}/bin/inotifywait -e create,move -m -r --format '%e %w%f' ${path})
+      '';
+    };
+  in {
+    dnscrypt-proxy2.serviceConfig = {
+      StateDirectory = "dnscrypt-proxy";
+    };
+
+    ensure-radarr-perms = ensure-perms "/tank/video/movie" "radarr" "nas";
+    ensure-sonarr-perms = ensure-perms "/tank/video/series" "sonarr" "nas";
+    ensure-lidarr-perms = ensure-perms "/tank/audio" "lidarr" "nas";
+  };
+}
--- a/nixos/celestia/hardware-configuration.nix
+++ b/nixos/celestia/hardware-configuration.nix
@ -0,0 +1,58 @@
+# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations.  Please make changes
+# to /etc/nixos/configuration.nix instead.
+{
+  config,
+  lib,
+  pkgs,
+  modulesPath,
+  ...
+}: {
+  imports = [(modulesPath + "/installer/scan/not-detected.nix")];
+
+  boot.initrd = {
+    availableKernelModules = ["xhci_pci" "ahci" "usbhid" "uas"];
+    kernelModules = [];
+  };
+  boot.kernelModules = ["kvm-amd" "nct6775" "coretemp"];
+  boot.extraModulePackages = [];
+  boot.supportedFilesystems = ["zfs"];
+  boot.zfs = {
+    forceImportRoot = false;
+    extraPools = ["tank"];
+  };
+  boot.kernelPackages = config.boot.zfs.package.latestCompatibleLinuxPackages;
+
+  fileSystems."/" = {
+    device = "/dev/disk/by-uuid/3652c231-d679-42dd-80f1-e9afccb4ca13";
+    fsType = "ext4";
+  };
+
+  boot.initrd.luks.devices = {
+    cryptroot = {
+      device = "/dev/disk/by-uuid/6eafb3a6-a7b0-442f-b88c-a3f7021cf0e7";
+      allowDiscards = true;
+      keyFileSize = 4096;
+      keyFile = "/dev/disk/by-id/usb-Generic_Flash_Disk_D5A325A0-0:0";
+    };
+  };
+
+  fileSystems."/boot" = {
+    device = "/dev/disk/by-uuid/7F60-62AA";
+    fsType = "vfat";
+  };
+
+  swapDevices = [];
+
+  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+  # (the default) this is the recommended approach. When using systemd-networkd it's
+  # still possible to use this option, but it's recommended to use it in conjunction
+  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
+  networking.useDHCP = lib.mkDefault true;
+  networking.hostId = "c1309b62";
+  # networking.interfaces.enp4s0.useDHCP = lib.mkDefault true;
+
+  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+  powerManagement.cpuFreqGovernor = lib.mkDefault "ondemand";
+  hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+}
--- a/nixos/celestia/secrets.yaml
+++ b/nixos/celestia/secrets.yaml
@ -0,0 +1,34 @@
+acme.env: ENC[AES256_GCM,data:VgSJO2Q32csfN0DEH6kTsaN0z/hRa0fRHLUleju+gqBPjoQmZGIQjlLKHzj1Ys3zS591iVRkeYExBGyCPakPIJo=,iv:sOIPofteCvO4Na+z8qw7EjfJ6CEr83kYaonhUCgFwA4=,tag:RhHGyTrmdY4f8QkQ0DhhJw==,type:str]
+tailscale-auth-key: ENC[AES256_GCM,data:Rvq2wL9civCoH6acKk3lYIXbVAME+kUmeuQYOTl+rvdb5bFoI5i688qI58ceF47PGKi1jeXe46SkJGJe0iY=,iv:b0kavSFEG40Jxa3yAjttarN5N3nOLEbZYqP3LOXvBrU=,tag:cpgYzoX9L6+1IHnmjfZfQg==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age1vadwmwh8ckfal7j83gwrwn9324gqufwgkxskznhp9v867amndcwqgp2w6t
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBkNWVpTlR4VXFGTDBzVmVx
+            RVdUaGE4T2ZrY2x6K1d5aXlPTGFsLzBUYkJFCjB2MDJPU3Fzd1I3Q0lOdmJ6UEYr
+            SHkyYlBCREVkRDgyVWV2WU1GMnBXTmMKLS0tICt1VTJkYU1wZDltSHJ0ZHN3L2sr
+            K0RaVVNSczZBcDNtaXhGem5iQnlVTDAK+XogkPQD2xYQ7sW8DwAXaaLA/ftw6vZM
+            wsNs0uun9dgGjZIXcU6AIsrJeUiWBl5zgc6CCd/ad/3QxpmKj1p9Mg==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2024-04-21T19:42:27Z"
+    mac: ENC[AES256_GCM,data:1LZ/jcx2yOW5OgWYmGlu8ySpOLrvLTmyAc8CrK6gKDeoc/VN5RuRapwkGD6XfgDaUvMCccgcRpyL5QDPPdRw6zzwpW4Ce1hreOoC1zV23TNDuAbn1G+gFjlJ2l5IEY6EZeNoWsOC2ID16HRwls1Bau1+hcWKefFYNVjE3+3l16U=,iv:9FFP84Be7UzfuLz/FnFtvOXmudccMq1jFDGXJUN0t48=,tag:U9SOsMUbHm8hzZnS3yK1Lg==,type:str]
+    pgp:
+        - created_at: "2024-01-25T08:00:56Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            hF4DMGJRmcuHhnsSAQdASY7ZScb03Yf6R2hOwAhAiIhQIFuplUnWKePZ/x9tpSEw
+            fkoLDAvuFVVcZnYZ6wqoyhdpNI0XBcH7MIVkcTggVQ/qN2YhkkTpHlXtAmG2c0ML
+            1GYBCQIQso1f3sQcwGH9HwjhaZsj+mBO8U81kKZHFlfLXB7C52KPkqekzM9xvkhM
+            eB7+STUrQExBai7k1Um/RB4DcgE6L6127S5zIGDCxiK/9wKbZ5JOMv9K+J/G89ZD
+            q8Y7oXwCRl8=
+            =pbvo
+            -----END PGP MESSAGE-----
+          fp: 5FA64909521A5C85992F26E0F819AEFF941BB849
+    unencrypted_suffix: _unencrypted
+    version: 3.8.1