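# NixOS host "celestia": a home NAS / media server. It exports /tank over NFS
# and guest-writable Samba shares, runs a local dnscrypt resolver, and fronts a
# handful of web UIs (jellyfin, the *arr services, paperless, jdownloader)
# through nginx with ACME certificates obtained via the cloudflare DNS-01
# challenge.
{ config, lib, pkgs, ... }:

let
  # One nginx virtualHosts entry, shaped as a { name; value; } pair for
  # builtins.listToAttrs: a TLS-terminating reverse proxy from
  # <subdomain>.fuckwit.dev to a backend listening on localhost:<port>.
  makeVirtualHost = { subdomain, port }: {
    name = "${subdomain}.fuckwit.dev";
    value = {
      forceSSL = true;
      enableACME = true;
      # No webroot: certificates are issued through the DNS challenge
      # configured under security.acme.defaults.
      acmeRoot = null;
      locations."/" = {
        proxyPass = "http://127.0.0.1:${builtins.toString port}";
        proxyWebsockets = true;
      };
    };
  };

  # Turn a list of { subdomain; port; } records into the virtualHosts attrset.
  makeVirtualHosts = sites: builtins.listToAttrs (builtins.map makeVirtualHost sites);

  # Data disks that get a standby timeout applied at power-up (see
  # powerManagement.powerUpCommands at the bottom).
  disks = [
    "/dev/disk/by-id/ata-ST14000NM000G-2KG103_ZL232MW7"
    "/dev/disk/by-id/ata-ST14000NM000G-2KG103_ZL22L00W"
    "/dev/disk/by-id/ata-ST14000NM000G-2KG103_ZL23J3P2"
    "/dev/disk/by-id/ata-ST14000NM000G-2KG103_ZL22LCB4"
    "/dev/disk/by-id/ata-ST14000NM000G-2KG103_ZL22PG6W"
    "/dev/disk/by-id/ata-ST14000NM000G-2KG103_ZL20KVKP"
  ];
in
{
  imports = [ ./hardware-configuration.nix ];

  # Secrets are sops-encrypted in ./secrets.yaml. "acme.env" carries the DNS
  # provider credentials consumed by security.acme below, so the API token is
  # never written into the world-readable nix store.
  sops.defaultSopsFile = ./secrets.yaml;
  sops.secrets."acme.env" = { };

  boot = {
    loader.systemd-boot.enable = true;
    loader.efi.canTouchEfiVariables = true;
    kernelParams = [
      "initcall_blacklist=acpi_cpufreq_init"
      "amd_pstate=passive"
      "libata.force=noncq"
    ];
    kernelModules = [ "amd-pstate" ];
  };

  system.stateVersion = "23.11"; # Did you read the comment?

  networking = {
    hostName = "celestia";
    interfaces.enp5s0f0 = {
      useDHCP = false;
      ipv4.addresses = [ { address = "10.1.1.11"; prefixLength = 24; } ];
    };
    firewall = {
      enable = true;
      # 22 sshd, 111 rpcbind, 443 nginx, 2049 nfsd, 4000/4001/4002 are the
      # statd/lockd/mountd ports pinned under services.nfs.server, 20048 is
      # mountd's usual default.
      # NOTE(review): mountd is pinned to 4002 below, so 20048 may be a stale
      # leftover — confirm before removing it.
      allowedTCPPorts = [ 22 111 443 2049 4000 4001 4002 20048 ];
      # 53 is the dnscrypt-proxy listener.
      # NOTE(review): only UDP 53 is opened; if LAN clients need the TCP
      # fallback for truncated answers, 53 has to be added to the TCP list
      # too — confirm that UDP-only is intended.
      allowedUDPPorts = [ 53 111 2049 4000 4001 4002 20048 ];
    };
  };

  time.timeZone = "Europe/Berlin";
  i18n.defaultLocale = "en_US.UTF-8";

  environment = {
    systemPackages = with pkgs; [ vim wget htop bash zfs lm_sensors ffmpeg ];
    # Which hwmon driver lm_sensors should load; hardware.fancontrol below
    # addresses the same nct67xx chip.
    etc."sysconfig/lm_sensors".text = ''
      HWMON_MODULES="nct6775"
    '';
  };

  # Key-based SSH access for root; see services.openssh for the matching
  # PermitRootLogin policy.
  users.users."root".openssh.authorizedKeys.keys = [
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIP8zNAXScQ4FoWNxF4+ALJXMSi3EbpqZP5pO9kfg9t8o patrick@NBG1-DC3-PC20-2017-10-24"
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPflDQOANGhgtfo2psRwSFtY5ETHX/bsDmqrho3iX9jt root@arschlinux"
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIP6oGHBFD3wo16buPtdYDat911gydOw2oFj80fTXL1xo batzi@DESKTOP-8A2VTHL"
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICK3otGMe8umxxJX5BbbBQ/+PQg37Puh0qjH8IILL95T patrick@mi"
    "sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIDl3vLxNpinilTJp1rGsSYlVi+hIa+oECtge1i8bwz33AAAACHNzaDptYWlu"
  ];

  # Shared group used by lidarr/radarr/sonarr (group = "nas" below).
  users.groups.nas.gid = 2000;

  # Persistent state for dnscrypt-proxy lives in /var/lib/dnscrypt-proxy,
  # matching the cache_file / cloaking_rules paths in its settings.
  systemd.services.dnscrypt-proxy2.serviceConfig.StateDirectory = "dnscrypt-proxy";

  security.acme = {
    acceptTerms = true;
    defaults = {
      email = "acme@fuckwit.dev";
      # DNS-01 through cloudflare; credentials come from the sops secret.
      dnsProvider = "cloudflare";
      environmentFile = config.sops.secrets."acme.env".path;
      dnsPropagationCheck = true;
    };
  };

  services = {
    dnscrypt-proxy2 = {
      enable = true;
      settings = {
        # Listens on every interface and is reachable from the LAN through
        # the firewall's UDP 53 rule, i.e. this host is the LAN resolver.
        listen_addresses = [ "0.0.0.0:53" ];
        ipv6_servers = false;
        dnscrypt_servers = true;
        cloaking_rules = "/var/lib/dnscrypt-proxy/cloaking";
        sources.dnscry-pt-resolvers = {
          urls = [ "https://www.dnscry.pt/resolvers.md" ];
          # The downloaded resolver list is verified against this minisign key.
          minisign_key = "RWQM31Nwkqh01x88SvrBL8djp1NH56Rb4mKLHz16K7qsXgEomnDv6ziQ";
          cache_file = "/var/lib/dnscrypt-proxy/dnscry.pt-resolvers.md";
          refresh_delay = 72;
          prefix = "dnscry.pt-";
        };
      };
    };

    openssh = {
      enable = true;
      settings = {
        # Root logs in with the authorized keys listed above, so refuse
        # password authentication for root on a port that is open in the
        # firewall instead of permitting it outright.
        # (was: PermitRootLogin = "yes")
        PermitRootLogin = "prohibit-password";
      };
    };

    nfs.server = {
      enable = true;
      # Fixed ports so the firewall rules above can stay static.
      lockdPort = 4001;
      mountdPort = 4002;
      statdPort = 4000;
      extraNfsdConfig = '''';
    };

    samba = {
      enable = true;
      openFirewall = true;
      # Unknown users are mapped to guest; both shares below are anonymous
      # and world-writable (force create/directory mode 0666/0777) by design.
      extraConfig = "map to guest = bad user";
      shares = {
        # NOTE(review): /tank/dump also contains paperless' consumption
        # directory and is jdownloader's /output volume, so anything an
        # unauthenticated LAN client drops here is picked up by those
        # services.
        dump = {
          path = "/tank/dump";
          browsable = "yes";
          public = "yes";
          "guest only" = "yes";
          writable = "yes";
          "force create mode" = "0666";
          "force directory mode" = "0777";
        };
        video = {
          path = "/tank/video";
          browsable = "yes";
          public = "yes";
          "guest only" = "yes";
          writable = "yes";
          "force create mode" = "0666";
          "force directory mode" = "0777";
        };
      };
    };

    zfs.autoScrub.enable = true;

    nginx = {
      enable = true;
      # Every backend is expected on 127.0.0.1:<port>; see makeVirtualHost.
      virtualHosts = makeVirtualHosts [
        { subdomain = "jdownloader"; port = 8000; }
        { subdomain = "jellyfin"; port = 8096; }
        { subdomain = "sonarr"; port = 8989; }
        { subdomain = "radarr"; port = 7878; }
        { subdomain = "lidarr"; port = 8686; }
        { subdomain = "paperless"; port = 28981; }
      ];
    };

    paperless = {
      enable = true;
      mediaDir = "/tank/documents";
      # Lives under the guest-writable Samba "dump" share (see above).
      consumptionDir = "/tank/dump/paperless_consume";
      consumptionDirIsPublic = true;
      extraConfig = {
        PAPERLESS_URL = "https://paperless.fuckwit.dev";
        PAPERLESS_CONSUMER_IGNORE_PATTERN = builtins.toJSON [ ".DS_STORE/*" "desktop.ini" ];
        PAPERLESS_OCR_LANGUAGE = "deu+eng";
        PAPERLESS_OCR_USER_ARGS = builtins.toJSON {
          optimize = 1;
          pdfa_image_compression = "lossless";
        };
      };
    };

    lidarr = {
      enable = true;
      group = "nas";
      dataDir = "/var/lib/lidarr";
    };
    radarr = {
      enable = true;
      group = "nas";
      dataDir = "/var/lib/radarr";
    };
    sonarr = {
      enable = true;
      group = "nas";
      dataDir = "/var/lib/sonarr";
      # Kept for reference; if revived, `version` needs a binding of its own.
      # package = pkgs.sonarr.override {
      #   version = "4.0.0.748";
      #   src = lib.fetchurl {
      #     url = "https://download.sonarr.tv/v4/main/${version}/Sonarr.main.${version}.linux-x64.tar.gz";
      #     hash = "";
      #   };
      # };
    };
    jellyfin.enable = true;
  };

  hardware.fancontrol = {
    enable = true;
    # Output of pwmconfig for the nct6779 on hwmon0: pwm5 and pwm3 follow
    # temp2, ramping between 40 and 80 degrees with a 150 PWM ceiling.
    config = ''
      # Configuration file generated by pwmconfig, changes will be lost
      INTERVAL=10
      DEVPATH=hwmon0=devices/platform/nct6775.656
      DEVNAME=hwmon0=nct6779
      FCTEMPS=hwmon0/pwm5=hwmon0/temp2_input hwmon0/pwm3=hwmon0/temp2_input
      FCFANS=hwmon0/pwm5=hwmon0/fan5_input hwmon0/pwm3=hwmon0/fan3_input
      MINTEMP=hwmon0/pwm5=40 hwmon0/pwm3=40
      MAXTEMP=hwmon0/pwm5=80 hwmon0/pwm3=80
      MINSTART=hwmon0/pwm5=150 hwmon0/pwm3=150
      MINSTOP=hwmon0/pwm5=0 hwmon0/pwm3=0
      MAXPWM=hwmon0/pwm5=150 hwmon0/pwm3=150
    '';
  };

  virtualisation = {
    podman.enable = true;
    oci-containers = {
      backend = "podman";
      containers.jdownloader = {
        # NOTE(review): floating :latest tag, so image updates are unpinned
        # and unverified — consider pinning a digest.
        image = "docker.io/jlesage/jdownloader-2:latest";
        autoStart = true;
        # nginx proxies jdownloader.fuckwit.dev to 127.0.0.1:8000, so publish
        # the container's web UI (5800) on loopback only. Ports published by
        # the container runtime are not expected to be covered by
        # networking.firewall, so the previous 0.0.0.0 binding exposed the UI
        # directly to the LAN — confirm nothing relied on that.
        # (was: "0.0.0.0:8000:5800")
        ports = [ "127.0.0.1:8000:5800" ];
        volumes = [
          "jdownloader_config:/config"
          # Downloads land on the guest-writable Samba "dump" share.
          "/tank/dump:/output"
        ];
      };
    };
  };

  powerManagement = {
    enable = true;
    # At power-up/resume, set a standby timeout on every data disk
    # (hdparm -S 241 = 30 minutes in hdparm's encoding).
    powerUpCommands = lib.strings.concatMapStringsSep "\n"
      (disk: "${pkgs.hdparm}/sbin/hdparm -S 241 " + disk) disks;
  };
}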