dotfiles/nixos/machines/frumar/default.nix


{ config, pkgs, lib, ... }:
let
  # nginx snippet that puts a location behind oauth2-proxy: every request is
  # first sent to /oauth2/auth, a 401 from there becomes the sign-in redirect,
  # and the identity oauth2-proxy returns is forwarded to the backend as
  # X-User / X-Email.  The string content is consumed by nginx verbatim.
  oauth2Block = ''
    auth_request /oauth2/auth;
    error_page 401 = /oauth2/sign_in;
    # pass information via X-User and X-Email headers to backend,
    # requires running with --set-xauthrequest flag
    auth_request_set $user $upstream_http_x_auth_request_user;
    auth_request_set $email $upstream_http_x_auth_request_email;
    proxy_set_header X-User $user;
    proxy_set_header X-Email $email;
    # if you enabled --cookie-refresh, this is needed for it to work with auth_request
    auth_request_set $auth_cookie $upstream_http_set_cookie;
    add_header Set-Cookie $auth_cookie;
  '';
in
{
  imports = [
    ./fractal.nix
    ../../roles/server.nix
    ../../roles/homeserver.nix
    ./paperless.nix
    ./media.nix
    ./home-automation.nix
  ];

  system.stateVersion = "15.09";
  networking.hostId = "0702dbe9";

  # Build the JDK 8 bootstrap without GTK (presumably so that the headless JRE 8
  # handed to services.unifi below does not pull in a desktop stack — confirm).
  nixpkgs.overlays = [
    (final: prev: {
      openjdk8-bootstrap = prev.openjdk8-bootstrap.override { gtkSupport = false; };
    })
  ];

  # Local (non-ACME) certificate pair; its sslCertificate/sslCertificateKey are
  # consumed by the frumar.yori.cc virtual host below.
  security.y-selfsigned.enable = true;

  services.nginx = {
    enable = true;

    # UniFi controller.  TLS is terminated here with the wildcard cert and
    # re-encrypted to the controller's own listener on loopback.
    virtualHosts."unifi.yori.cc" = {
      onlySSL = true;
      useACMEHost = "wildcard.yori.cc";
      locations."/" = {
        proxyPass = "https://[::1]:8443";
        proxyWebsockets = true;
        # The upstream on [::1] presumably presents a self-signed certificate,
        # which is why verification of the proxy->upstream hop is disabled.
        # That is only defensible because the hop never leaves this host.
        extraConfig = ''
          proxy_ssl_verify off;
          proxy_ssl_session_reuse on;
        '';
      };
    };

    # Private services behind oauth2-proxy (see services.oauth2_proxy below).
    virtualHosts."priv.yori.cc" = {
      onlySSL = true;
      useACMEHost = "wildcard.yori.cc";
      # NOTE(review): only /sonarr and /radarr attach oauth2Block explicitly.
      # Whether / and /marvin-tracker/ are also gated depends on what
      # services.oauth2_proxy.nginx.virtualHosts injects at the server level
      # for this host — confirm before relying on it.
      locations."/" = {
        proxyPass = "http://127.0.0.1:4000";
      };
      locations."/sonarr" = {
        proxyPass = "http://127.0.0.1:8989";
        extraConfig = oauth2Block;
      };
      locations."/radarr" = {
        proxyPass = "http://127.0.0.1:7878";
        extraConfig = oauth2Block;
      };
      locations."/marvin-tracker/" = {
        proxyPass = "http://[::1]:4001/";
        # handles auth using arg (per the original note; the tracker is
        # expected to check a request argument itself)
      };
    };

    # The host's own name: ACME is forced off even if a role enables it, and the
    # locally generated y-selfsigned pair is served instead.
    virtualHosts."frumar.yori.cc" = {
      enableACME = lib.mkForce false;
      sslCertificate = config.security.y-selfsigned.sslCertificate;
      sslCertificateKey = config.security.y-selfsigned.sslCertificateKey;
    };
  };

  boot.supportedFilesystems = [ "zfs" ];
  # Do not prompt for dataset encryption keys when pools are imported at boot.
  boot.zfs.requestEncryptionCredentials = false;

  # iperf3 server.  openFirewall exposes it on every interface and iperf3 has no
  # authentication, so anyone who can reach the port can run throughput tests.
  services.iperf3 = {
    enable = true;
    openFirewall = true;
  };

  services.unifi = {
    enable = true;
    openFirewall = true;
    jrePackage = pkgs.jre8_headless;
    unifiPackage = pkgs.unifiStable;
  };

  # Long-term metrics storage; Prometheus remote_writes into it (below).
  services.victoriametrics = {
    enable = true;
    retentionPeriod = 12;
  };

  services.prometheus = {
    enable = true;
    # NOTE(review): --web.enable-admin-api turns on the TSDB admin endpoints
    # (series deletion, clean-tombstones, snapshots) and Prometheus itself has
    # no authentication.  9090 is opened on wg-y in networking.firewall, so
    # every peer on that link can call them.
    extraFlags = [ "--web.enable-admin-api" ];
    # forward all samples to victoriametrics
    remoteWrite = [ { url = "http://127.0.0.1:8428/api/v1/write"; } ];
    scrapeConfigs = [
      {
        job_name = "node";
        static_configs = [ { targets = [ "localhost:9100" ]; } ];
      }
    ];
    exporters.node.enable = true;
  };

  services.yorick.paperless = {
    enable = true;
    openFirewall = true;
    scanner_ip = "192.168.2.49";
  };

  networking.firewall = {
    # grafana and prometheus, only over the wg-y tunnel (via pennyworth)
    interfaces.wg-y.allowedTCPPorts = [ 3000 9090 ];
    # MQTT (rabbitmq_mqtt below): plain 1883 on every interface, no TLS.  The
    # UDP rule looks unnecessary since MQTT runs over TCP — confirm.  The
    # rabbitmq_management port is not opened here.
    allowedTCPPorts = [ 1883 ];
    allowedUDPPorts = [ 1883 ];
  };

  services.rabbitmq = {
    enable = true;
    plugins = [ "rabbitmq_mqtt" "rabbitmq_management" ];
  };

  services.grafana = {
    enable = true;
    settings = {
      # Binds every interface; only wg-y has 3000 admitted in networking.firewall.
      server.http_addr = "0.0.0.0";
      server.domain = "grafana.yori.cc";
      server.root_url = "https://grafana.yori.cc/";
      # Google OAuth is the only way in: basic auth and the login form are off,
      # and unknown Google accounts are not auto-provisioned.
      "auth.basic".enabled = false;
      "auth.google".enabled = true;
      "auth.google".allow_sign_up = false;
      auth.disable_login_form = true;
    };
  };

  # agenix-managed secrets.  Decrypted files land under the path exposed as
  # config.age.secrets.<name>.path and are referenced from the units below.
  age.secrets.acme-transip-key = {
    file = ../../../secrets/transip-key.age;
    # NOTE(review): 770 also sets the execute bit on a private key file.  The
    # acme unit only needs to read it (see TRANSIP_PRIVATE_KEY_PATH below), so
    # 640 with group = "acme" should suffice — confirm against lego's needs.
    mode = "770";
    group = "acme";
  };
  age.secrets.frumar-mail-pass.file = ../../../secrets/frumar-mail-pass.age;
  age.secrets.grafana.file = ../../../secrets/grafana.env.age;
  age.secrets.oauth2-proxy.file = ../../../secrets/oauth2-proxy.age;

  # Grafana's secret settings come from the agenix env file rather than from
  # the world-readable settings above.
  systemd.services.grafana.serviceConfig.EnvironmentFile = config.age.secrets.grafana.path;

  services.zfs.autoScrub = {
    enable = true;
    interval = "*-*-01 02:00:00"; # first of every month at 02:00
  };

  # Snapshot and replication schedule.  pure = only the zetup defined here is
  # applied; sendRaw replicates datasets as raw streams (encrypted data stays
  # encrypted in transit and at the destination — presumably the intent, confirm).
  services.znapzend = {
    enable = true;
    pure = true;
    features.zfsGetType = true;
    features.sendRaw = true;
    zetup."frumar-new".plan = "1w=>6h,1m=>1w,1y=>1m,2y=>6m,50y=>1y";
    zetup."frumar-new/plexmedia".plan = "1w=>6h,1m=>1w,1y=>1m,2y=>6m,50y=>1y";
    zetup."ssdpool/root".plan = "2d=>1d";
    zetup."ssdpool/root/var" = {
      plan = "1w=>1d";
      # local snapshots of /var are additionally replicated onto the frumar-new pool
      destinations.frumar-new = {
        dataset = "frumar-new/backup/ssdpool-root-var";
        plan = "1w=>1d,1m=>1w,1y=>1m,10y=>6m,50y=>1y";
      };
    };
  };

  users.users.yorick.packages = [
    pkgs.borgbackup
    pkgs.bup
    pkgs.fzf
    pkgs.git-annex
    pkgs.magic-wormhole
    pkgs.python3
    pkgs.ranger
    pkgs.jq
    pkgs.unzip
  ];

  # Wildcard certificate via DNS-01 on TransIP; nginx is reloaded on renewal.
  security.acme.certs."wildcard.yori.cc" = {
    domain = "*.yori.cc";
    dnsProvider = "transip";
    reloadServices = [ "nginx.service" ];
  };
  # nginx reads the wildcard cert through the acme group.
  users.users.nginx.extraGroups = [ "acme" ];
  # TransIP API credentials for the DNS-01 challenge; the private key is the
  # agenix secret declared above.
  systemd.services."acme-wildcard.yori.cc".environment = {
    TRANSIP_ACCOUNT_NAME = "yorickvp";
    TRANSIP_PRIVATE_KEY_PATH = config.age.secrets.acme-transip-key.path;
  };

  # Outbound mail (smartd / zed notifications) relayed through pennyworth.
  programs.msmtp = {
    enable = true;
    accounts.default = {
      auth = true;
      tls = true;
      from = "frumar@yori.cc";
      host = "pennyworth.yori.cc";
      user = "frumar@yori.cc";
      # The password is read from the agenix secret at send time instead of
      # being written into the generated msmtp config.
      passwordeval = "${pkgs.coreutils}/bin/cat ${config.age.secrets.frumar-mail-pass.path}";
    };
  };

  services.smartd = {
    enable = true;
    notifications.mail = {
      enable = true;
      sender = "frumar@yori.cc";
      recipient = "yorickvanpelt@gmail.com";
    };
  };

  # ZFS event daemon: mail pool events through the sendmail wrapper, at most
  # once per hour per event, and scrub automatically after a resilver.
  services.zfs.zed.settings = {
    ZED_EMAIL_ADDR = [ "yorickvanpelt@gmail.com" ];
    ZED_EMAIL_PROG = "/run/wrappers/bin/sendmail";
    ZED_EMAIL_OPTS = "@ADDRESS@";
    ZED_NOTIFY_INTERVAL_SECS = 3600;
    ZED_NOTIFY_VERBOSE = true;
    ZED_SCRUB_AFTER_RESILVER = true;
  };

  # oauth2-proxy in front of priv.yori.cc.  Only the listed address is allowed
  # through; keyFile holds the provider/cookie secrets (agenix, above).
  services.oauth2_proxy = {
    enable = true;
    email.addresses = "yorickvanpelt@gmail.com";
    redirectURL = "https://priv.yori.cc/oauth2/callback";
    reverseProxy = true;
    keyFile = config.age.secrets.oauth2-proxy.path;
    # needed for the X-User/X-Email forwarding in oauth2Block
    setXauthrequest = true;
    nginx.virtualHosts = [ "priv.yori.cc" ];
    # post-login redirects are only permitted back to this host
    extraConfig = {
      whitelist-domain = [ "priv.yori.cc" ];
    };
  };

  # Dashboard on loopback only.  "${path}" copies dashy.yaml into the Nix
  # store, which is world-readable, so that file must not contain secrets.
  services.dashy = {
    enable = true;
    host = "127.0.0.1";
    configFile = "${../../../dashy.yaml}";
  };

  services.yorick.marvin-tracker.enable = true;
}