feat(servers): add nos machine config

2024-03-02 02:59:40 -05:00 · 2024-03-02 02:59:40 -05:00 · 557dab9321
commit 557dab9321
parent 1470111ab2
13 changed files with 163 additions and 88 deletions
--- a/common/nix-on-droid.nix
+++ b/common/nix-on-droid.nix
@ -57,18 +57,15 @@
          # Desktop
          pc = "ssh -t matt@100.64.0.6 'tmux -2u new -At phone'";

-          # Misc Nix servers
+          # NAS
+          nos = "ssh -t matt@100.64.0.4 'tmux -2u new -At phone'";
+
+          # Experimenting server
          servivi = "ssh -t matt@100.64.0.7 'tmux -2u new -At phone'";

          # Cluster nodes
          thingone = "ssh -t matt@100.64.0.8 'tmux -2u new -At phone'";
          thingtwo = "ssh -t matt@100.64.0.9 'tmux -2u new -At phone'";
-
-          # Proxmox
-          pve = "ssh -t matt@100.64.0.4 'tmux -2u new -At phone'";
-
-          # Proxmox LXC instances
-          jelly = "mosh matt@100.64.0.4 -- ssh -t matt@10.0.0.123 'tmux -2u new -At phone'";
        };
      }
    ];
--- a/devices/cluster/modules/caddy.nix
+++ b/devices/cluster/modules/caddy.nix
@ -8,8 +8,6 @@
  inherit (config.sops) secrets;

  caddy = caddy-plugins.packages.${pkgs.system}.default;
-
-  clusterIP = config.services.pcsd.virtualIps.caddy-vip.ip;
 in {
  imports = [caddy-plugins.nixosModules.default];

@ -32,9 +30,8 @@ in {
    package = caddy;

    virtualHosts = let
-      dockerIP = "10.0.0.122";
-      jellyIP = "10.0.0.123";
-      servivi = "10.0.0.249";
+      clusterIP = config.services.pcsd.virtualIps.caddy-vip.ip;
+      nosIP = "10.0.0.121";
    in {
      "nelim.org" = {
        serverAliases = ["*.nelim.org"];
@ -47,17 +44,17 @@ in {

        subDomains = {
          # Misc one-liners
-          vault.reverseProxy = "${servivi}:8781";
-          hauk.reverseProxy = "${servivi}:3003";
+          vault.reverseProxy = "${nosIP}:8781";
+          hauk.reverseProxy = "${nosIP}:3003";
          headscale.reverseProxy = "${clusterIP}:8085";
-          jelly.reverseProxy = "${jellyIP}:80";
+          jelly.reverseProxy = "${nosIP}:8097";

          # Resume builder
-          resume.reverseProxy = "${servivi}:3060";
-          resauth.reverseProxy = "${servivi}:3100";
+          resume.reverseProxy = "${nosIP}:3060";
+          resauth.reverseProxy = "${nosIP}:3100";

          # Nextcloud & Co
-          office.reverseProxy = "http://${servivi}:8055";
+          office.reverseProxy = "http://${nosIP}:8055";
          nextcloud = {
            subDomainName = "cloud";
            extraConfig = ''
@ -66,81 +63,81 @@ in {
              redir /.well-known/webfinger /index.php/.well-known/webfinger 301
              redir /.well-known/nodeinfo /index.php/.well-known/nodeinfo 301
            '';
-            reverseProxy = "${servivi}:8042";
+            reverseProxy = "${nosIP}:8042";
          };

          forgejo = {
            subDomainName = "git";
-            reverseProxy = "${servivi}:3000";
+            reverseProxy = "${nosIP}:3000";
          };

          nix-binary-cache = {
            subDomainName = "cache";
-            reverseProxy = "${servivi}:5000";
+            reverseProxy = "${nosIP}:5000";
          };

          calibre = {
            subDomainName = "books";
-            reverseProxy = "${servivi}:8083";
+            reverseProxy = "${nosIP}:8083";
          };

          immich = {
            subDomainName = "photos";
-            reverseProxy = "${servivi}:2283";
+            reverseProxy = "${nosIP}:2283";
          };

          # FreshRSS & Co
-          drss.reverseProxy = "${servivi}:3007";
+          drss.reverseProxy = "${nosIP}:3007";
          freshrss = {
            subDomainName = "rss";
-            reverseProxy = "${servivi}:2800";
+            reverseProxy = "${nosIP}:2800";
          };

          jellyseer = {
            subDomainName = "seerr";
-            reverseProxy = "${servivi}:5055";
+            reverseProxy = "${nosIP}:5055";
          };

          gameyfin = {
            subDomainName = "games";
-            reverseProxy = "${servivi}:8074";
+            reverseProxy = "${nosIP}:8074";
          };

-          wgui.reverseProxy = "${servivi}:51821";
+          wgui.reverseProxy = "${nosIP}:51821";

          lan = {
-            reverseProxy = "${servivi}:3020";
+            reverseProxy = "${nosIP}:3020";
            extraConfig = ''
              redir /index.html /
            '';

            subDirectories = {
-              bazarr.reverseProxy = "${servivi}:6767";
+              bazarr.reverseProxy = "${nosIP}:6767";
              bazarr-french = {
                subDirName = "bafrr";
-                reverseProxy = "${servivi}:6766";
+                reverseProxy = "${nosIP}:6766";
              };

-              prowlarr.reverseProxy = "${servivi}:9696";
-              radarr.reverseProxy = "${servivi}:7878";
-              sabnzbd.reverseProxy = "${servivi}:8382";
-              sonarr.reverseProxy = "${servivi}:8989";
+              prowlarr.reverseProxy = "${nosIP}:9696";
+              radarr.reverseProxy = "${nosIP}:7878";
+              sabnzbd.reverseProxy = "${nosIP}:8382";
+              sonarr.reverseProxy = "${nosIP}:8989";

              calibre = {
                experimental = true;
-                reverseProxy = "${servivi}:8580";
+                reverseProxy = "${nosIP}:8580";
              };

              qbittorent = {
                subDirName = "qbt";
                experimental = true;
-                reverseProxy = "${servivi}:8080";
+                reverseProxy = "${nosIP}:8080";
              };

              vaultwarden = {
                subDirName = "vault";
                experimental = true;
-                reverseProxy = "${servivi}:8780";
+                reverseProxy = "${nosIP}:8780";
              };
            };
          };
@ -149,12 +146,12 @@ in {
          joal.extraConfig = ''
            route {
              rewrite * /joal/ui{uri}
-              reverse_proxy * ${servivi}:5656
+              reverse_proxy * ${nosIP}:5656
            }
          '';
          joalws.extraConfig = ''
            route {
-              reverse_proxy ${servivi}:5656
+              reverse_proxy ${nosIP}:5656
            }
          '';
        };
--- a/devices/nos/default.nix
+++ b/devices/nos/default.nix
@ -1,9 +1,50 @@
-# WIP
-{...}: {
+{config, ...}: let
+  inherit (config.vars) mainUser hostName;
+in {
  imports = [
+    ./hardware-configuration.nix
+
+    ../../modules/kmscon.nix
+    ../../modules/sshd.nix
+    ../../modules/tailscale.nix
+
    ./modules/arion
    ./modules/jellyfin
    ./modules/mergerfs.nix
    ./modules/qbittorrent
+    ./modules/snapraid.nix
  ];
+
+  vars = {
+    mainUser = "matt";
+    hostName = "nos";
+    #promptMainColor = "?";
+  };
+
+  users.users.${mainUser} = {
+      isNormalUser = true;
+      extraGroups = [
+        "wheel"
+        "adm"
+      ];
+  };
+
+  home-manager.users.${mainUser} = {
+    imports = [];
+
+    # No touchy
+    home.stateVersion = "24.05";
+  };
+
+  networking = {
+    inherit hostName;
+    resolvconf.enable = true;
+    firewall.enable = false;
+  };
+
+  # Set your time zone.
+  time.timeZone = "America/Montreal";
+
+  # No touchy
+  system.stateVersion = "24.05";
 }
--- a/devices/nos/hardware-configuration.nix
+++ b/devices/nos/hardware-configuration.nix
@ -0,0 +1,55 @@
+{
+  config,
+  modulesPath,
+  ...
+}: {
+  nixpkgs.hostPlatform = "x86_64-linux";
+  imports = [(modulesPath + "/installer/scan/not-detected.nix")];
+
+  boot = {
+    kernelModules = ["kvm-intel"];
+
+    initrd.availableKernelModules = [
+      "xhci_pci"
+      "ahci"
+      "nvme"
+      "usbhid"
+      "usb_storage"
+      "sd_mod"
+    ];
+
+    loader = {
+      efi.canTouchEfiVariables = true;
+      timeout = 2;
+
+      systemd-boot = {
+        enable = true;
+        consoleMode = "max";
+        configurationLimit = 30;
+      };
+    };
+  };
+
+  fileSystems = {
+    "/" = {
+      device = "/dev/disk/by-label/NIXROOT";
+      fsType = "btrfs";
+    };
+
+    "/boot" = {
+      device = "/dev/disk/by-label/NIXBOOT";
+      fsType = "vfat";
+    };
+  };
+
+  swapDevices = [
+    {
+      device = "/var/lib/swapfile";
+      size = 16 * 1024;
+    }
+  ];
+
+  zramSwap.enable = true;
+
+  hardware.cpu.intel.updateMicrocode = config.hardware.enableRedistributableFirmware;
+}
--- a/devices/nos/modules/arion/default.nix
+++ b/devices/nos/modules/arion/default.nix
@ -29,8 +29,8 @@ in {
    rwDataDir = configPath;
  };

-  services.borgbackup.configs.arion = {
-    paths = [configPath];
-    exclude = ["**/lineageos*"];
-  };
+  #services.borgbackup.configs.arion = {
+  #  paths = [configPath];
+  #  exclude = ["**/lineageos*"];
+  #};
 }
--- a/devices/nos/modules/jellyfin/jfa-go.nix
+++ b/devices/nos/modules/jellyfin/jfa-go.nix
@ -1,5 +1,8 @@
 {...}: {
-  systemd.services."arion-jfa-go".after = ["jellyfin.service"];
+  systemd.services."arion-jfa-go" = {
+    after = ["jellyfin.service"];
+    partOf = ["jellyfin.service"];
+  };

  arion.projects."jfa-go"."jfa-go" = {
    image = ./images/jfa-go.nix;
--- a/devices/nos/modules/jellyfin/nginx.conf
+++ b/devices/nos/modules/jellyfin/nginx.conf
@ -21,16 +21,13 @@ http {
 		## The default `client_max_body_size` is 1M, this might not be enough for some posters, etc.
 		client_max_body_size 20M;

-		# use a variable to store the upstream proxy
-		set $jellyfin 10.0.0.249;
-
 		location = / {
 			return 302 https://$host/web/;
 		}

 		location / {
 			# Proxy main Jellyfin traffic
-			proxy_pass http://$jellyfin:8096;
+			proxy_pass http://localhost:8096;
 			proxy_set_header Host $host;
 			proxy_set_header X-Real-IP $remote_addr;
 			proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
@ -45,7 +42,7 @@ http {
 		# location block for /web - This is purely for aesthetics so /web/#!/ works instead of having to go to /web/index.html/#!/
 		location = /web/ {
 			# Proxy main Jellyfin traffic
-			proxy_pass http://$jellyfin:8096/web/index.html;
+			proxy_pass http://localhost:8096/web/index.html;
 			proxy_set_header Host $host;
 			proxy_set_header X-Real-IP $remote_addr;
 			proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
@ -56,7 +53,7 @@ http {

 		location /socket {
 			# Proxy Jellyfin Websockets traffic
-			proxy_pass http://$jellyfin:8096;
+			proxy_pass http://localhost:8096;
 			proxy_http_version 1.1;
 			proxy_set_header Upgrade $http_upgrade;
 			proxy_set_header Connection "upgrade";
--- a/devices/nos/modules/mergerfs.nix
+++ b/devices/nos/modules/mergerfs.nix
@ -4,25 +4,6 @@ in {
  system.fsPackages = fsPkgs;
  environment.systemPackages = fsPkgs;

-  fileSystems."/data" = {
-    device = "//10.0.0.121/public";
-    fsType = "cifs";
-    options = [
-      "x-systemd.automount"
-      "noauto"
-      "x-systemd.idle-timeout=60"
-      "x-systemd.device-timeout=5s"
-      "x-systemd.mount-timeout=5s"
-      "uid=1000"
-      "gid=1000"
-      "credentials=${builtins.toFile "creds.txt" ''
-        username=root
-        domain=WORKGROUP
-      ''}"
-    ];
-  };
-
-  /*
  fileSystems = {
    "MergerFS Data" = {
      mountPoint = "/data";
@ -90,6 +71,11 @@ in {
      fsType = "ext4";
      device = "/dev/disk/by-id/ata-WDC_WD80EAZZ-00BKLB0_WD-CA1GN0GK-part1";
    };
+
+    "d8 8tb-6" = {
+      mountPoint = "/mnt/drives/8tb6";
+      fsType = "ext4";
+      device = "/dev/disk/by-id/ata-ST8000DM004-2U9188_ZR15JMHV-part1";
+    };
  };
-  */
 }
--- a/devices/nos/modules/snapraid.nix
+++ b/devices/nos/modules/snapraid.nix
@ -36,7 +36,7 @@ in {
      parityDrives);

    contentFiles =
-      ["/var/snapraid/content"]
+      ["/var/snapraid.content"]
      ++ map (fs: "${fs.mountPoint}/content") (attrValues dataDrives);

    exclude = [
--- a/devices/servivi/default.nix
+++ b/devices/servivi/default.nix
@ -11,9 +11,6 @@ in {
    ./modules/binary-cache.nix
    ./modules/minecraft.nix
    ./modules/nfs.nix
-
-    # WIP
-    ../nos
  ];

  vars = {
--- a/flake.lock
+++ b/flake.lock
@ -1343,11 +1343,11 @@
        "sops-nix": "sops-nix"
      },
      "locked": {
-        "lastModified": 1709273629,
-        "narHash": "sha256-VdU3WH3Pv8ai+/X9z1VucGra1YkZPEUjzcO/F/jhguw=",
+        "lastModified": 1709358901,
+        "narHash": "sha256-/6XBTAxSATwbCudcqnDyx0yM2ic8ctKxdkp5wvH1VIk=",
        "ref": "refs/heads/main",
-        "rev": "e0ab13ca6b37c5e87953a5616f5b0b0f837590c6",
-        "revCount": 53,
+        "rev": "d6f17af6dc95428212abb0219195bdab2498fb3a",
+        "revCount": 54,
        "type": "git",
        "url": "ssh://git@git.nelim.org/matt1432/nixos-secrets"
      },
--- a/flake.nix
+++ b/flake.nix
@ -38,6 +38,11 @@
      ];
      binto = mkNixOS [./devices/binto];

+      nos = mkNixOS [
+        ./devices/nos
+        secrets.nixosModules.nos
+      ];
+
      servivi = mkNixOS [
        ./devices/servivi
        secrets.nixosModules.servivi
--- a/modules/tailscale.nix
+++ b/modules/tailscale.nix
@ -23,18 +23,15 @@ in {
      # Desktop
      pc = "ssh -t matt@binto 'tmux -2u new -At ${hostName}'";

-      # Misc Nix servers
+      # NAS
+      nos = "ssh -t matt@nos 'tmux -2u new -At ${hostName}'";
+
+      # Experimenting server
      servivi = "ssh -t matt@servivi 'tmux -2u new -At ${hostName}'";

      # Cluster nodes
      thingone = "ssh -t matt@thingone 'tmux -2u new -At ${hostName}'";
      thingtwo = "ssh -t matt@thingtwo 'tmux -2u new -At ${hostName}'";
-
-      # Proxmox
-      pve = "ssh -t matt@pve 'tmux -2u new -At ${hostName}'";
-
-      # Proxmox LXC instances
-      jelly = "mosh matt@pve -- ssh -t matt@10.0.0.123 'tmux -2u new -At ${hostName}'";
    };
  };
 }