vps-arm-2024-06-21-21-12-49

2024-06-21 21:12:49 +02:00
parent d949a285c2
commit 2a0d9b1531
9 changed files with 317 additions and 44 deletions
--- a/configs/common.nix
+++ b/configs/common.nix
@ -107,6 +107,7 @@
    parallel
    pciutils
    ruby
+    progress
    unixtools.xxd
    unzip
    usbutils
@ -119,7 +120,7 @@
  };

  boot = {
-    tmp.useTmpfs = true;
+    tmp.useTmpfs = false;
    kernelParams = [ "quiet" ];
    consoleLogLevel = 0;
    kernel.sysctl = { "vm.max_map_count" = 262144; };
--- a/machine/vps-arm.nix
+++ b/machine/vps-arm.nix
@ -10,6 +10,13 @@ in
      ../configs/common.nix
      ../configs/docker.nix
      ../configs/user.nix
+
+      ../services/adguardhome.nix
+      ../services/frigate.nix
+      ../services/gitea.nix
+      ../services/nextcloud.nix
+      ../services/rustdesk-server.nix
+      ../services/uptime-kuma.nix
    ];

  boot.loader = {
@ -30,7 +37,7 @@ in
    interfaces.enp7s0 = {
      useDHCP = true;
      ipv6.addresses = [{
-        address = "2a0a:4cc0:1:124c::";
+        address = "2a0a:4cc0:1:124c::1";
        prefixLength = 64;
      }];
    };
@ -38,26 +45,16 @@ in
      allowPing = true;
      allowedTCPPorts = [
        80 # web
-        222 # SSH for gitea
+        # 222 # SSH for gitea
        443 # web
-        9898 # i2p
-        9899
-        18080
-        21114 #Rustdesk
-        21115 #Rustdesk
-        21116 #Rustdesk
-        21117 #Rustdesk
-        21118 #Rustdesk
-        21119 #Rustdesk
-        22000 # syncthing
+        # 9898 # i2p
      ];
      allowedUDPPorts = [
        80 # web
        443 # web
        3478 # headscale
-        9898 # i2p
-        21116 # Rustdesk
-        51820 # wireguard
+        # 9898 # i2p
+        # 51820 # wireguard
      ];
    };
  };
@ -66,8 +63,6 @@ in
    goaccess
    xd
    nyx
-    mkp224o
-    progress
    headscale
  ];

@ -81,6 +76,8 @@ in
    acceptTerms = true;
  };

+  # environment.etc."nextcloud-admin-pass".text = "PWD";
+
  services = {
    nginx = {
      enable = true;
@ -100,38 +97,24 @@ in
      '';

      virtualHosts = {
-        "git.v220240679185274666.nicesrv.de" = {
+        ${config.services.gitea.settings.server.DOMAIN} = {
          forceSSL = true;
          enableACME = true;
          locations = { "/" = { proxyPass = "http://127.0.0.1:3001/"; }; };
        };
-      };
-    };

-    postgresql = {
-      enable = true;
-      ensureDatabases = [ config.services.gitea.user ];
-      ensureUsers = [{
-        name = config.services.gitea.database.user;
-        ensureDBOwnership = true;
-        # ensurePermissions."DATABASE ${config.services.gitea.database.name}" = "ALL PRIVILEGES";
-      }];
-    };
-
-    gitea = {
-      enable = true;
-      appName = "My awesome Gitea server"; # Give the site a name
-      database = {
-        type = "postgres";
-        password = "REMOVED_OLD_PASSWORD_FROM_HISTORY";
-      };
-      settings = {
-        server = {
-          DOMAIN = "git.v220240679185274666.nicesrv.de";
-          ROOT_URL = "https://git.v220240679185274666.nicesrv.de/";
-          HTTP_PORT = 3001;
+        ${config.services.nextcloud.hostName} = {
+          forceSSL = true;
+          enableACME = true;
+        };
+
+        ${config.services.adguardhome.settings.tls.server_name} = {
+          forceSSL = true;
+          enableACME = true;
+          locations = {
+            "/" = { proxyPass = "https://127.0.0.1:3003/"; };
+          };
        };
-        service.DISABLE_REGISTRATION = true;
      };
    };

--- a/services/adguardhome.nix
+++ b/services/adguardhome.nix
@ -0,0 +1,62 @@
+{ config, pkgs, lib, ... }:
+{
+  services = {
+    adguardhome = {
+      enable = true;
+      # mutableSettings = true;
+      host = "127.0.0.1";
+      port = 3002;
+      settings = {
+        users = [{
+          name = "alex";
+          password = "$2a$10$g5byXeV9EsVAhUdmso5hv.MkeMi0XGKbEejzx0Y4xmucAg1BNGKoi";
+        }];
+        dns = {
+          bind_hots = [
+            "127.0.0.1"
+          ];
+          port = 54;
+          upstream_dns = [
+            # Example config with quad9
+            "9.9.9.9"
+            "149.112.112.112"
+            # Uncomment the following to use a local DNS service (e.g. Unbound)
+            # Additionally replace the address & port as needed
+            # "127.0.0.1:5335"
+          ];
+        };
+        filtering = {
+          protection_enabled = true;
+          filtering_enabled = true;
+
+          parental_enabled = false; # Parental control-based DNS requests filtering.
+          safe_search = {
+            enabled = false; # Enforcing "Safe search" option for search engines, when possible.
+          };
+        };
+        statistics = {
+          enabled = true;
+        };
+        tls = {
+          server_name = "dns.v220240679185274666.nicesrv.de";
+          enabled = true;
+          allow_unencrypted_doh = true;
+          port_dns_over_tls = 853;
+          port_dns_over_quic = 0;
+          port_https = 3003;
+          certificate_chain = "";
+          private_key = "";
+          certificate_path = "/var/lib/chain.pem";
+          private_key_path = "/var/lib/key.pem";
+        };
+        # The following notation uses map
+        # to not have to manually create {enabled = true; url = "";} for every filter
+        # This is,qq however, fully optional
+        filters = map (url: { enabled = true; url = url; }) [
+          "https://adguardteam.github.io/HostlistsRegistry/assets/filter_9.txt" # The Big List of Hacked Malware Web Sites
+          "https://adguardteam.github.io/HostlistsRegistry/assets/filter_11.txt" # malicious url blocklist
+        ];
+      };
+    };
+  };
+}
--- a/services/frigate.nix
+++ b/services/frigate.nix
@ -0,0 +1,56 @@
+{ config, lib, pkgs, ... }:
+let
+  unstable = import <nixos-unstable> { config.allowUnfree = true; };
+in
+{
+  services = {
+    frigate = {
+      enable = true;
+      package = unstable.pkgs.frigate;
+      hostname = "100.64.0.7";
+
+      settings = {
+        logger = {
+          default = "info";
+          logs = {
+            "frigate.event" = "debug";
+          };
+        };
+
+        mqtt.enabled = false;
+
+        detectors.cpu1 = {
+          type = "cpu";
+          num_threads = 4;
+        };
+
+        # ffmpeg.hwaccel_args = "preset-vaapi";
+
+        cameras = {
+          home = {
+            ffmpeg.inputs = [{
+              path = "rtsp://admin:REMOVED@192.168.178.34:554/H.264";
+              # input_args = "preset-rtsp-restream";
+              # roles = [ "record" "detect" ];
+              roles = [ "record" ];
+            }];
+
+            record = {
+              enabled = true;
+              retain = {
+                days = 7;
+                mode = "all";
+              };
+              # events = {
+              #   retain = {
+              #     default = 14;
+              #   };
+              # };
+            };
+
+          };
+        };
+      };
+    };
+  };
+}
--- a/services/gitea.nix
+++ b/services/gitea.nix
@ -0,0 +1,35 @@
+{ config, lib, pkgs, ... }:
+{
+  services = {
+    postgresql = {
+      enable = true;
+      ensureDatabases = [
+        config.services.gitea.user
+      ];
+      ensureUsers = [
+        {
+          name = config.services.gitea.database.user;
+          ensureDBOwnership = true;
+        }
+      ];
+    };
+
+    gitea = {
+      enable = true;
+      appName = "My awesome Gitea server"; # Give the site a name
+      database = {
+        type = "postgres";
+        password = "REMOVED_OLD_PASSWORD_FROM_HISTORY";
+      };
+      settings = {
+        server = {
+          DOMAIN = "git.v220240679185274666.nicesrv.de";
+          ROOT_URL = "https://git.v220240679185274666.nicesrv.de/";
+          HTTP_PORT = 3001;
+          HTTP_ADDR = "127.0.0.1";
+        };
+        service.DISABLE_REGISTRATION = true;
+      };
+    };
+  };
+}
--- a/services/headscale.nix
+++ b/services/headscale.nix
@ -0,0 +1,28 @@
+{ config, lib, pkgs, ... }:
+{
+  services = {
+    headscale = {
+      enable = true;
+      address = "127.0.0.1";
+      port = 8088;
+      # dns = { baseDomain = "example.com"; };
+      settings = {
+        logtail.enabled = false;
+        server_url = "https://headscale.szczepan.ski";
+        ip_prefixes = [
+          "100.64.0.0/10"
+        ];
+        dns_config = {
+          base_domain = "szczepan.ski";
+          magic_dns = true;
+          domains = [ "headscale.szczepan.ski" ];
+          nameservers = [
+            "1.1.1.1"
+            "9.9.9.9"
+          ];
+        };
+      };
+    };
+
+  };
+}
--- a/services/nextcloud.nix
+++ b/services/nextcloud.nix
@ -0,0 +1,76 @@
+{ config, lib, pkgs, ... }:
+{
+  services = {
+    postgresql = {
+      enable = true;
+      ensureDatabases = [
+        config.services.nextcloud.config.dbname
+      ];
+      ensureUsers = [
+        {
+          name = config.services.nextcloud.config.dbuser;
+          ensureDBOwnership = true;
+          # ensurePermissions."DATABASE ${config.services.gitea.database.name}" = "ALL PRIVILEGES";
+        }
+      ];
+    };
+
+    nextcloud = {
+      enable = true;
+      hostName = "nextcloud.v220240679185274666.nicesrv.de";
+
+      # Need to manually increment with every major upgrade.
+      package = pkgs.nextcloud29;
+
+      # Let NixOS install and configure the database automatically.
+      database.createLocally = true;
+
+      # Let NixOS install and configure Redis caching automatically.
+      configureRedis = true;
+
+      # Increase the maximum file upload size to avoid problems uploading videos.
+      maxUploadSize = "16G";
+      https = true;
+
+      autoUpdateApps = {
+        enable = true; # Set what time makes sense for you
+        startAt = "05:00:00";
+      };
+
+      extraAppsEnable = true;
+      extraApps = with config.services.nextcloud.package.packages.apps; {
+        # List of apps we want to install and are already packaged in
+        # https://github.com/NixOS/nixpkgs/blob/master/pkgs/servers/nextcloud/packages/nextcloud-apps.json
+        inherit
+          bookmarks
+          calendar
+          contacts
+          deck
+          end_to_end_encryption
+          mail
+          maps
+          memories
+          music
+          notes
+          notify_push
+          onlyoffice
+          phonetrack
+          previewgenerator
+          tasks
+          unroundedcorners;
+      };
+
+      settings = {
+        overwriteProtocol = "https";
+        default_phone_region = "DE";
+        log_type = "file";
+      };
+
+      config = {
+        dbtype = "pgsql";
+        adminuser = "alex";
+        adminpassFile = "/var/nextcloud-admin-pass";
+      };
+    };
+  };
+}
--- a/services/rustdesk-server.nix
+++ b/services/rustdesk-server.nix
@ -0,0 +1,10 @@
+{ config, lib, pkgs, ... }:
+{
+  services = {
+    rustdesk-server = {
+      enable = true;
+      openFirewall = true;
+      relayIP = "152.53.18.107";
+    };
+  };
+}
--- a/services/uptime-kuma.nix
+++ b/services/uptime-kuma.nix
@ -0,0 +1,22 @@
+{ config, lib, pkgs, ... }:
+{
+  services = {
+    uptime-kuma = {
+      enable = true;
+      settings = {
+        PORT = "4000";
+        HOST = "127.0.0.1";
+      };
+    };
+
+    nginx = {
+      virtualHosts = {
+        "uptime-kuma.v220240679185274666.nicesrv.de" = {
+          forceSSL = true;
+          enableACME = true;
+          locations = { "/" = { proxyPass = "http://127.0.0.1:4000/"; }; };
+        };
+      };
+    };
+  };
+}