diff --git a/configs/common.nix b/configs/common.nix index d956505..a676938 100755 --- a/configs/common.nix +++ b/configs/common.nix @@ -107,6 +107,7 @@ parallel pciutils ruby + progress unixtools.xxd unzip usbutils @@ -119,7 +120,7 @@ }; boot = { - tmp.useTmpfs = true; + tmp.useTmpfs = false; kernelParams = [ "quiet" ]; consoleLogLevel = 0; kernel.sysctl = { "vm.max_map_count" = 262144; }; diff --git a/machine/vps-arm.nix b/machine/vps-arm.nix index 13467c0..d3f93f5 100755 --- a/machine/vps-arm.nix +++ b/machine/vps-arm.nix @@ -10,6 +10,13 @@ in ../configs/common.nix ../configs/docker.nix ../configs/user.nix + + ../services/adguardhome.nix + ../services/frigate.nix + ../services/gitea.nix + ../services/nextcloud.nix + ../services/rustdesk-server.nix + ../services/uptime-kuma.nix ]; boot.loader = { @@ -30,7 +37,7 @@ in interfaces.enp7s0 = { useDHCP = true; ipv6.addresses = [{ - address = "2a0a:4cc0:1:124c::"; + address = "2a0a:4cc0:1:124c::1"; prefixLength = 64; }]; }; @@ -38,26 +45,16 @@ in allowPing = true; allowedTCPPorts = [ 80 # web - 222 # SSH for gitea + # 222 # SSH for gitea 443 # web - 9898 # i2p - 9899 - 18080 - 21114 #Rustdesk - 21115 #Rustdesk - 21116 #Rustdesk - 21117 #Rustdesk - 21118 #Rustdesk - 21119 #Rustdesk - 22000 # syncthing + # 9898 # i2p ]; allowedUDPPorts = [ 80 # web 443 # web 3478 # headscale - 9898 # i2p - 21116 # Rustdesk - 51820 # wireguard + # 9898 # i2p + # 51820 # wireguard ]; }; }; @@ -66,8 +63,6 @@ in goaccess xd nyx - mkp224o - progress headscale ]; @@ -81,6 +76,8 @@ in acceptTerms = true; }; + # environment.etc."nextcloud-admin-pass".text = "PWD"; + services = { nginx = { enable = true; 
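Review bot: Flipping `tmp.useTmpfs` to false in the `boot` block of configs/common.nix turns /tmp into a directory on the root filesystem that survives reboots, so temporary files now persist unless something else clears them. If the goal is only to stop /tmp from consuming RAM on the VPS, adding `tmp.cleanOnBoot = true;` next to it keeps the clean-slate-on-reboot behaviour the tmpfs gave. The reason for the change is not visible in the hunk; since common.nix applies to every machine, a one-line comment such as `# tmpfs /tmp is disabled on purpose; see <reason>` would help the next reader.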
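Review bot: The new imports list in machine/vps-arm.nix pulls in six of the seven service modules this commit creates but not `../services/headscale.nix`, even though the same host still opens UDP 3478 "for headscale" and keeps the headscale package installed. Unless that file is imported from somewhere outside this diff, the new headscale settings (loopback bind on 127.0.0.1:8088, logtail disabled) never take effect on this machine. Either add `../services/headscale.nix` to the list or leave a comment in the file saying why it is intentionally not imported.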
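Review bot: In the `allowedTCPPorts`/`allowedUDPPorts` lists of machine/vps-arm.nix the entries for 222, 9898 and 51820 are commented out while the Rustdesk and syncthing ports are deleted outright, so it is unclear which closures are temporary and which are final. Git history already preserves the old lists; deleting the commented lines keeps the firewall definition a statement of what is open today. It also looks like the Rustdesk ports are now meant to come from `openFirewall = true` in the new services/rustdesk-server.nix; a comment such as `# Rustdesk ports are opened by services/rustdesk-server.nix` next to the TCP list would make that dependency visible to whoever audits the firewall next.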
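Review bot: The commented-out `environment.etc."nextcloud-admin-pass".text = "PWD";` added to machine/vps-arm.nix is a trap: anything set through `environment.etc.*.text` is rendered into the world-readable Nix store, so enabling that line would expose the Nextcloud admin password to every local user and commit it to git, and it would also create `/etc/nextcloud-admin-pass` while services/nextcloud.nix reads `adminpassFile = "/var/nextcloud-admin-pass"`. Replace the comment with one describing the out-of-band step instead, e.g. `# /var/nextcloud-admin-pass is created manually, readable only by the nextcloud user, before first activation`, or provision the file through a secrets mechanism that keeps it out of the store.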
@@ -100,38 +97,24 @@ in ''; virtualHosts = { - "git.v220240679185274666.nicesrv.de" = { + ${config.services.gitea.settings.server.DOMAIN} = { forceSSL = true; enableACME = true; locations = { "/" = { proxyPass = "http://127.0.0.1:3001/"; }; }; }; - }; - }; - postgresql = { - enable = true; - ensureDatabases = [ config.services.gitea.user ]; - ensureUsers = [{ - name = config.services.gitea.database.user; - ensureDBOwnership = true; - # ensurePermissions."DATABASE ${config.services.gitea.database.name}" = "ALL PRIVILEGES"; - }]; - }; - - gitea = { - enable = true; - appName = "My awesome Gitea server"; # Give the site a name - database = { - type = "postgres"; - password = "REMOVED_OLD_PASSWORD_FROM_HISTORY"; - }; - settings = { - server = { - DOMAIN = "git.v220240679185274666.nicesrv.de"; - ROOT_URL = "https://git.v220240679185274666.nicesrv.de/"; - HTTP_PORT = 3001; + ${config.services.nextcloud.hostName} = { + forceSSL = true; + enableACME = true; + }; + + ${config.services.adguardhome.settings.tls.server_name} = { + forceSSL = true; + enableACME = true; + locations = { + "/" = { proxyPass = "https://127.0.0.1:3003/"; }; + }; }; - service.DISABLE_REGISTRATION = true; }; }; diff --git a/services/adguardhome.nix b/services/adguardhome.nix new file mode 100644 index 0000000..95c03d7 --- /dev/null +++ b/services/adguardhome.nix 
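Review bot: The new AdGuard virtual host in machine/vps-arm.nix proxies to `https://127.0.0.1:3003/`, which is AdGuard's TLS listener (`port_https = 3003` in services/adguardhome.nix) backed by `/var/lib/chain.pem` and `/var/lib/key.pem`, and nothing in this commit provisions those files; nginx also does not verify upstream certificates by default, so the extra TLS hop on loopback buys little. Pointing the vhost at the plain admin listener, `proxyPass = "http://127.0.0.1:3002/";`, removes the dependency on hand-placed certificates; if the https upstream is intentional, a comment saying where chain.pem/key.pem come from is needed. Keying the vhosts on `${config.services.*}` values is a good move that keeps each domain in one place; services/uptime-kuma.nix still uses a literal hostname and could follow the same pattern. The enclosing `services`/`nginx` attribute set starts before this hunk.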
@@ -0,0 +1,62 @@
+{ config, pkgs, lib, ... }:
+{
+ services = {
+ adguardhome = {
+ enable = true;
+ # mutableSettings = true;
+ host = "127.0.0.1";
+ port = 3002;
+ settings = {
+ users = [{
+ name = "alex";
+ password = "$2a$10$g5byXeV9EsVAhUdmso5hv.MkeMi0XGKbEejzx0Y4xmucAg1BNGKoi";
+ }];
+ dns = {
+ bind_hots = [
+ "127.0.0.1"
+ ];
+ port = 54;
+ upstream_dns = [
+ # Example config with quad9
+ "9.9.9.9"
+ "149.112.112.112"
+ # Uncomment the following to use a local DNS service (e.g. Unbound)
+ # Additionally replace the address & port as needed
+ # "127.0.0.1:5335"
+ ];
+ };
+ filtering = {
+ protection_enabled = true;
+ filtering_enabled = true;
+
+ parental_enabled = false; # Parental control-based DNS requests filtering.
+ safe_search = {
+ enabled = false; # Enforcing "Safe search" option for search engines, when possible.
+ };
+ };
+ statistics = {
+ enabled = true;
+ };
+ tls = {
+ server_name = "dns.v220240679185274666.nicesrv.de";
+ enabled = true;
+ allow_unencrypted_doh = true;
+ port_dns_over_tls = 853;
+ port_dns_over_quic = 0;
+ port_https = 3003;
+ certificate_chain = "";
+ private_key = "";
+ certificate_path = "/var/lib/chain.pem";
+ private_key_path = "/var/lib/key.pem";
+ };
+ # The following notation uses map
+ # to not have to manually create {enabled = true; url = "";} for every filter
+ # This is,qq however, fully optional
+ filters = map (url: { enabled = true; url = url; }) [
+ "https://adguardteam.github.io/HostlistsRegistry/assets/filter_9.txt" # The Big List of Hacked Malware Web Sites
+ "https://adguardteam.github.io/HostlistsRegistry/assets/filter_11.txt" # malicious url blocklist
+ ];
+ };
+ };
+ };
+}
diff --git a/services/frigate.nix b/services/frigate.nix
new file mode 100644
index 0000000..c23f2c1
--- /dev/null
+++ b/services/frigate.nix
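Review bot: `bind_hots` in the `dns` block of services/adguardhome.nix is a typo for `bind_hosts`, so the loopback-only binding is silently ignored and the DNS listener on port 54 falls back to AdGuard's default bind, which as far as I recall is all interfaces rather than 127.0.0.1; fix the key to `bind_hosts = [ "127.0.0.1" ];` (the firewall hunk does not open 54, but the config should say what it means). The `users` entry commits a bcrypt hash of the admin password; since declarative `settings` are generated into the world-readable Nix store and the hash is now in git history, consider the module's commented-out `mutableSettings` route or creating the user outside the Nix expression. The TLS block enables DoT on 853 and HTTPS on 3003 with empty `certificate_chain`/`private_key` and file paths that nothing in this commit creates, so the TLS listeners will presumably not come up until those files exist; a comment documenting how `/var/lib/chain.pem` and `/var/lib/key.pem` are provisioned belongs next to `certificate_path`.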
@@ -0,0 +1,56 @@
+{ config, lib, pkgs, ... }:
+let
+ unstable = import { config.allowUnfree = true; };
+in
+{
+ services = {
+ frigate = {
+ enable = true;
+ package = unstable.pkgs.frigate;
+ hostname = "100.64.0.7";
+
+ settings = {
+ logger = {
+ default = "info";
+ logs = {
+ "frigate.event" = "debug";
+ };
+ };
+
+ mqtt.enabled = false;
+
+ detectors.cpu1 = {
+ type = "cpu";
+ num_threads = 4;
+ };
+
+ # ffmpeg.hwaccel_args = "preset-vaapi";
+
+ cameras = {
+ home = {
+ ffmpeg.inputs = [{
+ path = "rtsp://admin:REMOVED@192.168.178.34:554/H.264";
+ # input_args = "preset-rtsp-restream";
+ # roles = [ "record" "detect" ];
+ roles = [ "record" ];
+ }];
+
+ record = {
+ enabled = true;
+ retain = {
+ days = 7;
+ mode = "all";
+ };
+ # events = {
+ # retain = {
+ # default = 14;
+ # };
+ # };
+ };
+
+ };
+ };
+ };
+ };
+ };
+}
diff --git a/services/gitea.nix b/services/gitea.nix
new file mode 100644
index 0000000..51d1773
--- /dev/null
+++ b/services/gitea.nix
@@ -0,0 +1,35 @@
+{ config, lib, pkgs, ... }:
+{
+ services = {
+ postgresql = {
+ enable = true;
+ ensureDatabases = [
+ config.services.gitea.user
+ ];
+ ensureUsers = [
+ {
+ name = config.services.gitea.database.user;
+ ensureDBOwnership = true;
+ }
+ ];
+ };
+
+ gitea = {
+ enable = true;
+ appName = "My awesome Gitea server"; # Give the site a name
+ database = {
+ type = "postgres";
+ password = "REMOVED_OLD_PASSWORD_FROM_HISTORY";
+ };
+ settings = {
+ server = {
+ DOMAIN = "git.v220240679185274666.nicesrv.de";
+ ROOT_URL = "https://git.v220240679185274666.nicesrv.de/";
+ HTTP_PORT = 3001;
+ HTTP_ADDR = "127.0.0.1";
+ };
+ service.DISABLE_REGISTRATION = true;
+ };
+ };
+ };
+}
diff --git a/services/headscale.nix b/services/headscale.nix
new file mode 100644
index 0000000..ce6fd06
--- /dev/null
+++ b/services/headscale.nix
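Review bot: `path = "rtsp://admin:REMOVED@192.168.178.34:554/H.264"` in services/frigate.nix embeds the camera credentials in the generated Frigate config, which ends up in the Nix store and in git; the `REMOVED` placeholder suggests this has already had to be scrubbed once. Frigate substitutes `{FRIGATE_RTSP_PASSWORD}`-style references from its environment, so the password can stay out of the Nix expression and be supplied through an environment file outside the store; at minimum the line needs a comment saying the value must be substituted out-of-band. The `let unstable = import { config.allowUnfree = true; };` line also deserves a second look: as shown here it has no path argument, so unless an angle-bracket channel reference was lost in rendering, this expression does not evaluate.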
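Review bot: `database.password = "REMOVED_OLD_PASSWORD_FROM_HISTORY"` in services/gitea.nix puts the database credential into the Nix store and, as the placeholder's own wording shows, has already had to be purged from git history once; the gitea module offers `database.passwordFile`, and with the local PostgreSQL role created through `ensureUsers` socket authentication typically needs no password at all. The `postgresql.ensureDatabases` entry uses `config.services.gitea.user` while the owner is `config.services.gitea.database.user`; `ensureDBOwnership` requires the database to be named after its owner, so this only works because both options default to the same string — `config.services.gitea.database.name` states the intent directly. Port 222 is no longer opened by the firewall hunk; if SSH clone URLs are still advertised, that should be reflected here (for example with `server.DISABLE_SSH = true;`) or explained in a comment.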
@@ -0,0 +1,28 @@
+{ config, lib, pkgs, ... }:
+{
+ services = {
+ headscale = {
+ enable = true;
+ address = "127.0.0.1";
+ port = 8088;
+ # dns = { baseDomain = "example.com"; };
+ settings = {
+ logtail.enabled = false;
+ server_url = "https://headscale.szczepan.ski";
+ ip_prefixes = [
+ "100.64.0.0/10"
+ ];
+ dns_config = {
+ base_domain = "szczepan.ski";
+ magic_dns = true;
+ domains = [ "headscale.szczepan.ski" ];
+ nameservers = [
+ "1.1.1.1"
+ "9.9.9.9"
+ ];
+ };
+ };
+ };
+
+ };
+}
diff --git a/services/nextcloud.nix b/services/nextcloud.nix
new file mode 100644
index 0000000..75c925b
--- /dev/null
+++ b/services/nextcloud.nix
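Review bot: The commented `# dns = { baseDomain = "example.com"; };` line in services/headscale.nix looks like a leftover from a different option layout and sits directly above the `dns_config` block that actually configures DNS; delete it rather than leave two spellings of the same setting for the next reader to reconcile. A short header comment stating that the server listens only on loopback (`address = "127.0.0.1"`, `port = 8088`) and expects a TLS-terminating proxy in front of it would also make the file self-explanatory, since no matching nginx vhost appears in this commit.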
@@ -0,0 +1,76 @@
+{ config, lib, pkgs, ... }:
+{
+ services = {
+ postgresql = {
+ enable = true;
+ ensureDatabases = [
+ config.services.nextcloud.config.dbname
+ ];
+ ensureUsers = [
+ {
+ name = config.services.nextcloud.config.dbuser;
+ ensureDBOwnership = true;
+ # ensurePermissions."DATABASE ${config.services.gitea.database.name}" = "ALL PRIVILEGES";
+ }
+ ];
+ };
+
+ nextcloud = {
+ enable = true;
+ hostName = "nextcloud.v220240679185274666.nicesrv.de";
+
+ # Need to manually increment with every major upgrade.
+ package = pkgs.nextcloud29;
+
+ # Let NixOS install and configure the database automatically.
+ database.createLocally = true;
+
+ # Let NixOS install and configure Redis caching automatically.
+ configureRedis = true;
+
+ # Increase the maximum file upload size to avoid problems uploading videos.
+ maxUploadSize = "16G";
+ https = true;
+
+ autoUpdateApps = {
+ enable = true; # Set what time makes sense for you
+ startAt = "05:00:00";
+ };
+
+ extraAppsEnable = true;
+ extraApps = with config.services.nextcloud.package.packages.apps; {
+ # List of apps we want to install and are already packaged in
+ # https://github.com/NixOS/nixpkgs/blob/master/pkgs/servers/nextcloud/packages/nextcloud-apps.json
+ inherit
+ bookmarks
+ calendar
+ contacts
+ deck
+ end_to_end_encryption
+ mail
+ maps
+ memories
+ music
+ notes
+ notify_push
+ onlyoffice
+ phonetrack
+ previewgenerator
+ tasks
+ unroundedcorners;
+ };
+
+ settings = {
+ overwriteProtocol = "https";
+ default_phone_region = "DE";
+ log_type = "file";
+ };
+
+ config = {
+ dbtype = "pgsql";
+ adminuser = "alex";
+ adminpassFile = "/var/nextcloud-admin-pass";
+ };
+ };
+ };
+}
diff --git a/services/rustdesk-server.nix b/services/rustdesk-server.nix
new file mode 100644
index 0000000..f69f0d5
--- /dev/null
+++ b/services/rustdesk-server.nix
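Review bot: `adminpassFile = "/var/nextcloud-admin-pass"` in services/nextcloud.nix refers to a file that nothing in this commit creates, and the only hint (a commented-out `environment.etc` line in machine/vps-arm.nix) points at `/etc/nextcloud-admin-pass` instead; first activation will presumably fail until the file exists, so a comment such as `# must exist before first activation, readable by the nextcloud user; never create it via environment.etc` is needed. The hand-written `postgresql` block duplicates what `database.createLocally = true` already sets up for `config.services.nextcloud.config.dbuser`, so one of the two can go. Two copy-paste leftovers: the commented `ensurePermissions."DATABASE ${config.services.gitea.database.name}"` line refers to gitea, not nextcloud, and the comment `# Set what time makes sense for you` sits on `enable = true;` rather than on `startAt`.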
@@ -0,0 +1,10 @@
+{ config, lib, pkgs, ... }:
+{
+ services = {
+ rustdesk-server = {
+ enable = true;
+ openFirewall = true;
+ relayIP = "152.53.18.107";
+ };
+ };
+}
diff --git a/services/uptime-kuma.nix b/services/uptime-kuma.nix
new file mode 100644
index 0000000..4c9de97
--- /dev/null
+++ b/services/uptime-kuma.nix
@@ -0,0 +1,22 @@
+{ config, lib, pkgs, ... }:
+{
+ services = {
+ uptime-kuma = {
+ enable = true;
+ settings = {
+ PORT = "4000";
+ HOST = "127.0.0.1";
+ };
+ };
+
+ nginx = {
+ virtualHosts = {
+ "uptime-kuma.v220240679185274666.nicesrv.de" = {
+ forceSSL = true;
+ enableACME = true;
+ locations = { "/" = { proxyPass = "http://127.0.0.1:4000/"; }; };
+ };
+ };
+ };
+ };
+}
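Review bot: `openFirewall = true` in services/rustdesk-server.nix takes over the explicit 21114–21119 entries that the firewall hunk removes from machine/vps-arm.nix, which means the publicly exposed port set is now decided by the module rather than by the host's firewall list; a comment such as `# opens the relay/signal ports formerly listed in machine/vps-arm.nix` would make that move explicit for the next audit. `relayIP = "152.53.18.107"` is a hard-coded public address with no indication of which host it belongs to; if it is this VPS, consider deriving it from the interface configuration, or at least name it in a comment.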
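Review bot: The nginx virtual host in services/uptime-kuma.nix hard-codes both the hostname and the backend port that `settings.PORT` already defines, unlike the gitea/nextcloud/adguard vhosts in machine/vps-arm.nix, which key off `config.services.*`; `proxyPass = "http://127.0.0.1:${config.services.uptime-kuma.settings.PORT}/";` keeps the two in sync. Binding Uptime Kuma to `HOST = "127.0.0.1"` behind the TLS-terminating vhost is the right shape and is worth a one-line comment so it is not "fixed" later.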