MacBook.local-2024-12-09-06-28-39

configs/services/adguardhome.nix

@@ -0,0 +1,94 @@
+{
+  config,
+  pkgs,
+  lib,
+  ...
+}: let
+  dns-domain = "dns.szczepan.ski";
+in {
+  security.acme.certs.${dns-domain}.postRun = ''
+    cp fullchain.pem /var/lib/AdGuardHome/chain.pem \
+      && cp key.pem /var/lib/AdGuardHome/key.pem \
+      && chown adguardhome:adguardhome /var/lib/AdGuardHome/chain.pem \
+      && chown adguardhome:adguardhome /var/lib/AdGuardHome/key.pem
+  '';
+
+  services = {
+    nginx = {
+      virtualHosts = {
+        ${dns-domain} = {
+          forceSSL = true;
+          enableACME = true;
+          locations = {
+            "/" = {proxyPass = "https://127.0.0.1:3004/";};
+          };
+        };
+      };
+    };
+
+    adguardhome = {
+      enable = true;
+      mutableSettings = true;
+      host = "127.0.0.1";
+      port = 3002;
+      settings = {
+        users = [
+          {
+            name = "alex";
+            password = "$2y$10$UhKvi4oztTfULWlIKnQhveORKXpIKCqpawJ/skSBAH96Njn4YDhTC";
+          }
+        ];
+        dns = {
+          bind_hots = [
+            "0.0.0.0"
+          ];
+          port = 53;
+          upstream_dns = [
+            "https://dns.quad9.net/dns-query"
+            "sdns://AgcAAAAAAAAADTk0LjE0MC4xNC4xNDAgmjo09yfeubylEAPZzpw5-PJ92cUkKQHCurGkTmNaAhkNOTQuMTQwLjE0LjE0MAovZG5zLXF1ZXJ5"
+            "tls://one.one.one.one"
+            "tls://dns.google"
+          ];
+          cache_size = 4194304;
+          cache_ttl_min = 2400;
+          cache_ttl_max = 84600;
+        };
+        filtering = {
+          protection_enabled = true;
+          filtering_enabled = true;
+
+          parental_enabled = false; # Parental control-based DNS requests filtering.
+          safe_search = {
+            enabled = false; # Enforcing "Safe search" option for search engines, when possible.
+          };
+        };
+        statistics = {
+          enabled = true;
+        };
+        tls = {
+          server_name = dns-domain;
+          enabled = true;
+          allow_unencrypted_doh = false;
+          port_dns_over_tls = 853;
+          port_dns_over_quic = 0;
+          port_https = 3004;
+          certificate_chain = "";
+          private_key = "";
+          certificate_path = "/var/lib/AdGuardHome/chain.pem";
+          private_key_path = "/var/lib/AdGuardHome/key.pem";
+        };
+        # The following notation uses map
+        # to not have to manually create {enabled = true; url = "";} for every filter
+        # This is,qq however, fully optional
+        filters =
+          map (url: {
+            enabled = true;
+            url = url;
+          }) [
+            "https://adguardteam.github.io/HostlistsRegistry/assets/filter_9.txt" # The Big List of Hacked Malware Web Sites
+            "https://adguardteam.github.io/HostlistsRegistry/assets/filter_11.txt" # malicious url blocklist
+          ];
+      };
+    };
+  };
+}

configs/services/atuin.nix

@@ -0,0 +1,25 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}: {
+  services = {
+    nginx = {
+      virtualHosts = {
+        "atuin.szczepan.ski" = {
+          forceSSL = true;
+          enableACME = true;
+          locations = {
+            "/" = {proxyPass = "http://127.0.0.1:8888/";};
+          };
+        };
+      };
+    };
+
+    atuin = {
+      enable = true;
+      openRegistration = true;
+    };
+  };
+}

configs/services/firefox-syncserver.nix

@@ -0,0 +1,38 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}: {
+  environment = {
+    persistence."/persist" = {
+      directories = [
+        "/var/lib/mysql"
+      ];
+    };
+  };
+
+  users = {
+    groups.firefox-syncserver = {};
+    users.firefox-syncserver = {
+      isSystemUser = true;
+      group = "firefox-syncserver";
+      extraGroups = [config.users.groups.keys.name];
+    };
+  };
+
+  services = {
+    mysql.package = pkgs.mariadb;
+    firefox-syncserver = {
+      enable = true;
+      secrets = config.sops.secrets."syncserver-secrets".path;
+      logLevel = "trace";
+      singleNode = {
+        enable = true;
+        hostname = "firefox-sync.szczepan.ski";
+        enableTLS = true;
+        enableNginx = true;
+      };
+    };
+  };
+}

configs/services/frigate.nix

@@ -0,0 +1,96 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}: {
+  environment = {
+    persistence."/persist" = {
+      directories = [
+        "/var/lib/frigate"
+      ];
+    };
+  };
+
+  services = {
+    nginx = {
+      virtualHosts = {
+        "frigate.szczepan.ski" = {
+          forceSSL = true;
+          enableACME = true;
+          basicAuthFile = config.sops.secrets.frigate-htpasswd.path;
+        };
+      };
+    };
+
+    frigate = {
+      enable = true;
+      package = pkgs.frigate;
+      hostname = "frigate.szczepan.ski";
+
+      settings = {
+        logger = {
+          default = "info";
+          logs = {
+            "frigate.event" = "debug";
+          };
+        };
+
+        mqtt.enabled = false;
+
+        detectors.cpu1 = {
+          type = "cpu";
+          num_threads = 4;
+        };
+
+        cameras = {
+          # home = {
+          #   ffmpeg.inputs = [{
+          #     path = "rtsp://admin:REMOVED@192.168.178.34:554/H.264";
+          #     # input_args = "preset-rtsp-restream";
+          #     # roles = [ "record" "detect" ];
+          #     roles = [ "record" ];
+          #   }];
+
+          #   record = {
+          #     enabled = true;
+          #     retain = {
+          #       days = 7;
+          #       mode = "all";
+          #     };
+          #     # events = {
+          #     #   retain = {
+          #     #     default = 14;
+          #     #   };
+          #     # };
+          #   };
+          # };
+
+          garage = {
+            ffmpeg.inputs = [
+              {
+                path = "rtsp://admin:REMOVED@192.168.178.42:554/H.264";
+                # input_args = "preset-rtsp-restream";
+                # roles = [ "record" "detect" ];
+                roles = ["record"];
+              }
+            ];
+
+            record = {
+              enabled = true;
+              retain = {
+                days = 7;
+                mode = "all";
+              };
+              events = {
+                retain = {
+                  default = 14;
+                };
+              };
+            };
+          };
+        };
+      };
+    };
+  };
+}

configs/services/gitea.nix

@@ -0,0 +1,57 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}: {
+  environment = {
+    persistence."/persist" = {
+      directories = [
+        "/var/lib/gitea"
+      ];
+    };
+  };
+
+  services = {
+    nginx = {
+      virtualHosts = {
+        ${config.services.gitea.settings.server.DOMAIN} = {
+          forceSSL = true;
+          enableACME = true;
+          locations = {"/" = {proxyPass = "http://127.0.0.1:3001/";};};
+        };
+      };
+    };
+
+    postgresql = {
+      enable = true;
+      ensureDatabases = [
+        config.services.gitea.user
+      ];
+      ensureUsers = [
+        {
+          name = config.services.gitea.database.user;
+          ensureDBOwnership = true;
+        }
+      ];
+    };
+
+    gitea = {
+      enable = true;
+      appName = "My awesome Gitea server"; # Give the site a name
+      database = {
+        type = "postgres";
+        passwordFile = config.sops.secrets.gitea-password.path;
+      };
+      settings = {
+        server = {
+          DOMAIN = "git.szczepan.ski";
+          ROOT_URL = "https://git.szczepan.ski/";
+          HTTP_PORT = 3001;
+          HTTP_ADDR = "127.0.0.1";
+        };
+        service.DISABLE_REGISTRATION = true;
+      };
+    };
+  };
+}

configs/services/goaccess.nix

@@ -0,0 +1,61 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}: {
+  environment = {
+    systemPackages = with pkgs; [
+      goaccess
+    ];
+    persistence."/persist" = {
+      directories = [
+        "/var/www/goaccess"
+      ];
+    };
+  };
+
+  services = {
+    nginx = {
+      virtualHosts = {
+        "goaccess.szczepan.ski" = {
+          forceSSL = true;
+          enableACME = true;
+          basicAuthFile = config.sops.secrets.goaccess-htpasswd.path;
+          locations = {
+            "/" = {root = "/var/www/goaccess";};
+            "/ws" = {
+              proxyPass = "http://127.0.0.1:7890/";
+              proxyWebsockets = true;
+            };
+          };
+        };
+      };
+    };
+  };
+
+  systemd = {
+    tmpfiles.settings = {
+      "goaccess" = {
+        "/var/www/goaccess" = {d.mode = "0755";};
+      };
+    };
+
+    services = {
+      # Limit stack size to reduce memory usage
+      fail2ban.serviceConfig.LimitSTACK = 256 * 1024;
+
+      goaccess = {
+        description = "GoAccess real-time web log analysis";
+        after = ["network.target"];
+        wantedBy = ["multi-user.target"];
+        script = "${pkgs.gzip}/bin/zcat -f /var/log/nginx/access.* | ${pkgs.goaccess}/bin/goaccess - -o /var/www/goaccess/index.html --log-format='%v %h %^[%d:%t %^]%^\"%r\" %s %b \"%R\" \"%u\"' --real-time-html --ws-url=wss://goaccess.szczepan.ski:443/ws --port 7890 --time-format \"%H:%M:%S\" --date-format \"%d/%b/%Y\"";
+        # serviceConfig = {
+        #   StateDirectory = "/var/www/goaccess";
+        #   # ExecStart = "${pkgs.bash}/bin/bash -c "${pkgs.gzip}/bin/zcat -f /var/log/nginx/access.* | ${pkgs.goaccess}/bin/goaccess -o /var/www/goaccess/index.html --log-format='%v %h %^[%d:%t %^]%^\"%r\" %s %b \"%R\" \"%u\"' --real-time-html --ws-url=wss://goaccess.szczepan.ski:443/ws --port 7890 --time-format \"%H:%M:%S\" --date-format \"%d/%b/%Y\"'";
+        #   # ExecStop = "/bin/kill -9 ${MAINPID}";
+        # };
+      };
+    };
+  };
+}

configs/services/headscale.nix

@@ -0,0 +1,74 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}: {
+  environment = {
+    systemPackages = with pkgs; [headscale];
+    persistence."/persist" = {
+      directories = [
+        "/var/lib/headscale"
+      ];
+    };
+  };
+
+  services = {
+    nginx = {
+      virtualHosts = {
+        "headscale.szczepan.ski" = {
+          forceSSL = true;
+          enableACME = true;
+          locations = {
+            "/" = {
+              proxyPass = "http://127.0.0.1:8088/";
+              proxyWebsockets = true;
+            };
+          };
+        };
+      };
+    };
+
+    headscale = {
+      enable = true;
+      address = "127.0.0.1";
+      port = 8088;
+      # dns = { baseDomain = "example.com"; };
+      settings = {
+        logtail.enabled = false;
+        server_url = "https://headscale.szczepan.ski";
+        # ip_prefixes = [
+        #   "100.64.0.0/10"
+        #   "fd7a:115c:a1e0::/48"
+        # ];
+        # later
+        prefixes = {
+          v4 = "100.64.0.0/10";
+          v6 = "fd7a:115c:a1e0::/48";
+        };
+        dns = {
+          override_local_dns = true;
+          base_domain = "main.szczepan.ski";
+          magic_dns = true;
+          search_domains = ["main.szczepan.ski"];
+          nameservers.global = [
+            "100.64.0.2"
+            "127.0.0.1"
+          ];
+        };
+
+        derp = {
+          server = {
+            enabled = true;
+            region_id = 999;
+            region_code = "headscale";
+            region_name = "Headscale Embedded DERP";
+            stun_listen_addr = "0.0.0.0:3478";
+            ipv4 = "152.53.18.107";
+            ipv6 = "2a0a:4cc0:1:124c::1";
+          };
+        };
+      };
+    };
+  };
+}

configs/services/immich.nix

@@ -0,0 +1,46 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}: {
+  environment = {
+    persistence."/persist" = {
+      directories = [
+        "/var/lib/immich"
+        "/var/lib/redis-immich"
+      ];
+    };
+  };
+
+  services = {
+    nginx = {
+      virtualHosts = {
+        "immich.szczepan.ski" = {
+          forceSSL = true;
+          enableACME = true;
+          locations = {"/" = {proxyPass = "http://[::1]:2283/";};};
+        };
+      };
+    };
+
+    # postgresql = {
+    #   enable = true;
+    #   ensureDatabases = [
+    #     config.services.nextcloud.config.dbname
+    #   ];
+    #   ensureUsers = [
+    #     {
+    #       name = config.services..config.dbuser;
+    #       ensureDBOwnership = true;
+    #       # ensurePermissions."DATABASE ${config.services.gitea.database.name}" = "ALL PRIVILEGES";
+    #     }
+    #   ];
+    # };
+
+    immich = {
+      enable = true;
+      settings.server.externalDomain = "https://immich.szczepan.ski";
+    };
+  };
+}

configs/services/nextcloud.nix

@@ -0,0 +1,118 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}: {
+  environment = {
+    persistence."/persist" = {
+      directories = [
+        "/var/lib/nextcloud"
+        "/var/lib/postgresql"
+        "/var/lib/redis-nextcloud"
+      ];
+    };
+  };
+
+  services = {
+    nginx = {
+      virtualHosts = {
+        ${config.services.nextcloud.hostName} = {
+          forceSSL = true;
+          enableACME = true;
+        };
+      };
+    };
+
+    postgresql = {
+      enable = true;
+      ensureDatabases = [
+        config.services.nextcloud.config.dbname
+      ];
+      ensureUsers = [
+        {
+          name = config.services.nextcloud.config.dbuser;
+          ensureDBOwnership = true;
+          # ensurePermissions."DATABASE ${config.services.gitea.database.name}" = "ALL PRIVILEGES";
+        }
+      ];
+    };
+
+    nextcloud = {
+      enable = true;
+      hostName = "nextcloud.szczepan.ski";
+
+      # Need to manually increment with every major upgrade.
+      package = pkgs.nextcloud30;
+
+      # Let NixOS install and configure the database automatically.
+      database.createLocally = true;
+
+      # Let NixOS install and configure Redis caching automatically.
+      configureRedis = true;
+
+      # Increase the maximum file upload size to avoid problems uploading videos.
+      maxUploadSize = "16G";
+      https = true;
+
+      autoUpdateApps = {
+        enable = true; # Set what time makes sense for you
+        startAt = "05:00:00";
+      };
+
+      extraAppsEnable = true;
+      extraApps = with config.services.nextcloud.package.packages.apps; {
+        # List of apps we want to install and are already packaged in
+        # https://github.com/NixOS/nixpkgs/blob/master/pkgs/servers/nextcloud/packages/nextcloud-apps.json
+        inherit
+          bookmarks
+          calendar
+          contacts
+          deck
+          end_to_end_encryption
+          mail
+          maps
+          memories
+          music
+          notes
+          notify_push
+          onlyoffice
+          phonetrack
+          previewgenerator
+          tasks
+          unroundedcorners
+          ;
+        # user_migration = pkgs.fetchNextcloudApp {
+        #   sha256 = "sha256-OwALAM/WPJ4gXHQado0njfJL+ciDsvfbPjqGWk23Pm8=";
+        #   url = "https://github.com/nextcloud-releases/user_migration/releases/download/v6.0.0/user_migration-v6.0.0.tar.gz";
+        #   license = "agpl3Plus";
+        # };
+      };
+
+      phpOptions = {
+        "opcache.interned_strings_buffer" = "64";
+      };
+
+      settings = {
+        overwriteProtocol = "https";
+        default_phone_region = "DE";
+        log_type = "file";
+        "memories.exiftool" = "${lib.getExe pkgs.exiftool}";
+        "memories.vod.ffmpeg" = "${lib.getExe pkgs.ffmpeg-headless}";
+        "memories.vod.ffprobe" = "${pkgs.ffmpeg-headless}/bin/ffprobe";
+        "overwrite.cli.url" = "${config.services.nextcloud.hostName}";
+        "maintenance_window_start" = "1";
+      };
+
+      config = {
+        dbtype = "pgsql";
+        adminuser = "alex";
+        adminpassFile = config.sops.secrets.nextcloud-password.path;
+      };
+    };
+  };
+
+  systemd.services.nextcloud-cron = {
+    path = [pkgs.perl];
+  };
+}

configs/services/rustdesk-server.nix

@@ -0,0 +1,20 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}: {
+  services = {
+    rustdesk-server = {
+      enable = true;
+      openFirewall = true;
+      signal = {
+        enable = true;
+        relayHosts = ["152.53.18.107"];
+      };
+      relay = {
+        enable = true;
+      };
+    };
+  };
+}

configs/services/uptime-kuma.nix

@@ -0,0 +1,26 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}: {
+  services = {
+    uptime-kuma = {
+      enable = true;
+      settings = {
+        PORT = "4000";
+        HOST = "127.0.0.1";
+      };
+    };
+
+    nginx = {
+      virtualHosts = {
+        "uptime.szczepan.ski" = {
+          forceSSL = true;
+          enableACME = true;
+          locations = {"/" = {proxyPass = "http://127.0.0.1:4000/";};};
+        };
+      };
+    };
+  };
+}