From bfe63888a66110735695c48e3a6397d05e7054de Mon Sep 17 00:00:00 2001
From: Alexander Szczepanski
Date: Wed, 10 Jul 2024 12:27:30 +0200
Subject: [PATCH] vps-arm-2024-07-10-12-27-30
---
 README.md | 5 +++++
 configs/user.nix | 3 ++-
 machine/vps-arm.nix | 50 ++++++++++++++++++++++--------------------
 services/gitea.nix | 14 ++++++++++--
 services/goaccess.nix | 49 +++++++++++++++++++++++++++++++++++++++++
 services/headscale.nix | 18 +++++++++++++++
 services/nextcloud.nix | 29 +++++++++++++++++++++++-
 7 files changed, 140 insertions(+), 28 deletions(-)
 create mode 100644 README.md
 create mode 100644 services/goaccess.nix
diff --git a/README.md b/README.md
new file mode 100644
index 0000000..62b13fd
--- /dev/null
+++ b/README.md
@@ -0,0 +1,5 @@
+# Most stuff
+
+sudo nix-channel --add https://github.com/nix-community/home-manager/archive/release-24.05.tar.gz home-manager
+sudo nix-channel --update
+sudo nix-channel --add https://nixos.org/channels/nixos-unstable-small nixos-unstable
\ No newline at end of file
diff --git a/configs/user.nix b/configs/user.nix
index 21e761c..24be0ee 100755
--- a/configs/user.nix
+++ b/configs/user.nix
@@ -30,7 +30,8 @@ in {
 openssh.authorizedKeys.keys = [
 "ssh-rsa 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 alexander@szczepan.ski"
 "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOYEaT0gH9yJM2Al0B+VGXdZB/b2qjZK7n01Weq0TcmQ alex@framework"
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEgLFUQH6BNW/m7GdZjIoewTWSSGH7vD+OAKE/4rqksT alex@desktop"
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIN99h5reZdz9+DOyTRh8bPYWO+Dtv7TbkLbMdvi+Beio alex@desktop"
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIkURF5v9vRyEPhsK80kUgYh1vsS0APL4XyH4F3Fpyic alex@macbook"
 ];
 };
 };
diff --git a/machine/vps-arm.nix b/machine/vps-arm.nix
index d3f93f5..34361e8 100755
--- a/machine/vps-arm.nix
+++ b/machine/vps-arm.nix
@@ -4,20 +4,21 @@ let unstable = import { config.allowUnfree = true; }; in { - imports = - [ - /etc/nixos/hardware-configuration.nix - ../configs/common.nix - ../configs/docker.nix - ../configs/user.nix + imports = [ + /etc/nixos/hardware-configuration.nix + ../configs/common.nix + ../configs/docker.nix + ../configs/user.nix - ../services/adguardhome.nix - ../services/frigate.nix - ../services/gitea.nix - ../services/nextcloud.nix - ../services/rustdesk-server.nix - ../services/uptime-kuma.nix - ]; + ../services/adguardhome.nix + ../services/frigate.nix + ../services/gitea.nix + ../services/nextcloud.nix + ../services/rustdesk-server.nix + ../services/uptime-kuma.nix + ../services/headscale.nix + ../services/goaccess.nix + ]; boot.loader = { systemd-boot.enable = true; @@ -97,17 +98,6 @@ in ''; virtualHosts = { - ${config.services.gitea.settings.server.DOMAIN} = { - forceSSL = true; - enableACME = true; - locations = { "/" = { proxyPass = "http://127.0.0.1:3001/"; }; }; - }; - - ${config.services.nextcloud.hostName} = { - forceSSL = true; - enableACME = true; - }; - ${config.services.adguardhome.settings.tls.server_name} = { forceSSL = true; enableACME = true; @@ -115,6 +105,18 @@ in "/" = { proxyPass = "https://127.0.0.1:3003/"; }; }; }; + + "homeassistant.szczepan.ski" = { + forceSSL = true; + enableACME = true; + locations = { + "/" = { + proxyPass = "http://mini.main.szczepan.ski:8123/"; + proxyWebsockets = true; + }; + }; + }; + }; }; diff --git a/services/gitea.nix b/services/gitea.nix index 51d1773..74d0607 100644 --- a/services/gitea.nix +++ b/services/gitea.nix @@ -1,6 +1,16 @@ { config, lib, pkgs, ... }: { services = { + nginx = { + virtualHosts = { + ${config.services.gitea.settings.server.DOMAIN} = { + forceSSL = true; + enableACME = true; + locations = { "/" = { proxyPass = "http://127.0.0.1:3001/"; }; }; + }; + }; + }; + postgresql = { enable = true; ensureDatabases = [ 
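Review bot: The new `homeassistant.szczepan.ski` vhost terminates TLS here and then forwards in cleartext to `http://mini.main.szczepan.ski:8123/`, a remote host rather than the loopback backends every other vhost in this file uses; unless that hop runs over an encrypted overlay (the headscale import hints at one, but nothing in the hunk guarantees it), Home Assistant credentials and session tokens cross the network unprotected. Home Assistant also refuses or mis-attributes proxied requests unless the proxy sends `X-Forwarded-For` and HA lists the proxy in `trusted_proxies`; the hunk sets no headers, and whether `recommendedProxySettings` is enabled globally is outside it. I would add `recommendedProxySettings = true;` to the location (or confirm the global setting) and a comment above the vhost: `# backend is reached over the private overlay only; HA must list this proxy in trusted_proxies`. The enclosing `services.nginx` block starts before this hunk.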
@@ -23,8 +33,8 @@
 };
 settings = {
 server = {
- DOMAIN = "git.v220240679185274666.nicesrv.de";
- ROOT_URL = "https://git.v220240679185274666.nicesrv.de/";
+ DOMAIN = "git.szczepan.ski";
+ ROOT_URL = "https://git.szczepan.ski/";
 HTTP_PORT = 3001;
 HTTP_ADDR = "127.0.0.1";
 };
diff --git a/services/goaccess.nix b/services/goaccess.nix
new file mode 100644
index 0000000..18f6427
--- /dev/null
+++ b/services/goaccess.nix
@@ -0,0 +1,49 @@
+{ config, lib, pkgs, ... }:
+let
+ secrets = import ../configs/secrets.nix;
+in
+{
+ services = {
+ nginx = {
+ virtualHosts = {
+ "goaccess.szczepan.ski" = {
+ forceSSL = true;
+ enableACME = true;
+ basicAuth = { alex = secrets.goaccess-password; };
+ locations = {
+ "/" = { root = "/var/www/goaccess"; };
+ "/ws" = {
+ proxyPass = "http://127.0.0.1:7890/";
+ proxyWebsockets = true;
+ };
+ };
+ };
+ };
+ };
+ };
+
+ systemd = {
+ tmpfiles.settings = {
+ "goaccess" = {
+ "/var/www/goaccess" = { d.mode = "0755"; };
+ };
+ };
+
+ services = {
+ # Limit stack size to reduce memory usage
+ fail2ban.serviceConfig.LimitSTACK = 256 * 1024;
+
+ goaccess = {
+ description = "GoAccess real-time web log analysis";
+ after = [ "network.target" ];
+ wantedBy = [ "multi-user.target" ];
+ script = "${pkgs.gzip}/bin/zcat -f /var/log/nginx/access.* | ${pkgs.goaccess}/bin/goaccess - -o /var/www/goaccess/index.html --log-format='%v %h %^[%d:%t %^]%^\"%r\" %s %b \"%R\" \"%u\"' --real-time-html --ws-url=wss://goaccess.szczepan.ski:443/ws --port 7890 --time-format \"%H:%M:%S\" --date-format \"%d/%b/%Y\"";
+ # serviceConfig = {
+ # StateDirectory = "/var/www/goaccess";
+ # # ExecStart = "${pkgs.bash}/bin/bash -c "${pkgs.gzip}/bin/zcat -f /var/log/nginx/access.* | ${pkgs.goaccess}/bin/goaccess -o /var/www/goaccess/index.html --log-format='%v %h %^[%d:%t %^]%^\"%r\" %s %b \"%R\" \"%u\"' --real-time-html --ws-url=wss://goaccess.szczepan.ski:443/ws --port 7890 --time-format \"%H:%M:%S\" --date-format \"%d/%b/%Y\"'";
+ # # ExecStop = "/bin/kill -9 ${MAINPID}";
+ # };
+ };
+ };
+ };
+}
diff --git a/services/headscale.nix b/services/headscale.nix
index ce6fd06..68289c0 100644
--- a/services/headscale.nix
+++ b/services/headscale.nix
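Review bot: `basicAuth = { alex = secrets.goaccess-password; };` makes NixOS render the password into an htpasswd file inside the world-readable Nix store, so the secret is exposed to every local user and process regardless of how `secrets.nix` itself is protected; the option's own documentation warns about this and the fix is to switch to `basicAuthFile = "<root-only htpasswd file outside /nix/store>";`. Separately, the `script` line starts goaccess with `--port 7890` but no `--addr`, and goaccess binds its WebSocket listener to all interfaces by default, so port 7890 is reachable directly and bypasses the nginx basic auth unless a firewall happens to block it; append `--addr 127.0.0.1` so only the proxy can connect. The unit also sets no `User`/`DynamicUser`, so goaccess runs as root just to read the nginx logs and write `/var/www/goaccess`; a dedicated user with `SupplementaryGroups = [ "nginx" ];` would be the least-privilege form. The `fail2ban.serviceConfig.LimitSTACK` line has nothing to do with goaccess and belongs with the fail2ban configuration.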
@@ -1,6 +1,24 @@ { config, lib, pkgs, ... }: { + environment.systemPackages = with pkgs; [ headscale ]; + services = { + nginx = { + virtualHosts = { + # ${config.services.headscale.settings.dns_config.domains} = { + "headscale.szczepan.ski" = { + forceSSL = true; + enableACME = true; + locations = { + "/" = { + proxyPass = "http://127.0.0.1:8088/"; + proxyWebsockets = true; + }; + }; + }; + }; + }; + headscale = { enable = true; address = "127.0.0.1"; diff --git a/services/nextcloud.nix b/services/nextcloud.nix index 75c925b..892bb36 100644 --- a/services/nextcloud.nix +++ b/services/nextcloud.nix @@ -1,6 +1,15 @@ { config, lib, pkgs, ... }: { services = { + nginx = { + virtualHosts = { + ${config.services.nextcloud.hostName} = { + forceSSL = true; + enableACME = true; + }; + }; + }; + postgresql = { enable = true; ensureDatabases = [ @@ -17,7 +26,7 @@ nextcloud = { enable = true; - hostName = "nextcloud.v220240679185274666.nicesrv.de"; + hostName = "nextcloud.szczepan.ski"; # Need to manually increment with every major upgrade. package = pkgs.nextcloud29; @@ -58,12 +67,26 @@ previewgenerator tasks unroundedcorners; + # user_migration = pkgs.fetchNextcloudApp { + # sha256 = "sha256-OwALAM/WPJ4gXHQado0njfJL+ciDsvfbPjqGWk23Pm8="; + # url = "https://github.com/nextcloud-releases/user_migration/releases/download/v6.0.0/user_migration-v6.0.0.tar.gz"; + # license = "agpl3Plus"; + # }; + }; + + phpOptions = { + "opcache.interned_strings_buffer" = "64"; }; settings = { overwriteProtocol = "https"; default_phone_region = "DE"; log_type = "file"; + "memories.exiftool" = "${lib.getExe pkgs.exiftool}"; + "memories.vod.ffmpeg" = "${lib.getExe pkgs.ffmpeg-headless}"; + "memories.vod.ffprobe" = "${pkgs.ffmpeg-headless}/bin/ffprobe"; + "overwrite.cli.url" = "${config.services.nextcloud.hostName}"; + "maintenance_window_start" = "1"; }; config = { @@ -73,4 +96,8 @@ }; }; }; + + systemd.services.nextcloud-cron = { + path = [ pkgs.perl ]; + }; }
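Review bot: The vhost name `"headscale.szczepan.ski"` is hardcoded while the commented line above it shows an abandoned attempt to derive it, and headscale clients only reach this proxy if `settings.server_url` (outside the hunk) names the same host, so a drift between the two presumably breaks registration without any error on the nginx side. I would either derive the name from the configured URL, e.g. `${lib.removePrefix "https://" config.services.headscale.settings.server_url} = {`, or keep the literal with `# must match services.headscale.settings.server_url` and delete the dead `# ${config.services.headscale.settings.dns_config.domains}` line, which points at a DNS option rather than the server hostname. The `headscale = {` block that follows starts in the hunk but its body continues past it.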
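Review bot: `"overwrite.cli.url" = "${config.services.nextcloud.hostName}";` stores a bare hostname, but Nextcloud expects a full URL with scheme for this key, as it is the base that `occ` and background jobs use when generating links, so those links would be built from `nextcloud.szczepan.ski` with no `https://`; the line should read `"overwrite.cli.url" = "https://${config.services.nextcloud.hostName}";`. `"maintenance_window_start" = "1";` passes a string where the documented type is an integer hour; `maintenance_window_start = 1;` matches it. The commented-out `user_migration` block with its pinned hash is dead code and should be dropped or turned into a TODO. The `settings` attribute set continues past the hunk.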
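Review bot: `systemd.services.nextcloud-cron = { path = [ pkgs.perl ]; };` gives no hint why the cron unit suddenly needs perl on its PATH; the `memories.exiftool` setting added in the same file suggests it is because exiftool is a perl script invoked from background jobs, but that is inferred, so confirm and record it as `# memories runs exiftool (a perl script) from cron; it needs perl on PATH`.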