diff --git a/hosts/architect/bazarr.nix b/hosts/architect/bazarr.nix index 8b5155d..2e68e67 100644 --- a/hosts/architect/bazarr.nix +++ b/hosts/architect/bazarr.nix @@ -5,7 +5,10 @@ let network = import ./network.nix; in { services = { - bazarr.enable = true; + bazarr = { + enable = true; + group = "media"; + }; nginx.virtualHosts.${domain} = { forceSSL = true; diff --git a/hosts/architect/default.nix b/hosts/architect/default.nix index b060ee5..326fb37 100644 --- a/hosts/architect/default.nix +++ b/hosts/architect/default.nix @@ -23,15 +23,19 @@ in { ./matrix.nix ./fail2ban.nix ./dns.nix - # ./minecraft.nix + ./minecraft.nix ./prowlarr.nix ./plex.nix - # ./transmission.nix + ./transmission.nix ./githubrunner.nix ./libreddit.nix ./invidious.nix ./nitter.nix ./ccache.nix + ./lidarr.nix + ./navidrome.nix + ./jellyfin.nix + ./prosody.nix ]; time.timeZone = "Europe/Rome"; @@ -44,7 +48,12 @@ in { "ip=${network.architect-lan}::10.0.0.1:255.255.255.0::${network.wan-if}:off" "nvme_core.default_ps_max_latency_us=5500" ]; - kernel.sysctl."net.ipv4.ip_forward" = 1; + + kernel.sysctl= { + "net.ipv4.ip_forward" = 1; + "fs.protected_regular" = 0; + }; + initrd = { availableKernelModules = [ "igc" "r8169" ]; network = { @@ -73,7 +82,7 @@ in { supportedFilesystems = [ "zfs" ]; zfs.requestEncryptionCredentials = true; - tmpOnTmpfsSize = "150%"; + tmpOnTmpfsSize = "80%"; }; networking = { @@ -97,7 +106,7 @@ in { ${network.dvr-lan} dvr.devs.giugl.io ${network.nas-lan} nas.devs.giugl.io - + 192.168.1.1 vodafone.station # Blacklist 0.0.0.0 metrics.plex.tv 0.0.0.0 analytics.plex.tv diff --git a/hosts/architect/firewall.nix b/hosts/architect/firewall.nix index 072548c..a709ec7 100644 --- a/hosts/architect/firewall.nix +++ b/hosts/architect/firewall.nix 
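Review bot: The new `group = "media";` here, and the identical additions in nzbget.nix, radarr.nix, sonarr.nix, lidarr.nix and transmission.nix in this commit, put every downloader and indexer into one shared group without a comment recording why. A short note at this first site would do, e.g. `group = "media"; # shared with the other media services so downloads are readable via the media group`. Several of these services expose a web UI through nginx, so whatever the media group can write to is reachable from a compromise of any one of them; it is worth keeping each service's state directory at its default ownership and sharing only the download tree through the group.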
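Review bot: `"fs.protected_regular" = 0;` switches off the kernel's protection against O_CREAT opens of regular files that another user left in world-writable sticky directories such as /tmp, and the hunk gives no reason for dropping it host-wide. If a particular service fails without it, the line should carry that reason, e.g. `"fs.protected_regular" = 0; # needed by <service>: <failing path> (placeholder)`, and giving that service its own directory is usually the better fix than removing the hardening for everything. Style nit on the same hunk: `kernel.sysctl= {` lacks the space before `=` that the neighbouring attributes use.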
@@ -9,10 +9,12 @@ let 443 # https 8448 # matrix 10022 # gitea + 30303 51413 # transmission ]; open_udp_ports = lib.concatMapStringsSep "," (x: toString x) [ 1194 # wireguard + 30303 51413 # transmission ]; open_tcp_ports_vpn = lib.concatMapStringsSep "," (x: toString x) [ diff --git a/hosts/architect/hardware.nix b/hosts/architect/hardware.nix index 5055d70..a5a1d5e 100644 --- a/hosts/architect/hardware.nix +++ b/hosts/architect/hardware.nix @@ -44,7 +44,7 @@ swapDevices = [{ device = "/dev/sdc1"; - size = 100000; + size = 10000; }]; } diff --git a/hosts/architect/jellyfin.nix b/hosts/architect/jellyfin.nix index 21f88a2..ec4565e 100644 --- a/hosts/architect/jellyfin.nix +++ b/hosts/architect/jellyfin.nix @@ -1,6 +1,9 @@ { pkgs, ... }: -with import ./network.nix; { +let + network = import ./network.nix; + domain = "jellyfin.giugl.io"; +in { disabledModules = [ "services/misc/jellyfin.nix" ]; imports = [ ./modules/jellyfin.nix ]; @@ -10,9 +13,9 @@ with import ./network.nix; { package = pkgs.unstable.jellyfin; }; - nginx.virtualHosts.${mediadomain} = { - forceSSL = true; - enableACME = true; + nginx.virtualHosts.${domain} = { +# forceSSL = true; +# enableACME = true; locations."/" = { proxyPass = "http://localhost:8096"; extraConfig = '' @@ -25,8 +28,8 @@ with import ./network.nix; { }; networking.extraHosts = '' - ${architect-lan} ${mediadomain} - ${architect-wg} ${mediadomain} + ${network.architect-lan} ${domain} + ${network.architect-wg} ${domain} ''; users.groups.media.members = [ "jellyfin" ]; diff --git a/hosts/architect/libreddit.nix b/hosts/architect/libreddit.nix index c6e1fb4..7d5572c 100644 --- a/hosts/architect/libreddit.nix +++ b/hosts/architect/libreddit.nix @@ -1,4 +1,4 @@ -{ lib, ... }: +{ lib, pkgs, ... }: let domain = "reddit.giugl.io"; diff --git a/hosts/architect/lidarr.nix b/hosts/architect/lidarr.nix new file mode 100644 index 0000000..9f9183d --- /dev/null +++ b/hosts/architect/lidarr.nix 
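Review bot: Port `30303` is added to both `open_tcp_ports` and `open_udp_ports` without the trailing comment every neighbouring entry carries, so nothing records which service it serves or why it belongs in the WAN-facing lists rather than `open_tcp_ports_vpn`. Please annotate both entries, e.g. `30303 # <service> (placeholder)`, and confirm the listener is meant to be reachable from the internet. The enclosing `let` block starts outside the hunk.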
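Review bot: Commenting out `forceSSL = true;` and `enableACME = true;` on `nginx.virtualHosts.${domain}` in jellyfin.nix leaves the Jellyfin front end served over plain HTTP, so logins and session tokens cross the network unencrypted. The `extraHosts` lines below point `jellyfin.giugl.io` at the LAN and WireGuard addresses, which suggests an internal-only host; if that is the intent, record it where the two lines were, `# plain HTTP on purpose: LAN/WireGuard only, no public DNS`, and if not, restore both lines. The location's `extraConfig` continues past the end of the hunk, so I cannot see whether an allow/deny list limits who reaches it.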
@@ -0,0 +1,34 @@ +{ lib, ... }: + +let + domain = "htlid.giugl.io"; + network = import ./network.nix; +in { + services = { + lidarr = { + enable = true; + group = "media"; + }; + + nginx.virtualHosts.${domain} = { + forceSSL = true; + enableACME = true; + locations."/" = { + proxyPass = "http://localhost:8686"; + extraConfig = '' + allow 10.0.0.0/24; + ${lib.concatMapStrings (x: "allow ${x};") network.gdevices-wg} + deny all; + deny 10.0.0.1; + ''; + }; + }; + }; + + networking.extraHosts = '' + ${network.architect-lan} ${domain} + ${network.architect-wg} ${domain} + ''; + + users.groups.media.members = [ "lidarr" ]; +} diff --git a/hosts/architect/matrix.nix b/hosts/architect/matrix.nix index 696d0ee..1f263d2 100644 --- a/hosts/architect/matrix.nix +++ b/hosts/architect/matrix.nix @@ -12,11 +12,13 @@ in { database_name = "synapse"; public_baseurl = "https://${domain}"; registration_shared_secret = "runas!"; + url_preview_enabled = true; dynamic_thumbnails = true; + withJemalloc = true; # enable_registration = true; app_service_config_files = [ "/var/lib/matrix-synapse/discord-registration.yaml" - "/var/lib/matrix-synapse/telegram-registration.yaml" + # "/var/lib/matrix-synapse/telegram-registration.yaml" ]; extraConfig = '' auto_join_rooms: @@ -42,6 +44,33 @@ in { ]; turn_shared_secret = "69duck duck fuck420"; turn_user_lifetime = "1h"; + logConfig = '' + version: 1 + + # In systemd's journal, loglevel is implicitly stored, so let's omit it + # from the message text. + formatters: + journal_fmt: + format: '%(name)s: [%(request)s] %(message)s' + + filters: + context: + (): synapse.util.logcontext.LoggingContextFilter + request: "" + + handlers: + journal: + class: systemd.journal.JournalHandler + formatter: journal_fmt + filters: [context] + SYSLOG_IDENTIFIER: synapse + + root: + level: WARN + handlers: [journal] + + disable_existing_loggers: False + ''; }; postgresql = { 
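Review bot: In the lidarr `extraConfig`, `deny 10.0.0.1;` follows `deny all;`, and nginx evaluates `allow`/`deny` in order with the first match winning, so that line can never take effect; 10.0.0.1 is in any case already matched by the earlier `allow 10.0.0.0/24;`. If the gateway is meant to be excluded, put `deny 10.0.0.1;` first, then `allow 10.0.0.0/24;`, the WireGuard allows, and `deny all;` last. Otherwise remove the dead line so the rule set reads the way it behaves.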
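Review bot: `url_preview_enabled = true;` makes Synapse fetch arbitrary URLs on behalf of users, so the effective `url_preview_ip_range_blacklist` must cover the private ranges this host sits on (10.0.0.0/24 and the 10.3.0.x WireGuard addresses appear elsewhere in this diff) to stop the preview fetcher from reaching internal services; the NixOS module ships a default list, but it is worth pinning it explicitly beside this line, e.g. `url_preview_ip_range_blacklist = [ "127.0.0.0/8" "10.0.0.0/8" "172.16.0.0/12" "192.168.0.0/16" ];`. Separately, the unchanged context shows `registration_shared_secret` as a literal in the Nix expression, which ends up world-readable in /nix/store; a secret file referenced via `extraConfigFiles` would keep it out of the store.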
@@ -92,19 +121,24 @@ in { }; # web client - "${webui_domain}" = { enableACME = true; forceSSL = true; - root = pkgs.element-web.override { + # root = pkgs.element-web.override { + # conf = { + # default_server_config."m.homeserver" = { + # "base_url" = "https://${domain}"; + # "server_name" = "${domain}"; + # }; + # }; + # }; + root = pkgs.unstable.cinny.override { conf = { - default_server_config."m.homeserver" = { - "base_url" = "https://${domain}"; - "server_name" = "${domain}"; - }; + homeserverList = [ "${domain}" ]; + defaultHomeserver = 0; }; - }; + }; }; }; diff --git a/hosts/architect/navidrome.nix b/hosts/architect/navidrome.nix new file mode 100644 index 0000000..58f3166 --- /dev/null +++ b/hosts/architect/navidrome.nix @@ -0,0 +1,53 @@ +{ lib, pkgs, ... }: + +let + domain = "music.giugl.io"; + network = import ./network.nix; +in { + services = { + navidrome = { + enable = true; + + settings = { + MusicFolder = "/media/Music"; + LastFM.enable = true; + LastFM.ApiKey = "5cef5cb5f9d31326b97d0f929ca9cf20"; + LastFM.Secret = "d1296896126f4caae47407aecf080b25"; + Spotify.ID = "3900c029b4f34f3fb61d554dda64794d"; + Spotify.Secret = "d931ce5575a9401aa5ff8d37558cca0a"; + EnableGravatar = true; + LogLevel = "WARN"; + }; + }; + + nginx.virtualHosts.${domain} = { + forceSSL = true; + enableACME = true; + locations."/" = { + proxyPass = "http://localhost:4533"; + # extraConfig = '' + # allow 10.0.0.0/24; + # ${lib.concatMapStrings (x: "allow ${x};") network.gdevices-wg} + # deny all; + # ''; + }; + }; + }; + + systemd.services."beets-rename" = { + enable = true; + serviceConfig = { + Type = "oneshot"; + ExecStart = + "${pkgs.findutils}/bin/find /media/Music -type d -mindepth 2 -maxdepth 2 -exec ${pkgs.beets}/bin/beet -c /media/config.conf import --flat -q {} \\;"; + }; + startAt = "daily"; + }; + + networking.extraHosts = '' + ${network.architect-lan} ${domain} + ${network.architect-wg} ${domain} + ''; + + users.groups.media.members = [ "navidrome" ]; +} 
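Review bot: The Last.fm and Spotify key/secret pairs in navidrome.nix are literals inside `settings`, so they sit in git history and in the world-readable Nix store of every host evaluating this file; they should be treated as exposed and rotated, with the replacements read from a file outside the store, e.g. `systemd.services.navidrome.serviceConfig.EnvironmentFile = "/path/to/navidrome.env"; # placeholder path; holds ND_LASTFM_APIKEY, ND_LASTFM_SECRET, ND_SPOTIFY_ID, ND_SPOTIFY_SECRET`. The `beets-rename` oneshot sets no `User`/`Group`, so its daily `find ... -exec beet import` over /media/Music runs as root; `serviceConfig.User = "navidrome"; serviceConfig.Group = "media";` would keep it inside the media group this file already sets up. The commented-out allow list on the nginx location means the vhost accepts connections from any source and relies on the application login alone; if that is intentional, a one-line comment saying so would help the next reader.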
diff --git a/hosts/architect/network.nix b/hosts/architect/network.nix index b221803..ae670b5 100644 --- a/hosts/architect/network.nix +++ b/hosts/architect/network.nix @@ -44,6 +44,7 @@ rec { jacopo-wg = "10.3.0.28"; frznn-wg = "10.3.0.29"; ludo-wg = "10.3.0.30"; + parina-wg = "10.3.0.31"; eleonora-wg = "10.3.0.100"; angellane-wg = "10.3.0.200"; hotpottino-wg = "10.3.0.201"; @@ -52,10 +53,10 @@ rec { # groups gdevices-wg = - [ galuminum-wg oneplus-wg ipad-wg gbeast-wg peppiniell-wg padulino-wg ]; + [ galuminum-wg oneplus-wg ipad-wg gbeast-wg peppiniell-wg padulino-wg wolfsonhouse-wg ]; routers-wg = [ hotpottino-wg angellane-wg dodino-wg wolfsonhouse-wg ]; c2c-wg = [ ] ++ gdevices-wg; - towan-wg = [ shield-wg parisaphone-wg parisapc-wg ] ++ gdevices-wg + towan-wg = [ shield-wg parisaphone-wg parisapc-wg parina-wg ] ++ gdevices-wg ++ routers-wg; gamenet-wg = [ andrew-wg diff --git a/hosts/architect/nextcloud.nix b/hosts/architect/nextcloud.nix index 43322a7..0767279 100644 --- a/hosts/architect/nextcloud.nix +++ b/hosts/architect/nextcloud.nix @@ -14,7 +14,7 @@ in { enable = true; hostName = "${domain}"; https = true; - package = pkgs.unstable.nextcloud22; + package = pkgs.unstable.nextcloud23; caching.redis = true; diff --git a/hosts/architect/nzbget.nix b/hosts/architect/nzbget.nix index 57c214f..8875098 100644 --- a/hosts/architect/nzbget.nix +++ b/hosts/architect/nzbget.nix @@ -5,7 +5,10 @@ let network = import ./network.nix; in { services = { - nzbget.enable = true; + nzbget = { + enable = true; + group = "media"; + }; nginx.virtualHosts.${domain} = { forceSSL = true; diff --git a/hosts/architect/prosody.nix b/hosts/architect/prosody.nix new file mode 100644 index 0000000..0a189d3 --- /dev/null +++ b/hosts/architect/prosody.nix 
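Review bot: `wolfsonhouse-wg` is appended to `gdevices-wg`, and in this same commit `gdevices-wg` is the list expanded into nginx `allow` directives for the lidarr UI (and, by the same pattern, presumably its sibling hosts). The same address is also a member of `routers-wg`; if that peer forwards traffic for other hosts, everything behind it now passes those allow lists, which is a wider grant than adding one personal device. If that is intended, record it on the list, e.g. `# wolfsonhouse-wg is a router: hosts behind it are allowed too`; otherwise a separate list for router peers that need the UIs keeps the two roles apart.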
@@ -0,0 +1,41 @@ +{ lib, config, ... }: + +let + domain = "xmpp.giugl.io"; + conference_domain = "conference.${domain}"; + upload_domain = "uploads.${domain}"; + network = import ./network.nix; +in { + services = { + prosody = { + enable = true; + virtualHosts = { + "${domain}" = { + domain = domain; + enabled = true; + ssl.key = "${config.security.acme.certs.${domain}.directory}/key.pem"; + ssl.cert = + "${config.security.acme.certs.${domain}.directory}/fullchain.pem"; + }; + }; + + muc = [{ domain = conference_domain; }]; + uploadHttp = { domain = upload_domain; }; + + admins = [ "giulio@${domain}" ]; + httpInterfaces = [ "wg0" ]; + httpsInterfaces = [ "wg0" ]; + }; + }; + + services.nginx.virtualHosts."${domain}".enableACME = true; + #services.nginx.virtualHosts."${conference_domain}".enableACME = true; + #services.nginx.virtualHosts."${upload_domain}".enableACME = true; + + networking.extraHosts = '' + ${network.architect-lan} ${domain} + ${network.architect-wg} ${domain} + ''; + + users.groups.acme.members = [ "prosody" ]; +} diff --git a/hosts/architect/radarr.nix b/hosts/architect/radarr.nix index e9d56d8..2f6e8ca 100644 --- a/hosts/architect/radarr.nix +++ b/hosts/architect/radarr.nix @@ -5,7 +5,10 @@ let network = import ./network.nix; in { services = { - radarr.enable = true; + radarr = { + enable = true; + group = "media"; + }; nginx.virtualHosts.${domain} = { forceSSL = true; diff --git a/hosts/architect/sonarr.nix b/hosts/architect/sonarr.nix index 679b171..2776fbe 100644 --- a/hosts/architect/sonarr.nix +++ b/hosts/architect/sonarr.nix @@ -5,7 +5,10 @@ let network = import ./network.nix; in { services = { - sonarr.enable = true; + sonarr = { + enable = true; + group = "media"; + }; nginx.virtualHosts.${domain} = { forceSSL = true; diff --git a/hosts/architect/transmission.nix b/hosts/architect/transmission.nix index 3444c90..50a7b1d 100644 --- a/hosts/architect/transmission.nix +++ b/hosts/architect/transmission.nix 
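Review bot: `users.groups.acme.members = [ "prosody" ];` gives the prosody user read access to every certificate and private key the ACME module manages on this host, while the vhost only references `${config.security.acme.certs.${domain}.directory}`. The per-certificate option is the narrower grant: `security.acme.certs."${domain}".group = "prosody";`, optionally with `reloadServices = [ "prosody.service" ];`, limits access to the one key pair it needs. The MUC and upload domains are declared but their ACME entries are commented out, so unless their certificates are handled elsewhere clients of `conference.`/`uploads.` will be offered the parent certificate; a comment stating whether that is deliberate would help.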
@@ -1,4 +1,4 @@ -{ lib, config }: +{ lib, config, ... }: let domain = "httra.giugl.io"; @@ -7,6 +7,7 @@ in { services = { transmission = { enable = true; + group = "media"; settings = { download-dir = "/media/transmission"; incomplete-dir = "/media/transmission/.incomplete"; @@ -15,7 +16,6 @@ in { speed-limit-up = 10; speed-limit-up-enabled = true; peer-port = 51413; - umask = 2; }; performanceNetParameters = true; }; diff --git a/hosts/architect/wireguard.nix b/hosts/architect/wireguard.nix index 275b71a..3132611 100644 --- a/hosts/architect/wireguard.nix +++ b/hosts/architect/wireguard.nix @@ -31,6 +31,7 @@ with import ./network.nix; { ${wolfsonhouse-wg} wolfsonhouse.devs.giugl.io ${frznn-wg} frznn.devs.giugl.io ${ludo-wg} ludo.devs.giugl.io + ${parina-wg} parina.devs.giugl.io ''; wireguard = { @@ -242,6 +243,12 @@ with import ./network.nix; { allowedIPs = [ ludo-wg ]; publicKey = "ecrxdzx7tQZwMPxZOjHUvxZT2xY79B6XEDIW+fhEtEM="; } + + { + # parina + allowedIPs = [ parina-wg ]; + publicKey = "7nubNnfGsg4/7KemMDn9r99mNK8RFU9uOFFqaYv6rUA="; + } ]; }; };
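Review bot: Removing `umask = 2;` from `settings` while adding `group = "media";` changes the file-permission model in two directions at once, and the hunk does not say what modes downloaded files should end up with; the other services that now share the `media` group depend on those files staying group-readable. If the module default is the same value, a one-line comment would make that explicit, e.g. `# umask left at module default; downloads must stay group-readable for the media group`; if it is not, the line should be kept. The enclosing `services.transmission` block continues past the hunk.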