From 7bd60d982bb281ccfdca145512f0d0e7a460ad5b Mon Sep 17 00:00:00 2001
From: Giulio De Pasquale
Date: Wed, 6 Jul 2022 20:34:12 +0200
Subject: [PATCH] mah boh
---
 flake.lock | 20 ++++++-------
 flake.nix | 12 ++------
 hosts/architect/default.nix | 53 +++++++++++++++++----------------
 hosts/architect/dns.nix | 9 ++++--
 hosts/architect/docker.nix | 14 ++++-----
 hosts/architect/hardware.nix | 40 +++++++++++++------------
 hosts/architect/jellyfin.nix | 2 +-
 hosts/architect/navidrome.nix | 55 ++++++++++++++++++++++++++++++-----
 hosts/architect/network.nix | 12 ++++----
 hosts/architect/nextcloud.nix | 2 +-
 hosts/architect/nginx.nix | 4 ++-
 hosts/architect/wireguard.nix | 38 ++++++++++++------------
 12 files changed, 152 insertions(+), 109 deletions(-)
diff --git a/flake.lock b/flake.lock
index a6a789a..6751657 100644
--- a/flake.lock
+++ b/flake.lock
@@ -7,11 +7,11 @@
 ]
 },
 "locked": {
- "lastModified": 1639871969,
- "narHash": "sha256-6feWUnMygRzA9tzkrfAzpA5/NBYg75bkFxnqb1DtD7E=",
+ "lastModified": 1651519540,
+ "narHash": "sha256-3k6p8VsTwwRPQjE8rrMh+o2AZACZn/eeYJ7ivdQ/Iro=",
 "owner": "rycee",
 "repo": "home-manager",
- "rev": "697cc8c68ed6a606296efbbe9614c32537078756",
+ "rev": "d93d56ab8c1c6aa575854a79b9d2f69d491db7d0",
 "type": "github"
 },
 "original": {
@@ -23,27 +23,27 @@
 },
 "nixos-unstable": {
 "locked": {
- "lastModified": 1639699734,
- "narHash": "sha256-tlX6WebGmiHb2Hmniff+ltYp+7dRfdsBxw9YczLsP60=",
+ "lastModified": 1657132020,
+ "narHash": "sha256-MkDlX9c9FxgHsCAbtJtk92BKk2GjosrNPEePmbh1A4I=",
 "owner": "NixOS",
 "repo": "nixpkgs",
- "rev": "03ec468b14067729a285c2c7cfa7b9434a04816c",
+ "rev": "2039758aae57dbd5f2f4a6e79daa85a69441b544",
 "type": "github"
 },
 "original": {
 "owner": "NixOS",
- "ref": "nixos-unstable",
+ "ref": "master",
 "repo": "nixpkgs",
 "type": "github"
 }
 },
 "nixpkgs": {
 "locked": {
- "lastModified": 1639794673,
- "narHash": "sha256-bjauV0+Z4WmxeiHXecyiEOEwo+XysO6kx36beeatbl0=",
+ "lastModified": 1656782578,
+ "narHash": "sha256-1eMCBEqJplPotTo/SZ/t5HU6Sf2I8qKlZi9MX7jv9fw=",
 "owner": "NixOS",
 "repo": "nixpkgs",
- "rev": "2627c4b795107ba94562626925f5a9a2bc62ebc6",
+ "rev": "573603b7fdb9feb0eb8efc16ee18a015c667ab1b",
 "type": "github"
 },
 "original": {
diff --git a/flake.nix b/flake.nix
index a3c2eab..b2feb00 100644
--- a/flake.nix
+++ b/flake.nix
@@ -1,15 +1,14 @@ { inputs = { nixpkgs.url = "github:NixOS/nixpkgs/nixos-21.11"; - nixos-unstable.url = "github:NixOS/nixpkgs/nixos-unstable"; + nixos-unstable.url = "github:NixOS/nixpkgs/master"; home-manager = { url = "github:rycee/home-manager/release-21.11"; inputs.nixpkgs.follows = "nixpkgs"; }; - navidrome.url = "github:antifuchs/nixpkgs/fix-151550"; }; - outputs = inputs@{ self, nixpkgs, nixos-unstable, home-manager, navidrome}: + outputs = inputs@{ self, nixpkgs, nixos-unstable, home-manager}: let system = "x86_64-linux";
@@ -38,13 +37,6 @@ user = "giulio"; roles = [ ]; }]; - imports = [ - { - disabledModules = [ "services/audio/navidrome.nix" ]; - imports = - [ (navidrome + "/nixos/modules/services/audio/navidrome.nix") ]; - } - ]; }; gAluminum = host.mkHost { name = "gAluminum";
diff --git a/hosts/architect/default.nix b/hosts/architect/default.nix
index 73227a3..aa702df 100644
--- a/hosts/architect/default.nix
+++ b/hosts/architect/default.nix
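Review bot: `nixos-unstable.url` now follows `github:NixOS/nixpkgs/master` while the input is still called nixos-unstable; `master` receives commits before the channel's Hydra tests pass, so everything taken from `pkgs.unstable.*` (nextcloud24 in this same commit) can pick up untested builds, and the input name no longer describes what is pinned. If a particular fix on master is needed, pinning that revision (`github:NixOS/nixpkgs/<rev>`) records the reason and keeps later updates deliberate; otherwise `nixos-unstable` is the tested branch. Either way a comment on the line would help, e.g. `# follows master (not nixos-unstable): needed for <reason> — revert once it reaches the channel`. The `outputs` function continues outside the hunk.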
@@ -23,40 +23,29 @@ in { ./matrix.nix ./fail2ban.nix ./dns.nix - #./minecraft.nix + # ./minecraft.nix ./prowlarr.nix -# ./plex.nix - ./githubrunner.nix + # ./plex.nix + #./githubrunner.nix ./libreddit.nix ./invidious.nix ./nitter.nix ./ccache.nix ./lidarr.nix - ./navidrome.nix +# ./navidrome.nix ./jellyfin.nix ./prosody.nix ./deluge.nix -# ./calibre.nix + # ./calibre.nix ../../cachix.nix ./docker.nix ]; + nixpkgs.config.permittedInsecurePackages = [ "nodejs-12.22.12" ]; time.timeZone = "Europe/Rome"; system.stateVersion = "21.11"; # Did you read the comment? users.users.giulio.openssh.authorizedKeys.keys = pubkeys; - - services.fwupd.enable = true; boot = { - kernelParams = [ - "ip=${network.architect-lan}::10.0.0.1:255.255.255.0::${network.wan-if}:off" - "nvme_core.default_ps_max_latency_us=5500" - ]; - - kernel.sysctl= { - "net.ipv4.ip_forward" = 1; - "fs.protected_regular" = 0; - }; - initrd = { availableKernelModules = [ "igc" "r8169" ]; network = { @@ -64,22 +53,33 @@ in { ssh = { enable = true; port = 22; - hostKeys = [ /boot/ssh_host_rsa_key ]; + hostKeys = [ /secrets/ssh_host_rsa_key ]; authorizedKeys = pubkeys; }; - postCommands = '' - zpool import backedpool - zpool import zpool + # postCommands = '' + # zpool import backedpool -f + # zpool import zpool -f - mkdir /mnt-root - echo "zfs load-key -ar; mount -t zfs zpool/nixos/root /mnt-root; zfs load-key -a; umount /mnt-root; rmdir /mnt-root; killall zfs" >> /root/.profile - ''; + # echo "zfs load-key -ar; killall zfs" >> /root/.profile + # ''; }; }; + }; + + services.fwupd.enable = true; + boot = { + kernelParams = [ + "ip=${network.architect-lan}::10.0.0.1:255.255.255.0::${network.wan-if}:off" + "nvme_core.default_ps_max_latency_us=5500" + "zfs_arc_max=1073741824" + "memmap=32M$0x4ca6f9478" + ]; + + kernel.sysctl = { "net.ipv4.ip_forward" = 1; }; loader = { - systemd-boot ={ + systemd-boot = { enable = true; memtest86.enable = true; }; 
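Review bot: `nixpkgs.config.permittedInsecurePackages = [ "nodejs-12.22.12" ]` silences nixpkgs' end-of-life marking on Node.js 12 for the whole host without recording which service needs it or when the exception can go; add a comment such as `# nodejs-12 needed by <consumer> — drop once it builds against a supported nodejs`. `zfs_arc_max=1073741824` as a bare kernel parameter most likely has no effect, since parameters for a loadable module have to be namespaced (`zfs.zfs_arc_max=1073741824` on the command line, or `boot.extraModprobeConfig = "options zfs zfs_arc_max=1073741824";`). The `memmap=32M$0x4ca6f9478` reservation also deserves a one-line reason (it looks like a bad-RAM exclusion, but nothing says so). The commented-out `postCommands` now carry `zpool import -f`; if that block is revived, the force flag bypasses ZFS's hostid ownership check and should be justified. `boot` is declared twice in this hunk (initrd block and kernelParams block); Nix merges them, but one block is easier to audit.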
@@ -150,6 +150,9 @@ in { enable = true; passwordAuthentication = false; challengeResponseAuthentication = false; + extraConfig = '' + MaxAuthTries 15 + ''; }; smartd.enable = true; }; diff --git a/hosts/architect/dns.nix b/hosts/architect/dns.nix index 5629e26..3122a3e 100644 --- a/hosts/architect/dns.nix +++ b/hosts/architect/dns.nix @@ -1,10 +1,15 @@ { config, pkgs, lib, ... }: +let + adguard_port = "5300"; + dnsproxy_port = "5353"; +in { services = { dnsmasq = { enable = true; - servers = [ "127.0.0.1#5300" ]; + # adguard port + servers = [ "127.0.0.1#${adguard_port}" ]; extraConfig = '' localise-queries min-cache-ttl=120 @@ -20,7 +25,7 @@ dnscrypt-proxy2 = { enable = true; settings = { - listen_addresses = [ "127.0.0.1:5353" ]; + listen_addresses = [ "127.0.0.1:${dnsproxy_port}" ]; ipv4_servers = true; ipv6_servers = false; block_ipv6 = true; diff --git a/hosts/architect/docker.nix b/hosts/architect/docker.nix index 6e294da..9d1a8f9 100644 --- a/hosts/architect/docker.nix +++ b/hosts/architect/docker.nix @@ -1,10 +1,10 @@ { - virtualisation.docker = { - enable = true; - extraOptions = '' - --dns 127.0.0.1 --dns 10.0.0.250 --data-root /docker - ''; - enableOnBoot = false; - }; +# virtualisation.docker = { +# enable = true; +# extraOptions = '' +# --dns 127.0.0.1 --dns 10.0.0.250 --data-root /docker +# ''; +# enableOnBoot = false; +# }; users.users.giulio.extraGroups = [ "docker" ]; } diff --git a/hosts/architect/hardware.nix b/hosts/architect/hardware.nix index a5a1d5e..be5ffa2 100644 --- a/hosts/architect/hardware.nix +++ b/hosts/architect/hardware.nix 
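Review bot: `MaxAuthTries 15` more than doubles the per-connection authentication attempts sshd allows (default 6); with password and challenge-response auth already off this mainly lets a client offering many agent keys get through, but it also gives every connection more attempts before sshd disconnects and logs the failure lines that the imported fail2ban presumably matches on. If the motivation is a client with many keys, `IdentitiesOnly yes` in that client's ssh_config is the narrower fix; otherwise a comment should record why 15, e.g. `# raised from the default 6: <client> offers many agent keys before the right one`. The enclosing `services` block starts outside the hunk.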
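Review bot: `adguard_port` and `dnsproxy_port` are strings, which works for the `"127.0.0.1#..."` and `"127.0.0.1:..."` interpolations here, but the same values will presumably be needed as integers wherever AdGuard Home and the listening side are configured (not in this file), so defining them as `adguard_port = 5300;` and interpolating with `${toString adguard_port}` keeps one source of truth usable for both. Nothing in this file refers to the dnscrypt-proxy listener on `127.0.0.1:${dnsproxy_port}`, so how dnsmasq → AdGuard → dnscrypt-proxy is chained is not visible here; a one-line comment at the `let` describing the resolver chain would make the two ports self-explanatory. The `dnscrypt-proxy2` block continues outside the second hunk.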
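Review bot: Docker is disabled (the whole `virtualisation.docker` block is commented out) but `users.users.giulio.extraGroups = [ "docker" ]` is kept; membership of the docker group is effectively root-equivalent whenever the daemon runs, so it is better to comment the line out together with the service and restore both at once, e.g. `# users.users.giulio.extraGroups = [ "docker" ];`. If docker is meant to be toggled often, a single `enable` value in a `let` binding used by both attributes would keep them in step. The enclosing attribute set is fully inside the hunk.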
@@ -6,22 +6,22 @@ { imports = [ (modulesPath + "/installer/scan/not-detected.nix") ]; - boot.initrd.availableKernelModules = - [ "nvme" "xhci_pci" "ahci" "usbhid" "usb_storage" "sd_mod" ]; - boot.initrd.kernelModules = [ ]; boot.kernelModules = [ "kvm-amd" ]; boot.extraModulePackages = [ ]; fileSystems."/" = { - device = "zpool/nixos/root"; - fsType = "zfs"; + device = "/dev/disk/by-uuid/28ce6650-de21-4c1d-ae42-95d1e3507740"; + fsType = "ext4"; }; - fileSystems."/home" = { - device = "zpool/data/home"; - fsType = "zfs"; + fileSystems."/boot" = { + device = "/dev/disk/by-uuid/B790-869D"; + fsType = "vfat"; }; + hardware.cpu.amd.updateMicrocode = + lib.mkDefault config.hardware.enableRedistributableFirmware; + fileSystems."/media" = { device = "datapool/media"; fsType = "zfs"; @@ -32,19 +32,21 @@ fsType = "zfs"; }; - fileSystems."/var/lib" = { + fileSystems."/services" = { device = "backedpool/services"; fsType = "zfs"; }; - - fileSystems."/boot" = { - device = "/dev/disk/by-uuid/AF19-5616"; - fsType = "vfat"; + boot = { + initrd.luks.devices = { + root = { + device = "/dev/disk/by-uuid/bdd5f111-ecec-48d8-861f-94083098c724"; + preLVM = true; + allowDiscards = true; + fallbackToPassword = true; + }; + }; + initrd.availableKernelModules = + [ "nvme" "xhci_pci" "ahci" "usbhid" "usb_storage" "sd_mod" ]; + initrd.kernelModules = [ "dm-snapshot" ]; }; - - swapDevices = [{ - device = "/dev/sdc1"; - size = 10000; - }]; - } diff --git a/hosts/architect/jellyfin.nix b/hosts/architect/jellyfin.nix index b84ded5..90fd949 100644 --- a/hosts/architect/jellyfin.nix +++ b/hosts/architect/jellyfin.nix 
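Review bot: The new LUKS container `boot.initrd.luks.devices.root` sets `allowDiscards = true` and `fallbackToPassword = true` without comment: discards pass TRIM through the encryption layer, which is usually wanted on an SSD but reveals which blocks are unused to anyone reading the raw device, and `fallbackToPassword` only matters when a `keyFile` is configured, which this hunk does not set (if it is set elsewhere, ignore that part). A short comment on the device block would record the choice, e.g. `# allowDiscards: accept the free-space leak for SSD TRIM; no keyFile here, so fallbackToPassword is a no-op unless one is added`. The removed `swapDevices` block leaves the host without swap, which nothing else in the commit mentions.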
@@ -19,7 +19,7 @@ in { enableACME = true; extraConfig = '' # External Javascript (such as cast_sender.js for Chromecast) must be whitelisted. - add_header Content-Security-Policy "default-src https: data: blob: http://image.tmdb.org; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' https://www.gstatic.com/cv/js/sender/v1/cast_sender.js https://www.gstatic.com/eureka/clank/95/cast_sender.js https://www.gstatic.com/eureka/clank/96/cast_sender.js https://www.gstatic.com/eureka/clank/97/cast_sender.js https://www.youtube.com blob:; worker-src 'self' blob:; connect-src 'self'; object-src 'none'; frame-ancestors 'self'"; + #add_header Content-Security-Policy "default-src https: data: blob: http://image.tmdb.org; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' https://www.gstatic.com/cv/js/sender/v1/cast_sender.js https://www.gstatic.com/eureka/clank/95/cast_sender.js https://www.gstatic.com/eureka/clank/96/cast_sender.js https://www.gstatic.com/eureka/clank/97/cast_sender.js https://www.youtube.com blob:; worker-src 'self' blob:; connect-src 'self'; object-src 'none'; frame-ancestors 'self'"; # Disable buffering when the nginx proxy gets very resource heavy upon streaming proxy_buffering off; ''; diff --git a/hosts/architect/navidrome.nix b/hosts/architect/navidrome.nix index 58f3166..2803c1a 100644 --- a/hosts/architect/navidrome.nix +++ b/hosts/architect/navidrome.nix @@ -3,13 +3,15 @@ let domain = "music.giugl.io"; network = import ./network.nix; + library_path = "/media/Music"; + beets_config = "/media/beets.conf"; in { services = { navidrome = { enable = true; settings = { - MusicFolder = "/media/Music"; + MusicFolder = library_path; LastFM.enable = true; LastFM.ApiKey = "5cef5cb5f9d31326b97d0f929ca9cf20"; LastFM.Secret = "d1296896126f4caae47407aecf080b25"; 
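Review bot: Commenting out `add_header Content-Security-Policy ...` removes the only XSS/injection mitigation this vhost applied, with no note of what broke, and the comment above it still says external JavaScript "must be whitelisted", which is now misleading. If a Cast or image source was being blocked, widen that one directive (add the host to `script-src` or `default-src`) rather than dropping the policy, or at least record the reason next to the disabled line, e.g. `# CSP disabled <date>: <what broke>; re-enable once the missing source is whitelisted`. The enclosing `virtualHosts` entry starts outside the hunk.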
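Review bot: The `settings` block this hunk edits still carries `LastFM.ApiKey` and `LastFM.Secret` as literals; Nix writes the generated navidrome config into the world-readable store, so the secret is readable by every local user and by anyone with the repository. Since `library_path` and `beets_config` are being pulled into the `let` anyway, this is the moment to move the two LastFM values to a file outside the store (navidrome reads its config from a path, and the host already uses `/secrets/` for other key material) and reference it instead. The `navidrome` attribute set continues outside the hunk.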
@@ -34,14 +36,51 @@ in { }; }; - systemd.services."beets-rename" = { - enable = true; - serviceConfig = { - Type = "oneshot"; - ExecStart = - "${pkgs.findutils}/bin/find /media/Music -type d -mindepth 2 -maxdepth 2 -exec ${pkgs.beets}/bin/beet -c /media/config.conf import --flat -q {} \\;"; + systemd.services = { + "beets-update" = { + enable = true; + # requires = [ "remove-badmp3.service" "remove-badflac.service" ]; + before = [ "beets-import.service" ]; + serviceConfig = { + Type = "oneshot"; + ExecStart = "${pkgs.beets}/bin/beet -c ${beets_config} update"; + }; + }; + + "beets-import" = { + enable = true; + path = [ pkgs.imagemagick ]; + requires = [ "beets-update.service" ]; + after = [ "beets-update.service" ]; + serviceConfig = { + Type = "oneshot"; + ExecStart = + "${pkgs.beets}/bin/beet -c ${beets_config} import --flat -q ${library_path}"; + }; + startAt = "daily"; + }; + + "remove-badmp3" = { + enable = true; + before = [ "beets-import.service" "beets-update.service" ]; + serviceConfig = { + Type = "oneshot"; + ExecStart = '' + ${pkgs.findutils}/bin/find ${library_path} -name "*.mp3" -type f -exec ${pkgs.bash}/bin/sh -c '${pkgs.mp3val}/bin/mp3val "{}" | grep -Pi error 1>/dev/null && ${pkgs.busybox}/bin/rm "{}"' \; + ''; + }; + }; + + "remove-badflac" = { + enable = true; + before = [ "beets-import.service" "beets-update.service" ]; + serviceConfig = { + Type = "oneshot"; + ExecStart = '' + ${pkgs.findutils}/bin/find ${library_path} -name "*.flac" -type f -exec ${pkgs.bash}/bin/sh -c '${pkgs.flac}/bin/flac -st "{}" || ${pkgs.busybox}/bin/rm "{}"' \; + ''; + }; }; - startAt = "daily"; }; networking.extraHosts = '' diff --git a/hosts/architect/network.nix b/hosts/architect/network.nix index 45bb1ec..c3a8f9d 100644 --- a/hosts/architect/network.nix +++ b/hosts/architect/network.nix 
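Review bot: Both new `ExecStart` lines in `remove-badmp3` and `remove-badflac` splice the path found by `find` into the `sh -c` script via `{}`, so a file whose name contains a double quote, `$(`, a backtick or `;` is executed as shell code by a oneshot service that appears to run as root (no `User=`), and the library is populated by downloads (lidarr is imported in default.nix), i.e. by names chosen elsewhere. Pass the path as a positional argument instead, so the shell never parses it: `... -exec ${pkgs.bash}/bin/sh -c '${pkgs.mp3val}/bin/mp3val "$1" | grep -Pi error 1>/dev/null && ${pkgs.busybox}/bin/rm "$1"' sh {} \;` and `... -exec ${pkgs.bash}/bin/sh -c '${pkgs.flac}/bin/flac -st "$1" || ${pkgs.busybox}/bin/rm "$1"' sh {} \;`. Neither unit has a `startAt`, a `wantedBy` or a requiring dependency (the `requires` in `beets-update` is commented out), and `before =` alone does not pull a unit in, so as written they only run when started by hand — state that, or wire them in, next to the commented line. A `User=` on these services would also bound what a mis-detected file can delete.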
@@ -49,19 +49,19 @@ rec { parina-wg = "10.3.0.31"; nilo-wg = "10.3.0.32"; parina-ipad-wg = "10.3.0.33"; + kclvm-wg = "10.3.0.34"; eleonora-wg = "10.3.0.100"; - angellane-wg = "10.3.0.200"; + angellane-wg = "10.3.0.203"; hotpottino-wg = "10.3.0.201"; dodino-wg = "10.3.0.202"; - wolfsonhouse-wg = "10.3.0.203"; # groups gdevices-wg = - [ galuminum-wg oneplus-wg ipad-wg gbeast-wg peppiniell-wg padulino-wg wolfsonhouse-wg ]; - routers-wg = [ hotpottino-wg angellane-wg dodino-wg wolfsonhouse-wg ]; + [ galuminum-wg oneplus-wg gbeast-wg peppiniell-wg kclvm-wg ] ++ routers-wg; + routers-wg = [ hotpottino-wg angellane-wg dodino-wg ]; c2c-wg = [ ] ++ gdevices-wg; - towan-wg = [ shield-wg parisaphone-wg parisapc-wg parina-wg parina-ipad-wg ] ++ gdevices-wg - ++ routers-wg; + towan-wg = [ shield-wg parisaphone-wg parisapc-wg parina-wg parina-ipad-wg ] + ++ gdevices-wg ++ routers-wg; gamenet-wg = [ andrew-wg galuminum-wg diff --git a/hosts/architect/nextcloud.nix b/hosts/architect/nextcloud.nix index 0767279..3b80b14 100644 --- a/hosts/architect/nextcloud.nix +++ b/hosts/architect/nextcloud.nix @@ -14,7 +14,7 @@ in { enable = true; hostName = "${domain}"; https = true; - package = pkgs.unstable.nextcloud23; + package = pkgs.unstable.nextcloud24; caching.redis = true; diff --git a/hosts/architect/nginx.nix b/hosts/architect/nginx.nix index 0e26f37..e600db3 100644 --- a/hosts/architect/nginx.nix +++ b/hosts/architect/nginx.nix @@ -30,7 +30,9 @@ # }; # }; # }; + appendConfig = '' + worker_processes 24; + ''; }; - users.groups.acme.members = [ "nginx" ]; } diff --git a/hosts/architect/wireguard.nix b/hosts/architect/wireguard.nix index 7fbd70d..f8e089a 100644 --- a/hosts/architect/wireguard.nix +++ b/hosts/architect/wireguard.nix 
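Review bot: `kclvm-wg` goes straight into `gdevices-wg`, and `gdevices-wg` now also absorbs all of `routers-wg`, so the new VM (and every router) inherits whatever `c2c-wg` and `towan-wg` are permitted wherever those groups are consumed (the firewall rules are not in this hunk). That is a wider grant than a single-host address suggests; if the VM only needs the towan or gamenet reach, listing it there directly keeps the groups meaning what their names say. `angellane-wg` also takes over `10.3.0.203`, the address `wolfsonhouse-wg` used to hold — a comment such as `# 10.3.0.203 reassigned from wolfsonhouse to angellane` would save the next reader a git blame. The `rec` set continues outside the hunk.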
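Review bot: `worker_processes 24;` hardcodes this machine's core count into a host config that can move; nginx's `worker_processes auto;` derives it at start-up and is the usual setting. Removing `users.groups.acme.members = [ "nginx" ]` is presumably safe because the NixOS nginx module provisions certificates readable by nginx's own group when `enableACME` is used (as jellyfin.nix does), but that is worth a quick check on the running host, since a wrong guess means the vhosts fail to load their certificates. The enclosing `services.nginx` block starts outside the hunk.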
@@ -28,25 +28,25 @@ with import ./network.nix; { ${mikey-wg} mikey.devs.giugl.io ${andrew-wg} andrew.devs.giugl.io ${mikeylaptop-wg} mikeylaptop.devs.giugl.io - ${wolfsonhouse-wg} wolfsonhouse.devs.giugl.io ${frznn-wg} frznn.devs.giugl.io ${ludo-wg} ludo.devs.giugl.io ${parina-wg} parina.devs.giugl.io ${parina-ipad-wg} parinaipad.devs.giugl.io ${nilo-wg} nilo.devs.giugl.io + ${kclvm-wg} kclvm.devs.giugl.io ''; wireguard = { - interfaces.${proxy-if} = { - ips = [ "10.4.0.2/32" ]; - privateKeyFile = "/secrets/wireguard/proxy.key"; - peers = [{ - publicKey = "WmJBpXpYebcmJEF8nVTKMqQK01KyBe42vzc38K66rVs="; - allowedIPs = [ "10.4.0.1/32" ]; - endpoint = "giugl.io:1195"; - persistentKeepalive = 21; - }]; - }; + # interfaces.${proxy-if} = { + # ips = [ "10.4.0.2/32" ]; + # privateKeyFile = "/secrets/wireguard/proxy.key"; + # peers = [{ + # publicKey = "WmJBpXpYebcmJEF8nVTKMqQK01KyBe42vzc38K66rVs="; + # allowedIPs = [ "10.4.0.1/32" ]; + # endpoint = "giugl.io:1195"; + # persistentKeepalive = 21; + # }]; + # }; interfaces.${vpn-if} = { listenPort = 1194; @@ -120,12 +120,6 @@ with import ./network.nix; { publicKey = "bzoW3Rx+7Un9hx/2opgBQJmmnZ/hgj1lQ2FnonCHjTc="; } - { - # angellane - allowedIPs = [ angellane-wg ]; - publicKey = "MZ+nZklHpBxTL7QN9QJpBBx7yOYRZLONfvqAnuk85x0="; - } - { # hotpottino allowedIPs = [ hotpottino-wg ]; @@ -199,8 +193,8 @@ with import ./network.nix; { } { - # wolfsonhouse - allowedIPs = [ wolfsonhouse-wg ]; + # angel-lane + allowedIPs = [ angellane-wg ]; publicKey = "UJRJcAOcnEjEB3o4K2I7gEM97SrhENEesZNf28z+EBQ="; } @@ -263,6 +257,12 @@ with import ./network.nix; { allowedIPs = [ parina-ipad-wg ]; publicKey = "ezkCzl2qC7Hd7rFKfqMa0JXDKRhVqy79H52rA06x7mU="; } + + { + # kcl vm + allowedIPs = [ kclvm-wg ]; + publicKey = "jVBaY8AhgAA7myVjU/PJPDUCOjsCi23LT+pGZUoNEkE="; + } ]; }; };
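Review bot: In the third hunk the peer relabelled `# angel-lane` keeps the public key `UJRJcAOcnEjEB3o4K2I7gEM97SrhENEesZNf28z+EBQ=` that was previously the wolfsonhouse peer, while the earlier angellane peer (key `MZ+nZklHpBxTL7QN9QJpBBx7yOYRZLONfvqAnuk85x0=`) is removed in the second hunk; together with network.nix this reads as the wolfsonhouse device being renamed to angellane, but nothing says so, and a reader cannot tell a rename from an accidental key swap. A comment on the peer, e.g. `# angel-lane (formerly wolfsonhouse; same device and key)`, would settle it, and the old `MZ+n…` key should be confirmed as retired rather than just dropped. The disabled proxy interface in the first hunk still carries its peer endpoint and private-key path in comments, which is harmless but will rot; the `# kcl vm` peer in the last hunk is fine as written. The `peers` list starts outside the hunks.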