commit 237853b5906aa9ad147862ae37429750a83b989c Author: tootbrute Date: Sat Nov 8 14:18:13 2025 +0800 reinstall diff --git a/FUTURE-SERVER.md b/FUTURE-SERVER.md new file mode 100644 index 0000000..0cbf148 --- /dev/null +++ b/FUTURE-SERVER.md @@ -0,0 +1,27 @@ +# FUTURE SERVER +One day, I would like to move off of Yunohost and do this all by myself. + +Steps I would need to take. + +1. Backup Data +- all data is on ZFS mirrors, no action needed +- other configuration not important +2. Install NixOS +- install with zfs-on-root, encryption enabled +3. Import ZFS Pools +- /mnt/hermes +4. Install Reverse proxy +- caddy-dns-gandi on github +5. Setup services +- user docker or nixos services +- tailscale +- calibre-web +- jellyfin +- immich-photos +- nextcloud (*!) +- whoogle +6. Setup Backups +- zfs mirror pool (name?) + +# Other Considerations +- where to setup docker stuff? diff --git a/README.md b/README.md new file mode 100644 index 0000000..3d46cd1 --- /dev/null +++ b/README.md 
@@ -0,0 +1,49 @@ +# NixOS - Knossos + +My test system. + +## Goals +- Learn NixOS. +- Attempt to make basic media homelab, a la [Yunohost](https://yunohost.org/)[^1]...but declarative, reproducable +- Try to avoid Docker +- No flakes + +## Tasks +- [X] ZFS for root file system +- [X] Tailscale +- [X] VPS Caddy reverse proxy --> NixOS machine +- [X] Setup Jellyfin +- [X] Setup calibre-web +- [X] Setup Transmission +- [ ] Setup Nextcloud +- [ ] Setup systemwide auth system - LDAP? OAuth? OR don't do this + +## System Information +``` + ▗▄▄▄ ▗▄▄▄▄ ▄▄▄▖ tootbrute@knossos + ▜███▙ ▜███▙ ▟███▛ ------------- + ▜███▙ ▜███▙▟███▛ OS: NixOS 24.11 (Vicuna) x86_64 + ▜███▙ ▜██████▛ Host: 10115 (IdeaCenter Q190) + ▟█████████████████▙ ▜████▛ ▟▙ Kernel: Linux 6.6.84 + ▟███████████████████▙ ▜███▙ ▟██▙ Uptime: 20 hours, 42 mins + ▄▄▄▄▖ ▜███▙ ▟███▛ Packages: 621 (nix-system) + ▟███▛ ▜██▛ ▟███▛ Shell: bash 5.2.37 + ▟███▛ ▜▛ ▟███▛ Terminal: /dev/pts/0 +▟███████████▛ ▟██████████▙ CPU: Intel(R) Core(TM) i3-2365M (4) @ 1.40 GHz +▜██████████▛ ▟███████████▛ GPU: Intel 2nd Generation Core Processor Family Integrated Graphics Controller @ 1.00 GHz [Integrated] + ▟███▛ ▟▙ ▟███▛ Memory: 4.46 GiB / 7.66 GiB (58%) + ▟███▛ ▟██▙ ▟███▛ Swap: 0 B / 4.00 GiB (0%) + ▟███▛ ▜███▙ ▝▀▀▀▀ Disk (/): 2.00 MiB / 888.65 GiB (0%) - zfs + ▜██▛ ▜███▙ ▜██████████████████▛ Local IP (wlp3s0): 192.168.15.218/24 + ▜▛ ▟████▙ ▜████████████████▛ Locale: en_US.UTF-8 + ▟██████▙ ▜███▙ + ▟███▛▜███▙ ▜███▙ + ▟███▛ ▜███▙ ▜███▙ + ▝▀▀▀ ▀▀▀▀▘ ▀▀▀▘ +``` + +## Future Checklist when Moving to New Server +When I do eventually make a new server, or this server needs a whole reinstall. What steps will I need to do? +[Future Server Checklist](FUTURE-SERVER.md) + +[^1]: No shade on [Yunohost](https://yunohost.org/). It's a great project and got me into self-hosting. I just want to see if I can spread my wings and fly. Setting up a new Debian server from scratch is kinda annoying. I'd rather not do that again. 
diff --git a/TODO.txt b/TODO.txt
new file mode 100644
index 0000000..9cde911
--- /dev/null
+++ b/TODO.txt
@@ -0,0 +1,5 @@
+nextcloud is removed ATM
+
+purge it from all parts of the system
+
+go back into GIT history and find nextcloud that worked
diff --git a/VPS-caddy/Caddyfile b/VPS-caddy/Caddyfile
new file mode 100644
index 0000000..97e1593
--- /dev/null
+++ b/VPS-caddy/Caddyfile
@@ -0,0 +1,30 @@
+{
+ email youremail@email.com
+}
+
+
+*.home.mydomain.com {
+
+ vars {
+ # IP address of My Tailscale Server
+ tailscale_ip 100.0.0.0
+ }
+
+ tls {
+ dns gandi APIKEYHERE
+ }
+
+ @jellyfin host jellyfin.home.mydomain.com
+ handle @jellyfin {
+ reverse_proxy {vars.tailscale_ip}:8096
+ }
+ @books host books.home.mydomain.com
+ handle @books {
+ reverse_proxy {vars.tailscale_ip}:8083
+ }
+ # Fallback for otherwise unhandled domains
+ handle {
+ abort
+ }
+}
+
diff --git a/VPS-caddy/DNS-settings b/VPS-caddy/DNS-settings
new file mode 100644
index 0000000..fb0ee6c
--- /dev/null
+++ b/VPS-caddy/DNS-settings
@@ -0,0 +1,20 @@
+# If your main domain is mydomain.com, the following settings will
+# setup a wildcard setting so you can use *.home.mydomain.com for all your services.
+# For example: jellyfin.home.mydomain.com / books.home.mydomain.com etc.
+
+```
+DNS SETTINGS
+--------------------
+NAME TYPE TTL VALUE
+--------------------
+* A 3600 183.11.113.0
+
+# A record that makes all requests go to mydomain.com
+
+*.home A 183.11.113.0
+
+# A record that setups a subdomain so immich.home.mydomain.com or jellyfin.home.mydomain.com can be used.
+```
+
+# I set this up on a subdomain so I can use the main domain for other servers.
+# Maybe I have a server called ninja, I could setup another A record for *.ninja and have jellyfin.ninja.mydomain.com
diff --git a/VPS-caddy/Dockerfile b/VPS-caddy/Dockerfile
new file mode 100644
index 0000000..4bbd555
--- /dev/null
+++ b/VPS-caddy/Dockerfile
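Review bot: The `tls { dns gandi APIKEYHERE }` block takes the Gandi API token as a literal inside a file that is committed and mounted read-only into the container, so the real token would end up in git the first time the placeholder is filled in. docker-compose.yml already loads `secrets.env`, so read it from the environment instead: `dns gandi {env.GANDI_API_TOKEN}`. The `vars` block's `tailscale_ip 100.0.0.0` is also a placeholder; a one-line comment above `tls` such as `# GANDI_API_TOKEN comes from secrets.env; never put the token in this file` would stop a copy-paste of the real key. The catch-all `handle { abort }` is the right default for a wildcard site.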
@@ -0,0 +1,8 @@
+FROM caddy:2.8.4-builder-alpine AS builder
+
+RUN xcaddy build \
+--with github.com/caddy-dns/gandi
+
+FROM caddy:2.8.4-alpine
+
+COPY --from=builder /usr/bin/caddy /usr/bin/caddy
diff --git a/VPS-caddy/README.md b/VPS-caddy/README.md
new file mode 100644
index 0000000..14d1cdd
--- /dev/null
+++ b/VPS-caddy/README.md
@@ -0,0 +1,8 @@
+# Run Your Homelab Behind your VPS
+https://blog.arkadi.one/p/run-your-homelab-behind-your-vps/
+
+## Files in this directory:
+- Dockerfile - to build a custom Caddy executable with gandi registrar module
+- docker-compose.yml - to run Caddy
+- Caddyfile - your caddy settings for a wildcard DNS
+- DNS-settings - gives you an idea how to setup your DNS for wildcard certificates
diff --git a/VPS-caddy/docker-compose.yml b/VPS-caddy/docker-compose.yml
new file mode 100644
index 0000000..c0a04c7
--- /dev/null
+++ b/VPS-caddy/docker-compose.yml
@@ -0,0 +1,23 @@
+services:
+ caddy:
+ build: .
+ container_name: Caddy
+ cap_add:
+ - NET_ADMIN
+ ports:
+ - 80:80
+ - 443:443
+ - 443:443/udp
+ env_file:
+ - secrets.env
+ volumes:
+ # I don't like using Docker volumes
+ - ./Caddyfile:/etc/caddy/Caddyfile:ro
+ - ./data:/data
+ - ./config:/config
+ restart: unless-stopped
+ networks:
+ - caddy
+networks:
+ caddy:
+ name: caddy
diff --git a/configuration.nix b/configuration.nix
new file mode 100644
index 0000000..c796cbd
--- /dev/null
+++ b/configuration.nix
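Review bot: `--with github.com/caddy-dns/gandi` on the `RUN xcaddy build` line carries no version, so each rebuild pulls whatever the module's current default branch is into a binary that holds the registrar API token — an unpinned dependency on the most sensitive path of this setup. Pin it the way the base images are pinned, e.g. `--with github.com/caddy-dns/gandi@<release tag>` (pick a tag from the module's releases), and consider pinning the two `caddy:2.8.4-*` images by digest as well so the build is reproducible.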
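Review bot: `cap_add: - NET_ADMIN` lets the Caddy container reconfigure the host network namespace (routes, firewall rules), and nothing visible in the Caddyfile needs that — Caddy only binds 80/443 and proxies outbound; drop the `cap_add` block unless a specific plugin documents the requirement. `secrets.env` is loaded but nothing here says it must stay out of the repo, and `./data` will hold the issued wildcard certificate and private key; a `.gitignore` entry for both and a comment such as `# secrets.env (GANDI_API_TOKEN) and ./data (TLS keys) must never be committed` would make that explicit, given that the README presents this directory as a template to copy.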
@@ -0,0 +1,196 @@ +{ config, pkgs, ... }: +# NixOS Homelab +# =================== +# The goal of this build is to get a basic good setup in NixOS that +# does similiar things to something like Yunohost but in a +# declarative fashion. +# +# Comments or suggestions to https://fedi.arkadi.one/@tootbrute + +{ + imports = + [ # Include the results of the hardware scan. + ./hardware-configuration.nix +# ./services/jellyfin.nix +# ./services/calibre-web.nix +# ./services/glances.nix +# ./services/fail2ban.nix +# ./services/transmission.nix + # ./services/nextcloud.nix + ]; + # Bootloader. + boot.loader.grub.enable = true; + boot.loader.grub.device = "/dev/sda"; + boot.loader.grub.useOSProber = true; + + # Nix settings + nix = { + settings = { + #experimental-features = [ "nix-command" "flakes" ]; + download-buffer-size = "4G"; + warn-dirty = false; + }; + # garbage collection + gc = { + automatic = true; + }; + optimise = { + automatic = true; + }; + }; + + # Networking + networking.hostName = "knossos"; # Define your hostname. + networking.wireless.enable = true; # Enables wireless support via wpa_supplicant. + + networking.wireless.networks = { + # SSID with spaces and/or special characters + "Suntek_188" = { + psk = "0226203850"; + }; + }; + + # Enable networking + #networking.networkmanager.enable = true; + + # Set your time zone. + time.timeZone = "Asia/Taipei"; + + # Select internationalisation properties. + i18n.defaultLocale = "en_US.UTF-8"; + + i18n.extraLocaleSettings = { + LC_ADDRESS = "zh_TW.UTF-8"; + LC_IDENTIFICATION = "zh_TW.UTF-8"; + LC_MEASUREMENT = "zh_TW.UTF-8"; + LC_MONETARY = "zh_TW.UTF-8"; + LC_NAME = "zh_TW.UTF-8"; + LC_NUMERIC = "zh_TW.UTF-8"; + LC_PAPER = "zh_TW.UTF-8"; + LC_TELEPHONE = "zh_TW.UTF-8"; + LC_TIME = "zh_TW.UTF-8"; + }; + + nix.settings.experimental-features = [ "nix-command" "flakes" ]; + + # Define a user account. Don't forget to set a password with ‘passwd’. 
+ users.users.elias = { + isNormalUser = true; + description = "Tootbrute"; + extraGroups = [ "networkmanager" "wheel" "docker" "elias" ]; + openssh.authorizedKeys.keys = [ + "ssh-rsa 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 elias@socrates" #acer at school + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGfnE4JwpIyghoFYurZLjFkzc5G4l1FeS76yYITg9wUB elias@tux" #little hp - tux + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIH0Q/NC0RHEUjx2WHrZPw0xnCjOCFv5uz53099lknZmG elias@fedora" #desktop + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIL3Ihu9CsCL17FuHl6EqyMDT5BPjh8GlLTWHM+Y1D1I7 elias@bluenix" #bluenix + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILv96m1nCz3D0lzjzeGa+n4m3krEyl7KZ0tstjIZdTkq elias@bluefin" #acer + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIK8zlxSVOTCnAgb4U5vkC3ietH3Jd9gLE+FA6UOZp64J elias@arkadi.one" + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKWN6eeLFbtRJDEebSjoI8FaDOA5bmIzbyTUvX/hPWdh elias@greynix" #asus - greynix + ]; + linger = true; + packages = with pkgs; []; + }; + + # SSH Login Message + users.motd = " + + || + || + || //` `||''|, .|''|, ('''' ('''' .|''|, ('''' + ||<< || || || || `'') `'') || || `'') + .|| \\. .|| ||. `|..|' `...' `...' `|..|' `...' + +"; + + # Disable sudo password for the wheel group + security.sudo.wheelNeedsPassword = false; + + # Allow unfree packages + nixpkgs.config.allowUnfree = true; + + # List packages installed in system profile. To search, run: + # $ nix search wget + environment.systemPackages = with pkgs; [ + wget + fastfetch + htop + btop + hollywood + curl + wget + restic + git + neovim + emacs + + tmux #like screen + wiper #like ncdu + systemctl-tui #systemd tui + + tcpdump #for wireguard test + + ]; + + # List services that you want to enable: + + # Enable the OpenSSH daemon. 
+ services.openssh.enable = true; + + # Tailscale + services.tailscale = { + enable = true; + #permitCertUid = "caddy"; + }; + + # Cron + services.cron.enable = true; + services.cron.systemCronJobs = [ + "00 * * * * root curl https://hc-ping.com/0bbb3afb-196a-4d12-894f-599099029cfc" + ]; + + # Docker + # maybe I don't need? haven't used Docker yet. Disabled for now + + virtualisation = { + docker = { + enable = true; + autoPrune = { + enable = true; + dates = "weekly"; + }; +# rootless = { +# enable = true; +# setSocketVariable = true; +# }; + }; + }; + + # Open ports in the firewall. + # networking.firewall.allowedTCPPorts = [ ... ]; + # networking.firewall.allowedUDPPorts = [ ... ]; + # Or disable the firewall altogether. + # networking.firewall.enable = false; + + networking.firewall = { + # enable the firewall + enable = true; + + # allow all ports from your Tailscale network + trustedInterfaces = [ "tailscale0" ]; + #or allow you to SSH in over the public internet + allowedTCPPorts = [ 22 80 443 ]; + + # allow the Tailscale UDP port through the firewall + allowedUDPPorts = [ config.services.tailscale.port ]; + + }; + + # This value determines the NixOS release from which the default + # settings for stateful data, like file locations and database versions + # on your system were taken. It‘s perfectly fine and recommended to leave + # this value at the release version of the first install of this system. + # Before changing this value read the documentation for this option + # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html). + system.stateVersion = "24.11"; # Did you read the comment? + +} diff --git a/hardware-configuration.nix b/hardware-configuration.nix new file mode 100644 index 0000000..e382aeb --- /dev/null +++ b/hardware-configuration.nix 
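Review bot: `networking.wireless.networks."Suntek_188".psk = "0226203850"` commits the Wi-Fi passphrase to the repo and, because NixOS renders declared networks into a wpa_supplicant config inside the world-readable Nix store, exposes it to every local user as well; rotate the PSK (it is in git history now) and load it from outside the store, e.g. `networking.wireless.secretsFile = "/var/lib/secrets/wireless.env";` with `"Suntek_188".pskRaw = "ext:psk_suntek";` (confirm the `secretsFile`/`ext:` mechanism exists in the 24.11 module; the older `environmentFile` form serves the same purpose). `allowedTCPPorts = [ 22 80 443 ]` publishes sshd and two web ports on the LAN/WAN even though `tailscale0` is already a trusted interface and the VPS reaches this box over Tailscale; if 22 stays open, add `services.openssh.settings.PasswordAuthentication = false;` since every login here is key-based anyway. `security.sudo.wheelNeedsPassword = false` plus `docker` group membership makes the `elias` SSH keys root-equivalent, which may be an accepted homelab trade-off but deserves saying in the comment. The `./services/fail2ban.nix` import is commented out, so nothing in this commit rate-limits SSH on that open port. The hc-ping URL in `services.cron.systemCronJobs` is a capability URL too — anyone holding it can report the host healthy — so it belongs in the same secrets file rather than in the repo.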
@@ -0,0 +1,35 @@ +# Do not modify this file! It was generated by ‘nixos-generate-config’ +# and may be overwritten by future invocations. Please make changes +# to /etc/nixos/configuration.nix instead. +{ config, lib, pkgs, modulesPath, ... }: + +{ + imports = + [ (modulesPath + "/installer/scan/not-detected.nix") + ]; + + boot.initrd.availableKernelModules = [ "xhci_pci" "ehci_pci" "ahci" "usb_storage" "usbhid" "sd_mod" "rtsx_pci_sdmmc" ]; + boot.initrd.kernelModules = [ ]; + boot.kernelModules = [ "kvm-intel" ]; + boot.extraModulePackages = [ ]; + + fileSystems."/" = + { device = "/dev/disk/by-uuid/e1c4e287-e13f-4a78-b84f-560923c9693d"; + fsType = "ext4"; + }; + + swapDevices = + [ { device = "/dev/disk/by-uuid/5353a0ef-0aa8-4df7-a0a8-fa1aa146a32c"; } + ]; + + # Enables DHCP on each ethernet and wireless interface. In case of scripted networking + # (the default) this is the recommended approach. When using systemd-networkd it's + # still possible to use this option, but it's recommended to use it in conjunction + # with explicit per-interface declarations with `networking.interfaces..useDHCP`. + networking.useDHCP = lib.mkDefault true; + # networking.interfaces.enp4s0.useDHCP = lib.mkDefault true; + # networking.interfaces.wlp3s0.useDHCP = lib.mkDefault true; + + nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; + hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware; +} diff --git a/nix-upgrade.sh b/nix-upgrade.sh new file mode 100755 index 0000000..4f07418 --- /dev/null +++ b/nix-upgrade.sh @@ -0,0 +1,4 @@ +#!/run/current-system/sw/bin/bash + +sudo nixos-rebuild switch -I nixos-config=/home/elias/nixos-knossos/configuration.nix --upgrade + diff --git a/rebuild.sh b/rebuild.sh new file mode 100755 index 0000000..d8b87db --- /dev/null +++ b/rebuild.sh @@ -0,0 +1,3 @@ +#!/run/current-system/sw/bin/bash +sudo nixos-rebuild switch -I nixos-config=/home/elias/nixos-config/configuration.nix + 
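Review bot: `rebuild.sh` points `-I nixos-config=` at `/home/elias/nixos-config/configuration.nix` while `nix-upgrade.sh` in the same commit uses `/home/elias/nixos-knossos/configuration.nix`, so one of the two is stale; if the named path does not exist, Nix warns and may fall back to `/etc/nixos/configuration.nix`, applying a different config than intended. Derive the path from the script's own location in both files: `cd "$(dirname "$0")" && sudo nixos-rebuild switch -I nixos-config="$PWD/configuration.nix"`.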
diff --git a/services/ChatGPT-nextcloud.nix b/services/ChatGPT-nextcloud.nix new file mode 100644 index 0000000..1cb13bb --- /dev/null +++ b/services/ChatGPT-nextcloud.nix 
@@ -0,0 +1,56 @@ + # + # Nextcloud Service Configuration + # + services.nextcloud = { + enable = true; + # The hostname Nextcloud will use. This should be how you access it in your browser. + # If you don't have a domain, use your server's IP address. + hostName = "nextcloud.local"; # <--- IMPORTANT: Change to your actual domain or IP + + # Use the built-in web server (Apache in this case) provided by the Nextcloud module. + # This means you don't need to configure services.httpd or services.nginx separately. + inheritBuiltinWebserver = true; + + # Directory where Nextcloud will store user data. + # Ensure this path is on a persistent storage volume. + dataDir = "/var/lib/nextcloud/data"; # <--- IMPORTANT: Ensure this path is suitable for your setup + + # Database configuration: PostgreSQL is recommended for production. + database = { + type = "postgresql"; + createLocally = true; # NixOS will manage and create the PostgreSQL database + userName = "nextcloud"; # Database username for Nextcloud + # Securely store the database password in a file. + # You MUST create this file before rebuilding your system (see instructions below). + passwordFile = "/run/keys/nextcloud-db-password"; + }; + + # Nextcloud application-specific configuration options. + # These map directly to Nextcloud's config.php settings. + config = { + # The host Nextcloud will use for internal redirects. Should match hostName. + overwritehost = "nextcloud.local"; # <--- IMPORTANT: Adjust if using a different hostname/IP + + # List of trusted domains/IPs from which Nextcloud can be accessed. + # Add your server's IP address and any domain names you'll use. + trusted_domains = [ + "nextcloud.local" # <--- IMPORTANT: Add your domain or IP here + "192.168.1.100" # <--- IMPORTANT: Replace with your server's actual IP address + ]; + + # Configure local memory caching for performance. APCu is recommended. 
+ memcache.local = "\\OC\\Memcache\\APCu";
+ };
+
+ # PHP FPM options required by Nextcloud for optimal performance.
+ phpOptions = {
+ "opcache.enable" = true;
+ "opcache.interned_strings_buffer" = 8;
+ "opcache.max_accelerated_files" = 10000;
+ "opcache.memory_consumption" = 128;
+ "opcache.save_comments" = 1;
+ "opcache.revalidate_freq" = 1;
+ "apc.enable_cli" = 1;
+ };
+ };
+
diff --git a/services/calibre-web.nix b/services/calibre-web.nix
new file mode 100644
index 0000000..ab540f9
--- /dev/null
+++ b/services/calibre-web.nix
@@ -0,0 +1,37 @@
+{ config, pkgs, ... }:
+{
+
+ # Calibre-Web
+ # more options: https://mynixos.com/nixpkgs/options/services.calibre-web
+ services.calibre-web= {
+ enable = true;
+ listen = {
+ ip = "0.0.0.0";
+ port = 8083;
+ };
+ openFirewall = true;
+ options = {
+ enableBookUploading = true;
+ enableBookConversion = true;
+ # No " " around absolute path
+ # Make sure a calibre library .db file is in this folder
+ # Example file: https://github.com/janeczku/calibre-web/raw/master/library/metadata.db
+ calibreLibrary =/home/elias/books;
+ };
+ };
+
+#Using Caddy on VPS. Don't need this.
+services.nginx.enable = false;
+
+# CACHE_DIRECTORY environment variable
+# explanation: https://github.com/janeczku/calibre-web/issues/3343
+# https://github.com/janeczku/calibre-web/issues/3278
+systemd.services.calibre-web = {
+ environment = {
+ CACHE_DIR = "/var/cache/calibre-web";
+ };
+ serviceConfig = {
+ CacheDirectory = "calibre-web";
+ };
+ };
+}
diff --git a/services/cryptpad.nix b/services/cryptpad.nix
new file mode 100644
index 0000000..766f985
--- /dev/null
+++ b/services/cryptpad.nix
@@ -0,0 +1,9 @@
+{ config, pkgs, ... }:
+{
+
+# not finished
+ services.cryptpad= {
+ enable = true;
+ };
+
+}
diff --git a/services/fail2ban.nix b/services/fail2ban.nix
new file mode 100644
index 0000000..144660d
--- /dev/null
+++ b/services/fail2ban.nix
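Review bot: This file is not a loadable NixOS module — it begins with `services.nextcloud = {` and has no `{ config, pkgs, ... }: { … }` wrapper like the sibling service files — so adding it to `imports` would fail to parse. Several option names also appear not to match the module as the other nextcloud files in this commit use it: `inheritBuiltinWebserver`, `dataDir` (spelled `datadir` elsewhere), `database.passwordFile` (the module option seems to be `config.dbpassFile`), and `config.trusted_domains`/`config.overwritehost`/`config.memcache.local` (under `settings` in the siblings), and the `config.adminpassFile` the module requires is missing. Given the filename, treat this as generated notes rather than configuration — either delete it or add a first line `# NOT A VALID MODULE: reference only, do not import` so it is not picked up by mistake.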
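Review bot: `calibreLibrary =/home/elias/books;` is a Nix path literal rather than a string, and the comment above it (`# No " " around absolute path`) encourages that form; because the module interpolates the value into its preStart script, Nix copies the whole library into the world-readable `/nix/store` on every rebuild and points calibre-web at that read-only copy, so uploads enabled by `enableBookUploading = true` would not land in `/home/elias/books` (worth confirming against the module's preStart, but that is how path interpolation behaves). Use a string, `calibreLibrary = "/home/elias/books";` — `types.path` accepts it — and reword the comment to say the opposite. Separately, `listen.ip = "0.0.0.0"` together with `openFirewall = true` exposes port 8083 on the Wi-Fi/LAN side, while `configuration.nix` already trusts `tailscale0` for every port; binding to the Tailscale address or dropping `openFirewall` keeps the service reachable only through the VPS proxy.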
@@ -0,0 +1,21 @@
+{ config, pkgs, ... }:
+{
+
+ services.fail2ban = {
+ enable = true;
+ # Ban IP after 5 failures
+ maxretry = 5;
+ ignoreIP = [
+ # Whitelist some subnets
+ "100.0.0.0/8" "172.16.0.0/12" "192.168.0.0/16"
+ ];
+ bantime = "24h"; # Ban IPs for one day on the first ban
+ bantime-increment = {
+ enable = true; # Enable increment of bantime after each violation
+ formula = "ban.Time * math.exp(float(ban.Count+1)*banFactor)/math.exp(1*banFactor)";
+ #multipliers = "1 2 4 8 16 32 64";
+ maxtime = "168h"; # Do not ban for more than 1 week
+ overalljails = true; # Calculate the bantime based on all the violations
+ };
+ };
+}
diff --git a/services/glances.nix b/services/glances.nix
new file mode 100644
index 0000000..2ae1507
--- /dev/null
+++ b/services/glances.nix
@@ -0,0 +1,10 @@
+{ config, pkgs, ... }:
+{
+
+ services.glances = {
+ enable = true;
+ port = 61208;
+ openFirewall = true;
+ };
+
+}
diff --git a/services/immich.nix b/services/immich.nix
new file mode 100644
index 0000000..9cb86e9
--- /dev/null
+++ b/services/immich.nix
@@ -0,0 +1,9 @@
+{ config, pkgs, ... }:
+{
+
+ services.immich = {
+ enable = true;
+ port = 2283;
+ };
+
+}
diff --git a/services/jellyfin.nix b/services/jellyfin.nix
new file mode 100644
index 0000000..18cee76
--- /dev/null
+++ b/services/jellyfin.nix
@@ -0,0 +1,16 @@
+{ config, pkgs, ... }:
+{
+
+ services.jellyfin = {
+ enable = true;
+ openFirewall = true;
+ dataDir = "/var/lib/jellyfin"; #default
+ };
+
+ environment.systemPackages = [
+ pkgs.jellyfin
+ pkgs.jellyfin-web
+ pkgs.jellyfin-ffmpeg
+ ];
+
+}
diff --git a/services/nextcloud-reset.sh b/services/nextcloud-reset.sh
new file mode 100755
index 0000000..5347d2c
--- /dev/null
+++ b/services/nextcloud-reset.sh
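Review bot: `"100.0.0.0/8"` in `ignoreIP` exempts the entire 100/8 block from banning, but Tailscale only uses the CGNAT range `100.64.0.0/10`; the rest of 100/8 is public address space, so a brute-forcer from there would never be banned. Narrow it to `"100.64.0.0/10"`. Note also that `configuration.nix` in this commit has the `./services/fail2ban.nix` import commented out, so none of this is active until it is re-enabled.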
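Review bot: `services.glances` with `openFirewall = true` opens 61208 on every interface, and the glances web UI runs without authentication unless a password is configured, so anyone on the LAN gets live process lists, mount points and network details. Since `tailscale0` is already a trusted interface in `configuration.nix`, drop `openFirewall` so it is reachable only over the tailnet, and if it must be bound more narrowly pass a `--bind` address via the module's `extraArgs` (confirm that option exists in the 24.11 module).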
@@ -0,0 +1,9 @@
+#!/run/current-system/sw/bin/bash
+sudo systemctl stop postgresql
+sudo systemctl stop nextcloud-setup
+sudo systemctl stop nextcloud-cron
+sudo systemctl stop phpfm-nextcloud
+sudo systemctl stop redis-nextcloud
+sudo rm -rf /var/lib/nextcloud
+#sudo rm -rf /var/lib/postgresql
+sudo rm -rf /var/lib/redis-nextcloud
diff --git a/services/nextcloud.nix b/services/nextcloud.nix
new file mode 100644
index 0000000..78f86aa
--- /dev/null
+++ b/services/nextcloud.nix
@@ -0,0 +1,62 @@
+{ config, pkgs, ... }:
+{
+# BASIC CONFIG
+# user is root
+environment.etc."nextcloud-admin-pass".text = "CHANGE_RIGHT_AWAY";
+
+/*
+services.nextcloud = {
+ enable = true;
+ hostName = "localhost";
+ config.adminpassFile = "/etc/nextcloud-admin-pass";
+};
+*/
+
+
+services.nextcloud = {
+ enable = true;
+ configureRedis = true;
+ package = pkgs.nextcloud31;
+ hostName = "nextcloud.knossos";
+# datadir = "/var/lib/nextcloud/";
+ settings = {
+ overwriteprotocol = "https";
+ trusted_proxies = [ "localhost" "127.0.0.1" "100.82.24.89" ];
+ trusted_domains = [ "nextcloud.knossos.arkadi.one" ];
+ };
+ config = {
+ dbtype = "pgsql";
+ dbuser = "nextcloud";
+ dbhost = "/run/postgresql"; # nextcloud will add /.s.PGSQL.5432 by itself
+ dbname = "nextcloud";
+ adminpassFile = "/etc/nextcloud-admin-pass";
+ adminuser = "admin";
+ };
+};
+
+ services.postgresql = {
+ enable = true;
+ ensureDatabases = [ "nextcloud" ];
+ ensureUsers = [
+ { name = "nextcloud";
+ ensureDBOwnership = true;
+ }
+ ];
+ };
+
+ # ensure that postgres is running *before* running the setup
+ systemd.services."nextcloud-setup" = {
+ requires = ["postgresql.service"];
+ after = ["postgresql.service"];
+ };
+
+
+# CALIBRE-WEB already disabled?
+
+# services.nginx.enable = true;
+# services.nginx.virtualHosts."nextcloud.knossos" ={
+# listen = [ { addr = "127.0.0.1"; port = 8009; } ];
+# forceSSL = false;
+# };
+
+}
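Review bot: `sudo systemctl stop phpfm-nextcloud` misspells the unit — the NixOS module names the pool service `phpfpm-nextcloud` — so PHP-FPM keeps running while `/var/lib/nextcloud` is removed underneath it. The script also wipes data with no confirmation and keeps going after any failure; add `set -euo pipefail` under the shebang and a guard such as `read -rp "Wipe /var/lib/nextcloud and redis-nextcloud? [y/N] " ok; [[ $ok == y ]] || exit 1` before the `rm -rf` lines.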
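Review bot: `environment.etc."nextcloud-admin-pass".text = "CHANGE_RIGHT_AWAY"` places the initial admin password in the Nix store and in a world-readable `/etc` file, and the literal is committed here; the other nextcloud variants in this commit already read `adminpassFile` from `/var/lib/secrets`, so do the same (`config.adminpassFile = "/var/lib/secrets/nextcloud/nextcloud-admin-pass";`), create that file by hand with mode 0600, and drop the `environment.etc` line. `trusted_proxies` lists `"localhost"`, which Nextcloud documents as a list of IPs or CIDR ranges, so that entry is likely ignored. The commented-out `/* … */` block is a leftover and can go.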
diff --git a/services/nextcloud/lup-nextcloud.nix b/services/nextcloud/lup-nextcloud.nix new file mode 100644 index 0000000..aecf435 --- /dev/null +++ b/services/nextcloud/lup-nextcloud.nix @@ -0,0 +1,47 @@ +# nextcloud.nix +# from Linux Unplugged +{ config, pkgs, ... }: +{ + services.nextcloud = { + enable = true; + hostName = "nextcloud.knossos.arkadi.one"; + # Need to manually increment with every major upgrade. + package = pkgs.nextcloud30; + # Let NixOS install and configure the database automatically. + database.createLocally = true; + # Let NixOS install and configure Redis caching automatically. + configureRedis = true; + # Increase the maximum file upload size. + maxUploadSize = "16G"; + https = true; + autoUpdateApps.enable = true; + extraAppsEnable = true; + extraApps = with config.services.nextcloud.package.packages.apps; { + # List of apps we want to install and are already packaged in + # https://github.com/NixOS/nixpkgs/blob/master/pkgs/servers/nextcloud/packages/nextcloud-apps.json + inherit calendar contacts notes onlyoffice tasks cookbook; + }; + + settings = { + #overwriteprotocol = "https"; + trusted_proxies = [ "localhost" "127.0.0.1" "100.82.24.89" ]; + #trusted_domains = [ "nextcloud.knossos.arkadi.one" ]; + }; + config = { + dbtype = "pgsql"; + adminuser = "admin"; + adminpassFile = "/var/lib/secrets/nextcloud-admin-pass"; + }; + # Suggested by Nextcloud's health check. + phpOptions."opcache.interned_strings_buffer" = "16"; + }; +/* + # Nightly database backups. + postgresqlBackup = { + enable = true; + startAt = "*-*-* 01:15:00"; + }; +*/ + services.nginx.virtualHosts."nextcloud.knossos.arkadi.one".listen = [ { addr = "127.0.0.1"; port = 8009; } ]; + +} diff --git a/services/nextcloud/nextcloud.nix b/services/nextcloud/nextcloud.nix new file mode 100644 index 0000000..679000f --- /dev/null +++ b/services/nextcloud/nextcloud.nix 
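Review bot: The commented-out backup block is written as a top-level `postgresqlBackup = { … }` inside the module's attribute set, so the moment it is uncommented it will fail evaluation — the option lives at `services.postgresqlBackup`; either write it correctly now (`services.postgresqlBackup = { enable = true; startAt = "*-*-* 01:15:00"; };`) or note the right path in the comment. The rest is consistent with the siblings: `adminpassFile` is read from `/var/lib/secrets`, and the nginx vhost listens only on `127.0.0.1:8009` for the Caddy/Tailscale path.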
@@ -0,0 +1,48 @@ +{ config, pkgs, ... }: +{ +services.nextcloud = { + enable = true; + configureRedis = true; + package = pkgs.nextcloud31; + hostName = "nextcloud.knossos"; + datadir = "/var/lib/nextcloud/"; + settings = { + overwriteprotocol = "https"; + trusted_proxies = [ "localhost" "127.0.0.1" "100.82.24.89" ]; + trusted_domains = [ "nextcloud.knossos.arkadi.one" ]; + }; + config = { + dbtype = "pgsql"; + dbuser = "nextcloud"; + dbhost = "/run/postgresql"; # nextcloud will add /.s.PGSQL.5432 by itself + dbname = "nextcloud"; + adminpassFile = "/var/lib/secrets/nextcloud/nextcloud-admin-pass"; + adminuser = "admin"; + }; +}; + + services.postgresql = { + enable = true; + ensureDatabases = [ "nextcloud" ]; + ensureUsers = [ + { name = "nextcloud"; + ensureDBOwnership = true; + } + ]; + }; + + # ensure that postgres is running *before* running the setup + systemd.services."nextcloud-setup" = { + requires = ["postgresql.service"]; + after = ["postgresql.service"]; + }; + +# CALIBRE-WEB already disabled? + +# services.nginx.enable = true; +# services.nginx.virtualHosts."nextcloud.knossos" ={ +# listen = [ { addr = "127.0.0.1"; port = 8009; } ]; +# forceSSL = false; +# }; + +} diff --git a/services/oldnextcloud.nix b/services/oldnextcloud.nix new file mode 100644 index 0000000..7b6fe3d --- /dev/null +++ b/services/oldnextcloud.nix @@ -0,0 +1,15 @@ +{ config, pkgs, ... }: +{ + +services.nextcloud = { + enable = true; + package = pkgs.nextcloud31; + hostName = "nextcloud.knossos"; + config.adminpassFile = "/var/lib/nextcloud-admin-pass"; + config.dbtype = "sqlite"; +}; + + +services.nginx.virtualHosts."nextcloud.knossos".listen = [ { addr = "127.0.0.1"; port = 8009; } ]; + +} diff --git a/services/transmission-settings.json b/services/transmission-settings.json new file mode 100644 index 0000000..eec4fca --- /dev/null +++ b/services/transmission-settings.json 
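Review bot: This file is a near-duplicate of `services/nextcloud.nix` from the same commit, differing mainly in `adminpassFile` (`/var/lib/secrets/nextcloud/nextcloud-admin-pass` here vs `/etc/nextcloud-admin-pass` there) and `datadir`; both define `services.nextcloud` with the same `hostName`, so importing both would conflict on those string options, and even one at a time it is unclear which is canonical. Keep the `/var/lib/secrets` variant and add a header comment (`# Canonical Nextcloud config; services/nextcloud.nix and oldnextcloud.nix are superseded`) so the others are not imported by mistake. `trusted_proxies` includes `"localhost"`, which Nextcloud expects to be an IP or CIDR, so that entry is probably ignored.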
@@ -0,0 +1,18 @@
+# Put this file in /var/lib/secrets/transmission/settings.json
+
+{
+ "peer-port": 51413,
+ "encryption": 1,
+
+ "rpc-enabled": true,
+ "rpc-bind-address": "0.0.0.0",
+ "rpc-host-whitelist-enabled": true,
+ "rpc-host-whitelist": "*.knossos.arkadi.one,knossos,*.arkadi.one",
+ "rpc-whitelist-enabled": true,
+ "rpc-whitelist": "127.0.0.1,192.168.*.*,100.*.*.*",
+ "rpc-authentication-required": true,
+ "rpc-username": "elias",
+ "rpc-password": "family-name-spark727"
+
+}
+
diff --git a/services/transmission.nix b/services/transmission.nix
new file mode 100644
index 0000000..d5be4e2
--- /dev/null
+++ b/services/transmission.nix
@@ -0,0 +1,29 @@
+{ config, pkgs, ... }:
+{
+# https://mynixos.com/nixpkgs/options/services.transmission
+
+ services.transmission = {
+ enable = true;
+ credentialsFile = "/var/lib/secrets/transmission/settings.json";
+ openFirewall = true;
+ # openPeerPorts = true;
+ openRPCPort = true;
+ };
+
+# NOTE
+# credentialsFile example in transmission-settings.json in this directory
+# move and put into: /var/lib/secrets/transmission/settings.json
+
+# =====
+# NOTES TO FIX
+#added user here: https://mynixos.com/nixpkgs/option/services.transmission.credentialsFile
+
+#git hub issue
+#https://mynixos.com/nixpkgs/option/services.transmission.credentialsFile
+#config options
+#https://github.com/transmission/transmission/blob/main/docs/Editing-Configuration-Files.md
+#settings.json options
+
+
+
+}
diff --git a/update.sh b/update.sh
new file mode 100755
index 0000000..86dab6a
--- /dev/null
+++ b/update.sh
@@ -0,0 +1,12 @@
+#!/run/current-system/sw/bin/bash
+# add things to git
+
+COMMIT_MSG="Update NixOS config."
+echo "Commit message?"
+# what did I change?
+read COMMIT_MSG
+echo "OK!"
+
+git add .
+git commit -m "$COMMIT_MSG"
+git push origin main
diff --git a/zfs-root-initrd/zfs-configuration.nix b/zfs-root-initrd/zfs-configuration.nix
new file mode 100644
index 0000000..321c85c
--- /dev/null
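Review bot: This file commits a live RPC credential, `"rpc-password": "family-name-spark727"`, next to its username; the password needs rotating now that it is in git history, and the committed copy should carry a placeholder only, since transmission.nix reads the real file from `/var/lib/secrets/transmission/settings.json`. The leading `# Put this file in …` line also makes the file invalid JSON, so copying it verbatim to that path would make the module's merge step (or Transmission itself) reject the `credentialsFile`; transmission.nix already carries the same instruction as a Nix comment, so start this file at `{`. `"rpc-bind-address": "0.0.0.0"` with `"rpc-whitelist": "…,100.*.*.*"` listens on every interface and trusts all of 100/8 rather than Tailscale's `100.64.0.0/10`; binding to the node's Tailscale address is the tighter option given the firewall already trusts `tailscale0`.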
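Review bot: `openRPCPort = true` opens the RPC port on every interface while `configuration.nix` already trusts `tailscale0` for all ports; together with the `0.0.0.0` bind in the settings file this exposes the torrent control UI, protected by a password only, to the Wi-Fi/LAN side. Drop `openRPCPort` and keep only the option that opens the peer port if you want incoming peers; the Tailscale path keeps working without it. The `NOTES TO FIX` block reads as unresolved, and a sentence saying which item is still open would help the next reader.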
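Review bot: `read COMMIT_MSG` overwrites the default `"Update NixOS config."` even when the user just presses Enter, so an empty message reaches `git commit -m ""` and the commit aborts; read into a temporary and fall back: `read -r msg; COMMIT_MSG="${msg:-$COMMIT_MSG}"`. `git add .` also sweeps in whatever is in the working tree — this commit already contains a Wi-Fi PSK and a Transmission password — so a `.gitignore` for secret files, or `git add -p`, is worth adding before the next run. `set -e` under the shebang would stop the `push` when the commit fails.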
+++ b/zfs-root-initrd/zfs-configuration.nix 
@@ -0,0 +1,226 @@ +{ config, pkgs, ... }: +# NixOS Homelab +# =================== +# The goal of this build is to get a basic good setup in NixOS that +# does similiar things to something like Yunohost but in a +# declarative fashion. +# +# Comments or suggestions to https://fedi.arkadi.one/@tootbrute + +{ + imports = + [ # Include the results of the hardware scan. + ./hardware-configuration.nix +# ./services/jellyfin.nix +# ./services/calibre-web.nix +# ./services/glances.nix +# ./services/fail2ban.nix +# ./services/transmission.nix + # ./services/nextcloud.nix + ]; + # Bootloader. + boot.loader.grub.enable = true; + boot.loader.grub.device = "/dev/sda"; + boot.loader.grub.useOSProber = true; + + # ZFS SSH Remote Unlock, only works with ethernet now + # https://wiki.nixos.org/wiki/ZFS + boot = { + initrd.network = { + enable = true; + ssh = { + enable = true; + port = 2222; + hostKeys = [ /boot/host_ecdsa_key ]; + authorizedKeys = [ + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGfnE4JwpIyghoFYurZLjFkzc5G4l1FeS76yYITg9wUB elias@tux" #little hp - tux + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIH0Q/NC0RHEUjx2WHrZPw0xnCjOCFv5uz53099lknZmG elias@fedora" #desktop + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIL3Ihu9CsCL17FuHl6EqyMDT5BPjh8GlLTWHM+Y1D1I7 elias@bluenix" #bluenix + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILv96m1nCz3D0lzjzeGa+n4m3krEyl7KZ0tstjIZdTkq elias@bluefin" #acer + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIK8zlxSVOTCnAgb4U5vkC3ietH3Jd9gLE+FA6UOZp64J elias@arkadi.one" #arkadi + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKWN6eeLFbtRJDEebSjoI8FaDOA5bmIzbyTUvX/hPWdh elias@greynix" #asus + ]; + # to login: ssh -p 2222 root@192.168.15.180 "zfs load-key -a && killall zfs" + }; + }; +}; + +#above can i simplify this list of authorizedKeys? 
+# example: https://discourse.nixos.org/t/unlock-encrypted-zfs-via-ssh-on-boot/40582 +# authorizedKeys = with lib; concatLists (mapAttrsToList (name: user: if elem "wheel" user.extraGroups then user.openssh.authorizedKeys.keys else []) config.users.users); +*/ + + # ZFS + services.zfs.autoScrub.enable = true; + + # Nix settings + nix = { + settings = { + #experimental-features = [ "nix-command" "flakes" ]; + download-buffer-size = "4G"; + warn-dirty = false; + }; + # garbage collection + gc = { + automatic = true; + }; + optimise = { + automatic = true; + }; + }; + + # Networking + networking.hostName = "knossos"; # Define your hostname. + networking.wireless.enable = true; # Enables wireless support via wpa_supplicant. + + networking.wireless.networks = { + # SSID with spaces and/or special characters + "Suntek_188" = { + psk = "0226203850"; + }; + }; + + # Enable networking + #networking.networkmanager.enable = true; + + # Set your time zone. + time.timeZone = "Asia/Taipei"; + + # Select internationalisation properties. + i18n.defaultLocale = "en_US.UTF-8"; + + i18n.extraLocaleSettings = { + LC_ADDRESS = "zh_TW.UTF-8"; + LC_IDENTIFICATION = "zh_TW.UTF-8"; + LC_MEASUREMENT = "zh_TW.UTF-8"; + LC_MONETARY = "zh_TW.UTF-8"; + LC_NAME = "zh_TW.UTF-8"; + LC_NUMERIC = "zh_TW.UTF-8"; + LC_PAPER = "zh_TW.UTF-8"; + LC_TELEPHONE = "zh_TW.UTF-8"; + LC_TIME = "zh_TW.UTF-8"; + }; + + nix.settings.experimental-features = [ "nix-command" "flakes" ]; + + # Define a user account. Don't forget to set a password with ‘passwd’. 
+ users.users.elias = { + isNormalUser = true; + description = "Tootbrute"; + extraGroups = [ "networkmanager" "wheel" "docker" "elias" ]; + openssh.authorizedKeys.keys = [ + "ssh-rsa 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 elias@socrates" #acer at school + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGfnE4JwpIyghoFYurZLjFkzc5G4l1FeS76yYITg9wUB elias@tux" #little hp - tux + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIH0Q/NC0RHEUjx2WHrZPw0xnCjOCFv5uz53099lknZmG elias@fedora" #desktop + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIL3Ihu9CsCL17FuHl6EqyMDT5BPjh8GlLTWHM+Y1D1I7 elias@bluenix" #bluenix + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILv96m1nCz3D0lzjzeGa+n4m3krEyl7KZ0tstjIZdTkq elias@bluefin" #acer + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIK8zlxSVOTCnAgb4U5vkC3ietH3Jd9gLE+FA6UOZp64J elias@arkadi.one" + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKWN6eeLFbtRJDEebSjoI8FaDOA5bmIzbyTUvX/hPWdh elias@greynix" #asus - greynix + ]; + linger = true; + packages = with pkgs; []; + }; + + # SSH Login Message + users.motd = " + + || + || + || //` `||''|, .|''|, ('''' ('''' .|''|, ('''' + ||<< || || || || `'') `'') || || `'') + .|| \\. .|| ||. `|..|' `...' `...' `|..|' `...' + +"; + + # Disable sudo password for the wheel group + security.sudo.wheelNeedsPassword = false; + + # Allow unfree packages + nixpkgs.config.allowUnfree = true; + + # List packages installed in system profile. To search, run: + # $ nix search wget + environment.systemPackages = with pkgs; [ + wget + fastfetch + htop + btop + hollywood + curl + wget + restic + git + neovim + emacs + + tmux #like screen + wiper #like ncdu + systemctl-tui #systemd tui + + tcpdump #for wireguard test + + ]; + + # List services that you want to enable: + + # Enable the OpenSSH daemon. 
+ services.openssh.enable = true; + + # Tailscale + services.tailscale = { + enable = true; + #permitCertUid = "caddy"; + }; + + # Cron + services.cron.enable = true; + services.cron.systemCronJobs = [ + "00 * * * * root curl https://hc-ping.com/0bbb3afb-196a-4d12-894f-599099029cfc" + ]; + + # Docker + # maybe I don't need? haven't used Docker yet. Disabled for now + + virtualisation = { + docker = { + enable = true; + autoPrune = { + enable = true; + dates = "weekly"; + }; +# rootless = { +# enable = true; +# setSocketVariable = true; +# }; + }; + }; + + # Open ports in the firewall. + # networking.firewall.allowedTCPPorts = [ ... ]; + # networking.firewall.allowedUDPPorts = [ ... ]; + # Or disable the firewall altogether. + # networking.firewall.enable = false; + + networking.firewall = { + # enable the firewall + enable = true; + + # allow all ports from your Tailscale network + trustedInterfaces = [ "tailscale0" ]; + #or allow you to SSH in over the public internet + allowedTCPPorts = [ 22 80 443 ]; + + # allow the Tailscale UDP port through the firewall + allowedUDPPorts = [ config.services.tailscale.port ]; + + }; + + # This value determines the NixOS release from which the default + # settings for stateful data, like file locations and database versions + # on your system were taken. It‘s perfectly fine and recommended to leave + # this value at the release version of the first install of this system. + # Before changing this value read the documentation for this option + # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html). + system.stateVersion = "24.11"; # Did you read the comment? + +} diff --git a/zfs-root-initrd/zfs-hardware-configuration.nix b/zfs-root-initrd/zfs-hardware-configuration.nix new file mode 100644 index 0000000..e9a4dd4 --- /dev/null +++ b/zfs-root-initrd/zfs-hardware-configuration.nix 
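Review bot: The bare `*/` after the `# authorizedKeys = with lib; …` comment has no matching `/*` (the preceding lines are `#` comments), so this file does not parse and `nixos-rebuild` would reject it; delete the `*/` or wrap the whole note in `/* … */`. `hostKeys = [ /boot/host_ecdsa_key ]` is a Nix path literal, and the initrd-SSH examples use strings precisely so the host key is never interpolated into the world-readable Nix store — use `hostKeys = [ "/boot/host_ecdsa_key" ];` (the key still lives on the unencrypted ESP, which is inherent to GRUB remote unlock, so it must be a dedicated initrd key, not the system host key). The same cleartext `psk = "0226203850"` as in `configuration.nix` appears here and should move to `secretsFile`/`pskRaw = "ext:…"` in both places. The `concatLists (mapAttrsToList …)` idea in the comment would remove the duplicated key list, but it needs `lib` in the module's argument list (`{ config, pkgs, lib, ... }:`) before it can be uncommented.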
@@ -0,0 +1,64 @@ +# Do not modify this file! It was generated by ‘nixos-generate-config’ +# and may be overwritten by future invocations. Please make changes +# to /etc/nixos/configuration.nix instead. +{ config, lib, pkgs, modulesPath, ... }: + +{ + imports = + [ (modulesPath + "/installer/scan/not-detected.nix") + ]; + + boot.initrd.availableKernelModules = [ "xhci_pci" "ehci_pci" "ahci" "usbhid" "usb_storage" "sd_mod" "rtsx_pci_sdmmc" ]; + boot.initrd.kernelModules = [ "r8169" ]; #added for remote unlock, wifi is rtl8188ee, r8169 eth + boot.kernelModules = [ "kvm-intel" ]; + boot.initrd.network.udhcpc.enable = true; + boot.initrd.network.flushBeforeStage2 = true; + boot.kernelParams = [ ]; + boot.extraModulePackages = [ ]; + + fileSystems."/" = + { device = "zpool/root"; + fsType = "zfs"; + options = [ "zfsutil" ]; + }; + + fileSystems."/nix" = + { device = "zpool/nix"; + fsType = "zfs"; + options = [ "zfsutil" ]; + }; + + fileSystems."/var" = + { device = "zpool/var"; + fsType = "zfs"; + options = [ "zfsutil" ]; + }; + + fileSystems."/home" = + { device = "zpool/home"; + fsType = "zfs"; + options = [ "zfsutil" ]; + }; + + fileSystems."/boot" = + { device = "/dev/disk/by-uuid/6D49-27BC"; + fsType = "vfat"; + options = [ "fmask=0022" "dmask=0022" ]; + }; + + swapDevices = + [ { device = "/dev/disk/by-id/ata-ST1000LM014-1EJ164_W3810DEF-part2"; + randomEncryption = true; + }]; + + # Enables DHCP on each ethernet and wireless interface. In case of scripted networking + # (the default) this is the recommended approach. When using systemd-networkd it's + # still possible to use this option, but it's recommended to use it in conjunction + # with explicit per-interface declarations with `networking.interfaces..useDHCP`. 
+ networking.useDHCP = lib.mkDefault true; + # networking.interfaces.enp4s0.useDHCP = lib.mkDefault true; + # networking.interfaces.wlp3s0.useDHCP = lib.mkDefault true; + + nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux"; + hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware; +}
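Review bot: The `fileSystems."/boot"` entry mounts the ESP with `fmask=0022 dmask=0022`, which makes everything on the unencrypted boot partition — kernel, initrd, and any bootloader random seed — readable by every local user. Since this initrd deliberately brings up networking for remote unlock (`boot.initrd.network.udhcpc.enable = true` and the `r8169` module "added for remote unlock"), it presumably also carries the initrd SSH host key from a `boot.initrd.network.ssh` block defined elsewhere; with these masks that private key is world-readable, so change the line to `options = [ "fmask=0077" "dmask=0077" ];` and make sure that initrd host key is a dedicated key, never the main sshd host key. On the positive side, `flushBeforeStage2 = true` correctly drops the initrd's DHCP-configured interface before stage 2 takes over networking. Separately, the hand-added `r8169`/`udhcpc`/`flushBeforeStage2` lines live in a file whose header says it is regenerated by `nixos-generate-config`; move them into configuration.nix or a small `initrd-unlock.nix` module so the remote-unlock path does not silently vanish on the next regeneration.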
