diff --git a/flake.nix b/flake.nix
index b7cc8d9..70d1a72 100644
--- a/flake.nix
+++ b/flake.nix
@@ -76,6 +76,10 @@
 hostname = "dingserver";
 headless = true;
 };
+ dingserver2 = hostSystem {
+ hostname = "dingserver2";
+ headless = true;
+ };
 };
 };
 }
diff --git a/hosts/dingserver2/caddy.nix b/hosts/dingserver2/caddy.nix
new file mode 100644
index 0000000..e54cad3
--- /dev/null
+++ b/hosts/dingserver2/caddy.nix
@@ -0,0 +1,79 @@
+{
+ pkgs,
+ lib,
+ ...
+}: {
+ networking.firewall.allowedTCPPorts = [80 8448 443];
+
+ services.caddy = {
+ enable = true;
+ virtualHosts = {
+ "http://metrics.town" = {
+ extraConfig = ''
+ reverse_proxy http://localhost:3000
+ '';
+ };
+
+ "matrix.broccoli.town" = {
+ extraConfig = ''
+ reverse_proxy /_matrix/* http://localhost:8008
+ reverse_proxy /_synapse/client/* http://localhost:8008
+ '';
+ };
+
+ "broccoli.town:8448" = {
+ extraConfig = ''
+ reverse_proxy http://localhost:8008
+ '';
+ };
+
+ "broccoli.town" = {
+ extraConfig = ''
+ header /.well-known/* "Access-Control-Allow-Origin" "*"
+ respond /.well-known/matrix/client "{\"m.homeserver\": {\"base_url\": \"https://broccoli.town\"}}"
+
+ reverse_proxy /_matrix/* http://localhost:8008
+ reverse_proxy /_synapse/client/* http://localhost:8008
+
+ redir / https://chat.broccoli.town
+ '';
+ };
+
+ "chat.broccoli.town" = {
+ extraConfig = ''
+ header {
+ X-Frame-Options "SAMEORIGIN"
+ X-XSS-Protection "1; mode=block"
+ X-Content-Type-Options "nosniff"
+ X-Robots-Tag "noindex, noarchive, nofollow"
+ }
+ root * ${
+ pkgs.element-web.override {
+ conf = {
+ default_server_config."m.homeserver" = {
+ "base_url" = "https://broccoli.town";
+ "server_name" = "broccoli.town";
+ };
+ };
+ }
+ }
+ file_server
+ '';
+ };
+
+ "danielpatterson.dev" = {
+ extraConfig = ''
+ root * /srv/site/danielpatterson.dev
+ encode zstd gzip
+ file_server
+ '';
+ };
+
+ "movies.danielpatterson.dev" = {
+ extraConfig = ''
+ reverse_proxy localhost:8096
+ '';
+ };
+ };
+ };
+}
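Review bot: The `"http://metrics.town"` virtual host is declared with an explicit `http://` scheme, which turns off Caddy's automatic HTTPS for that one name, so the Grafana login proxied from `localhost:3000` travels in cleartext while every other host in this file is served over TLS. Unless plain HTTP is deliberate for a LAN-only name, drop the scheme (`"metrics.town" = { ... }`) so it is handled like the others. Separately, the `header { ... }` block on `chat.broccoli.town` sets `X-XSS-Protection "1; mode=block"`, a header current browsers ignore, while `Strict-Transport-Security` is absent and Caddy does not add it on its own; replacing the former with `Strict-Transport-Security "max-age=31536000"` is the more useful hardening once you are sure the name will stay HTTPS-only.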
diff --git a/hosts/dingserver2/configuration.nix b/hosts/dingserver2/configuration.nix
new file mode 100644
index 0000000..0c2d91b
--- /dev/null
+++ b/hosts/dingserver2/configuration.nix
@@ -0,0 +1,47 @@
+{
+ config,
+ pkgs,
+ lib,
+ ...
+}: {
+ imports = [
+ # Include the results of the hardware scan.
+ ../common
+ ./hardware-configuration.nix
+ ./caddy.nix
+ ./prometheus.nix
+ ./rclone.nix
+ ./synapse.nix
+ ./tmux.nix
+ ];
+
+ # Force disable the common boot loader
+ boot.loader.systemd-boot.enable = lib.mkForce false;
+ boot.loader.efi.canTouchEfiVariables = lib.mkForce false;
+
+ # Use the GRUB 2 boot loader.
+ boot.loader.grub.enable = true;
+ boot.loader.grub.version = 2;
+ boot.loader.grub.device = "/dev/sda"; # or "nodev" for efi only
+
+ networking = {
+ hostName = "dingserver2";
+ interfaces.ens3.useDHCP = true;
+
+ firewall.interfaces = {
+ "tailscale0" = {
+ allowedUDPPorts = [41641];
+ };
+ };
+ };
+
+ services.jellyfin.enable = true;
+
+ environment.systemPackages = with pkgs; [
+ helix
+ kitty # For terminfo
+ lazygit
+ ];
+
+ system.stateVersion = "21.11"; # Did you read the comment?
+}
diff --git a/hosts/dingserver2/hardware-configuration.nix b/hosts/dingserver2/hardware-configuration.nix
new file mode 100644
index 0000000..6964f02
--- /dev/null
+++ b/hosts/dingserver2/hardware-configuration.nix
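Review bot: `firewall.interfaces."tailscale0".allowedUDPPorts = [41641]` opens Tailscale's WireGuard port only on the tunnel interface itself, but that traffic arrives on the physical interface (`ens3` here), so as written the rule most likely does nothing; if the intent is to let peers reach this host directly, the port belongs in the global `networking.firewall.allowedUDPPorts` (or the tailscale module's `openFirewall` option where your release has it), and if the intent was to expose a service to tailnet peers, the block needs that service's port instead. `boot.loader.grub.version = 2;` is an option that newer NixOS releases deprecated and, as far as I recall, later removed, so it will start breaking evaluation on upgrade; it can be deleted since GRUB 2 is the only version the module supports. The comment `# Include the results of the hardware scan.` sits above `../common` rather than `./hardware-configuration.nix` and should move down one line.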
@@ -0,0 +1,31 @@
+# Do not modify this file! It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations. Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+ imports =
+ [ (modulesPath + "/profiles/qemu-guest.nix")
+ ];
+
+ boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "virtio_pci" "virtio_scsi" "sd_mod" "sr_mod" ];
+ boot.initrd.kernelModules = [ ];
+ boot.kernelModules = [ ];
+ boot.extraModulePackages = [ ];
+
+ fileSystems."/" =
+ { device = "/dev/disk/by-uuid/46ba1313-3910-4adc-b949-0f63bb8a6d60";
+ fsType = "ext4";
+ };
+
+ swapDevices = [ ];
+
+ # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+ # (the default) this is the recommended approach. When using systemd-networkd it's
+ # still possible to use this option, but it's recommended to use it in conjunction
+ # with explicit per-interface declarations with `networking.interfaces..useDHCP`.
+ networking.useDHCP = lib.mkDefault true;
+ # networking.interfaces.ens3.useDHCP = lib.mkDefault true;
+
+ hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+}
diff --git a/hosts/dingserver2/prometheus.nix b/hosts/dingserver2/prometheus.nix
new file mode 100644
index 0000000..e6e1d83
--- /dev/null
+++ b/hosts/dingserver2/prometheus.nix
@@ -0,0 +1,28 @@
+{
+ config,
+ pkgs,
+ lib,
+ ...
+}: {
+ services.grafana = {
+ enable = true;
+ };
+
+ services.prometheus = {
+ enable = true;
+ exporters = {
+ };
+
+ scrapeConfigs = [
+ {
+ job_name = "synapse";
+ metrics_path = "/_synapse/metrics";
+ static_configs = [
+ {
+ targets = ["localhost:9000"];
+ }
+ ];
+ }
+ ];
+ };
+}
diff --git a/hosts/dingserver2/rclone.nix b/hosts/dingserver2/rclone.nix
new file mode 100644
index 0000000..17b46d8
--- /dev/null
+++ b/hosts/dingserver2/rclone.nix
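Review bot: `services.grafana = { enable = true; }` brings Grafana up with its stock admin account and no password configured, and the same commit publishes it at `http://metrics.town`, so the first login either relies on the well-known default credential or happens over cleartext, or both. The host already has agenix wired up (`age.secrets` in `rclone.nix`), so the admin password should come from a secret via the Grafana module's admin-password option — `settings.security.admin_password = "$__file{<agenix secret path>}"` on recent releases, or the older `security.adminPasswordFile` — rather than being changed by hand after first boot. The empty `exporters = { };` block means the only scrape target is Synapse's own metrics listener on `localhost:9000`; `exporters.node.enable = true;` plus a matching scrape job would be the usual minimum for host-level visibility.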
@@ -0,0 +1,38 @@
+{
+ pkgs,
+ config,
+ ...
+}: let
+ mountdir = "/var/media/dungflix";
+
+ file = ''
+ [dungflix]
+ type = b2
+ '';
+in {
+ age.secrets = {
+ dungflix_bucket_account_id.file = ../../secrets/dungflix_bucket_account_id.age;
+ dungflix_bucket_account_key.file = ../../secrets/dungflix_bucket_account_key.age;
+ };
+ systemd.services.dungflix-mount = {
+ description = "Mount the Backblaze B2 media store";
+ wantedBy = ["multi-user.target"];
+ path = [pkgs.fuse];
+ preStart = ''
+ mkdir -p -m 777 ${mountdir}
+ '';
+ script = ''
+ export RCLONE_B2_ACCOUNT=''$(cat ${config.age.secrets.dungflix_bucket_account_id.path})
+ export RCLONE_B2_KEY=''$(cat ${config.age.secrets.dungflix_bucket_account_key.path})
+ ${pkgs.rclone}/bin/rclone --config="${pkgs.writeText "" file}" mount dungflix:dungflix-bucket ${mountdir} \
+ --vfs-cache-mode full \
+ --vfs-cache-max-age 48h \
+ --vfs-cache-max-size 100G \
+ --allow-other \
+ --no-modtime \
+ --buffer-size 2G \
+ -vvv
+ '';
+ postStop = "fusermount -u ${mountdir}";
+ };
+}
diff --git a/hosts/dingserver2/synapse.nix b/hosts/dingserver2/synapse.nix
new file mode 100644
index 0000000..578157e
--- /dev/null
+++ b/hosts/dingserver2/synapse.nix
@@ -0,0 +1,52 @@
+{
+ config,
+ pkgs,
+ lib,
+ ...
+}: let
+ fqdn = "matrix.broccoli.town";
+in {
+ services.postgresql = {
+ enable = true;
+ };
+
+ services.matrix-synapse = {
+ enable = true;
+ settings = {
+ enable_metrics = true;
+ server_name = "broccoli.town";
+ database = {
+ name = "psycopg2";
+ args = {
+ database = "synapse";
+ user = "matrix-synapse";
+ };
+ };
+ max_upload_size = "50M";
+ listeners = [
+ {
+ port = 8008;
+ type = "http";
+ tls = false;
+ x_forwarded = true;
+ resources = [
+ {
+ names = ["client" "federation"];
+ compress = false;
+ }
+ ];
+ }
+ {
+ port = 9000;
+ type = "metrics";
+ tls = false;
+ bind_addresses = [
+ "0.0.0.0"
+ ];
+ resources = [
+ ];
+ }
+ ];
+ };
+ };
+}
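Review bot: `mkdir -p -m 777 ${mountdir}` in `preStart` creates a world-writable mount point, and the unit runs as root with `--allow-other`, so every local account can read (and, depending on rclone's default `--umask`/`--file-perms`, write) the B2 bucket through the FUSE mount; `-m 755`, or a dedicated group plus an explicit `--umask`, and `--read-only` if Jellyfin only needs to read, would narrow that considerably. Reading the B2 credentials with `cat` into exported variables is the right way to keep them out of the world-readable Nix store, but it only works because the unit is root — the agenix secret files are root-only by default, so if a `User =` or `DynamicUser` is added later the `cat` will fail unless `age.secrets.<name>.owner` is set to match. Minor: `pkgs.writeText "" file` gives the config derivation an empty name, which some Nix versions reject outright and which yields an unhelpful store path either way; `pkgs.writeText "rclone.conf" file` is clearer. `-vvv` is debug-level logging to the journal and is probably not intended for a permanently running mount.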
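Review bot: The metrics listener at `port = 9000` sets `bind_addresses = ["0.0.0.0"]` although its only consumer is the `localhost:9000` scrape in `prometheus.nix`; Synapse's metrics endpoint is unauthenticated, so bind it to loopback instead: `bind_addresses = ["127.0.0.1"];`. The `port = 8008` listener has no `bind_addresses` at all, so it takes Synapse's default of listening on all interfaces while also setting `x_forwarded = true`, which means anything that can reach 8008 directly can forge the client IP used for rate limiting and logging — adding `bind_addresses = ["127.0.0.1"];` there keeps that trust limited to Caddy. Both ports are unreachable from outside only because `networking.firewall.allowedTCPPorts` in `caddy.nix` does not list them, which is one file away and easy to lose. `fqdn = "matrix.broccoli.town"` in the `let` block is never referenced and should be dropped or used. The role and database named in `database.args` are not created anywhere in this commit; unless `../common` provisions the `synapse` database with the C collation Synapse requires, the first start will fail.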
diff --git a/hosts/dingserver2/tmux.nix b/hosts/dingserver2/tmux.nix
new file mode 100644
index 0000000..d9fe5a1
--- /dev/null
+++ b/hosts/dingserver2/tmux.nix
@@ -0,0 +1,38 @@
+{...}: {
+ programs.tmux = {
+ enable = true;
+ keyMode = "vi";
+ terminal = "tmux-256color";
+ escapeTime = 0;
+ baseIndex = 1;
+ historyLimit = 10000;
+ clock24 = true;
+ extraConfig = ''
+ unbind-key -a -T prefix
+ unbind-key -a -T root
+ unbind-key -a -T copy-mode
+ unbind-key -a -T copy-mode-vi
+
+ set -g prefix M-w
+
+ bind q detach
+ bind space copy-mode
+ bind -T copy-mode-vi Escape send-keys -X cancel
+
+ bind -T copy-mode-vi Escape send -X cancel
+ bind -T copy-mode-vi k send -X cursor-up
+ bind -T copy-mode-vi j send -X cursor-down
+ bind -T copy-mode-vi h send -X cursor-left
+ bind -T copy-mode-vi l send -X cursor-right
+
+ bind -T copy-mode-vi Space send -X begin-selection
+ bind -T copy-mode-vi y send -X copy-selection-no-clear
+ bind -T copy-mode-vi Enter send -X copy-selection-and-cancel
+
+ set -g mouse on
+ bind -n WheelUpPane copy-mode -e
+ bind -T copy-mode-vi WheelUpPane send -X -N 5 scroll-up
+ bind -T copy-mode-vi WheelDownPane send -X -N 5 scroll-down
+ '';
+ };
+}
diff --git a/secrets/secrets.nix b/secrets/secrets.nix
index d76e763..29bae21 100644
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@@ -3,7 +3,8 @@ let
 user2 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBdj2kyVl2sbv6Y5kuUfyjszCs7nQWr+3rwaPiRiYDxj miniding";
 user3 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIP0Ps8eEFIkLe863bisGvSIVXZqedp9z5AC8RKyvZtcA me@danielpatterson.dev";
 user4 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOjVwYfjyZ7kd7idwfGNtS62VKAc34WIsjQvypMe0d8N dingserver";
- users = [user1 user2 user3 user4];
+ user5 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMZKWq5v1xkK2d7D4lmwDKjdAHbWd+agXQCuMyjkzDEh daniel@dingserver";
+ users = [user1 user2 user3 user4 user5]; # dingbox system1 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKvWmwFd0xZcF0HcyhmemvT5Q8rHOW/fQ56IoLSVAljv root@nixos";
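Review bot: `bind -T copy-mode-vi Escape send-keys -X cancel` and, three lines later, `bind -T copy-mode-vi Escape send -X cancel` bind the same key to the same action (`send` is the short form of `send-keys`), so the first one is dead and should be deleted, keeping the second where it sits with the other copy-mode-vi bindings. `unbind-key -a -T root` also clears tmux's default mouse bindings in the root table, so with `set -g mouse on` only the wheel behaviour re-added at the bottom works and click-to-select-pane or drag-select will not; if that is intended, a comment such as `# root table is emptied above; only wheel scrolling is restored` would save the next reader a debugging session.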
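Review bot: `user5` carries the comment `daniel@dingserver`, i.e. it appears to be a per-host user key rather than an admin workstation key, yet it is appended to `users`, the list every secret in this file is encrypted to. That quietly widens entries such as `"rclone_password1.age".publicKeys = users ++ [system2]`, whose point is to keep other hosts out, to a key that lives on `dingserver`. If that account needs to edit secrets from that machine, the narrower option is to add the key only to the specific `.age` entries it needs rather than to `users`.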
@@ -11,7 +12,9 @@ let
 system2 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDwfy5oG1heHoQlZgrTxqlW+oOTB8NdNcNm1IpKyqfIA root@nixos";
 # pingbox
 system3 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMzy0KqakqljVqgA4lvfTt65cikgPOKFvBXF0WS0LxGP root@pingbox";
- systems = [system1 system2 system3];
+ # dingserver2
+ system4 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINxzzoExkmb0kP+6OS2omcoa8xe1ETc+FAhU5gBuBUDR root@dingserver";
+ systems = [system1 system2 system3 system4];
 in {
 "spotify_pass.age".publicKeys = users ++ systems;
 "rclone_password1.age".publicKeys = users ++ [system2];
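Review bot: `system4` is labelled `# dingserver2` but the key's own comment reads `root@dingserver`, so before rekeying it is worth confirming it against `/etc/ssh/ssh_host_ed25519_key.pub` on dingserver2 — the comment field is free text and not conclusive, but pasting the wrong host key means either the new host cannot decrypt or an unintended one can. Separately, `rclone.nix` in this commit references `../../secrets/dungflix_bucket_account_id.age` and `dungflix_bucket_account_key.age`, and neither appears in the two hunks shown; unless they are declared elsewhere in `secrets.nix` with `system4` in their `publicKeys`, the `dungflix-mount` unit will fail to read them on dingserver2. The existing `users ++ systems` files also still need a rekey (`agenix -r` or your equivalent) after this change before `system4` can open them.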