Add dingserver2

flake.nix

@@ -76,6 +76,10 @@
         hostname = "dingserver";
         headless = true;
       };
+      dingserver2 = hostSystem {
+        hostname = "dingserver2";
+        headless = true;
+      };
     };
   };
 }

hosts/dingserver2/caddy.nix

@@ -0,0 +1,79 @@
+{
+  pkgs,
+  lib,
+  ...
+}: {
+  networking.firewall.allowedTCPPorts = [80 8448 443];
+
+  services.caddy = {
+    enable = true;
+    virtualHosts = {
+      "http://metrics.town" = {
+        extraConfig = ''
+          reverse_proxy http://localhost:3000
+        '';
+      };
+
+      "matrix.broccoli.town" = {
+        extraConfig = ''
+          reverse_proxy /_matrix/* http://localhost:8008
+          reverse_proxy /_synapse/client/* http://localhost:8008
+        '';
+      };
+
+      "broccoli.town:8448" = {
+        extraConfig = ''
+          reverse_proxy http://localhost:8008
+        '';
+      };
+
+      "broccoli.town" = {
+        extraConfig = ''
+          header /.well-known/* "Access-Control-Allow-Origin" "*"
+          respond /.well-known/matrix/client "{\"m.homeserver\": {\"base_url\": \"https://broccoli.town\"}}"
+
+          reverse_proxy /_matrix/* http://localhost:8008
+          reverse_proxy /_synapse/client/* http://localhost:8008
+
+          redir / https://chat.broccoli.town
+        '';
+      };
+
+      "chat.broccoli.town" = {
+        extraConfig = ''
+          header {
+            X-Frame-Options "SAMEORIGIN"
+            X-XSS-Protection "1; mode=block"
+            X-Content-Type-Options "nosniff"
+            X-Robots-Tag "noindex, noarchive, nofollow"
+          }
+          root * ${
+            pkgs.element-web.override {
+              conf = {
+                default_server_config."m.homeserver" = {
+                  "base_url" = "https://broccoli.town";
+                  "server_name" = "broccoli.town";
+                };
+              };
+            }
+          }
+          file_server
+        '';
+      };
+
+      "danielpatterson.dev" = {
+        extraConfig = ''
+          root * /srv/site/danielpatterson.dev
+          encode zstd gzip
+          file_server
+        '';
+      };
+
+      "movies.danielpatterson.dev" = {
+        extraConfig = ''
+          reverse_proxy localhost:8096
+        '';
+      };
+    };
+  };
+}

hosts/dingserver2/configuration.nix

@@ -0,0 +1,47 @@
+{
+  config,
+  pkgs,
+  lib,
+  ...
+}: {
+  imports = [
+    # Include the results of the hardware scan.
+    ../common
+    ./hardware-configuration.nix
+    ./caddy.nix
+    ./prometheus.nix
+    ./rclone.nix
+    ./synapse.nix
+    ./tmux.nix
+  ];
+
+  # Force disable the common boot loader
+  boot.loader.systemd-boot.enable = lib.mkForce false;
+  boot.loader.efi.canTouchEfiVariables = lib.mkForce false;
+
+  # Use the GRUB 2 boot loader.
+  boot.loader.grub.enable = true;
+  boot.loader.grub.version = 2;
+  boot.loader.grub.device = "/dev/sda"; # or "nodev" for efi only
+
+  networking = {
+    hostName = "dingserver2";
+    interfaces.ens3.useDHCP = true;
+
+    firewall.interfaces = {
+      "tailscale0" = {
+        allowedUDPPorts = [41641];
+      };
+    };
+  };
+
+  services.jellyfin.enable = true;
+
+  environment.systemPackages = with pkgs; [
+    helix
+    kitty # For terminfo
+    lazygit
+  ];
+
+  system.stateVersion = "21.11"; # Did you read the comment?
+}

hosts/dingserver2/hardware-configuration.nix

@@ -0,0 +1,31 @@
+# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations.  Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+  imports =
+    [ (modulesPath + "/profiles/qemu-guest.nix")
+    ];
+
+  boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "virtio_pci" "virtio_scsi" "sd_mod" "sr_mod" ];
+  boot.initrd.kernelModules = [ ];
+  boot.kernelModules = [ ];
+  boot.extraModulePackages = [ ];
+
+  fileSystems."/" =
+    { device = "/dev/disk/by-uuid/46ba1313-3910-4adc-b949-0f63bb8a6d60";
+      fsType = "ext4";
+    };
+
+  swapDevices = [ ];
+
+  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+  # (the default) this is the recommended approach. When using systemd-networkd it's
+  # still possible to use this option, but it's recommended to use it in conjunction
+  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
+  networking.useDHCP = lib.mkDefault true;
+  # networking.interfaces.ens3.useDHCP = lib.mkDefault true;
+
+  hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+}

hosts/dingserver2/prometheus.nix

@@ -0,0 +1,28 @@
+{
+  config,
+  pkgs,
+  lib,
+  ...
+}: {
+  services.grafana = {
+    enable = true;
+  };
+
+  services.prometheus = {
+    enable = true;
+    exporters = {
+    };
+
+    scrapeConfigs = [
+      {
+        job_name = "synapse";
+        metrics_path = "/_synapse/metrics";
+        static_configs = [
+          {
+            targets = ["localhost:9000"];
+          }
+        ];
+      }
+    ];
+  };
+}

hosts/dingserver2/rclone.nix

@@ -0,0 +1,38 @@
+{
+  pkgs,
+  config,
+  ...
+}: let
+  mountdir = "/var/media/dungflix";
+
+  file = ''
+    [dungflix]
+    type = b2
+  '';
+in {
+  age.secrets = {
+    dungflix_bucket_account_id.file = ../../secrets/dungflix_bucket_account_id.age;
+    dungflix_bucket_account_key.file = ../../secrets/dungflix_bucket_account_key.age;
+  };
+  systemd.services.dungflix-mount = {
+    description = "Mount the Backblaze B2 media store";
+    wantedBy = ["multi-user.target"];
+    path = [pkgs.fuse];
+    preStart = ''
+      mkdir -p -m 777 ${mountdir}
+    '';
+    script = ''
+      export RCLONE_B2_ACCOUNT=''$(cat ${config.age.secrets.dungflix_bucket_account_id.path})
+      export RCLONE_B2_KEY=''$(cat ${config.age.secrets.dungflix_bucket_account_key.path})
+      ${pkgs.rclone}/bin/rclone --config="${pkgs.writeText "" file}" mount dungflix:dungflix-bucket ${mountdir} \
+        --vfs-cache-mode full \
+        --vfs-cache-max-age 48h \
+        --vfs-cache-max-size 100G \
+        --allow-other \
+        --no-modtime \
+        --buffer-size 2G \
+        -vvv
+    '';
+    postStop = "fusermount -u ${mountdir}";
+  };
+}

hosts/dingserver2/synapse.nix

@@ -0,0 +1,52 @@
+{
+  config,
+  pkgs,
+  lib,
+  ...
+}: let
+  fqdn = "matrix.broccoli.town";
+in {
+  services.postgresql = {
+    enable = true;
+  };
+
+  services.matrix-synapse = {
+    enable = true;
+    settings = {
+      enable_metrics = true;
+      server_name = "broccoli.town";
+      database = {
+        name = "psycopg2";
+        args = {
+          database = "synapse";
+          user = "matrix-synapse";
+        };
+      };
+      max_upload_size = "50M";
+      listeners = [
+        {
+          port = 8008;
+          type = "http";
+          tls = false;
+          x_forwarded = true;
+          resources = [
+            {
+              names = ["client" "federation"];
+              compress = false;
+            }
+          ];
+        }
+        {
+          port = 9000;
+          type = "metrics";
+          tls = false;
+          bind_addresses = [
+            "0.0.0.0"
+          ];
+          resources = [
+          ];
+        }
+      ];
+    };
+  };
+}

hosts/dingserver2/tmux.nix

@@ -0,0 +1,38 @@
+{...}: {
+  programs.tmux = {
+    enable = true;
+    keyMode = "vi";
+    terminal = "tmux-256color";
+    escapeTime = 0;
+    baseIndex = 1;
+    historyLimit = 10000;
+    clock24 = true;
+    extraConfig = ''
+      unbind-key -a -T prefix
+      unbind-key -a -T root
+      unbind-key -a -T copy-mode
+      unbind-key -a -T copy-mode-vi
+
+      set -g prefix M-w
+
+      bind q detach
+      bind space copy-mode
+      bind -T copy-mode-vi Escape send-keys -X cancel
+
+      bind -T copy-mode-vi Escape send -X cancel
+      bind -T copy-mode-vi k send -X cursor-up
+      bind -T copy-mode-vi j send -X cursor-down
+      bind -T copy-mode-vi h send -X cursor-left
+      bind -T copy-mode-vi l send -X cursor-right
+
+      bind -T copy-mode-vi Space send -X begin-selection
+      bind -T copy-mode-vi y send -X copy-selection-no-clear
+      bind -T copy-mode-vi Enter send -X copy-selection-and-cancel
+
+      set -g mouse on
+      bind -n WheelUpPane copy-mode -e
+      bind -T copy-mode-vi WheelUpPane send -X -N 5 scroll-up
+      bind -T copy-mode-vi WheelDownPane send -X -N 5 scroll-down
+    '';
+  };
+}

secrets/secrets.nix

@@ -3,7 +3,8 @@ let
   user2 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBdj2kyVl2sbv6Y5kuUfyjszCs7nQWr+3rwaPiRiYDxj miniding";
   user3 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIP0Ps8eEFIkLe863bisGvSIVXZqedp9z5AC8RKyvZtcA me@danielpatterson.dev";
   user4 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOjVwYfjyZ7kd7idwfGNtS62VKAc34WIsjQvypMe0d8N dingserver";
-  users = [user1 user2 user3 user4];
+  user5 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMZKWq5v1xkK2d7D4lmwDKjdAHbWd+agXQCuMyjkzDEh daniel@dingserver";
+  users = [user1 user2 user3 user4 user5];
 
   # dingbox
   system1 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKvWmwFd0xZcF0HcyhmemvT5Q8rHOW/fQ56IoLSVAljv root@nixos";
@@ -11,7 +12,9 @@ let
   system2 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDwfy5oG1heHoQlZgrTxqlW+oOTB8NdNcNm1IpKyqfIA root@nixos";
   # pingbox
   system3 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMzy0KqakqljVqgA4lvfTt65cikgPOKFvBXF0WS0LxGP root@pingbox";
-  systems = [system1 system2 system3];
+  # dingserver2
+  system4 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINxzzoExkmb0kP+6OS2omcoa8xe1ETc+FAhU5gBuBUDR root@dingserver";
+  systems = [system1 system2 system3 system4];
 in {
   "spotify_pass.age".publicKeys = users ++ systems;
   "rclone_password1.age".publicKeys = users ++ [system2];