2024-05-07 18:02:59 -04:00
|
|
|
{
|
|
|
|
|
pkgs,
|
|
|
|
|
home-manager,
|
|
|
|
|
lib,
|
|
|
|
|
config,
|
|
|
|
|
...
|
|
|
|
|
}:
|
2024-02-29 09:53:34 -05:00
|
|
|
let
|
2024-05-07 18:02:59 -04:00
|
|
|
start-haven = pkgs.writeShellScriptBin "start-haven" (builtins.readFile ./start-haven.sh);
|
2024-05-19 14:33:15 -04:00
|
|
|
|
2024-06-19 14:00:17 -04:00
|
|
|
services-root = "/storage/services";
|
|
|
|
|
|
2024-05-23 23:50:42 -04:00
|
|
|
subdomains = [
|
|
|
|
|
config.secrets.services.airsonic.url
|
2024-05-24 17:33:37 -04:00
|
|
|
config.secrets.services.cache.url
|
2024-05-23 23:50:42 -04:00
|
|
|
config.secrets.services.forgejo.url
|
2024-05-24 11:56:23 -04:00
|
|
|
config.secrets.services.gremlin-lab.url
|
2024-05-19 14:33:15 -04:00
|
|
|
];
|
2024-02-29 09:53:34 -05:00
|
|
|
in
|
|
|
|
|
{
|
2024-05-07 18:02:59 -04:00
|
|
|
imports = [ ./hardware-configuration.nix ];
|
|
|
|
|
|
|
|
|
|
system.stateVersion = "24.05";
|
2024-02-29 09:53:34 -05:00
|
|
|
|
2024-06-24 11:38:28 -04:00
|
|
|
aux.system = {
|
|
|
|
|
apps.tmux.enable = true;
|
2024-06-24 18:19:27 -04:00
|
|
|
# Configure the bootloader.
|
|
|
|
|
bootloader = {
|
|
|
|
|
enable = true;
|
|
|
|
|
secureboot.enable = true;
|
|
|
|
|
tpm2.enable = true;
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
# Change the default text editor. Options are "emacs", "nano", or "vim".
|
|
|
|
|
editor = "nano";
|
|
|
|
|
|
2024-06-24 13:08:18 -04:00
|
|
|
gpu.amd.enable = true;
|
2024-06-24 18:19:27 -04:00
|
|
|
|
2024-06-24 12:24:21 -04:00
|
|
|
packages = [ start-haven ];
|
2024-06-24 18:19:27 -04:00
|
|
|
|
|
|
|
|
# Keep old generations for one month.
|
|
|
|
|
retentionPeriod = "monthly";
|
|
|
|
|
|
2024-05-07 18:02:59 -04:00
|
|
|
services = {
|
2024-05-20 20:52:57 -04:00
|
|
|
acme = {
|
|
|
|
|
enable = true;
|
2024-05-20 20:56:48 -04:00
|
|
|
defaultEmail = config.secrets.users.aires.email;
|
2024-05-20 20:52:57 -04:00
|
|
|
certs = {
|
|
|
|
|
"${config.secrets.networking.primaryDomain}" = {
|
|
|
|
|
dnsProvider = "namecheap";
|
|
|
|
|
extraDomainNames = subdomains;
|
|
|
|
|
webroot = null; # Required in order to prevent a failed assertion
|
|
|
|
|
credentialFiles = {
|
|
|
|
|
"NAMECHEAP_API_USER_FILE" = "${pkgs.writeText "namecheap-api-user" ''
|
|
|
|
|
${config.secrets.networking.namecheap.api.user}
|
|
|
|
|
''}";
|
|
|
|
|
"NAMECHEAP_API_KEY_FILE" = "${pkgs.writeText "namecheap-api-key" ''
|
|
|
|
|
${config.secrets.networking.namecheap.api.key}
|
|
|
|
|
''}";
|
|
|
|
|
};
|
|
|
|
|
};
|
2024-06-19 14:00:17 -04:00
|
|
|
"${config.secrets.networking.blogDomain}" = {
|
|
|
|
|
dnsProvider = "namecheap";
|
|
|
|
|
webroot = null; # Required in order to prevent a failed assertion
|
|
|
|
|
credentialFiles = {
|
|
|
|
|
"NAMECHEAP_API_USER_FILE" = "${pkgs.writeText "namecheap-api-user" ''
|
|
|
|
|
${config.secrets.networking.namecheap.api.user}
|
|
|
|
|
''}";
|
|
|
|
|
"NAMECHEAP_API_KEY_FILE" = "${pkgs.writeText "namecheap-api-key" ''
|
|
|
|
|
${config.secrets.networking.namecheap.api.key}
|
|
|
|
|
''}";
|
|
|
|
|
};
|
|
|
|
|
};
|
2024-05-20 20:52:57 -04:00
|
|
|
};
|
|
|
|
|
};
|
2024-05-21 09:22:03 -04:00
|
|
|
apcupsd = {
|
|
|
|
|
enable = true;
|
|
|
|
|
configText = builtins.readFile ./etc/apcupsd.conf;
|
|
|
|
|
};
|
2024-05-20 12:27:01 -04:00
|
|
|
airsonic = {
|
|
|
|
|
enable = true;
|
2024-06-19 14:00:17 -04:00
|
|
|
home = "${services-root}/airsonic-advanced";
|
2024-05-20 12:27:01 -04:00
|
|
|
};
|
2024-06-24 12:24:21 -04:00
|
|
|
autoUpgrade = {
|
2024-06-24 18:19:27 -04:00
|
|
|
enable = false; # Don't update the system...
|
|
|
|
|
pushUpdates = true; # ...but do push updates remotely.
|
2024-06-24 12:24:21 -04:00
|
|
|
configDir = config.secrets.nixConfigFolder;
|
|
|
|
|
onCalendar = "daily";
|
|
|
|
|
user = config.users.users.aires.name;
|
|
|
|
|
};
|
2024-05-20 20:52:57 -04:00
|
|
|
boinc.enable = true;
|
2024-05-24 17:33:37 -04:00
|
|
|
cache = {
|
2024-05-25 11:07:10 -04:00
|
|
|
enable = false; # Disable for now
|
2024-06-19 14:00:17 -04:00
|
|
|
secretKeyFile = "${services-root}/nix-cache/cache-priv-key.pem";
|
2024-05-24 17:33:37 -04:00
|
|
|
};
|
2024-05-07 18:02:59 -04:00
|
|
|
duplicacy-web = {
|
|
|
|
|
enable = true;
|
|
|
|
|
autostart = false;
|
2024-05-22 11:05:20 -04:00
|
|
|
environment = "/storage/backups/settings/Haven";
|
2024-05-07 18:02:59 -04:00
|
|
|
};
|
2024-05-20 12:27:01 -04:00
|
|
|
forgejo = {
|
|
|
|
|
enable = true;
|
2024-06-19 14:00:17 -04:00
|
|
|
home = "${services-root}/forgejo";
|
2024-06-04 14:18:45 -04:00
|
|
|
actions = {
|
|
|
|
|
enable = true;
|
|
|
|
|
token = config.secrets.services.forgejo.runner-token;
|
|
|
|
|
};
|
2024-05-20 12:27:01 -04:00
|
|
|
};
|
2024-05-07 18:02:59 -04:00
|
|
|
msmtp.enable = true;
|
2024-05-20 20:52:57 -04:00
|
|
|
nginx = {
|
|
|
|
|
enable = true;
|
|
|
|
|
autostart = false;
|
|
|
|
|
virtualHosts = {
|
|
|
|
|
"${config.secrets.networking.primaryDomain}" = {
|
|
|
|
|
default = true;
|
|
|
|
|
enableACME = true; # Enable Let's Encrypt
|
|
|
|
|
locations."/" = {
|
|
|
|
|
# Catchall vhost, will redirect users to Forgejo
|
2024-05-22 15:39:57 -04:00
|
|
|
return = "301 https://${config.secrets.services.forgejo.url}";
|
2024-05-20 20:52:57 -04:00
|
|
|
};
|
|
|
|
|
};
|
2024-06-19 14:00:17 -04:00
|
|
|
"${config.secrets.networking.blogDomain}" = {
|
|
|
|
|
useACMEHost = config.secrets.networking.blogDomain;
|
|
|
|
|
forceSSL = true;
|
2024-06-19 14:26:32 -04:00
|
|
|
root = "${services-root}/nginx/sites/${config.secrets.networking.blogDomain}";
|
2024-06-19 14:00:17 -04:00
|
|
|
};
|
2024-05-24 11:56:23 -04:00
|
|
|
"${config.secrets.services.gremlin-lab.url}" = {
|
|
|
|
|
useACMEHost = config.secrets.networking.primaryDomain;
|
|
|
|
|
forceSSL = true;
|
|
|
|
|
locations."/" = {
|
|
|
|
|
proxyPass = "http://${config.secrets.services.gremlin-lab.ip}";
|
|
|
|
|
proxyWebsockets = true;
|
|
|
|
|
extraConfig = "proxy_ssl_server_name on;";
|
|
|
|
|
};
|
|
|
|
|
};
|
2024-06-04 14:18:45 -04:00
|
|
|
"${config.secrets.services.forgejo.url}" = {
|
|
|
|
|
useACMEHost = config.secrets.networking.primaryDomain;
|
|
|
|
|
forceSSL = true;
|
|
|
|
|
locations."/" = {
|
|
|
|
|
proxyPass = "http://127.0.0.1:3000";
|
|
|
|
|
proxyWebsockets = true;
|
|
|
|
|
extraConfig = "proxy_ssl_server_name on;"; # required when the target is also TLS server with multiple hosts
|
|
|
|
|
};
|
|
|
|
|
};
|
2024-05-20 20:52:57 -04:00
|
|
|
};
|
|
|
|
|
};
|
|
|
|
|
ssh = {
|
|
|
|
|
enable = true;
|
|
|
|
|
ports = [ config.secrets.hosts.haven.ssh.port ];
|
|
|
|
|
};
|
2024-05-22 16:47:55 -04:00
|
|
|
virtualization = {
|
|
|
|
|
enable = true;
|
|
|
|
|
user = "aires";
|
|
|
|
|
};
|
2024-05-07 18:02:59 -04:00
|
|
|
};
|
2024-05-21 09:22:03 -04:00
|
|
|
users.aires = {
|
|
|
|
|
enable = true;
|
|
|
|
|
services.syncthing = {
|
2024-05-07 18:02:59 -04:00
|
|
|
enable = true;
|
2024-05-21 09:22:03 -04:00
|
|
|
autostart = false;
|
2024-05-07 18:02:59 -04:00
|
|
|
};
|
|
|
|
|
};
|
|
|
|
|
};
|
2024-02-29 09:53:34 -05:00
|
|
|
|
2024-05-20 20:52:57 -04:00
|
|
|
# TODO: VPN (Check out Wireguard)
|
2024-05-19 14:33:15 -04:00
|
|
|
|
|
|
|
|
# Allow Haven to be a build target for other architectures (mainly ARM64)
|
|
|
|
|
boot.binfmt.emulatedSystems = [ "aarch64-linux" ];
|
2024-04-01 12:30:07 -04:00
|
|
|
}
|
