diff --git a/common/default.nix b/common/default.nix
index ccdfac3..927d8d9 100644
--- a/common/default.nix
+++ b/common/default.nix
@@ -7,7 +7,7 @@
 }: {
 #nixpkgs.config.permittedInsecurePackages = ["electron-25.9.0" "electron-24.8.6"];
 networking.hosts = {
- "192.168.178.35" = [ "jellyfin.fritz.box" "grafana.fritz.box" ];
+ "192.168.178.35" = ["jellyfin.fritz.box" "grafana.fritz.box"];
 };
 environment.systemPackages = with pkgs; [
 xdg-desktop-portal-hyprland
diff --git a/flake.nix b/flake.nix
index b39e651..6dbdf50 100644
--- a/flake.nix
+++ b/flake.nix
@@ -66,6 +66,11 @@
 modules = [./hosts/x86_64-linux/lambda];
 specialArgs = {inherit inputs;};
 };
+ "beleth" = lib.nixosSystem {
+ system = "x86_64-linux";
+ modules = [./hosts/x86_64-linux/beleth];
+ specialArgs = {inherit inputs;};
+ };
 "alastor" = lib.nixosSystem {
 system = "aarch64-linux";
 modules = [./hosts/aarch64-linux/alastor];
diff --git a/hosts/x86_64-linux/beleth/default.nix b/hosts/x86_64-linux/beleth/default.nix
new file mode 100644
index 0000000..4511cdb
--- /dev/null
+++ b/hosts/x86_64-linux/beleth/default.nix
@@ -0,0 +1,110 @@
+{
+ config,
+ lib,
+ pkgs,
+ ...
+}:
+with lib; {
+ imports = [
+ # Include the results of the hardware scan.
+ ./hardware-configuration.nix
+ ./monitoring.nix
+ ./jellyfin.nix
+ ];
+
+ services.nginx = {
+ enable = true;
+ package = pkgs.nginxQuic;
+
+ recommendedGzipSettings = true;
+ recommendedOptimisation = true;
+ recommendedProxySettings = true;
+ recommendedTlsSettings = true;
+
+ sslCiphers = "AES256+EECDH:AES256+EDH:!aNULL";
+ sslProtocols = mkDefault "TLSv1.3";
+ # sslDhparam = config.security.dhparams.params.nginx.path;
+
+ clientMaxBodySize = mkDefault "128M";
+ commonHttpConfig = ''
+ map $scheme $hsts_header {
+ https "max-age=31536000; includeSubdomains; preload";
+ }
+ add_header Strict-Transport-Security $hsts_header;
+ add_header X-Content-Type-Options "nosniff" always;
+ add_header X-XSS-Protection "1; mode=block" always;
+ add_header X-Frame-Options "SAMEORIGIN" always;
+ add_header Referrer-Policy "same-origin" always;
+ '';
+ };
+
+ security.acme = {
+ acceptTerms = true;
+ defaults.email = "xqtc@tutanota.com";
+ defaults.keyType = "ec256";
+ certs = {
+ "jellyfin.heroin.trade" = {};
+ "grafana.heroin.trade" = {};
+ };
+ };
+
+ nix.settings.experimental-features = ["nix-command" "flakes"];
+
+ nix.settings = {
+ trusted-users = ["xqtc"];
+ substituters = [
+ "https://nix-community.cachix.org"
+ ];
+ trusted-public-keys = [
+ "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
+ ];
+ };
+ # Use the systemd-boot EFI boot loader.
+ boot.loader.systemd-boot.enable = true;
+ boot.loader.efi.canTouchEfiVariables = true;
+
+ networking.hostName = "beleth"; # Define your hostname.
+ networking.networkmanager.enable = true; # Easiest to use and most distros use this by default.
+
+ # Set your time zone.
+ time.timeZone = "Europe/Berlin";
+
+ users.users.xqtc = {
+ isNormalUser = true;
+ extraGroups = ["wheel"];
+ packages = with pkgs; [
+ tree
+ ];
+ openssh.authorizedKeys.keys = [
+ # TODO: Add remaining keys from https://meta.sr.ht/~xqrc.keys
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIN7UkcmSVo+SeB5Obevz3mf3UHruYxn0UHUzoOs2gDBy xqtc@asmodeus"
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPf3w5bHAssHthg9SPXVpG4w9v8m16X/0J3bjg08P6EA xqtc@seraphim"
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJYa+LoHGGvu12iBufUcr3GD8tsq4LuJdwLjaDkTr0SL xqtc@lilith"
+ ];
+ };
+ users.users.root.openssh.authorizedKeys.keys = [
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIN7UkcmSVo+SeB5Obevz3mf3UHruYxn0UHUzoOs2gDBy xqtc@asmodeus"
+ ];
+
+ environment.systemPackages = with pkgs; [
+ neovim
+ vim
+ git
+ wget
+ ];
+
+ programs.mtr.enable = true;
+ programs.gnupg.agent = {
+ enable = true;
+ enableSSHSupport = true;
+ };
+
+ # Enable the OpenSSH daemon.
+ services.openssh.enable = true;
+
+ # Open ports in the firewall.
+ networking.firewall.allowedTCPPorts = [22 80 443];
+ # networking.firewall.allowedUDPPorts = [443];
+
+ system.stateVersion = "24.05"; # Did you read the comment?
+}
diff --git a/hosts/x86_64-linux/beleth/hardware-configuration.nix b/hosts/x86_64-linux/beleth/hardware-configuration.nix
new file mode 100644
index 0000000..e1fe1b8
--- /dev/null
+++ b/hosts/x86_64-linux/beleth/hardware-configuration.nix
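Review bot: `services.openssh.enable = true;` near the end of the hunk leaves password authentication at the NixOS default (enabled) even though every account here is provisioned with ed25519 keys, and `users.users.root.openssh.authorizedKeys.keys` additionally makes root directly reachable over SSH with the asmodeus key. Add `services.openssh.settings.PasswordAuthentication = false;` and `services.openssh.settings.KbdInteractiveAuthentication = false;` so the daemon is key-only, and consider dropping the root key in favour of `xqtc`, which is already in `wheel`, so root access goes through sudo and is attributable. `trusted-users = ["xqtc"]` is worth a comment as well, since a trusted user of the nix-daemon can push arbitrary store paths and is effectively root on the host. Separately, with `sslProtocols = mkDefault "TLSv1.3"` the `sslCiphers` string has no effect, because TLS 1.3 suites are not selected through `ssl_ciphers`; either remove it or annotate it as the TLS 1.2 fallback list in case the protocol default is overridden.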
@@ -0,0 +1,41 @@
+# Do not modify this file! It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations. Please make changes
+# to /etc/nixos/configuration.nix instead.
+{
+ config,
+ lib,
+ pkgs,
+ modulesPath,
+ ...
+}: {
+ imports = [
+ (modulesPath + "/installer/scan/not-detected.nix")
+ ];
+
+ boot.initrd.availableKernelModules = ["xhci_pci" "ahci" "sd_mod"];
+ boot.initrd.kernelModules = [];
+ boot.kernelModules = ["kvm-intel"];
+ boot.extraModulePackages = [];
+
+ fileSystems."/" = {
+ device = "/dev/disk/by-uuid/f38db2c6-40b8-451b-98e4-066e0b3d9f83";
+ fsType = "btrfs";
+ };
+
+ fileSystems."/boot" = {
+ device = "/dev/disk/by-uuid/3352-4ED1";
+ fsType = "vfat";
+ };
+
+ swapDevices = [];
+
+ # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+ # (the default) this is the recommended approach. When using systemd-networkd it's
+ # still possible to use this option, but it's recommended to use it in conjunction
+ # with explicit per-interface declarations with `networking.interfaces..useDHCP`.
+ networking.useDHCP = lib.mkDefault true;
+ # networking.interfaces.enp0s31f6.useDHCP = lib.mkDefault true;
+
+ nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+ hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+}
diff --git a/hosts/x86_64-linux/beleth/jellyfin.nix b/hosts/x86_64-linux/beleth/jellyfin.nix
new file mode 100644
index 0000000..fefc23a
--- /dev/null
+++ b/hosts/x86_64-linux/beleth/jellyfin.nix
@@ -0,0 +1,73 @@
+{
+ config,
+ pkgs,
+ lib,
+ ...
+}: let
+ proxyConfig = ''
+
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_set_header X-Forwarded-Protocol $scheme;
+ proxy_set_header X-Forwarded-Host $http_host;
+ '';
+in {
+ environment.systemPackages = with pkgs; [
+ jellyfin
+ jellyfin-web
+ jellyfin-ffmpeg
+ ];
+ nixpkgs.config.packageOverrides = pkgs: {
+ intel-vaapi-driver =
+ pkgs.intel-vaapi-driver.override {enableHybridCodec = true;};
+ };
+ hardware.opengl = {
+ enable = true;
+ extraPackages = with pkgs; [
+ intel-media-driver # LIBVA_DRIVER_NAME=iHD
+ intel-vaapi-driver # LIBVA_DRIVER_NAME=i965 (older but works better for Firefox/Chromium)
+ vaapiVdpau
+ libvdpau-va-gl
+ ];
+ };
+ environment.sessionVariables = {
+ LIBVA_DRIVER_NAME = "iHD";
+ }; # Force intel-media-driver
+ services.jellyfin.enable = true;
+ # services.jellyfin.openFirewall = true;
+ services.jellyfin.user = "xqtc";
+ services.nginx.virtualHosts."jellyfin.heroin.trade" = {
+ # addSSL = true;
+ # kTLS = true;
+
+ forceSSL = true;
+ enableACME = true;
+ locations = {
+ # "= /".return = "302 https://$host/web/";
+ "/" = {
+ # extraConfig = ''
+ # proxy_set_header Host $host;
+ # proxy_set_header X-Real-IP $remote_addr;
+ # proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ # proxy_set_header X-Forwarded-Proto $scheme;
+ # proxy_set_header X-Forwarded-Protocol $scheme;
+ # proxy_set_header X-Forwarded-Host $http_host;
+ # proxy_buffering on;
+ # '';
+ proxyPass = "http://127.0.0.1:8096";
+ proxyWebsockets = true;
+ };
+ # "= /web/" = {
+ # proxyPass = "http://127.0.0.1:8096/web/index.html";
+ # extraConfig = proxyConfig;
+ # };
+ # "/socket" = {
+ # proxyPass = "http://127.0.0.1:8096";
+ # proxyWebsockets = true;
+ # extraConfig = proxyConfig;
+ # };
+ };
+ };
+}
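Review bot: `proxyConfig` in the `let` block is defined but never used — its only references sit inside the commented-out `"= /web/"` and `"/socket"` locations — so it is dead code that should be removed or wired in; since the host's default.nix in this same commit sets `recommendedProxySettings = true`, which already emits the equivalent `proxy_set_header` lines, dropping it along with the commented-out `extraConfig` block is the simpler fix. `services.jellyfin.user = "xqtc";` also runs the media server as the interactive admin account that is in `wheel`, so a bug in Jellyfin or its transcoding pipeline would execute as the user that can sudo and talk to the nix-daemon as a trusted user. Leaving the option at its default gives the service its own unprivileged `jellyfin` account; if the override is there for media-library file ownership, a shared group on the library directory is the usual alternative and deserves a comment either way.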
diff --git a/hosts/x86_64-linux/beleth/monitoring.nix b/hosts/x86_64-linux/beleth/monitoring.nix
new file mode 100644
index 0000000..43ebc6b
--- /dev/null
+++ b/hosts/x86_64-linux/beleth/monitoring.nix
@@ -0,0 +1,48 @@
+{
+ config,
+ pkgs,
+ ...
+}: {
+ networking.firewall.allowedTCPPorts = [80 443 9001];
+ services.grafana = {
+ enable = true;
+ settings.server = {
+ port = 2342;
+ addr = "127.0.0.1";
+ };
+ };
+
+ services.prometheus = {
+ enable = true;
+ port = 9001;
+ exporters = {
+ node = {
+ enable = true;
+ enabledCollectors = ["systemd" "sysctl" "powersupplyclass"];
+ port = 9002;
+ };
+ };
+ scrapeConfigs = [
+ {
+ job_name = "beleth";
+ static_configs = [
+ {
+ targets = ["127.0.0.1:${toString config.services.prometheus.exporters.node.port}"];
+ }
+ ];
+ }
+ ];
+ };
+
+ services.nginx.virtualHosts."grafana.heroin.trade" = {
+ forceSSL = true;
+ enableACME = true;
+ locations."/" = {
+ extraConfig = ''
+ proxy_set_header Host $host;
+ '';
+ proxyPass = "http://127.0.0.1:${toString config.services.grafana.settings.server.http_port}";
+ proxyWebsockets = true;
+ };
+ };
+}
diff --git a/hosts/x86_64-linux/seraphim/jellyfin.nix b/hosts/x86_64-linux/seraphim/jellyfin.nix
index 0a491db..faa7d72 100644
--- a/hosts/x86_64-linux/seraphim/jellyfin.nix
+++ b/hosts/x86_64-linux/seraphim/jellyfin.nix
@@ -1,5 +1,9 @@
-{config, pkgs, lib, ...}: {
+ config,
+ pkgs,
+ lib,
+ ...
+}: {
 services.jellyfin.enable = true;
 services.jellyfin.user = "xqtc";
 services.nginx.virtualHosts."jellyfin.fritz.box" = {
diff --git a/hosts/x86_64-linux/seraphim/monitoring.nix b/hosts/x86_64-linux/seraphim/monitoring.nix
index 3d77eaf..298eae0 100644
--- a/hosts/x86_64-linux/seraphim/monitoring.nix
+++ b/hosts/x86_64-linux/seraphim/monitoring.nix
@@ -19,7 +19,7 @@
 exporters = {
 node = {
 enable = true;
- enabledCollectors = ["systemd" "sysctl" "powersupplyclass" ];
+ enabledCollectors = ["systemd" "sysctl" "powersupplyclass"];
 port = 9002;
 };
 };
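Review bot: `networking.firewall.allowedTCPPorts = [80 443 9001];` at the top of the beleth/monitoring.nix hunk exposes Prometheus to the network although its only scrape target is `127.0.0.1`, and the Prometheus HTTP API carries no authentication of its own, so anyone who can reach the host can read every collected metric and run queries; Grafana, by contrast, is kept on loopback behind the TLS vhost. Drop `9001` from the list and, if nothing remote needs the API, also set `services.prometheus.listenAddress = "127.0.0.1";` so the default bind to all interfaces does not rely on the firewall alone. The Grafana block also looks inconsistent: it sets `settings.server.port = 2342` and `addr`, while the `proxyPass` line reads `config.services.grafana.settings.server.http_port`; Grafana's ini keys are `http_port`/`http_addr`, so the `2342`/`127.0.0.1` values are presumably written to grafana.ini but ignored and the proxy works only because `http_port` falls back to its default — renaming them to `http_port`/`http_addr` makes the configured port the one actually used.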