added beleth

2024-11-22 16:10:32 +01:00 · 2024-04-01 02:29:05 +02:00 · 2024-04-01 02:29:05 +02:00 · b66f815460
parent 1b1893b267
commit b66f815460
8 changed files with 284 additions and 3 deletions
--- a/common/default.nix
+++ b/common/default.nix
@ -7,7 +7,7 @@
 }: {
  #nixpkgs.config.permittedInsecurePackages = ["electron-25.9.0" "electron-24.8.6"];
  networking.hosts = {
-    "192.168.178.35" = [ "jellyfin.fritz.box" "grafana.fritz.box" ];    
+    "192.168.178.35" = ["jellyfin.fritz.box" "grafana.fritz.box"];
  };
  environment.systemPackages = with pkgs; [
    xdg-desktop-portal-hyprland
--- a/flake.nix
+++ b/flake.nix
@ -66,6 +66,11 @@
        modules = [./hosts/x86_64-linux/lambda];
        specialArgs = {inherit inputs;};
      };
+      "beleth" = lib.nixosSystem {
+        system = "x86_64-linux";
+        modules = [./hosts/x86_64-linux/beleth];
+        specialArgs = {inherit inputs;};
+      };
      "alastor" = lib.nixosSystem {
        system = "aarch64-linux";
        modules = [./hosts/aarch64-linux/alastor];
--- a/hosts/x86_64-linux/beleth/default.nix
+++ b/hosts/x86_64-linux/beleth/default.nix
@ -0,0 +1,110 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+with lib; {
+  imports = [
+    # Include the results of the hardware scan.
+    ./hardware-configuration.nix
+    ./monitoring.nix
+    ./jellyfin.nix
+  ];
+
+  services.nginx = {
+    enable = true;
+    package = pkgs.nginxQuic;
+
+    recommendedGzipSettings = true;
+    recommendedOptimisation = true;
+    recommendedProxySettings = true;
+    recommendedTlsSettings = true;
+
+    sslCiphers = "AES256+EECDH:AES256+EDH:!aNULL";
+    sslProtocols = mkDefault "TLSv1.3";
+    # sslDhparam = config.security.dhparams.params.nginx.path;
+
+    clientMaxBodySize = mkDefault "128M";
+    commonHttpConfig = ''
+      map $scheme $hsts_header {
+        https   "max-age=31536000; includeSubdomains; preload";
+      }
+      add_header Strict-Transport-Security 	$hsts_header;
+      add_header X-Content-Type-Options 	  "nosniff" always;
+      add_header X-XSS-Protection 		      "1; mode=block" always;
+      add_header X-Frame-Options 		        "SAMEORIGIN" always;
+      add_header Referrer-Policy 		        "same-origin" always;
+    '';
+  };
+
+  security.acme = {
+    acceptTerms = true;
+    defaults.email = "xqtc@tutanota.com";
+    defaults.keyType = "ec256";
+    certs = {
+      "jellyfin.heroin.trade" = {};
+      "grafana.heroin.trade" = {};
+    };
+  };
+
+  nix.settings.experimental-features = ["nix-command" "flakes"];
+
+  nix.settings = {
+    trusted-users = ["xqtc"];
+    substituters = [
+      "https://nix-community.cachix.org"
+    ];
+    trusted-public-keys = [
+      "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
+    ];
+  };
+  # Use the systemd-boot EFI boot loader.
+  boot.loader.systemd-boot.enable = true;
+  boot.loader.efi.canTouchEfiVariables = true;
+
+  networking.hostName = "beleth"; # Define your hostname.
+  networking.networkmanager.enable = true; # Easiest to use and most distros use this by default.
+
+  # Set your time zone.
+  time.timeZone = "Europe/Berlin";
+
+  users.users.xqtc = {
+    isNormalUser = true;
+    extraGroups = ["wheel"];
+    packages = with pkgs; [
+      tree
+    ];
+    openssh.authorizedKeys.keys = [
+      # TODO: Add remaining keys from https://meta.sr.ht/~xqrc.keys
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIN7UkcmSVo+SeB5Obevz3mf3UHruYxn0UHUzoOs2gDBy xqtc@asmodeus"
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPf3w5bHAssHthg9SPXVpG4w9v8m16X/0J3bjg08P6EA xqtc@seraphim"
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJYa+LoHGGvu12iBufUcr3GD8tsq4LuJdwLjaDkTr0SL xqtc@lilith"
+    ];
+  };
+  users.users.root.openssh.authorizedKeys.keys = [
+    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIN7UkcmSVo+SeB5Obevz3mf3UHruYxn0UHUzoOs2gDBy xqtc@asmodeus"
+  ];
+
+  environment.systemPackages = with pkgs; [
+    neovim
+    vim
+    git
+    wget
+  ];
+
+  programs.mtr.enable = true;
+  programs.gnupg.agent = {
+    enable = true;
+    enableSSHSupport = true;
+  };
+
+  # Enable the OpenSSH daemon.
+  services.openssh.enable = true;
+
+  # Open ports in the firewall.
+  networking.firewall.allowedTCPPorts = [22 80 443];
+  # networking.firewall.allowedUDPPorts = [443];
+
+  system.stateVersion = "24.05"; # Did you read the comment?
+}
--- a/hosts/x86_64-linux/beleth/hardware-configuration.nix
+++ b/hosts/x86_64-linux/beleth/hardware-configuration.nix
@ -0,0 +1,41 @@
+# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations.  Please make changes
+# to /etc/nixos/configuration.nix instead.
+{
+  config,
+  lib,
+  pkgs,
+  modulesPath,
+  ...
+}: {
+  imports = [
+    (modulesPath + "/installer/scan/not-detected.nix")
+  ];
+
+  boot.initrd.availableKernelModules = ["xhci_pci" "ahci" "sd_mod"];
+  boot.initrd.kernelModules = [];
+  boot.kernelModules = ["kvm-intel"];
+  boot.extraModulePackages = [];
+
+  fileSystems."/" = {
+    device = "/dev/disk/by-uuid/f38db2c6-40b8-451b-98e4-066e0b3d9f83";
+    fsType = "btrfs";
+  };
+
+  fileSystems."/boot" = {
+    device = "/dev/disk/by-uuid/3352-4ED1";
+    fsType = "vfat";
+  };
+
+  swapDevices = [];
+
+  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+  # (the default) this is the recommended approach. When using systemd-networkd it's
+  # still possible to use this option, but it's recommended to use it in conjunction
+  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
+  networking.useDHCP = lib.mkDefault true;
+  # networking.interfaces.enp0s31f6.useDHCP = lib.mkDefault true;
+
+  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+  hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+}
--- a/hosts/x86_64-linux/beleth/jellyfin.nix
+++ b/hosts/x86_64-linux/beleth/jellyfin.nix
@ -0,0 +1,73 @@
+{
+  config,
+  pkgs,
+  lib,
+  ...
+}: let
+  proxyConfig = ''
+
+    proxy_set_header Host $host;
+    proxy_set_header X-Real-IP $remote_addr;
+    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+    proxy_set_header X-Forwarded-Proto $scheme;
+    proxy_set_header X-Forwarded-Protocol $scheme;
+    proxy_set_header X-Forwarded-Host $http_host;
+  '';
+in {
+  environment.systemPackages = with pkgs; [
+    jellyfin
+    jellyfin-web
+    jellyfin-ffmpeg
+  ];
+  nixpkgs.config.packageOverrides = pkgs: {
+    intel-vaapi-driver =
+      pkgs.intel-vaapi-driver.override {enableHybridCodec = true;};
+  };
+  hardware.opengl = {
+    enable = true;
+    extraPackages = with pkgs; [
+      intel-media-driver # LIBVA_DRIVER_NAME=iHD
+      intel-vaapi-driver # LIBVA_DRIVER_NAME=i965 (older but works better for Firefox/Chromium)
+      vaapiVdpau
+      libvdpau-va-gl
+    ];
+  };
+  environment.sessionVariables = {
+    LIBVA_DRIVER_NAME = "iHD";
+  }; # Force intel-media-driver
+  services.jellyfin.enable = true;
+  # services.jellyfin.openFirewall = true;
+  services.jellyfin.user = "xqtc";
+  services.nginx.virtualHosts."jellyfin.heroin.trade" = {
+    # addSSL = true;
+    # kTLS = true;
+
+    forceSSL = true;
+    enableACME = true;
+    locations = {
+      # "= /".return = "302 https://$host/web/";
+      "/" = {
+        # extraConfig = ''
+        #          proxy_set_header Host $host;
+        #   proxy_set_header X-Real-IP $remote_addr;
+        #      	proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        #      	proxy_set_header X-Forwarded-Proto $scheme;
+        #      	proxy_set_header X-Forwarded-Protocol $scheme;
+        #      	proxy_set_header X-Forwarded-Host $http_host;
+        #   proxy_buffering on;
+        # '';
+        proxyPass = "http://127.0.0.1:8096";
+        proxyWebsockets = true;
+      };
+      # "= /web/" = {
+      #   proxyPass = "http://127.0.0.1:8096/web/index.html";
+      #   extraConfig = proxyConfig;
+      # };
+      # "/socket" = {
+      #   proxyPass = "http://127.0.0.1:8096";
+      #   proxyWebsockets = true;
+      #   extraConfig = proxyConfig;
+      # };
+    };
+  };
+}
--- a/hosts/x86_64-linux/beleth/monitoring.nix
+++ b/hosts/x86_64-linux/beleth/monitoring.nix
@ -0,0 +1,48 @@
+{
+  config,
+  pkgs,
+  ...
+}: {
+  networking.firewall.allowedTCPPorts = [80 443 9001];
+  services.grafana = {
+    enable = true;
+    settings.server = {
+      port = 2342;
+      addr = "127.0.0.1";
+    };
+  };
+
+  services.prometheus = {
+    enable = true;
+    port = 9001;
+    exporters = {
+      node = {
+        enable = true;
+        enabledCollectors = ["systemd" "sysctl" "powersupplyclass"];
+        port = 9002;
+      };
+    };
+    scrapeConfigs = [
+      {
+        job_name = "beleth";
+        static_configs = [
+          {
+            targets = ["127.0.0.1:${toString config.services.prometheus.exporters.node.port}"];
+          }
+        ];
+      }
+    ];
+  };
+
+  services.nginx.virtualHosts."grafana.heroin.trade" = {
+    forceSSL = true;
+    enableACME = true;
+    locations."/" = {
+      extraConfig = ''
+        proxy_set_header Host $host;
+      '';
+      proxyPass = "http://127.0.0.1:${toString config.services.grafana.settings.server.http_port}";
+      proxyWebsockets = true;
+    };
+  };
+}
--- a/hosts/x86_64-linux/seraphim/jellyfin.nix
+++ b/hosts/x86_64-linux/seraphim/jellyfin.nix
@ -1,5 +1,9 @@
-{config, pkgs, lib, ...}:
 {
+  config,
+  pkgs,
+  lib,
+  ...
+}: {
  services.jellyfin.enable = true;
  services.jellyfin.user = "xqtc";
  services.nginx.virtualHosts."jellyfin.fritz.box" = {
--- a/hosts/x86_64-linux/seraphim/monitoring.nix
+++ b/hosts/x86_64-linux/seraphim/monitoring.nix
@ -19,7 +19,7 @@
    exporters = {
      node = {
        enable = true;
-        enabledCollectors = ["systemd" "sysctl" "powersupplyclass" ];
+        enabledCollectors = ["systemd" "sysctl" "powersupplyclass"];
        port = 9002;
      };
    };