diff --git a/hosts/server/configuration.nix b/hosts/server/configuration.nix
index c52495e..28e6384 100644
--- a/hosts/server/configuration.nix
+++ b/hosts/server/configuration.nix
@@ -32,11 +32,6 @@
motd = "Welcome to the Server";
defaultUserShell = pkgs.zsh;
users = {
- rodant = {
- isNormalUser = true;
- description = "llm user";
- packages = with pkgs; [git python3 nodejs cargo ripgrep curl wget ffmpeg imagemagick texliveFull ];
- };
k = {
isNormalUser = true;
description = "k";
@@ -59,7 +54,7 @@
};
environment.systemPackages = with pkgs; [
- microcode-intel
+ microcodeIntel
firefox
];
@@ -70,9 +65,10 @@
extraPackages = with pkgs; [
intel-media-driver
intel-vaapi-driver
- libva-vdpau-driver
+ vaapiVdpau
intel-compute-runtime # OpenCL filter support (hardware tonemapping and subtitle burn-in)
vpl-gpu-rt # QSV on 11th gen or newer
+ intel-media-sdk # QSV up to 11th gen
];
};
diff --git a/hosts/server/service.nix b/hosts/server/service.nix
index 2c5d18f..cb61f3b 100644
--- a/hosts/server/service.nix
+++ b/hosts/server/service.nix
@@ -6,8 +6,8 @@
networking = {
firewall = {
enable = true;
- allowedTCPPorts = [80 443 51820 2020 26615];
- allowedUDPPorts = [51820 24454 26615];
+ allowedTCPPorts = [80 443 22 25565 26615 8080 53 19132];
+ allowedUDPPorts = [26615 8080 1900 51820 53 19132];
};
nat.externalInterface = "wlp0s20f3";
nat.internalInterfaces = ["wg0"];
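Review bot: The new `allowedTCPPorts`/`allowedUDPPorts` lists in the service.nix hunk open 53 (tcp and udp), 8080 (tcp and udp), 1900/udp, 25565 and 19132 on every interface, including the external `wlp0s20f3` named just below, and nothing else in this diff shows what listens on them, so it is hard to tell which are meant for the LAN or WireGuard side only. Port 53 reachable from the WAN invites open-resolver abuse if a resolver runs on this host, and 1900/udp (SSDP, presumably DLNA discovery for Jellyfin) is a well-known amplification target that rarely needs to be reachable from the internet; `networking.firewall.interfaces.wg0.allowedUDPPorts` (or the LAN interface) would scope those without touching the global lists. SSH also moves from 2020 to 22 here, so the host will pick up the usual background scanning, which makes the fail2ban reduction in the next hunk worth revisiting. A comment per port naming its service (e.g. `25565 # minecraft java`, `19132 # minecraft bedrock`) would make this list reviewable the next time it changes. The configuration.nix hunks in the same span only drop a user and rename package attributes.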
@@ -47,51 +47,11 @@
};
services = {
- openssh = {
- enable = true;
- ports = [2020];
- };
+ openssh = {enable = true;};
jellyfin = {enable = true;};
- fail2ban = {
- enable = true;
- jails = {
- nginx-http-auth = {
- settings = {
- enabled = true;
- port = "http,https";
- logpath = "/var/log/nginx/error.log";
- # "auto" or "polling" is required for file-based logs on NixOS
- backend = "auto";
- };
- };
-
- nginx-botsearch = {
- settings = {
- enabled = true;
- port = "http,https";
- logpath = "/var/log/nginx/access.log";
- backend = "auto";
- maxretry = 2;
- };
- };
- recidive = {
- settings = {
- enabled = true;
- port = "allports";
- protocol = "all";
- # Look for 'Ban' messages in fail2ban's own log
- backend = "systemd";
- #logpath = "/var/log/fail2ban.log";
- #backend = "auto";
- bantime = "1w"; # Ban for 1 week
- findtime = "1d"; # Look back 1 day
- maxretry = 5; # If they were banned 5 times in 24 hours
- };
- };
- };
- };
+ fail2ban = {enable = true;};
postgresql = {enable = true;};
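Review bot: Collapsing `fail2ban` to `{enable = true;}` drops the nginx-http-auth, nginx-botsearch and recidive jails while the nginx virtual hosts on this machine stay public, so only the module's default sshd jail (assuming the NixOS module still provides one) protects anything, and the one-week repeat-offender ban is gone. If the jails were removed only because of the `/var/log/nginx` paths, keeping recidive alone or setting `fail2ban.bantime-increment.enable = true;` would restore escalating bans cheaply. Since `openssh` now listens on the default port 22 (reachable through the firewall change in the previous hunk), it is worth confirming that password authentication is disabled somewhere outside this hunk, e.g. `openssh = {enable = true; settings.PasswordAuthentication = false;};`. The `services` attribute set continues past the end of the hunk.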
@@ -102,68 +62,18 @@
secretKeyFile = "/var/cache-priv-key.pem";
};
-prometheus = {
- enable = true;
- scrapeConfigs = [{
- job_name = "ratchat-server";
- static_configs = [{
- targets = [ "127.0.0.1:9011" ];
- }];
- }];
-};
-
-grafana = {
- enable = true;
- settings = {
- server = {
- http_addr = "127.0.0.1";
- http_port = 3000;
- };
- };
-
- provision = {
- enable = true;
- datasources.settings.datasources = [{
- name = "Prometheus";
- type = "prometheus";
- url = "http://localhost:9090";
- }];
- };
-};
-
ollama = {
- enable = true;
- package = pkgs.ollama-vulkan;
- environmentVariables = {
- GGML_VK_DISABLE_INTEGER_DOT_PRODUCT = "1";
- OLLAMA_FLASH_ATTENTION = "1";
- OLLAMA_VULKAN = "1";
- OLLAMA_HOST = "0.0.0.0:11434";
- };
- };
- anubis = {
- defaultOptions = {
- enable = true;
- settings.SERVE_ROBOTS_TXT = true;
- firewall.enabled = true;
- firewall.block_openai = true;
- firewall.block_google = true;
- };
+ enable = false;
+ package = pkgs.ollama-intel;
};
- open-webui = {
- enable = true;
- port = 5009;
- };
-
- forgejo = {
+ gitea = {
enable = true;
settings = {
service.DISABLE_REGISTRATION = true;
service.ENABLE_PUSH_CREATE_USER = true;
server = {
HTTP_PORT = 8001;
- SSH_PORT = 2020;
DOMAIN = "dhilton.xyz";
ROOT_URL = "https://git.dhilton.xyz";
ENABLE_PUSH_CREATE_USER = true;
@@ -171,7 +81,6 @@ grafana = {
};
};
- gitea-actions-runner.package = pkgs.forgejo-runner;
gitea-actions-runner.instances.home = {
enable = true;
url = "https://git.dhilton.xyz";
@@ -187,8 +96,8 @@ grafana = {
};
home-assistant = {
- enable = true;
- extraComponents = ["wiz" "fail2ban" "ollama" "wyoming" "bluetooth" "ios" "homekit" "jellyfin" "apple_tv" "androidtv" "androidtv_remote"];
+ enable = false;
+ extraComponents = ["wiz" "fail2ban" "ollama" "wyoming" "androidtv" "androidtv_remote"];
config = {
default_config = {};
"automation ui" = "!include automations.yaml";
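Review bot: Renaming `forgejo` to `gitea` switches NixOS modules, not just the package: the two modules default to different state directories (`/var/lib/forgejo` vs `/var/lib/gitea`) and different service users, so the existing repositories, database and the actions-runner registration will not be picked up unless the data is moved and re-owned, and as far as I know Forgejo's database migrations are not designed to be reopened by Gitea, so that should be verified on a copy before switching. The `gitea-actions-runner.package = pkgs.forgejo-runner` removal in the next hunk is part of the same switch. Dropping `SSH_PORT = 2020` is consistent with sshd moving back to 22, but if `services.openssh.ports` is set anywhere else the advertised clone URLs would silently break; a comment such as `# SSH_PORT follows services.openssh (default 22)` would document the coupling. The `gitea` attribute set continues past the end of the hunk.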
@@ -202,12 +111,12 @@ grafana = {
wyoming = {
piper.servers."piperNix" = {
- enable = true;
+ enable = false;
uri = "tcp://0.0.0.0:10200";
voice = "en-us-ryan-low";
};
faster-whisper.servers."whisperNix" = {
- enable = true;
+ enable = false;
uri = "tcp://0.0.0.0:10300";
language = "en";
};
@@ -222,18 +131,30 @@ grafana = {
};
};
+ akkoma = {
+ enable = true;
+ initDb.enable = true;
+ config = {
+ ":pleroma" = {
+ ":instance" = {
+ name = "dhilton fedi";
+ description = "dhilton akkoma server";
+ email = "markers711@gmail.com";
+ registration_open = false;
+ };
+ "Pleroma.Web.Endpoint" = {url.host = "fed.dhilton.xyz";};
+ };
+ };
+ nginx = {
+ enableACME = true;
+ forceSSL = true;
+ };
+ };
+
nginx = {
enable = true;
-commonHttpConfig = ''
- map $http_authorization $is_allowed_user {
- default 0;
- "Bearer ratToken" 1;
- "Bearer notRatToken" 1;
- }
- '';
recommendedProxySettings = true;
recommendedTlsSettings = true;
- clientMaxBodySize = "4g";
virtualHosts = {
"dhilton.xyz" = {
@@ -260,17 +181,6 @@ commonHttpConfig = ''
};
};
- "rat.dhilton.xyz" = {
- forceSSL = true;
- enableACME = true;
- locations."/" = {
- proxyPass = "http://127.0.0.1:9011";
-extraConfig = ''
- if ($is_allowed_user = 0) { return 401; }
- '';
- };
- };
-
"hom.dhilton.xyz" = {
forceSSL = true;
enableACME = true;
@@ -289,20 +199,11 @@ extraConfig = ''
};
};
- "oai.dhilton.xyz" = {
+ "map.dhilton.xyz" = {
forceSSL = true;
enableACME = true;
locations."/" = {
- proxyPass = "http://127.0.0.1:5009";
- proxyWebsockets = true;
- };
- };
-
- "gfa.dhilton.xyz" = {
- forceSSL = true;
- enableACME = true;
- locations."/" = {
- proxyPass = "http://127.0.0.1:3000";
+ proxyPass = "http://127.0.0.1:8100";
proxyWebsockets = true;
};
};
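Review bot: Removing `clientMaxBodySize = "4g"` from the `nginx` block reverts every virtual host to nginx's default 1 MiB request-body limit, which will show up as HTTP 413 on large git pushes to the gitea host and on media uploads to the new akkoma instance unless those modules set `client_max_body_size` on their own locations; if the 4g value only existed for the deleted rat/oai hosts, an explicit smaller limit on the git and fed virtual hosts is safer than relying on the default. The new `akkoma` block sensibly keeps `registration_open = false`, but the contact `email` is a personal address committed in plain text, which is fine for a private repo and harvestable otherwise. The wyoming hunk above only flips `enable`, and the rat/oai/gfa removals drop the hard-coded bearer tokens along with their hosts, which needs no further change. The `virtualHosts` set continues past the end of the last hunk.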