From 1da6dc34eb33d786a13f6fdc884fd7e3c1415f5d Mon Sep 17 00:00:00 2001 From: k Date: Wed, 28 Jan 2026 06:04:26 +0000 Subject: [PATCH 01/11] added mlflow --- hosts/server/service.nix | 29 ++++++++++++++++++++--------- 1 file changed, 20 insertions(+), 9 deletions(-) diff --git a/hosts/server/service.nix b/hosts/server/service.nix index 07997cd..23f44ca 100644 --- a/hosts/server/service.nix +++ b/hosts/server/service.nix @@ -6,23 +6,25 @@ networking = { firewall = { enable = true; - allowedTCPPorts = [80 443 22 25565 26615 8080 53 19132 ]; - allowedUDPPorts = [26615 8080 1900 51820 53 19132 ]; + allowedTCPPorts = [80 443 22 25565 26615 8080 53 19132]; + allowedUDPPorts = [26615 8080 1900 51820 53 19132]; }; nat.externalInterface = "wlp0s20f3"; - nat.internalInterfaces = [ "wg0" ]; + nat.internalInterfaces = ["wg0"]; wireguard.interfaces = { wg0 = { ips = ["10.0.0.1/24"]; listenPort = 51820; privateKeyFile = "/keys/wg-private"; - peers = [ - { # laptop - publicKey = "Ze2y3K+blI3aBc1AKTlvv90j+McBaitB+qSLazsuSFM="; + peers = [ + { + # laptop + publicKey = "Ze2y3K+blI3aBc1AKTlvv90j+McBaitB+qSLazsuSFM="; allowedIPs = ["10.0.0.2/32"]; } - { # phone + { + # phone publicKey = "vcheBoHRxCrwzbMw0UI9ZsQfVDJizBWkeM+pF5/8+HE="; allowedIPs = ["10.0.0.3/32"]; } @@ -179,13 +181,22 @@ }; }; - "hom.dhilton.xyz" = { + "mlf.dhilton.xyz" = { forceSSL = true; enableACME = true; locations."/" = { - proxyPass = "http://127.0.0.1:8002"; + proxyPass = "http://127.0.0.1:5002"; proxyWebsockets = true; }; + extraConfig = '' + client_max_body_size 4G; + proxy_request_buffering off; + proxy_buffering off; + proxy_connect_timeout 600s; + proxy_send_timeout 600s; + proxy_read_timeout 600s; + send_timeout 600s; + ''; }; "srx.dhilton.xyz" = { From dfd41745bca9ad8e9402edc937879648c18f70bf Mon Sep 17 00:00:00 2001 From: k Date: Wed, 28 Jan 2026 06:04:57 +0000 Subject: [PATCH 02/11] minor update --- hosts/server/configuration.nix | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) 
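Review bot: The new `mlf.dhilton.xyz` vhost publishes whatever listens on 127.0.0.1:5002 to the internet with a 4G body limit, buffering off and 600 s timeouts, but nothing in the hunk restricts who may reach it; unless the upstream enforces its own authentication, which this diff does not show, that is an unauthenticated large-upload endpoint. Since the WireGuard subnet is 10.0.0.0/24 (first hunk), the cheapest restriction is `locations."/".extraConfig = "allow 10.0.0.0/24; deny all;";` or an `auth_basic` block in the same place. Note also that the hunk rewrites the existing `hom.dhilton.xyz` entry instead of adding a new one, while the subject says "added mlflow"; the Home Assistant vhost only comes back in patch 08. The enclosing `virtualHosts` set starts and ends outside the hunk.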
diff --git a/hosts/server/configuration.nix b/hosts/server/configuration.nix index 28e6384..c984732 100644 --- a/hosts/server/configuration.nix +++ b/hosts/server/configuration.nix @@ -54,7 +54,7 @@ }; environment.systemPackages = with pkgs; [ - microcodeIntel + microcode-intel firefox ]; @@ -65,10 +65,9 @@ extraPackages = with pkgs; [ intel-media-driver intel-vaapi-driver - vaapiVdpau + libva-vdpau-driver intel-compute-runtime # OpenCL filter support (hardware tonemapping and subtitle burn-in) vpl-gpu-rt # QSV on 11th gen or newer - intel-media-sdk # QSV up to 11th gen ]; }; From 37d2d2c2d6130053f9f5f56594d76a63ea8cffd4 Mon Sep 17 00:00:00 2001 From: k Date: Sun, 10 May 2026 15:37:29 -0400 Subject: [PATCH 03/11] change ssh port --- hosts/server/service.nix | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/hosts/server/service.nix b/hosts/server/service.nix index 23f44ca..943a3e1 100644 --- a/hosts/server/service.nix +++ b/hosts/server/service.nix @@ -47,7 +47,10 @@ }; services = { - openssh = {enable = true;}; + openssh = { + enable = true; + ports = [2020]; + }; jellyfin = {enable = true;}; From 6e69171320825dd86cf4cd02948c6339218967e8 Mon Sep 17 00:00:00 2001 From: k Date: Sun, 10 May 2026 15:42:33 -0400 Subject: [PATCH 04/11] port and fail2ban update --- hosts/server/service.nix | 43 +++++++++++++++++++++++++++++++++++++--- 1 file changed, 40 insertions(+), 3 deletions(-) diff --git a/hosts/server/service.nix b/hosts/server/service.nix index 943a3e1..a7ab35e 100644 --- a/hosts/server/service.nix +++ b/hosts/server/service.nix @@ -6,8 +6,8 @@ networking = { firewall = { enable = true; - allowedTCPPorts = [80 443 22 25565 26615 8080 53 19132]; - allowedUDPPorts = [26615 8080 1900 51820 53 19132]; + allowedTCPPorts = [80 443 51820 2020 26615]; + allowedUDPPorts = [51820 24454 26615]; }; nat.externalInterface = "wlp0s20f3"; nat.internalInterfaces = ["wg0"]; 
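Review bot: Changing sshd to `ports = [2020]` is the only hardening in this block; nothing here turns off password login, so if `settings.PasswordAuthentication` is not set elsewhere the move mainly shifts scanner noise. I would add `settings.PasswordAuthentication = false;` and `settings.KbdInteractiveAuthentication = false;` next to `ports`. `services.openssh.openFirewall` defaults to true, so 2020 is opened automatically, while the explicit 22 in `allowedTCPPorts` stays open until patch 04 removes it. The `services` set continues outside the hunk.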
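Review bot: `51820` does not belong in `allowedTCPPorts`: the WireGuard `listenPort = 51820` from patch 01 is a UDP socket, and the UDP entry on the next line already covers it, so the TCP entry is just an extra open port. The new `24454` UDP entry has no comment saying which service needs it; the lists are now short enough that a per-port comment (`2020 # ssh`, `51820 # wireguard`) would document intent. Suggested: `allowedTCPPorts = [80 443 2020 26615];`.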
@@ -54,7 +54,44 @@ jellyfin = {enable = true;}; - fail2ban = {enable = true;}; + fail2ban = { + enable = true; + jails = { + nginx-http-auth = { + settings = { + enabled = true; + port = "http,https"; + logpath = "/var/log/nginx/error.log"; + # "auto" or "polling" is required for file-based logs on NixOS + backend = "auto"; + }; + }; + + nginx-botsearch = { + settings = { + enabled = true; + port = "http,https"; + logpath = "/var/log/nginx/access.log"; + backend = "auto"; + maxretry = 2; + }; + }; + recidive = { + settings = { + enabled = true; + port = "allports"; + protocol = "all"; + # Look for 'Ban' messages in fail2ban's own log + backend = "systemd"; + #logpath = "/var/log/fail2ban.log"; + #backend = "auto"; + bantime = "1w"; # Ban for 1 week + findtime = "1d"; # Look back 1 day + maxretry = 5; # If they were banned 5 times in 24 hours + }; + }; + }; + }; postgresql = {enable = true;}; From d49f8611d506cb20e7417f49b33d994b2f41434a Mon Sep 17 00:00:00 2001 From: k Date: Sun, 10 May 2026 15:44:55 -0400 Subject: [PATCH 05/11] gitea -> forgejo --- hosts/server/service.nix | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/hosts/server/service.nix b/hosts/server/service.nix index a7ab35e..f81acd9 100644 --- a/hosts/server/service.nix +++ b/hosts/server/service.nix @@ -107,13 +107,14 @@ package = pkgs.ollama-intel; }; - gitea = { + forgejo = { enable = true; settings = { service.DISABLE_REGISTRATION = true; service.ENABLE_PUSH_CREATE_USER = true; server = { HTTP_PORT = 8001; + SSH_PORT = 2020; DOMAIN = "dhilton.xyz"; ROOT_URL = "https://git.dhilton.xyz"; ENABLE_PUSH_CREATE_USER = true; @@ -121,6 +122,7 @@ }; }; + gitea-actions-runner.package = pkgs.forgejo-runner; gitea-actions-runner.instances.home = { enable = true; url = "https://git.dhilton.xyz"; From abba34b8ecc5b5c9898730cad58472f30dd6ee98 Mon Sep 17 00:00:00 2001 
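Review bot: None of the new jails sets `ignoreIP`, so the WireGuard clients on 10.0.0.0/24 (patch 01) can lock themselves out, up to a week on all ports via the `recidive` jail; `services.fail2ban.ignoreIP = ["10.0.0.0/24"];` next to `enable` avoids that. The `recidive` jail also carries two commented-out alternatives (`#logpath`, `#backend = "auto"`) with no note on why `backend = "systemd"` was chosen; either delete them or keep one comment explaining that fail2ban's own ban messages are read from the journal. `nginx-botsearch` with `maxretry = 2` is aggressive for a log that every crawler hits; a comment stating the intended trade-off would help. The `services` set continues outside the hunk.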
From: k Date: Sun, 10 May 2026 15:46:17 -0400 Subject: [PATCH 06/11] Ollama --- hosts/server/service.nix | 34 +++++++++++++++++++++++++++++++--- 1 file changed, 31 insertions(+), 3 deletions(-) diff --git a/hosts/server/service.nix b/hosts/server/service.nix index f81acd9..ca44f36 100644 --- a/hosts/server/service.nix +++ b/hosts/server/service.nix @@ -103,8 +103,28 @@ }; ollama = { - enable = false; - package = pkgs.ollama-intel; + enable = true; + package = pkgs.ollama-vulkan; + environmentVariables = { + GGML_VK_DISABLE_INTEGER_DOT_PRODUCT = "1"; + OLLAMA_FLASH_ATTENTION = "1"; + OLLAMA_VULKAN = "1"; + OLLAMA_HOST = "0.0.0.0:11434"; + }; + }; + anubis = { + defaultOptions = { + enable = true; + settings.SERVE_ROBOTS_TXT = true; + firewall.enabled = true; + firewall.block_openai = true; + firewall.block_google = true; + }; + }; + + open-webui = { + enable = true; + port = 5009; }; forgejo = { @@ -250,7 +270,15 @@ }; }; - "map.dhilton.xyz" = { + "oai.dhilton.xyz" = { + forceSSL = true; + enableACME = true; + locations."/" = { + proxyPass = "http://127.0.0.1:5009"; + proxyWebsockets = true; + }; + }; + forceSSL = true; enableACME = true; locations."/" = { From e6bef7bf709ede6076fc5ab77c64e115f2d25bb4 Mon Sep 17 00:00:00 2001 From: k Date: Sun, 10 May 2026 15:47:26 -0400 Subject: [PATCH 07/11] Some ratchat tweeks --- hosts/server/service.nix | 41 +++++++++++++++++++++++++++++++++++++++- 1 file changed, 40 insertions(+), 1 deletion(-) diff --git a/hosts/server/service.nix b/hosts/server/service.nix index ca44f36..b973218 100644 --- a/hosts/server/service.nix +++ b/hosts/server/service.nix 
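Review bot: `OLLAMA_HOST = "0.0.0.0:11434"` binds the Ollama API, which has no authentication of its own, on every interface; the firewall lists from patch 04 do not open 11434, so today this only matters for interfaces the firewall does not filter, but the intent (LAN or VPN access?) should be stated in a comment or the bind kept on loopback with `OLLAMA_HOST = "127.0.0.1:11434";`. The `anubis.defaultOptions` block only sets defaults — no `instances.<name>` is declared here, and the `oai.dhilton.xyz` vhost in the second hunk proxies straight to `127.0.0.1:5009` — so unless an instance is wired up elsewhere the bot filter sits in front of nothing. The `services` set continues outside the hunk.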
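Review bot: Removing the `"map.dhilton.xyz" = {` line leaves its body behind: after the new `oai` block the context lines `forceSSL = true;`, `enableACME = true;`, `locations."/" = {` now sit directly inside `virtualHosts`, where they are not valid vhost entries, so this commit should not evaluate on its own. Patch 07 does the same with `"mlf.dhilton.xyz"`, and the missing headers only come back in patches 08 and 09; re-splitting so each commit evaluates keeps bisects usable. The orphaned body and the enclosing `virtualHosts` set continue outside the hunk.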
@@ -102,6 +102,35 @@ secretKeyFile = "/var/cache-priv-key.pem"; }; +prometheus = { + enable = true; + scrapeConfigs = [{ + job_name = "ratchat-server"; + static_configs = [{ + targets = [ "127.0.0.1:9011" ]; + }]; + }]; +}; + +grafana = { + enable = true; + settings = { + server = { + http_addr = "127.0.0.1"; + http_port = 3000; + }; + }; + + provision = { + enable = true; + datasources.settings.datasources = [{ + name = "Prometheus"; + type = "prometheus"; + url = "http://localhost:9090"; + }]; + }; +}; + ollama = { enable = true; package = pkgs.ollama-vulkan; @@ -243,7 +272,17 @@ }; }; - "mlf.dhilton.xyz" = { + "rat.dhilton.xyz" = { + forceSSL = true; + enableACME = true; + locations."/" = { + proxyPass = "http://127.0.0.1:9011"; +extraConfig = '' + if ($is_allowed_user = 0) { return 401; } + ''; + }; + }; + forceSSL = true; enableACME = true; locations."/" = { From 87dadbdcfca321126ca52919c611101c4a67e424 Mon Sep 17 00:00:00 2001 From: k Date: Sun, 10 May 2026 15:48:00 -0400 Subject: [PATCH 08/11] Renable home manager --- hosts/server/service.nix | 20 ++++++-------------- 1 file changed, 6 insertions(+), 14 deletions(-) diff --git a/hosts/server/service.nix b/hosts/server/service.nix index b973218..edd6595 100644 --- a/hosts/server/service.nix +++ b/hosts/server/service.nix @@ -187,8 +187,8 @@ grafana = { }; home-assistant = { - enable = false; - extraComponents = ["wiz" "fail2ban" "ollama" "wyoming" "androidtv" "androidtv_remote"]; + enable = true; + extraComponents = ["wiz" "fail2ban" "ollama" "wyoming" "bluetooth" "ios" "homekit" "jellyfin" "apple_tv" "androidtv" "androidtv_remote"]; config = { default_config = {}; "automation ui" = "!include automations.yaml"; @@ -202,12 +202,12 @@ grafana = { wyoming = { piper.servers."piperNix" = { - enable = false; + enable = true; uri = "tcp://0.0.0.0:10200"; voice = "en-us-ryan-low"; }; faster-whisper.servers."whisperNix" = { - enable = false; + enable = true; uri = "tcp://0.0.0.0:10300"; language = "en"; }; 
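Review bot: The Grafana block sets only `http_addr`/`http_port`; `settings.security.admin_password` is not set, and the module's default admin credentials are the well-known `admin`/`admin`, which matters once patch 09 publishes this instance as `gfa.dhilton.xyz`. I would add `settings.security.admin_password = "$__file{<path to a secret outside the Nix store>}";` (placeholder path) unless it is configured elsewhere. The Prometheus block does not set `listenAddress`, which I believe defaults to 0.0.0.0, so `listenAddress = "127.0.0.1";` keeps it local like Grafana. Style: both new blocks are at column 0 while the surrounding `services` entries are indented. The `services` set continues outside the hunk.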
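Review bot: `if ($is_allowed_user = 0) { return 401; }` references a variable that no `map` in this tree defines yet — it is only introduced by `commonHttpConfig` in patch 10 — so at this commit nginx should reject the config as an unknown variable, unless it is defined somewhere outside the diff. Reordering the series so the map lands first, or squashing the two commits, fixes that. The `401` is also returned without a challenge header, e.g. `add_header WWW-Authenticate Bearer always;` inside the same `if` block, and `extraConfig` sits at column 0 inside an indented attrset. The enclosing `virtualHosts` set starts and ends outside the hunk.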
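Review bot: Enabling Piper and Whisper on `tcp://0.0.0.0:10200` and `tcp://0.0.0.0:10300` exposes two unauthenticated Wyoming services on every interface, while the only consumer visible here is Home Assistant on the same host; `uri = "tcp://127.0.0.1:10200";` and `uri = "tcp://127.0.0.1:10300";` would suffice unless satellites elsewhere need them, in which case a comment should say so. Neither port is in the firewall lists from patch 04, so today the exposure is limited to interfaces the firewall does not filter. The `wyoming` set starts and ends inside the hunk; the enclosing `services` set does not.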
@@ -283,21 +283,13 @@ extraConfig = '' }; }; + "hom.dhilton.xyz" = { forceSSL = true; enableACME = true; locations."/" = { - proxyPass = "http://127.0.0.1:5002"; + proxyPass = "http://127.0.0.1:8002"; proxyWebsockets = true; }; - extraConfig = '' - client_max_body_size 4G; - proxy_request_buffering off; - proxy_buffering off; - proxy_connect_timeout 600s; - proxy_send_timeout 600s; - proxy_read_timeout 600s; - send_timeout 600s; - ''; }; "srx.dhilton.xyz" = { From 0e1f86d230a1e1ca86dae6191a6767e3146cebf3 Mon Sep 17 00:00:00 2001 From: k Date: Sun, 10 May 2026 15:48:29 -0400 Subject: [PATCH 09/11] add gra endpoint --- hosts/server/service.nix | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/hosts/server/service.nix b/hosts/server/service.nix index edd6595..0248ae6 100644 --- a/hosts/server/service.nix +++ b/hosts/server/service.nix @@ -310,10 +310,11 @@ extraConfig = '' }; }; + "gfa.dhilton.xyz" = { forceSSL = true; enableACME = true; locations."/" = { - proxyPass = "http://127.0.0.1:8100"; + proxyPass = "http://127.0.0.1:3000"; proxyWebsockets = true; }; }; From b8fe345989027e7b6e1c5bcee3f8b0b24dcb1b78 Mon Sep 17 00:00:00 2001 From: k Date: Sun, 10 May 2026 15:48:48 -0400 Subject: [PATCH 10/11] remove akkoma --- hosts/server/service.nix | 28 ++++++++-------------------- 1 file changed, 8 insertions(+), 20 deletions(-) diff --git a/hosts/server/service.nix b/hosts/server/service.nix index 0248ae6..2c5d18f 100644 --- a/hosts/server/service.nix +++ b/hosts/server/service.nix 
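Review bot: The new `gfa.dhilton.xyz` vhost proxies to the Grafana instance from patch 07, whose settings never set `server.domain` or `server.root_url`; Grafana builds its absolute links and redirects from `root_url` (default `http://localhost:3000/`), so behind this proxy they point at the wrong origin. I would add `server.domain = "gfa.dhilton.xyz";` and `server.root_url = "https://gfa.dhilton.xyz/";` to the Grafana `settings.server` block. This hunk also reattaches the vhost body left orphaned in patch 06. The enclosing `virtualHosts` set starts and ends outside the hunk.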
@@ -222,30 +222,18 @@ grafana = { }; }; - akkoma = { - enable = true; - initDb.enable = true; - config = { - ":pleroma" = { - ":instance" = { - name = "dhilton fedi"; - description = "dhilton akkoma server"; - email = "markers711@gmail.com"; - registration_open = false; - }; - "Pleroma.Web.Endpoint" = {url.host = "fed.dhilton.xyz";}; - }; - }; - nginx = { - enableACME = true; - forceSSL = true; - }; - }; - nginx = { enable = true; +commonHttpConfig = '' + map $http_authorization $is_allowed_user { + default 0; + "Bearer ratToken" 1; + "Bearer notRatToken" 1; + } + ''; recommendedProxySettings = true; recommendedTlsSettings = true; + clientMaxBodySize = "4g"; virtualHosts = { "dhilton.xyz" = { From e737bbcbf42b903ed65502f4a45a72ced932dca4 Mon Sep 17 00:00:00 2001 From: k Date: Sun, 10 May 2026 15:49:00 -0400 Subject: [PATCH 11/11] Add rodant user --- hosts/server/configuration.nix | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/hosts/server/configuration.nix b/hosts/server/configuration.nix index c984732..c52495e 100644 --- a/hosts/server/configuration.nix +++ b/hosts/server/configuration.nix @@ -32,6 +32,11 @@ motd = "Welcome to the Server"; defaultUserShell = pkgs.zsh; users = { + rodant = { + isNormalUser = true; + description = "llm user"; + packages = with pkgs; [git python3 nodejs cargo ripgrep curl wget ffmpeg imagemagick texliveFull ]; + }; k = { isNormalUser = true; description = "k";
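Review bot: The `map $http_authorization $is_allowed_user` block embeds the bearer tokens (`"Bearer ratToken"`, `"Bearer notRatToken"`) in nginx's config, which NixOS writes into the world-readable Nix store, and this commit records them in git history as well; even if these are placeholders the pattern will leak real ones later. Keep the key list out of the store: `map $http_authorization $is_allowed_user { default 0; include <path to a token map outside the Nix store>; }` with that file readable only by the nginx user, or move the token check into the upstream service. `clientMaxBodySize = "4g"` is now global rather than scoped to the one vhost that needed it in patch 01; if that is intended, a comment saying so would help, otherwise set it per vhost. The `nginx` set continues outside the hunk.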
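Review bot: Style only: the package list closes with ` ]` (`texliveFull ]`) while the lists reformatted in patch 01 drop that inner space, e.g. `packages = with pkgs; [git python3 nodejs cargo ripgrep curl wget ffmpeg imagemagick texliveFull];`. `description = "llm user"` does not say how this account is meant to be reached (no keys or groups appear here); a short comment naming the intended use would help the next reader. The `users` set continues outside the hunk.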