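{ pkgs, lib, ... }:
# NixOS host configuration: a WireGuard hub that NATs its peers out through
# the WLAN interface, a set of self-hosted services, and an nginx front door
# that terminates TLS for them via ACME. Review remarks are tagged
# NOTE(review); the rest of the comments describe what the options do.
{
  networking = {
    firewall = {
      enable = true;
      # 2020 is the sshd listen port set under services.openssh below.
      # 51820 is listed for TCP as well as UDP; WireGuard itself only speaks
      # UDP, so the TCP entry opens nothing this file uses.
      allowedTCPPorts = [ 80 443 51820 2020 26615 ];
      allowedUDPPorts = [ 51820 24454 26615 ];
    };
    # Peers on wg0 reach the outside through wlp0s20f3. (The original file set
    # networking.nat.enable separately at top level; Nix merges attribute sets,
    # so folding it in here is equivalent.)
    nat = {
      enable = true;
      externalInterface = "wlp0s20f3";
      internalInterfaces = [ "wg0" ];
    };
    wireguard.interfaces.wg0 = {
      ips = [ "10.0.0.1/24" ];
      listenPort = 51820;
      # The private key stays out of the Nix store; only the path is committed.
      privateKeyFile = "/keys/wg-private";
      peers = [
        {
          # laptop
          publicKey = "Ze2y3K+blI3aBc1AKTlvv90j+McBaitB+qSLazsuSFM=";
          allowedIPs = [ "10.0.0.2/32" ];
        }
        {
          # phone
          publicKey = "vcheBoHRxCrwzbMw0UI9ZsQfVDJizBWkeM+pF5/8+HE=";
          allowedIPs = [ "10.0.0.3/32" ];
        }
      ];
    };
  };

  security.acme = {
    acceptTerms = true;
    defaults.email = "markers711@gmail.com";
  };

  virtualisation = {
    docker.enable = true;
    libvirtd.enable = true;
    kvmgt.enable = true;
  };

  services = {
    openssh = {
      enable = true;
      ports = [ 2020 ];
    };

    jellyfin.enable = true;

    fail2ban = {
      enable = true;
      jails = {
        nginx-http-auth.settings = {
          enabled = true;
          port = "http,https";
          logpath = "/var/log/nginx/error.log";
          # "auto" or "polling" is required for file-based logs on NixOS
          backend = "auto";
        };
        nginx-botsearch.settings = {
          enabled = true;
          port = "http,https";
          logpath = "/var/log/nginx/access.log";
          backend = "auto";
          maxretry = 2;
        };
        # Escalation jail: re-bans addresses that keep getting banned by the
        # other jails, on all ports and protocols.
        recidive.settings = {
          enabled = true;
          port = "allports";
          protocol = "all";
          # Look for 'Ban' messages in fail2ban's own log
          backend = "systemd";
          #logpath = "/var/log/fail2ban.log";
          #backend = "auto";
          bantime = "1w"; # Ban for 1 week
          findtime = "1d"; # Look back 1 day
          maxretry = 5; # If they were banned 5 times in 24 hours
        };
      };
    };

    postgresql.enable = true;
    i2p.enable = true;

    nix-serve = {
      enable = true;
      # Signing key for the binary cache; served at nix.dhilton.xyz below.
      secretKeyFile = "/var/cache-priv-key.pem";
    };

    prometheus = {
      enable = true;
      scrapeConfigs = [
        {
          job_name = "ratchat-server";
          static_configs = [ { targets = [ "127.0.0.1:9011" ]; } ];
        }
      ];
    };

    grafana = {
      enable = true;
      # Bound to loopback only; nothing in this file proxies it externally.
      settings.server = {
        http_addr = "127.0.0.1";
        http_port = 3000;
      };
      provision = {
        enable = true;
        datasources.settings.datasources = [
          {
            name = "Prometheus";
            type = "prometheus";
            url = "http://localhost:9090";
          }
        ];
      };
    };

    ollama = {
      enable = true;
      package = pkgs.ollama-vulkan;
      # OLLAMA_HOST binds every interface, but 11434 is not in the firewall's
      # allowedTCPPorts above, so the API stays host-local unless that changes.
      environmentVariables = {
        GGML_VK_DISABLE_INTEGER_DOT_PRODUCT = "1";
        OLLAMA_FLASH_ATTENTION = "1";
        OLLAMA_VULKAN = "1";
        OLLAMA_HOST = "0.0.0.0:11434";
      };
    };

    # NOTE(review): only defaultOptions is set; no services.anubis.instances
    # are visible in this file, so it is unclear which virtual host (if any)
    # Anubis is actually placed in front of — confirm against the rest of
    # the configuration.
    anubis.defaultOptions = {
      enable = true;
      settings.SERVE_ROBOTS_TXT = true;
      firewall.enabled = true;
      firewall.block_openai = true;
      firewall.block_google = true;
    };

    open-webui = {
      enable = true;
      port = 5009;
    };

    forgejo = {
      enable = true;
      settings = {
        service.DISABLE_REGISTRATION = true;
        service.ENABLE_PUSH_CREATE_USER = true;
        server = {
          HTTP_PORT = 8001;
          # Advertised SSH port for clone URLs; matches services.openssh.ports.
          SSH_PORT = 2020;
          DOMAIN = "dhilton.xyz";
          ROOT_URL = "https://git.dhilton.xyz";
          # Kept from the original; this key belongs to the [service] section
          # (already set above) and has no effect under [server].
          ENABLE_PUSH_CREATE_USER = true;
        };
      };
    };

    gitea-actions-runner = {
      package = pkgs.forgejo-runner;
      instances.home = {
        enable = true;
        url = "https://git.dhilton.xyz";
        name = "nixsrv";
        # The runner registration token used to be a string literal in this
        # file. A token that has been committed has to be treated as disclosed
        # and re-issued from Forgejo; the replacement is read at service start
        # from an environment file (systemd EnvironmentFile syntax) that must
        # define TOKEN=<value>. The path below is a placeholder that follows
        # the /keys convention used for the WireGuard key — create it before
        # rebuilding.
        tokenFile = "/keys/forgejo-runner-token.env"; # TODO: create this file
        labels = [
          "ubuntu-latest:docker://catthehacker/ubuntu:act-latest"
          "ubuntu-22.04:docker://catthehacker/ubuntu:act-22.04"
          "ubuntu-20.04:docker://catthehacker/ubuntu:act-20.04"
          "ubuntu-18.04:docker://catthehacker/ubuntu:act-18.04"
          "native:host"
        ];
      };
    };

    home-assistant = {
      enable = true;
      extraComponents = [
        "wiz"
        "fail2ban"
        "ollama"
        "wyoming"
        "bluetooth"
        "ios"
        "homekit"
        "jellyfin"
        "apple_tv"
        "androidtv"
        "androidtv_remote"
      ];
      config = {
        default_config = { };
        # Left as the literal "!include" string; the NixOS module turns it
        # into a real YAML include for automations.yaml.
        "automation ui" = "!include automations.yaml";
        http = {
          # Was the string "true"; Home Assistant's boolean validator accepts
          # both, so the bare boolean is equivalent and matches the rest of
          # this file. Only the local nginx proxy is trusted for X-Forwarded-For.
          use_x_forwarded_for = true;
          trusted_proxies = [ "127.0.0.1" ];
          server_port = 8002;
        };
      };
    };

    wyoming = {
      # Both servers bind all interfaces, but 10200/10300 are not opened in
      # the firewall above, so they are reachable only from this host.
      piper.servers."piperNix" = {
        enable = true;
        uri = "tcp://0.0.0.0:10200";
        voice = "en-us-ryan-low";
      };
      faster-whisper.servers."whisperNix" = {
        enable = true;
        uri = "tcp://0.0.0.0:10300";
        language = "en";
      };
    };

    searx = {
      enable = true;
      # server.secret_key used to be the literal "secretlol" in this file; it
      # now comes from environmentFile (systemd EnvironmentFile syntax), from
      # which the module substitutes @NAME@ markers in settings. The path is
      # a placeholder following the /keys convention used above.
      environmentFile = "/keys/searx.env"; # TODO: create with SEARXNG_SECRET_KEY=<random value>
      settings = {
        server.port = 8003;
        server.secret_key = "@SEARXNG_SECRET_KEY@";
        search.formats = [ "html" "json" ];
      };
    };

    akkoma = {
      enable = true;
      initDb.enable = true;
      config = {
        ":pleroma" = {
          ":instance" = {
            name = "dhilton fedi";
            description = "dhilton akkoma server";
            email = "markers711@gmail.com";
            registration_open = false;
          };
          "Pleroma.Web.Endpoint" = { url.host = "fed.dhilton.xyz"; };
        };
      };
      nginx = {
        enableACME = true;
        forceSSL = true;
      };
    };

    nginx = {
      enable = true;
      recommendedProxySettings = true;
      recommendedTlsSettings = true;
      virtualHosts = {
        "dhilton.xyz" = {
          enableACME = true;
          forceSSL = true;
          root = "/var/www/dhilton";
        };
        # Forgejo (HTTP_PORT above).
        "git.dhilton.xyz" = {
          enableACME = true;
          forceSSL = true;
          locations."/" = {
            proxyPass = "http://127.0.0.1:8001";
            proxyWebsockets = true;
          };
        };
        # Jellyfin.
        "jel.dhilton.xyz" = {
          forceSSL = true;
          enableACME = true;
          locations."/" = {
            proxyPass = "http://127.0.0.1:8096";
            proxyWebsockets = true;
          };
        };
        # ratchat-server (the Prometheus scrape target above).
        "rat.dhilton.xyz" = {
          forceSSL = true;
          enableACME = true;
          locations."/" = {
            proxyPass = "http://127.0.0.1:9011";
            # NOTE(review): $is_allowed_user is not defined anywhere in this
            # file. If it is not set elsewhere (e.g. a map in httpConfig),
            # nginx treats it as empty, the comparison with 0 is never true,
            # and this gate never returns 401 — confirm the variable's origin.
            extraConfig = ''
              if ($is_allowed_user = 0) {
                return 401;
              }
            '';
          };
        };
        # Home Assistant.
        "hom.dhilton.xyz" = {
          forceSSL = true;
          enableACME = true;
          locations."/" = {
            proxyPass = "http://127.0.0.1:8002";
            proxyWebsockets = true;
          };
        };
        # SearXNG.
        "srx.dhilton.xyz" = {
          forceSSL = true;
          enableACME = true;
          locations."/" = {
            proxyPass = "http://127.0.0.1:8003";
            proxyWebsockets = true;
          };
        };
        # Open WebUI.
        "oai.dhilton.xyz" = {
          forceSSL = true;
          enableACME = true;
          locations."/" = {
            proxyPass = "http://127.0.0.1:5009";
            proxyWebsockets = true;
          };
        };
        # NOTE(review): the line naming this virtual host was lost in the
        # source as extracted (the block began directly with forceSSL), so the
        # name below is a placeholder — restore the real host name before use.
        # Nothing in this file declares a service on port 8100.
        "TODO-missing-hostname.dhilton.xyz" = {
          forceSSL = true;
          enableACME = true;
          locations."/" = {
            proxyPass = "http://127.0.0.1:8100";
            proxyWebsockets = true;
          };
        };
        # Binary cache (nix-serve). This is the only host without
        # enableACME/forceSSL, so it is served over plain HTTP; clients verify
        # the cache's signature, but the transport itself is unprotected.
        "nix.dhilton.xyz" = {
          locations."/".proxyPass = "http://127.0.0.1:5000";
        };
      };
    };
  };
}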