nixos_configs/hosts/server/service.nix

{
pkgs,
lib,
...
}: {
# Host firewall. NixOS applies these lists to every interface, so each
# entry is reachable from anywhere the host's addresses route.
networking.firewall = let
  # 80/443: nginx vhosts below; 22: openssh (also Gitea SSH pushes).
  webAndSsh = [80 443 22];
  # 8080: crab-hole API (LAN address, with interactive docs enabled);
  # 53: crab-hole DNS downstream. Only 53/udp and 8080/tcp have a
  # listener in this file; 53/tcp and 8080/udp are opened without one.
  dnsAndApi = [8080 53];
  # Nothing in this file listens on these three; presumably game or
  # container workloads defined elsewhere — confirm each is still needed.
  otherServices = [26615 25565 24454];
in {
  enable = true;
  allowedTCPPorts = webAndSsh ++ otherServices ++ dnsAndApi;
  allowedUDPPorts = otherServices ++ dnsAndApi;
};
# Let's Encrypt account used by every `enableACME = true` vhost below.
security.acme.acceptTerms = true;
security.acme.defaults.email = "markers711@gmail.com";
virtualisation.docker = {enable = true;};
services = {
# Plain enable-only services.
# NOTE(review): sshd is left at module defaults here; if every admin
# logs in with keys, `openssh.settings.PasswordAuthentication = false`
# (and `KbdInteractiveAuthentication = false`) is worth adding — confirm
# before changing to avoid locking yourself out.
openssh.enable = true;
jellyfin.enable = true;
# fail2ban with no explicit jails; presumably the module's default sshd
# jail is what protects port 22 — verify with `fail2ban-client status`.
fail2ban.enable = true;
postgresql.enable = true;
i2p.enable = true;
# Binary cache served to nix.dhilton.xyz via nginx. The signing key is read
# from disk rather than written into this file, which is the right shape;
# the file's mode must let only the nix-serve service read it — confirm.
nix-serve.enable = true;
nix-serve.secretKeyFile = "/var/cache-priv-key.pem";
# Local LLM runtime consumed by the home-assistant `ollama` component below.
ollama.enable = true;
ollama.package = pkgs.ollama-intel;
# LAN DNS filter: plain UDP on 192.168.0.2:53 in, DNS-over-TLS to
# Cloudflare out, with ad/tracker/miner blocklists applied.
crab-hole = {
  enable = true;
  settings = let
    lanAddr = "192.168.0.2";
    # Both upstreams are the same Cloudflare DoT endpoint (v6 and v4).
    cloudflareDoT = addr: {
      protocol = "tls";
      socket_addr = addr;
      tls_dns_name = "1dot1dot1dot1.cloudflare-dns.com";
      trust_nx_responses = false;
    };
  in {
    # Management API on the LAN address with the interactive docs page on.
    # NOTE(review): no authentication is configured here and the firewall
    # opens 8080 — confirm only trusted hosts can reach 192.168.0.2:8080.
    api = {
      listen = lanAddr;
      port = 8080;
      show_doc = true;
    };
    downstream = [
      {
        listen = lanAddr;
        port = 53;
        protocol = "udp";
      }
    ];
    upstream.name_servers = [
      (cloudflareDoT "[2606:4700:4700::1111]:853")
      (cloudflareDoT "1.1.1.1:853")
    ];
    # Fetched over HTTPS from GitHub/developerdan; the resolver's policy
    # is only as trustworthy as these upstream lists.
    blocklist.lists = [
      "https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts"
      "https://raw.githubusercontent.com/anudeepND/blacklist/master/adservers.txt"
      "https://raw.githubusercontent.com/anudeepND/blacklist/master/CoinMiner.txt"
      "https://www.github.developerdan.com/hosts/lists/ads-and-tracking-extended.txt"
    ];
  };
};
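# Gitea behind the git.dhilton.xyz nginx vhost (127.0.0.1:8001).
gitea = {
  enable = true;
  settings = {
    # Self-registration is closed; accounts are created by an admin.
    service.DISABLE_REGISTRATION = true;
    service.ENABLE_PUSH_CREATE_USER = true;
    # Per the Gitea configuration cheat sheet ENABLE_PUSH_CREATE_USER is a
    # [repository] key; the [service] copy above is kept until that is
    # confirmed on this Gitea version. It is not a [server] key, so the
    # duplicate that sat in the server section was inert and is removed.
    repository.ENABLE_PUSH_CREATE_USER = true;
    server = {
      # The only HTTP consumer in this file is the local nginx proxy, so
      # bind to loopback instead of every interface (least exposure; the
      # firewall does not open 8001, but Docker bridges could reach it).
      HTTP_ADDR = "127.0.0.1";
      HTTP_PORT = 8001;
      DOMAIN = "dhilton.xyz";
      ROOT_URL = "https://git.dhilton.xyz";
    };
  };
};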
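# act_runner registered against the local Gitea.
gitea-actions-runner.instances.home = {
  enable = true;
  url = "https://git.dhilton.xyz";
  name = "nixsrv";
  # The registration token must not be a string literal here: everything
  # in this file is copied into the world-readable Nix store (and this
  # file is in a git repo). Keep it in a root-only file outside the store
  # and reference it; the module loads it as a systemd EnvironmentFile,
  # i.e. a single line `TOKEN=<registration token>` — confirm against the
  # module's option docs. The token that was committed in this file should
  # be treated as leaked: regenerate it in Gitea (Site administration ->
  # Actions -> Runners) before rebuilding.
  tokenFile = "/var/lib/secrets/gitea-runner-home.env";
  labels = [
    # Jobs for these labels run in Docker (daemon enabled above).
    "ubuntu-latest:docker://catthehacker/ubuntu:act-latest"
    "ubuntu-22.04:docker://catthehacker/ubuntu:act-22.04"
    "ubuntu-20.04:docker://catthehacker/ubuntu:act-20.04"
    "ubuntu-18.04:docker://catthehacker/ubuntu:act-18.04"
    # NOTE(review): `host` runs a workflow's steps directly on this server
    # with no container boundary. With push-to-create enabled in Gitea,
    # any account that can push a repo can target this label — drop it
    # unless a specific workflow needs it.
    "native:host"
  ];
};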
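# Home Assistant, reached through the hom.dhilton.xyz vhost (127.0.0.1:8003).
home-assistant = {
  enable = true;
  extraComponents = ["wiz" "fail2ban" "ollama" "wyoming"];
  config = {
    default_config = {};
    "automation ui" = "!include automations.yaml";
    http = {
      # Documented as a boolean; the previous value was the string "true",
      # which only worked through Home Assistant's string-to-bool coercion.
      use_x_forwarded_for = true;
      # Only the local nginx proxy is allowed to set X-Forwarded-For; it
      # proxies from 127.0.0.1, so client IPs in logs/bans are real.
      trusted_proxies = ["127.0.0.1"];
      server_port = 8003;
      # NOTE(review): server_host is left at its default (all interfaces);
      # the firewall does not open 8003, but Docker-attached networks may
      # still reach it — consider "127.0.0.1" if no LAN client needs direct access.
    };
  };
};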
# Wyoming speech services used by the home-assistant `wyoming` component.
# NOTE(review): both bind 0.0.0.0. The firewall in this file does not open
# 10200/10300, so only this host (and anything on a Docker bridge) can
# reach them; if Home Assistant on this machine is the only client,
# "tcp://127.0.0.1:<port>" is the tighter choice.
wyoming = {
  # Text-to-speech.
  piper.servers."piperNix" = {
    enable = true;
    uri = "tcp://0.0.0.0:10200";
    voice = "en-us-ryan-low";
  };
  # Speech-to-text.
  faster-whisper.servers."whisperNix" = {
    enable = true;
    uri = "tcp://0.0.0.0:10300";
    language = "en";
  };
};
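# SearXNG behind srx.dhilton.xyz (127.0.0.1:8005).
searx = {
  enable = true;
  # The session/CSRF secret was the literal "secretlol", which is both
  # guessable and copied into the world-readable Nix store. Per the module
  # docs, `@NAME@` placeholders in `settings` are substituted from this
  # environment file at start-up, so the real key stays out of the store.
  # The file should hold `SEARX_SECRET_KEY=<long random string>`, owned by
  # root, mode 0400.
  environmentFile = "/var/lib/secrets/searx.env";
  settings = {
    server.port = 8005;
    server.secret_key = "@SEARX_SECRET_KEY@";
    # "json" exposes an unauthenticated search API on the public vhost;
    # keep it only if something consumes it, and consider a rate limiter.
    search.formats = ["html" "json"];
  };
};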
# Fediverse instance at fed.dhilton.xyz. The module provisions its own
# nginx vhost (ACME + HTTPS redirect) from the `nginx` attrs below.
akkoma = {
  enable = true;
  initDb.enable = true;
  config.":pleroma" = {
    ":instance" = {
      name = "dhilton fedi";
      description = "dhilton akkoma server";
      email = "markers711@gmail.com";
      # Closed registration: accounts are created by invitation/admin only.
      registration_open = false;
    };
    "Pleroma.Web.Endpoint".url.host = "fed.dhilton.xyz";
  };
  nginx.enableACME = true;
  nginx.forceSSL = true;
};
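# Public reverse proxy. Every name gets a Let's Encrypt cert and an
# HTTP->HTTPS redirect and forwards to a loopback-only backend.
nginx = {
  enable = true;
  recommendedProxySettings = true;
  recommendedTlsSettings = true;
  virtualHosts = let
    # TLS vhost proxying "/" (websockets included) to 127.0.0.1:<port>.
    tlsProxy = port: {
      enableACME = true;
      forceSSL = true;
      locations."/" = {
        proxyPass = "http://127.0.0.1:${toString port}";
        proxyWebsockets = true;
      };
    };
  in {
    "dhilton.xyz" = {
      enableACME = true;
      forceSSL = true;
      root = "/var/www/dhilton";
    };
    "git.dhilton.xyz" = tlsProxy 8001; # gitea (services.gitea above)
    "jel.dhilton.xyz" = tlsProxy 8096; # jellyfin
    "srx.dhilton.xyz" = tlsProxy 8005; # searx
    "hom.dhilton.xyz" = tlsProxy 8003; # home-assistant
    # Nothing in this file listens on 8100; presumably a container — confirm.
    "map.dhilton.xyz" = tlsProxy 8100;
    # Binary cache (nix-serve above). This was the only vhost served over
    # plain HTTP; signed narinfos protect integrity, but the traffic and
    # cache contents were visible on the wire and it was inconsistent with
    # every sibling. Clients' substituter URL should move to https://.
    "nix.dhilton.xyz" = {
      enableACME = true;
      forceSSL = true;
      locations."/".proxyPass = "http://127.0.0.1:5000";
    };
  };
};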
};
}