k/nixos_configs
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
nixos_configs/hosts/server/service.nix
k e183e8310c
Some checks failed
Verify Nix Flake / verify_build (push) Failing after 3s
Details
formating
2026-05-10 15:50:22 -04:00

322 lines
7.6 KiB
Nix
Raw Blame History

{
pkgs,
lib,
...
}: {
networking = {
firewall = {
enable = true;
allowedTCPPorts = [80 443 51820 2020 26615];
allowedUDPPorts = [51820 24454 26615];
};
nat.externalInterface = "wlp0s20f3";
nat.internalInterfaces = ["wg0"];
wireguard.interfaces = {
wg0 = {
ips = ["10.0.0.1/24"];
listenPort = 51820;
privateKeyFile = "/keys/wg-private";
peers = [
{
# laptop
publicKey = "Ze2y3K+blI3aBc1AKTlvv90j+McBaitB+qSLazsuSFM=";
allowedIPs = ["10.0.0.2/32"];
}
{
# phone
publicKey = "vcheBoHRxCrwzbMw0UI9ZsQfVDJizBWkeM+pF5/8+HE=";
allowedIPs = ["10.0.0.3/32"];
}
];
};
};
};
networking.nat.enable = true;
security.acme = {
acceptTerms = true;
defaults.email = "markers711@gmail.com";
};
virtualisation = {
docker = {enable = true;};
libvirtd = {enable = true;};
kvmgt = {enable = true;};
};
services = {
openssh = {
enable = true;
ports = [2020];
};
jellyfin = {enable = true;};
fail2ban = {
enable = true;
jails = {
nginx-http-auth = {
settings = {
enabled = true;
port = "http,https";
logpath = "/var/log/nginx/error.log";
# "auto" or "polling" is required for file-based logs on NixOS
backend = "auto";
};
};
nginx-botsearch = {
settings = {
enabled = true;
port = "http,https";
logpath = "/var/log/nginx/access.log";
backend = "auto";
maxretry = 2;
};
};
recidive = {
settings = {
enabled = true;
port = "allports";
protocol = "all";
# Look for 'Ban' messages in fail2ban's own log
backend = "systemd";
#logpath = "/var/log/fail2ban.log";
#backend = "auto";
bantime = "1w"; # Ban for 1 week
findtime = "1d"; # Look back 1 day
maxretry = 5; # If they were banned 5 times in 24 hours
};
};
};
};
postgresql = {enable = true;};
i2p = {enable = true;};
nix-serve = {
enable = true;
secretKeyFile = "/var/cache-priv-key.pem";
};
prometheus = {
enable = true;
scrapeConfigs = [
{
job_name = "ratchat-server";
static_configs = [
{
targets = ["127.0.0.1:9011"];
}
];
}
];
};
grafana = {
enable = true;
settings = {
server = {
http_addr = "127.0.0.1";
http_port = 3000;
};
};
provision = {
enable = true;
datasources.settings.datasources = [
{
name = "Prometheus";
type = "prometheus";
url = "http://localhost:9090";
}
];
};
};
ollama = {
enable = true;
package = pkgs.ollama-vulkan;
environmentVariables = {
GGML_VK_DISABLE_INTEGER_DOT_PRODUCT = "1";
OLLAMA_FLASH_ATTENTION = "1";
OLLAMA_VULKAN = "1";
OLLAMA_HOST = "0.0.0.0:11434";
};
};
anubis = {
defaultOptions = {
enable = true;
settings.SERVE_ROBOTS_TXT = true;
firewall.enabled = true;
firewall.block_openai = true;
firewall.block_google = true;
};
};
open-webui = {
enable = true;
port = 5009;
};
forgejo = {
enable = true;
settings = {
service.DISABLE_REGISTRATION = true;
service.ENABLE_PUSH_CREATE_USER = true;
server = {
HTTP_PORT = 8001;
SSH_PORT = 2020;
DOMAIN = "dhilton.xyz";
ROOT_URL = "https://git.dhilton.xyz";
ENABLE_PUSH_CREATE_USER = true;
};
};
};
gitea-actions-runner.package = pkgs.forgejo-runner;
gitea-actions-runner.instances.home = {
enable = true;
url = "https://git.dhilton.xyz";
name = "nixsrv";
token = "LaqTWUDidsm510TGBglGvcphsUxYmCzMjrZbEtJj";
labels = [
"ubuntu-latest:docker://catthehacker/ubuntu:act-latest"
"ubuntu-22.04:docker://catthehacker/ubuntu:act-22.04"
"ubuntu-20.04:docker://catthehacker/ubuntu:act-20.04"
"ubuntu-18.04:docker://catthehacker/ubuntu:act-18.04"
"native:host"
];
};
home-assistant = {
enable = true;
extraComponents = ["wiz" "fail2ban" "ollama" "wyoming" "bluetooth" "ios" "homekit" "jellyfin" "apple_tv" "androidtv" "androidtv_remote"];
config = {
default_config = {};
"automation ui" = "!include automations.yaml";
http = {
use_x_forwarded_for = "true";
trusted_proxies = ["127.0.0.1"];
server_port = 8002;
};
};
};
wyoming = {
piper.servers."piperNix" = {
enable = true;
uri = "tcp://0.0.0.0:10200";
voice = "en-us-ryan-low";
};
faster-whisper.servers."whisperNix" = {
enable = true;
uri = "tcp://0.0.0.0:10300";
language = "en";
};
};
searx = {
enable = true;
settings = {
server.port = 8003;
server.secret_key = "secretlol";
search.formats = ["html" "json"];
};
};
nginx = {
enable = true;
commonHttpConfig = ''
map $http_authorization $is_allowed_user {
default 0;
"Bearer ratToken" 1;
"Bearer notRatToken" 1;
}
'';
recommendedProxySettings = true;
recommendedTlsSettings = true;
clientMaxBodySize = "4g";
virtualHosts = {
"dhilton.xyz" = {
enableACME = true;
forceSSL = true;
root = "/var/www/dhilton";
};
"git.dhilton.xyz" = {
enableACME = true;
forceSSL = true;
locations."/" = {
proxyPass = "http://127.0.0.1:8001";
proxyWebsockets = true;
};
};
"jel.dhilton.xyz" = {
forceSSL = true;
enableACME = true;
locations."/" = {
proxyPass = "http://127.0.0.1:8096";
proxyWebsockets = true;
};
};
"rat.dhilton.xyz" = {
forceSSL = true;
enableACME = true;
locations."/" = {
proxyPass = "http://127.0.0.1:9011";
extraConfig = ''
if ($is_allowed_user = 0) { return 401; }
'';
};
};
"hom.dhilton.xyz" = {
forceSSL = true;
enableACME = true;
locations."/" = {
proxyPass = "http://127.0.0.1:8002";
proxyWebsockets = true;
};
};
"srx.dhilton.xyz" = {
forceSSL = true;
enableACME = true;
locations."/" = {
proxyPass = "http://127.0.0.1:8003";
proxyWebsockets = true;
};
};
"oai.dhilton.xyz" = {
forceSSL = true;
enableACME = true;
locations."/" = {
proxyPass = "http://127.0.0.1:5009";
proxyWebsockets = true;
};
};
"gfa.dhilton.xyz" = {
forceSSL = true;
enableACME = true;
locations."/" = {
proxyPass = "http://127.0.0.1:3000";
proxyWebsockets = true;
};
};
"nix.dhilton.xyz" = {
locations."/".proxyPass = "http://127.0.0.1:5000";
};
};
};
};
}
Reference in a new issue View git blame Copy permalink