From d746960980f381d96f369a6fff4eca244d2312d0 Mon Sep 17 00:00:00 2001
From: Harry
Date: Mon, 8 Jul 2024 19:11:59 +0200
Subject: [PATCH] first commit
---
 .sops.yaml | 9 ++
 configuration.nix | 104 +++++++++++++
 hardware-configuration.nix | 42 ++++++
 nix | 1 +
 secrets/example.yaml | 34 +++++
 secrets/searx.env | 9 ++
 secrets/slskd.env | 10 ++
 server-configuration.nix | 298 +++++++++++++++++++++++++++++++++++++
 8 files changed, 507 insertions(+)
 create mode 100644 .sops.yaml
 create mode 100644 configuration.nix
 create mode 100644 hardware-configuration.nix
 create mode 120000 nix
 create mode 100644 secrets/example.yaml
 create mode 100644 secrets/searx.env
 create mode 100644 secrets/slskd.env
 create mode 100644 server-configuration.nix
diff --git a/.sops.yaml b/.sops.yaml
new file mode 100644
index 0000000..d782dcb
--- /dev/null
+++ b/.sops.yaml
@@ -0,0 +1,9 @@
+keys:
+ - &admin_cypherpunk age1c8kr95dc7cqq34qyjgpnsgfgyntqnt5rlrq2c025ehp32f8h3sjqkf8k3s
+ - &server_cypherpunk age1k9297jq43kjmqcau62rt7pz0fc8uqkyshpm6kvw2tky4997r6flqmx8cce
+creation_rules:
+ - path_regex: secrets/[^/]+\.(yaml|json|env)$
+ key_groups:
+ - age:
+ - *admin_cypherpunk
+ - *server_cypherpunk
diff --git a/configuration.nix b/configuration.nix
new file mode 100644
index 0000000..46292c0
--- /dev/null
+++ b/configuration.nix
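Review bot: `path_regex: secrets/[^/]+\.(yaml|json|env)$` is anchored only at the end, so it also matches any nested `.../secrets/x.env` path; `path_regex: ^secrets/[^/]+\.(yaml|json|env)$` keeps the rule to the intended directory. It is also not recorded which host-side identity `server_cypherpunk` corresponds to — `server-configuration.nix` in this same commit configures both an ssh key via `sops.age.sshKeyPaths` and a generated `/var/lib/sops-nix/key.txt` — so a comment such as `# server_cypherpunk = public key of the identity sops-nix uses at activation (keyFile or converted ssh key)` would save the next operator a failed activation.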
@@ -0,0 +1,104 @@
+# Edit this configuration file to define what should be installed on
+# your system. Help is available in the configuration.nix(5) man page, on
+# https://search.nixos.org/options and in the NixOS manual (`nixos-help`).
+
+{
+ config,
+ lib,
+ pkgs,
+ ...
+}:
+
+{
+ imports = [
+ # Include the results of the hardware scan.
+ ./hardware-configuration.nix
+ "${(import ./nix/sources.nix).sops-nix}/modules/sops"
+ ./server-configuration.nix
+ ];
+
+ # Use the GRUB 2 boot loader.
+ boot = {
+ loader.grub = {
+ enable = true;
+ device = "/dev/sda";
+ };
+ kernelParams = [ "console=ttyS0" ];
+ };
+
+ networking.hostName = "hypervirtualworld"; # Define your hostname.
+
+ # Set your time zone.
+ time.timeZone = lib.mkDefault "Europe/Paris";
+
+ # Select internationalisation properties.
+ i18n.defaultLocale = "fr_FR.UTF-8";
+ console = {
+ font = "Lat2-Terminus16";
+ keyMap = "fr";
+ };
+
+ services.qemuGuest.enable = true;
+ services.cloud-init.network.enable = true;
+
+ # Define a user account. Don't forget to set a password with ‘passwd’.
+ users.users.cypherpunk = {
+ isNormalUser = true;
+ extraGroups = [
+ "wheel"
+ "docker"
+ "dialout"
+ ]; # Enable ‘sudo’ for the user.
+ packages = with pkgs; [ btop ];
+ openssh.authorizedKeys.keys = [
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIA8sdToNavEQv7PTMJ97HIGM6UlChwGS3x9O8hFilzui harryh@ik.me"
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAII/pj2uTGRHkYwP/EqIfgHP+MQavBuDMnWMXtOedkwIQ harryh@ik.me"
+ ];
+ };
+
+ # List packages installed in system profile. To search, run:
+ environment.systemPackages = with pkgs; [
+ neovim
+ curl
+ git
+ ];
+
+ # enable docker
+ virtualisation.docker = {
+ enable = true;
+ };
+
+ # configure openssh
+ services.openssh = {
+ enable = true;
+ # require public key authentication for better security
+ settings.PasswordAuthentication = false;
+ settings.KbdInteractiveAuthentication = false;
+ settings.PermitRootLogin = "no";
+ };
+
+ # Copy the NixOS configuration file and link it from the resulting system
+ # (/run/current-system/configuration.nix). This is useful in case you
+ # accidentally delete configuration.nix.
+ system.copySystemConfiguration = true;
+
+ # This option defines the first version of NixOS you have installed on this particular machine,
+ # and is used to maintain compatibility with application data (e.g. databases) created on older NixOS versions.
+ #
+ # Most users should NEVER change this value after the initial install, for any reason,
+ # even if you've upgraded your system to a new NixOS release.
+ #
+ # This value does NOT affect the Nixpkgs version your packages and OS are pulled from,
+ # so changing it will NOT upgrade your system - see https://nixos.org/manual/nixos/stable/#sec-upgrading for how
+ # to actually do that.
+ #
+ # This value being lower than the current NixOS release does NOT mean your system is
+ # out of date, out of support, or vulnerable.
+ #
+ # Do NOT change this value unless you have manually inspected all the changes it would make to your configuration,
+ # and migrated your data accordingly.
+ #
+ # For more information, see `man configuration.nix` or https://nixos.org/manual/nixos/stable/options#opt-system.stateVersion .
+ system.stateVersion = "24.05"; # Did you read the comment?
+
+}
diff --git a/hardware-configuration.nix b/hardware-configuration.nix
new file mode 100644
index 0000000..e192fd3
--- /dev/null
+++ b/hardware-configuration.nix
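Review bot: The sops-nix module is imported through `"${(import ./nix/sources.nix).sops-nix}/modules/sops"`, but `nix` is committed in this same patch as a symlink to `/home/cypherpunk/nix/` (mode 120000), so the import resolves to an unversioned directory outside the repository and the build is neither reproducible nor reviewable from the commit alone; vendor the niv `sources.nix`/`sources.json` into the repo (or reference the pinned sops-nix tarball directly) so the module's hash is part of history. `services.cloud-init.network.enable = true` coexists with `networking.useDHCP = lib.mkDefault true` from the hardware scan and the static `ens18` address set in `server-configuration.nix`; which of the three wins at boot is not obvious from this file, so either drop the cloud-init option or add a comment stating the intended precedence. The `docker` entry in `extraGroups` grants root-equivalent access and adds nothing the user does not already have through `wheel`; if it stays, a comment such as `# docker group is root-equivalent; kept so the CLI works without sudo` makes the trade-off explicit.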
@@ -0,0 +1,42 @@
+# Do not modify this file! It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations. Please make changes
+# to /etc/nixos/configuration.nix instead.
+{
+ config,
+ lib,
+ pkgs,
+ modulesPath,
+ ...
+}:
+
+{
+ imports = [ (modulesPath + "/profiles/qemu-guest.nix") ];
+
+ boot.initrd.availableKernelModules = [
+ "ata_piix"
+ "uhci_hcd"
+ "virtio_pci"
+ "virtio_scsi"
+ "sd_mod"
+ "sr_mod"
+ ];
+ boot.initrd.kernelModules = [ ];
+ boot.kernelModules = [ ];
+ boot.extraModulePackages = [ ];
+
+ fileSystems."/" = {
+ device = "/dev/disk/by-uuid/62b25445-dfe7-4b49-83bc-c479335c1a78";
+ fsType = "ext4";
+ };
+
+ swapDevices = [ ];
+
+ # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+ # (the default) this is the recommended approach. When using systemd-networkd it's
+ # still possible to use this option, but it's recommended to use it in conjunction
+ # with explicit per-interface declarations with `networking.interfaces..useDHCP`.
+ networking.useDHCP = lib.mkDefault true;
+ # networking.interfaces.ens18.useDHCP = lib.mkDefault true;
+
+ nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+}
diff --git a/nix b/nix
new file mode 120000
index 0000000..a2f715e
--- /dev/null
+++ b/nix
@@ -0,0 +1 @@
+/home/cypherpunk/nix/
\ No newline at end of file
diff --git a/secrets/example.yaml b/secrets/example.yaml
new file mode 100644
index 0000000..f976c05
--- /dev/null
+++ b/secrets/example.yaml
@@ -0,0 +1,34 @@ +slskd: + username: ENC[AES256_GCM,data:iBBZDMMXqmc=,iv:AgFj1FIZqqJrlwWWGcb9M3GzsSGi2rZAw2FEffzVAM8=,tag:4g9dWLXbrzRmeohKRYmx5w==,type:str] + password: ENC[AES256_GCM,data:VtTXofstN6Auz3SO,iv:bMU3HLCsSh8ZZftmH5kEbYZoFtNIeqtTM9fUgCYLxhc=,tag:YwFIr/eqHAHXdtgqUguMMQ==,type:str] +searx: + secret_key: ENC[AES256_GCM,data:Aiy95HoQTPzqkL6LPrW1Ya/NyIEPEFlFoOkIV+6DUWM=,iv:TJk+EcNHXPzSto/QiaenH369PG5LLYt4JoEAhdksPNc=,tag:GjSR5dMNKKEif7hQmeEV8w==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1c8kr95dc7cqq34qyjgpnsgfgyntqnt5rlrq2c025ehp32f8h3sjqkf8k3s + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBxS3dXcEkycEltZ1JRbC8z + cFkwRDViUlFCTXlsTnhHMERBYkI5M1FtclNBCkljTm5iY0RZazd4RW1Rb1hpQVN4 + SDU5Zkw5L0VPZEt6Lys2a3BYdWIvTncKLS0tIEFkYys1VjRrK1pDUHZtL09GeDE5 + emdUNFBOcDdYSmZ0S1hmMmFzck1LTFEKnMvK7JDqojKElSzlMJbYwiq5/2NTAaPI + FFDqrrLfJ3qn7IZmuFQapIpSyWB9v4sSZqdPu23TK2GEy8wWweJQjw== + -----END AGE ENCRYPTED FILE----- + - recipient: age1k9297jq43kjmqcau62rt7pz0fc8uqkyshpm6kvw2tky4997r6flqmx8cce + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSByeGZxa1haT0NMTG01cXZH + TjVVSENSMThKaWhCQ0l5c1BRQnZycmdHekVnClkzWjhZKy94RjFyYjJQeXo4bDZI + am14WGoyNEMrMzNGbndnWUdjbCtoK1EKLS0tIENNV3NwRGY1M0U3M0ZnTjhtU05N + MEZhN2dYUXZpWEpydlRNMU9FSnpRTXMK9w4bgI/kAAQB/FXwt7k7xcQAFKEfaCVD + ZoBG7/wPfpvmk73gLf7xHrrKG0N90mVVSVtVjP+R6bs4B50bAuQtRA== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-07-07T13:15:54Z" + mac: ENC[AES256_GCM,data:A4ELPQIvjgPjcZvRbOsY0aMyxBJxuJaxAsYJ096Zzt957O/jco/ixaNOCNyLYgyN9eynuf+eW4NrYMAmCmFytkO3hCclys3vpTm81U35MPbfxEmE+p7ikyu7p8klskFS8olRIQZKL6TvE4vCOMXFvGxvq7GiOLDkb27IbAroVB0=,iv:73OEcyqz6HOVcKIA3ROncVClDd9h6p2kcfGesTANfC4=,tag:7Gp9RGzLDslBvJJKJLXITA==,type:str] + pgp: [] + unencrypted_suffix: _unencrypted + version: 3.8.1 diff --git a/secrets/searx.env b/secrets/searx.env new file mode 100644 index 0000000..c8e23c2 
--- /dev/null +++ b/secrets/searx.env @@ -0,0 +1,9 @@ +SECRET_KEY=ENC[AES256_GCM,data:Tz1+TBc07+S+1s65OsXglFD6AWPk9so5LoABfRQFt/0=,iv:DBCDFrDBjn2/H6ycvDGjABpBvDSP/P52C9313K7F2VE=,tag:dqtWCP2r9mF3pfB7XKNKHQ==,type:str] +sops_age__list_0__map_enc=-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA4ZDJhNXFzcXdDODF3KzlK\nb2V2ZmNleitiZHhTZlRyQXBjLzcvV3hZRTIwCnV3Qy9WMU93MlV2RUFoWmdPZkFF\nQW5BWCtRVkF4cDVUUXE4VjNNY2ZvUEUKLS0tIEJFcWc5Y3pRZDVnMVBJdFhmU1FO\nSHd0bVRGZFFPWG1QUXl3aWlIdVRGdTQK2Z/iidiGms+sZJkZa+WBgVO370xW+ZOr\nulDZFCZ6HFBjNDUWwk5+WPVMsT2yKSScFdEcFDh1xjMta8v6ufKnQg==\n-----END AGE ENCRYPTED FILE-----\n +sops_age__list_0__map_recipient=age1c8kr95dc7cqq34qyjgpnsgfgyntqnt5rlrq2c025ehp32f8h3sjqkf8k3s +sops_age__list_1__map_enc=-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBDUzBZQ0FwK0NmdlVnZWVS\nRmZyTjkwMWJXOE5UWnZHeUUva2ZKU3dFY0FRClRlTnJtZ1VwZE1SSkNZR1ZmaGxh\nLzBxbVI2ZjVhNm0yU1I5Rm9pTGpaajAKLS0tIGZ5ZlRJM0p5WXBqemNvYlFGcVhD\na0RoSWcvZkxkejc4b3FlSG45RUdHWEkKMcs10Bu0Box9DL9Jr/U6lqmzybQvI8uh\nomBSFIoXcf+Nbeo/cQWAT4WdjwWSbfyYX6is7K10E2fPc9+Bv+ZCMw==\n-----END AGE ENCRYPTED FILE-----\n +sops_age__list_1__map_recipient=age1k9297jq43kjmqcau62rt7pz0fc8uqkyshpm6kvw2tky4997r6flqmx8cce +sops_lastmodified=2024-07-08T16:04:38Z +sops_mac=ENC[AES256_GCM,data:jbs/oz2xndHP8c5iyZFodh/AiT6A7q72KvKbb7UBzTfnhkl9TzdrsHVowSLZrK8Lv2JeReehLSLK5W4B3UPPQM5975Ycxa2wtA2sinkm6n3e8BN4qB3ia8PLpsfXi4WbKSvkYX/jojQmXEZLrxSFOzu2N3+P5Bqx19D89mY2O80=,iv:woWu6lZ1er3DB/aRmfeJSzt4SrR6IBYmZ0pCgFeFy2E=,tag:k/xzSdMakgf5qvzrnsvXPg==,type:str] +sops_unencrypted_suffix=_unencrypted +sops_version=3.8.1 diff --git a/secrets/slskd.env b/secrets/slskd.env new file mode 100644 index 0000000..5039361 --- /dev/null +++ b/secrets/slskd.env 
@@ -0,0 +1,10 @@ +SLSKD_SLSK_USERNAME=ENC[AES256_GCM,data:ndRuxcaBnFQ=,iv:5Yw/OR9yIZ4f2Ih+l/eLYQrYWx1/mmAZeWS+uq63/AA=,tag:/3TZ2kmsPBcEZZ/o5Q7qMw==,type:str] +SLSKD_SLSK_PASSWORD=ENC[AES256_GCM,data:UCeJInKY+fjP03w+,iv:pEp8lm8os6W67uRoyzohA08GPeQtUs+I2nJP/N4Qj7o=,tag:KFznti99iojUANNOLRNfjg==,type:str] +sops_age__list_0__map_enc=-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB4OVhrM2dscXFPSy8zK3E0\neWpKY1pncCsxeGNOUmRJQlRCaUtnWFFpcDJnCk1YRGEvZnFESVBhYmdiVWVNbnZw\nci94SEozZlVJVmZ4bmxpRGpoN0R4Z0UKLS0tIFVVSnc1R05MeVhQSnROMnFXS1Uw\nYld3TklmVmN0V1JhaldRcndBYzJ2K0EKmIZHSF/UJiS8bfjBns8x+dSXeg0C1Hzs\nda/d+EA8fuasS9uL59MSGkrWbDMuYvfi79kyR5KvEhIVofM+PuTbdg==\n-----END AGE ENCRYPTED FILE-----\n +sops_age__list_0__map_recipient=age1c8kr95dc7cqq34qyjgpnsgfgyntqnt5rlrq2c025ehp32f8h3sjqkf8k3s +sops_age__list_1__map_enc=-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBBLzh4R0ttM3RSdytnVElR\nZTRpZ2s0eTRNWFIwazZaTExXNW1kRWxqUVdrCnJsVE5ZeUpnczJoTGdZL0huNXFq\ndy94bUdkcXpnTmFDK0dwSktlTFF0SnMKLS0tIGVJNFZpNUswWnJWZzRkNVhIVzRX\nbmxyaWZlQmRSSkhXcnIvN0hMQno0TzgKw7/0A1XNMO5kFNZrQ9ook6JCWKHX52C/\nB0FeBiB3BhH3VUgG8H8z2fiyaCQbMRXEi0MjzajWbc+n7WgnlkhDTg==\n-----END AGE ENCRYPTED FILE-----\n +sops_age__list_1__map_recipient=age1k9297jq43kjmqcau62rt7pz0fc8uqkyshpm6kvw2tky4997r6flqmx8cce +sops_lastmodified=2024-07-08T12:01:54Z +sops_mac=ENC[AES256_GCM,data:2C8abKsoaQhoL/jUWJOFuPKHvpZq8TcIy8XcxcsvCVhpLaoFeK8E0i9BCnpUQTFHE4NJF6pIvrGBWMirUlf20QTmxywdcuUL9sqNahNGPFSCEGhpyQyNCcqlX7qVn6rGgBjfRDcGHIKPWFco83vKDWz9cDtLGbsl8z9Pi3e9jwY=,iv:2A60YeXfz5idgfa4Ps8qtFRz+deAd9Cocgt9x0lH/LQ=,tag:ioAdk22Bz8/SqL1ookQLFg==,type:str] +sops_unencrypted_suffix=_unencrypted +sops_version=3.8.1 diff --git a/server-configuration.nix b/server-configuration.nix new file mode 100644 index 0000000..19da9d2 --- /dev/null +++ b/server-configuration.nix 
@@ -0,0 +1,298 @@
+{
+ config,
+ lib,
+ pkgs,
+ ...
+}:
+let
+ ip = "192.168.1.207";
+ driveMountPoint = "/mnt/hdd1";
+ authentik-version = "2024.2.3";
+ authentik-nix-src = builtins.fetchTarball {
+ url = "https://github.com/nix-community/authentik-nix/archive/version/${authentik-version}.tar.gz";
+ sha256 = "15b9a2csd2m3vwhj3xc24nrqnj1hal60jrd69splln0ynbnd9ki4";
+ };
+ authentik-nix = import authentik-nix-src;
+in
+{
+ # mounting external hard drives !
+ fileSystems."/mnt/hdd1" = {
+ device = "/dev/disk/by-uuid/008e5b16-5620-4fd5-a506-ef8d9bdec0c7";
+ fsType = "ext4";
+ options = [
+ "defaults"
+ "nofail"
+ "rw"
+ ];
+ };
+
+ # setting up networking!!
+ networking = {
+ interfaces = {
+ ens18.ipv4.addresses = [
+ {
+ address = ip;
+ prefixLength = 24;
+ }
+ ];
+ };
+
+ defaultGateway = "192.168.1.1";
+ nameservers = [
+ "1.1.1.1"
+ "1.0.0.1"
+ ];
+ nftables.enable = true;
+ # firewall rules
+ firewall = {
+ enable = true;
+ allowedTCPPorts = [ 22 5030 8080 9091 ];
+ allowedUDPPorts = [ ];
+ };
+ };
+
+ # enable samba
+ services.samba = {
+ enable = true;
+ securityType = "user";
+ openFirewall = true;
+ extraConfig = ''
+ workgroup = WORKGROUP
+ server string = hyperserver
+ netbios name = hyperserver
+ security = user
+ '';
+ shares = {
+ music = {
+ path = "${driveMountPoint}/Music";
+ browseable = "yes";
+ "read only" = "no";
+ "create mask" = "0644";
+ "directory mask" = "0755";
+ "force user" = "cypherpunk";
+ };
+ ebooks = {
+ path = "${driveMountPoint}/Ebooks";
+ browseable = "yes";
+ "read only" = "no";
+ "create mask" = "0644";
+ "directory mask" = "0755";
+ "force user" = "cypherpunk";
+ };
+ };
+ };
+
+ imports = [ authentik-nix.nixosModules.default ];
+
+ sops.age.sshKeyPaths = [ "/home/cypherpunk/.ssh/id_ed25519" ];
+ sops.age.keyFile = "/var/lib/sops-nix/key.txt";
+ sops.age.generateKey = true;
+
+ sops.secrets."searx.env" = {
+ sopsFile = ./secrets/searx.env;
+ format = "dotenv";
+ };
+
+ sops.secrets."slskd.env" = {
+ sopsFile = ./secrets/slskd.env;
+ format = "dotenv";
+ };
+
+ environment.systemPackages = with pkgs; [
+ jellyfin
+ jellyfin-web
+ jellyfin-ffmpeg
+ transmission
+ sonarr
+ radarr
+ prowlarr
+ readarr
+ jellyseerr
+ homepage-dashboard
+ slskd
+ niv # for using sops-nix
+ ];
+
+ services.jellyfin = {
+ enable = true;
+ openFirewall = true;
+ user = "cypherpunk";
+ };
+
+ services.sonarr = {
+ enable = true;
+ openFirewall = true;
+ };
+
+ services.radarr = {
+ enable = true;
+ openFirewall = true;
+ };
+
+ services.readarr = {
+ enable = true;
+ openFirewall = true;
+ };
+
+ services.slskd = {
+ enable = true;
+ openFirewall = true;
+ environmentFile = config.sops.secrets."slskd.env".path;
+ domain = null;
+ settings = {
+ shares.directories = [ "${driveMountPoint}/Music" ];
+ soulseek.description = "i luv katz n mewsik";
+ directories.files.downloads = "${driveMountPoint}/Music/clean";
+ directories.files.incomplete = "${driveMountPoint}/Music/incomplete";
+ };
+ };
+
+ services.prowlarr = {
+ enable = true;
+ openFirewall = true;
+ };
+
+ services.jellyseerr = {
+ openFirewall = true;
+ enable = true;
+ };
+
+ services.transmission = {
+ enable = true;
+ openFirewall = true;
+ openRPCPort = true;
+ settings = {
+ rpc-bind-address = "0.0.0.0"; #Bind to own IP
+ rpc-whitelist-enabled = false;
+ download-dir = "${driveMountPoint}/Torrents";
+ };
+ };
+
+ services.searx = {
+ enable = true;
+ settings = {
+ server.secret_key = builtins.toJSON config.sops.secrets."searx.env";
+ };
+ };
+
+ services.calibre-web = {
+ enable = true;
+ openFirewall = true;
+ options = {
+ enableBookUploading = true;
+ };
+ };
+
+ /*
+ services.authentik = {
+ enable = true;
+ };
+
+ services.photoprism = {
+
+ enable = true;
+ originalsPath = "/mnt/hdd1/photoprism";
+ settings = {
+ PHOTOPRISM_DEFAULT_LOCALE = "fr";
+ };
+ };
+ */
+
+ virtualisation.oci-containers = {
+ backend = "docker";
+ containers = {
+ flaresolverr = {
+ ports = [ "8181:8181" ];
+ image = "ghcr.io/flaresolverr/flaresolverr:latest";
+ environment = {};
+ };
+ };
+};
+
+ services.homepage-dashboard = {
+ enable = true;
+ openFirewall = true;
+ services = [
+ {
+ "Divertissement" = [
+ {
+ "Jellyfin" = {
+ icon = "jellyfin";
+ description = "Permet de regarder ou écouter du contenu.";
+ href = "http://${ip}:8096/";
+ };
+ }
+ {
+ "calibre-web" = {
+ icon = "calibre";
+ description = "Serveur de livres";
+ href = "http://${ip}:8083";
+ };
+ }
+ ];
+ }
+ {
+ "Téléchargement" = [
+ {
+ "Jellyseerr" = {
+ icon = "jellyseerr";
+ description = "Moteur de recherche de films/séries";
+ href = "http://${ip}:5055";
+ };
+ }
+ {
+ "slskd" = {
+ description = "Pour télécharger/partager de la musique";
+ href = "http://${ip}:5030";
+ };
+ }
+ {
+ "Readarr" = {
+ description = "Moteur de recherche de livres";
+ href = "http://${ip}:8787/";
+ };
+ }
+ {
+ "Prowlarr" = {
+ icon = "prowlarr";
+ description = "Indexe les différents sites de téléchargement";
+ href = "http://${ip}:9696/";
+ };
+ }
+ {
+
+ "Sonarr" = {
+ icon = "sonarr";
+ description = "Moteur de recherche pour les séries";
+ href = "http://${ip}:8989";
+ };
+ }
+ {
+
+ "Transmission" = {
+ icon = "transmission";
+ description = "s'occupe du téléchargement des fichiers";
+ href = "http://${ip}:9091";
+ };
+ }
+ ];
+ }
+ {
+ "Utilitaires" = [
+ {
+ "Photoprism" = {
+ icon = "photoprism";
+ description = "Sauvegarde de photos";
+ href = "http://${ip}:2342";
+ };
+ }
+ ];
+ }
+ ];
+
+
+
+ };
+
+ };
+