first commit

.sops.yaml

@@ -0,0 +1,9 @@
+keys:
+  - &admin_cypherpunk age1c8kr95dc7cqq34qyjgpnsgfgyntqnt5rlrq2c025ehp32f8h3sjqkf8k3s
+  - &server_cypherpunk age1k9297jq43kjmqcau62rt7pz0fc8uqkyshpm6kvw2tky4997r6flqmx8cce
+creation_rules:
+  - path_regex: secrets/[^/]+\.(yaml|json|env)$
+    key_groups:
+    - age:
+      - *admin_cypherpunk
+      - *server_cypherpunk

configuration.nix

@@ -0,0 +1,104 @@
+# Edit this configuration file to define what should be installed on
+# your system. Help is available in the configuration.nix(5) man page, on
+# https://search.nixos.org/options and in the NixOS manual (`nixos-help`).
+
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+
+{
+  imports = [
+    # Include the results of the hardware scan.
+    ./hardware-configuration.nix
+    "${(import ./nix/sources.nix).sops-nix}/modules/sops"
+    ./server-configuration.nix
+  ];
+
+  # Use the GRUB 2 boot loader.
+  boot = {
+    loader.grub = {
+      enable = true;
+      device = "/dev/sda";
+    };
+    kernelParams = [ "console=ttyS0" ];
+  };
+
+  networking.hostName = "hypervirtualworld"; # Define your hostname.
+
+  # Set your time zone.
+  time.timeZone = lib.mkDefault "Europe/Paris";
+
+  # Select internationalisation properties.
+  i18n.defaultLocale = "fr_FR.UTF-8";
+  console = {
+    font = "Lat2-Terminus16";
+    keyMap = "fr";
+  };
+
+  services.qemuGuest.enable = true;
+  services.cloud-init.network.enable = true;
+
+  # Define a user account. Don't forget to set a password with ‘passwd’.
+  users.users.cypherpunk = {
+    isNormalUser = true;
+    extraGroups = [
+      "wheel"
+      "docker"
+      "dialout"
+    ]; # Enable ‘sudo’ for the user.
+    packages = with pkgs; [ btop ];
+    openssh.authorizedKeys.keys = [
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIA8sdToNavEQv7PTMJ97HIGM6UlChwGS3x9O8hFilzui harryh@ik.me"
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAII/pj2uTGRHkYwP/EqIfgHP+MQavBuDMnWMXtOedkwIQ harryh@ik.me"
+    ];
+  };
+
+  # List packages installed in system profile. To search, run:
+  environment.systemPackages = with pkgs; [
+    neovim
+    curl
+    git
+  ];
+
+  # enable docker
+  virtualisation.docker = {
+    enable = true;
+  };
+
+  # configure openssh
+  services.openssh = {
+    enable = true;
+    # require public key authentication for better security
+    settings.PasswordAuthentication = false;
+    settings.KbdInteractiveAuthentication = false;
+    settings.PermitRootLogin = "no";
+  };
+
+  # Copy the NixOS configuration file and link it from the resulting system
+  # (/run/current-system/configuration.nix). This is useful in case you
+  # accidentally delete configuration.nix.
+  system.copySystemConfiguration = true;
+
+  # This option defines the first version of NixOS you have installed on this particular machine,
+  # and is used to maintain compatibility with application data (e.g. databases) created on older NixOS versions.
+  #
+  # Most users should NEVER change this value after the initial install, for any reason,
+  # even if you've upgraded your system to a new NixOS release.
+  #
+  # This value does NOT affect the Nixpkgs version your packages and OS are pulled from,
+  # so changing it will NOT upgrade your system - see https://nixos.org/manual/nixos/stable/#sec-upgrading for how
+  # to actually do that.
+  #
+  # This value being lower than the current NixOS release does NOT mean your system is
+  # out of date, out of support, or vulnerable.
+  #
+  # Do NOT change this value unless you have manually inspected all the changes it would make to your configuration,
+  # and migrated your data accordingly.
+  #
+  # For more information, see `man configuration.nix` or https://nixos.org/manual/nixos/stable/options#opt-system.stateVersion .
+  system.stateVersion = "24.05"; # Did you read the comment?
+
+}

hardware-configuration.nix

@@ -0,0 +1,42 @@
+# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations.  Please make changes
+# to /etc/nixos/configuration.nix instead.
+{
+  config,
+  lib,
+  pkgs,
+  modulesPath,
+  ...
+}:
+
+{
+  imports = [ (modulesPath + "/profiles/qemu-guest.nix") ];
+
+  boot.initrd.availableKernelModules = [
+    "ata_piix"
+    "uhci_hcd"
+    "virtio_pci"
+    "virtio_scsi"
+    "sd_mod"
+    "sr_mod"
+  ];
+  boot.initrd.kernelModules = [ ];
+  boot.kernelModules = [ ];
+  boot.extraModulePackages = [ ];
+
+  fileSystems."/" = {
+    device = "/dev/disk/by-uuid/62b25445-dfe7-4b49-83bc-c479335c1a78";
+    fsType = "ext4";
+  };
+
+  swapDevices = [ ];
+
+  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+  # (the default) this is the recommended approach. When using systemd-networkd it's
+  # still possible to use this option, but it's recommended to use it in conjunction
+  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
+  networking.useDHCP = lib.mkDefault true;
+  # networking.interfaces.ens18.useDHCP = lib.mkDefault true;
+
+  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+}

nix

@@ -0,0 +1 @@
+/home/cypherpunk/nix/

secrets/example.yaml

@@ -0,0 +1,34 @@
+slskd:
+    username: ENC[AES256_GCM,data:iBBZDMMXqmc=,iv:AgFj1FIZqqJrlwWWGcb9M3GzsSGi2rZAw2FEffzVAM8=,tag:4g9dWLXbrzRmeohKRYmx5w==,type:str]
+    password: ENC[AES256_GCM,data:VtTXofstN6Auz3SO,iv:bMU3HLCsSh8ZZftmH5kEbYZoFtNIeqtTM9fUgCYLxhc=,tag:YwFIr/eqHAHXdtgqUguMMQ==,type:str]
+searx:
+    secret_key: ENC[AES256_GCM,data:Aiy95HoQTPzqkL6LPrW1Ya/NyIEPEFlFoOkIV+6DUWM=,iv:TJk+EcNHXPzSto/QiaenH369PG5LLYt4JoEAhdksPNc=,tag:GjSR5dMNKKEif7hQmeEV8w==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age1c8kr95dc7cqq34qyjgpnsgfgyntqnt5rlrq2c025ehp32f8h3sjqkf8k3s
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBxS3dXcEkycEltZ1JRbC8z
+            cFkwRDViUlFCTXlsTnhHMERBYkI5M1FtclNBCkljTm5iY0RZazd4RW1Rb1hpQVN4
+            SDU5Zkw5L0VPZEt6Lys2a3BYdWIvTncKLS0tIEFkYys1VjRrK1pDUHZtL09GeDE5
+            emdUNFBOcDdYSmZ0S1hmMmFzck1LTFEKnMvK7JDqojKElSzlMJbYwiq5/2NTAaPI
+            FFDqrrLfJ3qn7IZmuFQapIpSyWB9v4sSZqdPu23TK2GEy8wWweJQjw==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1k9297jq43kjmqcau62rt7pz0fc8uqkyshpm6kvw2tky4997r6flqmx8cce
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSByeGZxa1haT0NMTG01cXZH
+            TjVVSENSMThKaWhCQ0l5c1BRQnZycmdHekVnClkzWjhZKy94RjFyYjJQeXo4bDZI
+            am14WGoyNEMrMzNGbndnWUdjbCtoK1EKLS0tIENNV3NwRGY1M0U3M0ZnTjhtU05N
+            MEZhN2dYUXZpWEpydlRNMU9FSnpRTXMK9w4bgI/kAAQB/FXwt7k7xcQAFKEfaCVD
+            ZoBG7/wPfpvmk73gLf7xHrrKG0N90mVVSVtVjP+R6bs4B50bAuQtRA==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2024-07-07T13:15:54Z"
+    mac: ENC[AES256_GCM,data:A4ELPQIvjgPjcZvRbOsY0aMyxBJxuJaxAsYJ096Zzt957O/jco/ixaNOCNyLYgyN9eynuf+eW4NrYMAmCmFytkO3hCclys3vpTm81U35MPbfxEmE+p7ikyu7p8klskFS8olRIQZKL6TvE4vCOMXFvGxvq7GiOLDkb27IbAroVB0=,iv:73OEcyqz6HOVcKIA3ROncVClDd9h6p2kcfGesTANfC4=,tag:7Gp9RGzLDslBvJJKJLXITA==,type:str]
+    pgp: []
+    unencrypted_suffix: _unencrypted
+    version: 3.8.1

secrets/searx.env

@@ -0,0 +1,9 @@
+SECRET_KEY=ENC[AES256_GCM,data:Tz1+TBc07+S+1s65OsXglFD6AWPk9so5LoABfRQFt/0=,iv:DBCDFrDBjn2/H6ycvDGjABpBvDSP/P52C9313K7F2VE=,tag:dqtWCP2r9mF3pfB7XKNKHQ==,type:str]
+sops_age__list_0__map_enc=-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA4ZDJhNXFzcXdDODF3KzlK\nb2V2ZmNleitiZHhTZlRyQXBjLzcvV3hZRTIwCnV3Qy9WMU93MlV2RUFoWmdPZkFF\nQW5BWCtRVkF4cDVUUXE4VjNNY2ZvUEUKLS0tIEJFcWc5Y3pRZDVnMVBJdFhmU1FO\nSHd0bVRGZFFPWG1QUXl3aWlIdVRGdTQK2Z/iidiGms+sZJkZa+WBgVO370xW+ZOr\nulDZFCZ6HFBjNDUWwk5+WPVMsT2yKSScFdEcFDh1xjMta8v6ufKnQg==\n-----END AGE ENCRYPTED FILE-----\n
+sops_age__list_0__map_recipient=age1c8kr95dc7cqq34qyjgpnsgfgyntqnt5rlrq2c025ehp32f8h3sjqkf8k3s
+sops_age__list_1__map_enc=-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBDUzBZQ0FwK0NmdlVnZWVS\nRmZyTjkwMWJXOE5UWnZHeUUva2ZKU3dFY0FRClRlTnJtZ1VwZE1SSkNZR1ZmaGxh\nLzBxbVI2ZjVhNm0yU1I5Rm9pTGpaajAKLS0tIGZ5ZlRJM0p5WXBqemNvYlFGcVhD\na0RoSWcvZkxkejc4b3FlSG45RUdHWEkKMcs10Bu0Box9DL9Jr/U6lqmzybQvI8uh\nomBSFIoXcf+Nbeo/cQWAT4WdjwWSbfyYX6is7K10E2fPc9+Bv+ZCMw==\n-----END AGE ENCRYPTED FILE-----\n
+sops_age__list_1__map_recipient=age1k9297jq43kjmqcau62rt7pz0fc8uqkyshpm6kvw2tky4997r6flqmx8cce
+sops_lastmodified=2024-07-08T16:04:38Z
+sops_mac=ENC[AES256_GCM,data:jbs/oz2xndHP8c5iyZFodh/AiT6A7q72KvKbb7UBzTfnhkl9TzdrsHVowSLZrK8Lv2JeReehLSLK5W4B3UPPQM5975Ycxa2wtA2sinkm6n3e8BN4qB3ia8PLpsfXi4WbKSvkYX/jojQmXEZLrxSFOzu2N3+P5Bqx19D89mY2O80=,iv:woWu6lZ1er3DB/aRmfeJSzt4SrR6IBYmZ0pCgFeFy2E=,tag:k/xzSdMakgf5qvzrnsvXPg==,type:str]
+sops_unencrypted_suffix=_unencrypted
+sops_version=3.8.1

secrets/slskd.env

@@ -0,0 +1,10 @@
+SLSKD_SLSK_USERNAME=ENC[AES256_GCM,data:ndRuxcaBnFQ=,iv:5Yw/OR9yIZ4f2Ih+l/eLYQrYWx1/mmAZeWS+uq63/AA=,tag:/3TZ2kmsPBcEZZ/o5Q7qMw==,type:str]
+SLSKD_SLSK_PASSWORD=ENC[AES256_GCM,data:UCeJInKY+fjP03w+,iv:pEp8lm8os6W67uRoyzohA08GPeQtUs+I2nJP/N4Qj7o=,tag:KFznti99iojUANNOLRNfjg==,type:str]
+sops_age__list_0__map_enc=-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB4OVhrM2dscXFPSy8zK3E0\neWpKY1pncCsxeGNOUmRJQlRCaUtnWFFpcDJnCk1YRGEvZnFESVBhYmdiVWVNbnZw\nci94SEozZlVJVmZ4bmxpRGpoN0R4Z0UKLS0tIFVVSnc1R05MeVhQSnROMnFXS1Uw\nYld3TklmVmN0V1JhaldRcndBYzJ2K0EKmIZHSF/UJiS8bfjBns8x+dSXeg0C1Hzs\nda/d+EA8fuasS9uL59MSGkrWbDMuYvfi79kyR5KvEhIVofM+PuTbdg==\n-----END AGE ENCRYPTED FILE-----\n
+sops_age__list_0__map_recipient=age1c8kr95dc7cqq34qyjgpnsgfgyntqnt5rlrq2c025ehp32f8h3sjqkf8k3s
+sops_age__list_1__map_enc=-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBBLzh4R0ttM3RSdytnVElR\nZTRpZ2s0eTRNWFIwazZaTExXNW1kRWxqUVdrCnJsVE5ZeUpnczJoTGdZL0huNXFq\ndy94bUdkcXpnTmFDK0dwSktlTFF0SnMKLS0tIGVJNFZpNUswWnJWZzRkNVhIVzRX\nbmxyaWZlQmRSSkhXcnIvN0hMQno0TzgKw7/0A1XNMO5kFNZrQ9ook6JCWKHX52C/\nB0FeBiB3BhH3VUgG8H8z2fiyaCQbMRXEi0MjzajWbc+n7WgnlkhDTg==\n-----END AGE ENCRYPTED FILE-----\n
+sops_age__list_1__map_recipient=age1k9297jq43kjmqcau62rt7pz0fc8uqkyshpm6kvw2tky4997r6flqmx8cce
+sops_lastmodified=2024-07-08T12:01:54Z
+sops_mac=ENC[AES256_GCM,data:2C8abKsoaQhoL/jUWJOFuPKHvpZq8TcIy8XcxcsvCVhpLaoFeK8E0i9BCnpUQTFHE4NJF6pIvrGBWMirUlf20QTmxywdcuUL9sqNahNGPFSCEGhpyQyNCcqlX7qVn6rGgBjfRDcGHIKPWFco83vKDWz9cDtLGbsl8z9Pi3e9jwY=,iv:2A60YeXfz5idgfa4Ps8qtFRz+deAd9Cocgt9x0lH/LQ=,tag:ioAdk22Bz8/SqL1ookQLFg==,type:str]
+sops_unencrypted_suffix=_unencrypted
+sops_version=3.8.1

server-configuration.nix

@@ -0,0 +1,298 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+let
+  ip = "192.168.1.207";
+  driveMountPoint = "/mnt/hdd1";
+  authentik-version = "2024.2.3";
+  authentik-nix-src = builtins.fetchTarball {
+    url = "https://github.com/nix-community/authentik-nix/archive/version/${authentik-version}.tar.gz";
+    sha256 = "15b9a2csd2m3vwhj3xc24nrqnj1hal60jrd69splln0ynbnd9ki4";
+  };
+  authentik-nix = import authentik-nix-src;
+in
+{
+  # mounting external hard drives !
+  fileSystems."/mnt/hdd1" = {
+    device = "/dev/disk/by-uuid/008e5b16-5620-4fd5-a506-ef8d9bdec0c7";
+    fsType = "ext4";
+    options = [
+      "defaults"
+      "nofail"
+      "rw"
+    ];
+  };
+
+  # setting up networking!!
+  networking = {
+    interfaces = {
+      ens18.ipv4.addresses = [
+        {
+          address = ip;
+          prefixLength = 24;
+        }
+      ];
+    };
+
+    defaultGateway = "192.168.1.1";
+    nameservers = [
+      "1.1.1.1"
+      "1.0.0.1"
+    ];
+    nftables.enable = true;
+    # firewall rules
+    firewall = {
+      enable = true;
+      allowedTCPPorts = [ 22 5030 8080 9091 ];
+      allowedUDPPorts = [ ];
+    };
+  };
+
+  # enable samba
+  services.samba = {
+    enable = true;
+    securityType = "user";
+    openFirewall = true;
+    extraConfig = ''
+      workgroup = WORKGROUP
+      server string = hyperserver
+      netbios name = hyperserver
+      security = user
+    '';
+    shares = {
+      music = {
+        path = "${driveMountPoint}/Music";
+        browseable = "yes";
+        "read only" = "no";
+        "create mask" = "0644";
+        "directory mask" = "0755";
+        "force user" = "cypherpunk";
+      };
+      ebooks = {
+        path = "${driveMountPoint}/Ebooks";
+        browseable = "yes";
+        "read only" = "no";
+        "create mask" = "0644";
+        "directory mask" = "0755";
+        "force user" = "cypherpunk";
+      };
+    };
+  };
+
+  imports = [ authentik-nix.nixosModules.default ];
+
+  sops.age.sshKeyPaths = [ "/home/cypherpunk/.ssh/id_ed25519" ];
+  sops.age.keyFile = "/var/lib/sops-nix/key.txt";
+  sops.age.generateKey = true;
+
+  sops.secrets."searx.env" = { 
+    sopsFile = ./secrets/searx.env;
+    format = "dotenv";
+  };
+
+  sops.secrets."slskd.env" = {
+    sopsFile = ./secrets/slskd.env;
+    format = "dotenv";
+  };
+
+  environment.systemPackages = with pkgs; [
+    jellyfin
+    jellyfin-web
+    jellyfin-ffmpeg
+    transmission
+    sonarr
+    radarr
+    prowlarr
+    readarr
+    jellyseerr
+    homepage-dashboard
+    slskd
+    niv # for using sops-nix
+  ];
+
+  services.jellyfin = {
+    enable = true;
+    openFirewall = true;
+    user = "cypherpunk";
+  };
+
+  services.sonarr = {
+    enable = true;
+    openFirewall = true;
+  };
+
+  services.radarr = {
+    enable = true;
+    openFirewall = true;
+  };
+
+  services.readarr = {
+    enable = true;
+    openFirewall = true;
+  };
+
+  services.slskd = {
+    enable = true;
+    openFirewall = true;
+    environmentFile = config.sops.secrets."slskd.env".path;
+    domain = null;
+    settings = {
+      shares.directories = [ "${driveMountPoint}/Music" ];
+      soulseek.description = "i luv katz n mewsik";
+      directories.files.downloads = "${driveMountPoint}/Music/clean";
+      directories.files.incomplete = "${driveMountPoint}/Music/incomplete";
+    };
+  };
+
+  services.prowlarr = {
+    enable = true;
+    openFirewall = true;
+  };
+
+  services.jellyseerr = {
+    openFirewall = true;
+    enable = true;
+  };
+
+  services.transmission = {
+    enable = true;
+    openFirewall = true;
+    openRPCPort = true;
+    settings = {
+      rpc-bind-address = "0.0.0.0"; #Bind to own IP
+      rpc-whitelist-enabled = false;
+      download-dir = "${driveMountPoint}/Torrents";
+    };
+  };
+
+  services.searx = {
+    enable = true;
+    settings = {
+      server.secret_key = builtins.toJSON config.sops.secrets."searx.env";
+    };
+  };
+
+  services.calibre-web = {
+    enable = true;
+    openFirewall = true;
+    options = {
+      enableBookUploading = true;
+    };
+  };
+
+  /*
+    services.authentik = {
+      enable = true;
+    };
+
+      services.photoprism = {
+
+        enable = true;
+        originalsPath = "/mnt/hdd1/photoprism";
+        settings = {
+          PHOTOPRISM_DEFAULT_LOCALE = "fr";
+        };
+      };
+  */
+
+  virtualisation.oci-containers = {
+    backend = "docker";
+    containers = {
+      flaresolverr = {
+        ports = [ "8181:8181" ];
+        image = "ghcr.io/flaresolverr/flaresolverr:latest";
+	environment = {};
+      };
+    };
+};
+
+  services.homepage-dashboard = {
+    enable = true;
+    openFirewall = true;
+    services = [
+      {
+        "Divertissement" = [
+          {
+            "Jellyfin" = {
+              icon = "jellyfin";
+              description = "Permet de regarder ou écouter du contenu.";
+              href = "http://${ip}:8096/";
+            };
+          }
+          {
+            "calibre-web" = {
+              icon = "calibre";
+              description = "Serveur de livres";
+              href = "http://${ip}:8083";
+            };
+          }
+        ];
+      }
+      {
+        "Téléchargement" = [
+          {
+            "Jellyseerr" = {
+              icon = "jellyseerr";
+              description = "Moteur de recherche de films/séries";
+              href = "http://${ip}:5055";
+            };
+          }
+          {
+            "slskd" = {
+              description = "Pour télécharger/partager de la musique";
+              href = "http://${ip}:5030";
+            };
+          }
+          {
+            "Readarr" = {
+              description = "Moteur de recherche de livres";
+              href = "http://${ip}:8787/";
+            };
+          }
+          {
+            "Prowlarr" = {
+              icon = "prowlarr";
+              description = "Indexe les différents sites de téléchargement";
+              href = "http://${ip}:9696/";
+            };
+          }
+          {
+
+            "Sonarr" = {
+              icon = "sonarr";
+              description = "Moteur de recherche pour les séries";
+              href = "http://${ip}:8989";
+            };
+          }
+          {
+
+            "Transmission" = {
+              icon = "transmission";
+              description = "s'occupe du téléchargement des fichiers";
+              href = "http://${ip}:9091";
+            };
+          }
+        ];
+      }
+      {
+        "Utilitaires" = [
+          {
+            "Photoprism" = {
+              icon = "photoprism";
+              description = "Sauvegarde de photos";
+              href = "http://${ip}:2342";
+            };
+          }
+        ];
+      }
+    ];
+
+
+
+  };
+
+  };
+