now using flake-parts; refactored nixosConfigurations; using hm standalone

2025-10-14 15:43:12 -03:00 · 2025-10-14 15:43:12 -03:00 · 816496fbab
commit 816496fbab
parent 7f64d49052
104 changed files with 1414 additions and 1910 deletions
--- a/hosts/alexandria/firewall.nix
+++ b/hosts/alexandria/firewall.nix
@ -0,0 +1,11 @@
+{ ... }:
+
+{
+  networking.firewall = {
+    allowedTCPPorts = [
+      80
+      443
+    ];
+    allowedUDPPorts = [ ];
+  };
+}
--- a/hosts/alexandria/forgejo.nix
+++ b/hosts/alexandria/forgejo.nix
@ -0,0 +1,21 @@
+{ ... }:
+
+{
+  services.forgejo = {
+    enable = true;
+    repositoryRoot = "/data/forgejo";
+    settings = {
+      session.COOKIE_SECURE = true;
+      server = {
+        PROTOCOL = "http+unix";
+        DOMAIN = "git.baduhai.dev";
+        ROOT_URL = "https://git.baduhai.dev";
+        OFFLINE_MODE = true; # disable use of CDNs
+        SSH_DOMAIN = "baduhai.dev";
+      };
+      log.LEVEL = "Warn";
+      mailer.ENABLED = false;
+      actions.ENABLED = false;
+    };
+  };
+}
--- a/hosts/alexandria/hardware-configuration.nix
+++ b/hosts/alexandria/hardware-configuration.nix
@ -0,0 +1,49 @@
+{
+  config,
+  lib,
+  modulesPath,
+  ...
+}:
+
+{
+  imports = [ (modulesPath + "/installer/scan/not-detected.nix") ];
+
+  boot = {
+    initrd = {
+      availableKernelModules = [
+        "xhci_pci"
+        "ahci"
+        "usbhid"
+        "usb_storage"
+        "sd_mod"
+      ];
+      kernelModules = [ ];
+    };
+    kernelModules = [ "kvm-intel" ];
+    extraModulePackages = [ ];
+  };
+
+  fileSystems = {
+    "/" = {
+      device = "/dev/disk/by-uuid/31289617-1d84-4432-a833-680b52e88525";
+      fsType = "ext4";
+    };
+    "/boot" = {
+      device = "/dev/disk/by-uuid/4130-BE54";
+      fsType = "vfat";
+    };
+  };
+
+  swapDevices = [
+    {
+      device = "/swapfile";
+      size = 8192;
+    }
+  ];
+
+  networking.useDHCP = lib.mkDefault true;
+
+  powerManagement.cpuFreqGovernor = lib.mkDefault "powersave";
+
+  hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+}
--- a/hosts/alexandria/jellyfin.nix
+++ b/hosts/alexandria/jellyfin.nix
@ -0,0 +1,8 @@
+{ ... }:
+
+{
+  services.jellyfin = {
+    enable = true;
+    openFirewall = true;
+  };
+}
--- a/hosts/alexandria/librespeed.nix
+++ b/hosts/alexandria/librespeed.nix
@ -0,0 +1,14 @@
+{ ... }:
+
+{
+  virtualisation.oci-containers.containers."librespeed" = {
+    image = "lscr.io/linuxserver/librespeed:latest";
+    environment = {
+      TZ = "America/Bahia";
+    };
+    extraOptions = [
+      "--pull=newer"
+      "--label=io.containers.autoupdate=registry"
+    ];
+  };
+}
--- a/hosts/alexandria/nginx.nix
+++ b/hosts/alexandria/nginx.nix
@ -0,0 +1,71 @@
+{ config, lib, ... }:
+
+{
+  security.acme = {
+    acceptTerms = true;
+    defaults = {
+      email = "baduhai@proton.me";
+      dnsResolver = "1.1.1.1:53";
+      dnsProvider = "cloudflare";
+      credentialsFile = config.age.secrets.cloudflare.path;
+    };
+    certs."baduhai.dev" = {
+      extraDomainNames = [ "*.baduhai.dev" ];
+    };
+  };
+
+  age.secrets.cloudflare = {
+    file = ../../secrets/cloudflare.age;
+    owner = "nginx";
+    group = "nginx";
+  };
+
+  services.nginx = {
+    enable = true;
+    recommendedGzipSettings = true;
+    recommendedOptimisation = true;
+    recommendedProxySettings = true;
+    recommendedTlsSettings = true;
+    virtualHosts =
+      let
+        commonVHostConfig = {
+          useACMEHost = "baduhai.dev";
+          forceSSL = true;
+          kTLS = true;
+        };
+      in
+      lib.mapAttrs (_: lib.recursiveUpdate commonVHostConfig) {
+        "_".locations."/".return = "444";
+        "dav.baduhai.dev".locations = {
+          "/caldav" = {
+            proxyPass = "http://unix:/run/radicale/radicale.sock:/";
+            extraConfig = ''
+              proxy_set_header X-Script-Name /caldav;
+              proxy_pass_header Authorization;
+            '';
+          };
+          "/webdav" = {
+            proxyPass = "http://unix:/run/rclone-webdav/webdav.sock:/webdav/";
+            extraConfig = ''
+              proxy_set_header X-Script-Name /webdav;
+              proxy_pass_header Authorization;
+              proxy_connect_timeout 300; # Increase timeouts for large file uploads
+              proxy_send_timeout 300;
+              proxy_read_timeout 300;
+              client_max_body_size 10G; # Allow large file uploads
+              proxy_buffering off; # Buffer settings for better performance
+              proxy_request_buffering off;
+            '';
+          };
+        };
+        "git.baduhai.dev".locations."/".proxyPass =
+          "http://unix:${config.services.forgejo.settings.server.HTTP_ADDR}:/";
+        "jellyfin.baduhai.dev".locations."/".proxyPass = "http://127.0.0.1:8096/";
+        "pass.baduhai.dev".locations."/".proxyPass =
+          "http://unix:${config.services.vaultwarden.config.ROCKET_ADDRESS}:/";
+        "speedtest.baduhai.dev".locations."/".proxyPass = "http://librespeed:80/";
+      };
+  };
+
+  users.users.nginx.extraGroups = [ "acme" ];
+}
--- a/hosts/alexandria/radicale.nix
+++ b/hosts/alexandria/radicale.nix
@ -0,0 +1,17 @@
+{ ... }:
+
+{
+  services.radicale = {
+    enable = true;
+    settings = {
+      server = {
+        hosts = [ "/run/radicale/radicale.sock" ];
+      };
+      auth = {
+        type = "htpasswd";
+        htpasswd_filename = "/etc/radicale/users";
+        htpasswd_encryption = "bcrypt";
+      };
+    };
+  };
+}
--- a/hosts/alexandria/rclone-webdav.nix
+++ b/hosts/alexandria/rclone-webdav.nix
@ -0,0 +1,82 @@
+{ config, pkgs, ... }:
+
+let
+  rclone-webdav-start = pkgs.writeShellScript "rclone-webdav-start.sh" ''
+    #!/bin/bash
+
+    # Configuration
+    CREDS_FILE="/run/agenix/webdav"
+    SERVE_DIR="/data/webdav"
+    SOCKET_PATH="/run/rclone-webdav/webdav.sock"
+
+    # Check if credentials file exists
+    if [ ! -f "$CREDS_FILE" ]; then
+      echo "Error: Credentials file $CREDS_FILE not found"
+      exit 1
+    fi
+
+    # Read credentials from file (format: username:password)
+    CREDENTIALS=$(cat "$CREDS_FILE")
+    USERNAME=$(echo "$CREDENTIALS" | cut -d':' -f1)
+    PASSWORD=$(echo "$CREDENTIALS" | cut -d':' -f2)
+
+    # Validate credentials
+    if [ -z "$USERNAME" ] || [ -z "$PASSWORD" ]; then
+      echo "Error: Invalid credentials format. Expected username:password"
+      exit 1
+    fi
+
+    # Ensure serve directory exists
+    mkdir -p "$SERVE_DIR"
+
+    # Remove existing socket if it exists
+    rm -f "$SOCKET_PATH"
+
+    # Start rclone serve webdav
+    exec ${pkgs.rclone}/bin/rclone serve webdav "$SERVE_DIR" \
+      --addr unix://"$SOCKET_PATH" \
+      --user "$USERNAME" \
+      --pass "$PASSWORD" \
+      --config="" \
+      --baseurl "/webdav" \
+      --verbose
+  '';
+in
+
+{
+  age.secrets.webdav = {
+    file = ../../secrets/webdav.age;
+    owner = "user";
+    group = "users";
+  };
+
+  systemd.services.rclone-webdav = {
+    description = "RClone WebDAV Server";
+    after = [ "network.target" ];
+    wantedBy = [ "multi-user.target" ];
+    serviceConfig = {
+      Type = "exec";
+      User = "user";
+      Group = "nginx";
+      ExecStart = "${rclone-webdav-start}";
+      Restart = "always";
+      RestartSec = "10";
+      NoNewPrivileges = true;
+      PrivateTmp = true;
+      ProtectSystem = "strict";
+      ProtectHome = true;
+      ReadWritePaths = [
+        "/data/webdav"
+        "/run"
+      ];
+      RuntimeDirectory = "rclone-webdav";
+      RuntimeDirectoryMode = "0750";
+      UMask = "0002";
+    };
+    preStart = ''
+      mkdir -p /data/webdav
+      chown user:users /data/webdav
+      chmod 755 /data/webdav
+    '';
+  };
+}
--- a/hosts/alexandria/vaultwarden.nix
+++ b/hosts/alexandria/vaultwarden.nix
@ -0,0 +1,12 @@
+{ ... }:
+
+{
+  services.vaultwarden = {
+    enable = true;
+    config = {
+      DOMAIN = "https://pass.baduhai.dev";
+      SIGNUPS_ALLOWED = false;
+      ROCKET_ADDRESS = "/run/vaultwarden/vaultwarden.sock";
+    };
+  };
+}