initial commit

2025-11-09 23:51:40 -05:00 · 2025-11-09 23:51:40 -05:00 · 4014d5e658
commit 4014d5e658
30 changed files with 911 additions and 0 deletions
--- a/hosts/blobercraft/ai.nix
+++ b/hosts/blobercraft/ai.nix
@ -0,0 +1,34 @@
+{ lib, config, ... }:
+{
+  options.ai.enable = lib.mkEnableOption "enable ai services";
+  config = lib.mkIf config.ai.enable {
+    fileSystems."/mnt/priv" = {
+      device = "192.168.50.240:/mnt/tank/Private";
+      fsType = "nfs";
+      options = [ "defaults" ];
+    };
+
+    services.gatus.settings.endpoints = [
+      {
+        name = "open-webui";
+        group = "local";
+        url = "http://0.0.0.0:${config.services.open-webui.port}/System/Ping";
+        interval = "5m";
+        # conditions = [''[BODY] == "Jellyfin Server"'']; # TODO:
+      }
+    ];
+
+    services = {
+      ollama = {
+        enable = true;
+        # Optional: preload models, see https://ollama.com/library
+        loadModels = [ "llama3.2:3b" "deepseek-r1:1.5b"];
+      };
+      open-webui = {
+        enable = true;
+        port = 2333;
+        openFirewall = true;
+      };
+    };
+  };
+}
--- a/hosts/blobercraft/default.nix
+++ b/hosts/blobercraft/default.nix
@ -0,0 +1,17 @@
+{ ... }:
+{
+  imports = [
+    ./hardware-configuration.nix # Include the results of the hardware scan.
+    ./jellyfin.nix
+    ./minecraft.nix
+    ./gatus.nix
+    ./ai.nix
+  ];
+
+  boot.loader.systemd-boot.enable = true;
+  boot.loader.efi.canTouchEfiVariables = true;
+
+  # ai.enable = true;
+  jellyfin.enable = true;
+  minecraft.enable = true;
+}
--- a/hosts/blobercraft/gatus.nix
+++ b/hosts/blobercraft/gatus.nix
@ -0,0 +1,45 @@
+{ unstable, ... }: let
+  gatus.up = [
+    "[STATUS] == 200"
+    "[RESPONSE_TIME] < 300"
+  ];
+in {
+  services.gatus = {
+    package = unstable.gatus;
+    enable = true;
+    openFirewall = true;
+    settings = {
+      web.port = 8081;
+      endpoints = [
+        {
+          name = "nas";
+          group = "external";
+          url = "http://192.168.50.240";
+          interval = "5m";
+          conditions = gatus.up;
+        }
+        {
+          name = "site";
+          group = "remote";
+          url = "https://squi.bid";
+          interval = "10m";
+          conditions = gatus.up;
+        }
+        {
+          name = "git site";
+          group = "remote";
+          url = "https://git.squi.bid";
+          interval = "10m";
+          conditions = gatus.up;
+        }
+        {
+          name = "voidpkgs";
+          group = "remote";
+          url = "https://voidpkgs.squi.bid";
+          interval = "10m";
+          conditions = [''[BODY] == pat(*x86_64-repodata.sig2*)''];
+        }
+      ];
+    };
+  };
+}
--- a/hosts/blobercraft/hardware-configuration.nix
+++ b/hosts/blobercraft/hardware-configuration.nix
@ -0,0 +1,39 @@
+# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations.  Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+  imports =
+    [ (modulesPath + "/profiles/qemu-guest.nix")
+    ];
+
+  boot.initrd.availableKernelModules = [ "ahci" "xhci_pci" "virtio_pci" "sr_mod" "virtio_blk" ];
+  boot.initrd.kernelModules = [ ];
+  boot.kernelModules = [ "kvm-amd" ];
+  boot.extraModulePackages = [ ];
+
+  fileSystems."/" =
+    { device = "/dev/disk/by-uuid/37cd6e5e-5e67-48de-a2cf-9f1f26db5721";
+      fsType = "ext4";
+    };
+
+  fileSystems."/boot" =
+    { device = "/dev/disk/by-uuid/2EB4-8533";
+      fsType = "vfat";
+      options = [ "fmask=0077" "dmask=0077" ];
+    };
+
+  swapDevices =
+    [ { device = "/dev/disk/by-uuid/7849db93-3c39-4571-ac39-8542251eb194"; }
+    ];
+
+  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+  # (the default) this is the recommended approach. When using systemd-networkd it's
+  # still possible to use this option, but it's recommended to use it in conjunction
+  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
+  networking.useDHCP = lib.mkDefault true;
+  # networking.interfaces.enp1s0.useDHCP = lib.mkDefault true;
+
+  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+}
--- a/hosts/blobercraft/jellyfin.nix
+++ b/hosts/blobercraft/jellyfin.nix
@ -0,0 +1,78 @@
+{ lib, config, ... }:
+{
+  options.jellyfin.enable = lib.mkEnableOption "enable jellfin service";
+  config = lib.mkIf config.jellyfin.enable {
+    fileSystems."/mnt/media" = {
+      device = "192.168.50.240:/mnt/tank/Media";
+      fsType = "nfs";
+      options = [ "defaults" ];
+    };
+
+    services.gatus.settings.endpoints = [
+      {
+        name = "jellyfin";
+        group = "local";
+        url = "http://localhost:8096/System/Ping";
+        interval = "5m";
+        conditions = [''[BODY] == "Jellyfin Server"''];
+      }
+    ];
+
+    services.declarative-jellyfin = {
+      enable = true;
+      openFirewall = true;
+      serverId = "0ba4e888503b4524a90285b7ad500256"; # could be anything
+      system = {
+        serverName = config.networking.hostName;
+        trickplayOptions = {
+          enableHwAcceleration = true;
+          enableHwEncoding = true;
+        };
+        pluginRepositories = [
+          {
+            content.Name = "Jellyfin Stable";
+            content.Url = "https://repo.jellyfin.org/files/plugin/manifest.json";
+            tag = "RepositoryInfo"; # Needed to generate the correct XML
+          }
+          {
+            content.Name = "Intro Skipper";
+            content.Url = "https://intro-skipper.org/manifest.json";
+            tag = "RepositoryInfo"; # Needed to generate the correct XML
+          }
+        ];
+      };
+      users.zachary = {
+        mutable = false;
+        permissions.isAdministrator = true;
+        hashedPasswordFile = config.sops.secrets."jellyfin/zachary".path;
+      };
+      libraries = {
+        Movies = {
+          enabled = true;
+          contentType = "movies";
+          pathInfos = ["/mnt/media/movies"];
+        };
+        Shows = {
+          enabled = true;
+          contentType = "tvshows";
+          pathInfos = ["/mnt/media/shows"];
+        };
+      };
+      encoding = {
+        enableHardwareEncoding = true;
+        hardwareAccelerationType = "vaapi";
+        enableDecodingColorDepth10Hevc = true; # enable if your system supports
+        allowHevcEncoding = true; # enable if your system supports
+        allowAv1Encoding = true; # enable if your system supports
+        hardwareDecodingCodecs = [ # enable the codecs your system supports
+          "h264"
+          "hevc"
+          "mpeg2video"
+          "vc1"
+          "vp9"
+          "av1"
+        ];
+      };
+    };
+  };
+}
--- a/hosts/blobercraft/minecraft.nix
+++ b/hosts/blobercraft/minecraft.nix
@ -0,0 +1,24 @@
+{ lib, config, pkgs, ... }:
+{
+  options.minecraft.enable = lib.mkEnableOption "enable minecraft user";
+  config = lib.mkIf config.minecraft.enable {
+    users.users.minecraft = {
+      createHome = true;
+      home = "/home/minecraft";
+      useDefaultShell = true;
+      isNormalUser = true;
+      description = "minecraft server account";
+      group = "minecraft";
+      openssh.authorizedKeys.keys = [] ++ config.ssh.keys;
+
+      # make sure we have every version of java required to run minecraft
+      packages = with pkgs; [
+        jre8
+        jre17_minimal
+        jre21_minimal
+      ];
+    };
+
+    users.groups.minecraft = {};
+  };
+}
--- a/hosts/crayon/default.nix
+++ b/hosts/crayon/default.nix
@ -0,0 +1,12 @@
+{ ... }:
+{
+  imports = [
+    ./hardware-configuration.nix # Include the results of the hardware scan.
+    ./mailserver.nix
+    ./nginx.nix
+    ./git.nix
+  ];
+
+  boot.loader.grub.enable = true;
+  boot.loader.grub.device = "/dev/vda";
+}
--- a/hosts/crayon/git.nix
+++ b/hosts/crayon/git.nix
@ -0,0 +1,32 @@
+{ config, ... }:
+let
+  cfg = config.services.forgejo;
+  srv = cfg.settings.server;
+in {
+  services.nginx.virtualHosts.${srv.DOMAIN} = {
+    forceSSL = true;
+    enableACME = true;
+    extraConfig = ''
+      client_max_body_size 512M;
+    '';
+    locations."/".proxyPass = "http://localhost:${toString srv.HTTP_PORT}";
+  };
+
+  services.forgejo = {
+    enable = true;
+    database.type = "postgres";
+    lfs.enable = true;
+    settings = {
+      server = {
+        DOMAIN = "git.squi.bid";
+        ROOT_URL = "https://${srv.DOMAIN}/";
+        HTTP_PORT = 3000;
+      };
+      service = {
+        ENABLE_CAPTCHA = true;
+        REGISTER_MANUAL_CONFIRM = true; # all new users must be approved by me
+      };
+      ui.DEFAULT_THEME = "gitea-dark";
+    };
+  };
+}
--- a/hosts/crayon/hardware-configuration.nix
+++ b/hosts/crayon/hardware-configuration.nix
@ -0,0 +1,32 @@
+# Do not modify this file!  It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations.  Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+  imports = [ ];
+
+  boot.initrd.availableKernelModules = [ "ahci" "xhci_pci" "virtio_pci" "sr_mod" "virtio_blk" ];
+  boot.initrd.kernelModules = [ ];
+  boot.kernelModules = [ ];
+  boot.extraModulePackages = [ ];
+
+  fileSystems."/" =
+    { device = "/dev/disk/by-uuid/4d47e9c5-a695-4c12-b44c-1c3c81de20d4";
+      fsType = "ext4";
+    };
+
+  swapDevices =
+    [ { device = "/dev/disk/by-uuid/937d42d7-9d77-46fd-88fb-3d6d746635ed"; }
+    ];
+
+  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+  # (the default) this is the recommended approach. When using systemd-networkd it's
+  # still possible to use this option, but it's recommended to use it in conjunction
+  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
+  networking.useDHCP = lib.mkDefault true;
+  # networking.interfaces.enp1s0.useDHCP = lib.mkDefault true;
+
+  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+  virtualisation.hypervGuest.enable = true;
+}
--- a/hosts/crayon/mailserver.nix
+++ b/hosts/crayon/mailserver.nix
@ -0,0 +1,41 @@
+{ config, ... }:
+{
+  # this should really be imported through a flake but I couldn't get that
+  # working :(
+  imports = [
+    (builtins.fetchTarball {
+      url = "https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/-/archive/nixos-25.05/nixos-mailserver-nixos-25.05.tar.gz";
+      sha256 = "1qn5fg0h62r82q7xw54ib9wcpflakix2db2mahbicx540562la1y";
+    })
+  ];
+
+  mailserver = {
+    enable = true;
+    fqdn = "mail.zacharyscheiman.com";
+    domains = [ "zacharyscheiman.com" "squi.bid" ];
+    messageSizeLimit = 2500000000; # 2.5GB
+
+    loginAccounts = {
+      "me@zacharyscheiman.com" = {
+        hashedPasswordFile = config.sops.secrets."mail/me".path;
+        aliases = [
+          "zach@zacharyscheiman.com"
+          "zack@zacharyscheiman.com"
+          "zachary@zacharyscheiman.com"
+
+          # required aliases
+          "postmaster@zacharyscheiman.com"
+          "abuse@zacharyscheiman.com"
+          "security@zacharyscheiman.com"
+        ];
+      };
+    };
+
+    # Use Let's Encrypt certificates. Note that this needs to set up a stripped
+    # down nginx and opens port 80.
+    certificateScheme = "acme-nginx";
+  };
+
+  security.acme.acceptTerms = true;
+  security.acme.defaults.email = "security@zacharyscheiman.com";
+}
--- a/hosts/crayon/nginx.nix
+++ b/hosts/crayon/nginx.nix
@ -0,0 +1,46 @@
+{ pkgs, config, ... }:
+let
+  mkVirtHosts = virtHosts:
+    builtins.listToAttrs (builtins.map (name: {
+      name = name;
+      value = (builtins.import ./www/${name}.nix {
+        # we have to explicitly pass in arguments because we're using import
+        phpsock = config.services.phpfpm.pools.nginx.socket;
+        inherit pkgs;
+      });
+    }) <| virtHosts);
+in {
+  networking.firewall.allowedTCPPorts = [ 80 443 ];
+
+  # setup phpfpm pooler for sites using php
+  services.phpfpm.pools = {
+    nginx = {
+      user = config.services.nginx.user;
+      group = config.services.nginx.group;
+      phpPackage = pkgs.php;
+      settings = {
+        "listen.owner" = config.services.nginx.user;
+        "listen.group" = config.services.nginx.group;
+        "listen.mode" = "0660";
+        "pm" = "dynamic";
+        "pm.max_children" = 5;
+        "pm.start_servers" = 2;
+        "pm.min_spare_servers" = 1;
+        "pm.max_spare_servers" = 3;
+      };
+    };
+  };
+
+  services.nginx = {
+    enable = true;
+    recommendedTlsSettings = true;
+    recommendedOptimisation = true;
+    recommendedGzipSettings = true;
+
+    virtualHosts = mkVirtHosts [
+      "squi.bid"
+      "5438.squi.bid"
+      "voidpkgs.squi.bid"
+    ];
+  };
+}
--- a/hosts/crayon/www/5438.squi.bid.nix
+++ b/hosts/crayon/www/5438.squi.bid.nix
@ -0,0 +1,12 @@
+{ ... }:
+{
+  root = "/var/www/5438"; # TODO: make declarative
+
+  locations."/" = {
+    index = "zacharys-guide.pdf";
+  };
+
+  # https
+  enableACME = true;
+  forceSSL = true;
+}
--- a/hosts/crayon/www/squi.bid.nix
+++ b/hosts/crayon/www/squi.bid.nix
@ -0,0 +1,31 @@
+{ phpsock, pkgs, ... }:
+{
+  serverAliases = ["www.squi.bid"];
+  root = "/var/www/squi.bid"; # TODO: make declarative
+
+  locations = {
+    "/" = {
+      tryFiles = "$uri $uri.html $uri/ @extensionless-php";
+      index = "index.html index.htm index.php";
+    };
+    "~ \\.php$" = {
+      extraConfig = ''
+        fastcgi_pass unix:${phpsock};
+        include ${pkgs.nginx}/conf/fastcgi.conf;
+        expires 3m;
+        add_header Cache-Control "max-age=180, public";
+      '';
+    };
+    "~* \\.(?:css|js|jpg|png)$" = {
+      extraConfig = ''
+        expires 1y;
+        access_log off;
+        add_header Cache-Control "max-age=31556952, public";
+      '';
+    };
+  };
+
+  # https
+  enableACME = true;
+  forceSSL = true;
+}
--- a/hosts/crayon/www/voidpkgs.squi.bid.nix
+++ b/hosts/crayon/www/voidpkgs.squi.bid.nix
@ -0,0 +1,17 @@
+{ ... }:
+{
+  root = "/var/www/voidpkgs"; # TODO: make declarative
+
+  locations."/" = {
+    extraConfig = ''
+      try_files $uri $uri/ =404;
+      sendfile on;
+      sendfile_max_chunk 1m;
+      autoindex on;
+    '';
+  };
+
+  # https
+  enableACME = true;
+  forceSSL = true;
+}