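{ config, lib, pkgs, inputs, ... }:

let
  # One UID is used for the host account (nathan.config.userUid) and for the
  # PUID/PGID of the heimdall container so files written into the bind mounts
  # stay owned by a single account.
  uid = "1001";

  # Both borg secrets are decrypted out of the same sops YAML document.
  borgSecrets = ../../secrets/tounge/borg.yaml;

  # Name of the wildcard ACME certificate every virtual host below attaches to
  # (issued at the bottom of this file via security.acme.certs).
  acmeHost = "mccarty.io";

  # Host that runs the media services nginx fronts; it is addressed inside the
  # 100.64.0.0/10 range, i.e. over the same overlay the ACL below admits.
  mediaHost = "100.104.25.128";

  # nginx source ACL: only clients whose address is in 100.64.0.0/10 may reach
  # the location, every other source receives 403.
  overlayOnly = ''
    allow 100.64.0.0/10;
    deny all;
  '';

  # No source restriction: reachable by anyone who can reach port 443 here.
  anyone = ''
    allow all;
  '';

  # A TLS-terminating reverse proxy vhost with a single "/" location.
  #   upstream: URL nginx forwards requests to
  #   acl:      nginx access directives applied to that location
  mkProxy = upstream: acl: {
    forceSSL = true;
    useACMEHost = acmeHost;
    locations."/" = {
      proxyPass = upstream;
      extraConfig = acl;
    };
  };
in
{
  # Hardware: Raspberry Pi 4 profile from nixos-hardware plus the SD-card root.
  imports = [ inputs.nixos-hardware.nixosModules.raspberry-pi-4 ];

  fileSystems."/" = {
    device = "/dev/disk/by-label/NIXOS_SD";
    fsType = "ext4";
    options = [ "noatime" ];
  };

  # Secrets for this machine, decrypted by sops at activation. Only the
  # resulting paths (config.sops.secrets.<name>.path) are referenced below,
  # so plaintext never ends up in the Nix store.
  sops.secrets = {
    "borg-ssh-key" = {
      sopsFile = borgSecrets;
      format = "yaml";
    };
    "borg-password" = {
      sopsFile = borgSecrets;
      format = "yaml";
    };
    "cloudflare-api" = {
      sopsFile = ../../secrets/tounge/cloudflare-api;
      format = "binary";
    };
  };

  # Options of this repository's own "nathan" module; their exact meaning is
  # defined there, not in this file.
  nathan = {
    services = {
      nginx = {
        enable = true;
        acme = true;
      };
      borg = {
        enable = true;
        extraExcludes = [ "/var/lib/docker" "/var/log" ];
        passwordFile = config.sops.secrets."borg-password".path;
        sshKey = config.sops.secrets."borg-ssh-key".path;
      };
    };
    config = {
      setupGrub = false;
      userUid = uid;
      nix = {
        autoUpdate = true;
        autoGC = true;
      };
      # NOTE(review): hardening is opted out of on this host; whatever the
      # module's "harden" switch covers is not applied here - confirm that is
      # intentional for an internet-facing reverse proxy.
      harden = false;
      virtualization.docker = true;
    };
  };

  # Static addressing on eth0; the host itself resolves via Cloudflare rather
  # than via the pi-hole container it runs.
  networking = {
    domain = "mccarty.io";
    useDHCP = false;
    interfaces.eth0.ipv4.addresses = [{
      address = "10.0.0.10";
      prefixLength = 21;
    }];
    defaultGateway = "10.0.4.1";
    nameservers = [ "1.1.1.1" "1.0.0.1" ];

    # Host firewall. 3080/30443 are the pi-hole admin UI published by the
    # container below and 53/udp is its DNS listener.
    # NOTE(review): opening 3080/30443 here lets any client on the LAN reach
    # the pi-hole UI directly, bypassing the 100.64.0.0/10 ACL that the
    # pihole.mccarty.io vhost enforces; Docker-published ports are in any case
    # generally reachable regardless of networking.firewall because Docker
    # installs its own NAT/FORWARD rules. If direct LAN access is not needed,
    # publishing the container ports on 127.0.0.1 (nginx proxies to localhost)
    # and dropping them from allowedTCPPorts closes that path.
    firewall = {
      allowedTCPPorts = [ 3080 30443 ];
      allowedUDPPorts = [ 53 ];
    };
  };

  home-manager.users.nathan = import ./home.nix;

  # Containers. Both images use a mutable ":latest" tag, so what actually runs
  # changes on every pull; pinning a version (or digest) makes upgrades
  # deliberate and reproducible.
  virtualisation.oci-containers.containers = {
    # Pi-hole: DNS on the LAN address and the overlay address, admin UI on
    # 3080/30443 on all interfaces.
    "pihole" = {
      image = "pihole/pihole:latest";
      ports = [
        "10.0.0.10:53:53/tcp"
        "10.0.0.10:53:53/udp"
        "100.89.216.133:53:53/tcp"
        "100.89.216.133:53:53/udp"
        "3080:80"
        "30443:443"
      ];
      volumes = [
        "/var/lib/pihole/:/etc/pihole/"
        "/var/lib/dnsmasq.d:/etc/dnsmasq.d/"
      ];
      # NET_ADMIN widens what the container may do to host networking; it is
      # granted here for pi-hole. The container resolves upstream via 1.1.1.1
      # rather than through itself.
      extraOptions = [ "--cap-add=NET_ADMIN" "--dns=1.1.1.1" ];
    };

    # Heimdall dashboard, fronted by the hub.mccarty.io vhost below.
    "hub" = {
      image = "lscr.io/linuxserver/heimdall:latest";
      environment = {
        "PUID" = uid;
        "PGID" = uid;
        "TZ" = "America/New_York";
      };
      ports = [ "4080:80" "4443:443" ];
      volumes = [ "/var/lib/heimdall:/config" ];
    };
  };

  # Reverse proxy. Every vhost terminates TLS with the wildcard certificate;
  # the ACL passed as the second argument decides who may reach it.
  services.nginx = {
    enable = true;
    recommendedTlsSettings = true;
    recommendedOptimisation = true;
    recommendedGzipSettings = true;
    recommendedProxySettings = true;

    virtualHosts = {
      # Local containers.
      "pihole.mccarty.io" = mkProxy "http://localhost:3080" overlayOnly;
      # Heimdall serves its own TLS on 4443; nginx re-encrypts to it over
      # loopback. nginx does not verify the upstream certificate by default,
      # which is acceptable on loopback only.
      "hub.mccarty.io" = mkProxy "https://localhost:4443" overlayOnly;

      # Services on mediaHost restricted to the overlay range.
      "sonarr.mccarty.io" = mkProxy "http://${mediaHost}:8989" overlayOnly;
      "radarr.mccarty.io" = mkProxy "http://${mediaHost}:7878" overlayOnly;
      "sabnzbd.mccarty.io" = mkProxy "http://${mediaHost}:8080" overlayOnly;
      "lidarr.mccarty.io" = mkProxy "http://${mediaHost}:8686" overlayOnly;
      "tautulli.mccarty.io" = mkProxy "http://${mediaHost}:8181" overlayOnly;
      "bazarr.mccarty.io" = mkProxy "http://${mediaHost}:6767" overlayOnly;
      "tdarr.mccarty.io" = mkProxy "http://${mediaHost}:8265" overlayOnly;
      "kavita.mccarty.io" = mkProxy "http://${mediaHost}:5000" overlayOnly;
      "audiobookshelf.mccarty.io" = mkProxy "http://${mediaHost}:13378" overlayOnly;

      # Publicly reachable services (no source ACL); their own login is the
      # only access control in front of them.
      "jellyseerr.mccarty.io" = mkProxy "http://${mediaHost}:5055" anyone;
      "wizarr.mccarty.io" = mkProxy "http://${mediaHost}:5690" anyone;

      # Jellyfin needs a second location for its websocket endpoint, so it is
      # spelled out rather than built with mkProxy. Both locations are public.
      "jellyfin.mccarty.io" = {
        forceSSL = true;
        useACMEHost = acmeHost;
        locations = {
          # Websocket upgrade plus the forwarding headers jellyfin reads.
          "/socket" = {
            proxyPass = "http://${mediaHost}:8096";
            extraConfig = ''
              proxy_set_header Upgrade $http_upgrade;
              proxy_set_header Connection "upgrade";
              proxy_set_header Host $host;
              proxy_set_header X-Real-IP $remote_addr;
              proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
              proxy_set_header X-Forwarded-Proto $scheme;
              proxy_set_header X-Forwarded-Protocol $scheme;
              proxy_set_header X-Forwarded-Host $http_host;
            '';
          };
          "/" = {
            proxyPass = "http://${mediaHost}:8096";
            extraConfig = anyone;
          };
        };
      };
    };
  };

  # Wildcard certificate via the DNS-01 challenge against Cloudflare. The API
  # token comes from sops; "group = nginx" lets the web server read the key.
  security.acme.certs."mccarty.io" = {
    domain = "*.mccarty.io";
    group = "nginx";
    extraDomainNames = [ "mccarty.io" ];
    dnsProvider = "cloudflare";
    credentialsFile = config.sops.secrets."cloudflare-api".path;
    dnsPropagationCheck = true;
  };
}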