225 lines
5.5 KiB
Nix
225 lines
5.5 KiB
Nix
{ config, lib, pkgs, inputs, ... }:
|
|
|
|
{
|
|
# Setup hardware
|
|
imports = [ inputs.nixos-hardware.nixosModules.raspberry-pi-4 ];
|
|
fileSystems = {
|
|
"/" = {
|
|
device = "/dev/disk/by-label/NIXOS_SD";
|
|
fsType = "ext4";
|
|
options = [ "noatime" ];
|
|
};
|
|
};
|
|
# Sops setup for this machine
|
|
sops.secrets = {
|
|
"borg-ssh-key" = {
|
|
sopsFile = ../../secrets/tounge/borg.yaml;
|
|
format = "yaml";
|
|
};
|
|
"borg-password" = {
|
|
sopsFile = ../../secrets/tounge/borg.yaml;
|
|
format = "yaml";
|
|
};
|
|
"cloudflare-api" = {
|
|
sopsFile = ../../secrets/tounge/cloudflare-api;
|
|
format = "binary";
|
|
};
|
|
};
|
|
# Setup system configuration
|
|
nathan = {
|
|
services = {
|
|
nginx = {
|
|
enable = true;
|
|
acme = true;
|
|
};
|
|
borg = {
|
|
enable = true;
|
|
extraExcludes = [ "/var/lib/docker" "/var/log" ];
|
|
passwordFile = config.sops.secrets."borg-password".path;
|
|
sshKey = config.sops.secrets."borg-ssh-key".path;
|
|
};
|
|
};
|
|
config = {
|
|
setupGrub = false;
|
|
nix = {
|
|
autoUpdate = true;
|
|
autoGC = true;
|
|
};
|
|
harden = false;
|
|
virtualization = { docker = true; };
|
|
};
|
|
};
|
|
# Configure networking
|
|
networking = {
|
|
domain = "mccarty.io";
|
|
useDHCP = false;
|
|
interfaces.eth0 = {
|
|
ipv4.addresses = [{
|
|
address = "10.0.0.10";
|
|
prefixLength = 21;
|
|
}];
|
|
};
|
|
defaultGateway = "10.0.4.1";
|
|
nameservers = [ "1.1.1.1" "1.0.0.1" ];
|
|
# Open ports in firewall
|
|
firewall = {
|
|
allowedTCPPorts = [ 3080 30443 ];
|
|
allowedUDPPorts = [ 53 ];
|
|
};
|
|
};
|
|
|
|
# Setup home manager
|
|
home-manager.users.nathan = import ./home.nix;
|
|
|
|
# Containerized applications
|
|
virtualisation.oci-containers.containers = {
|
|
# Setup pi hole
|
|
"pihole" = {
|
|
image = "pihole/pihole:latest";
|
|
ports = [
|
|
"10.0.0.10:53:53/tcp"
|
|
"10.0.0.10:53:53/udp"
|
|
"100.75.37.98:53:53/tcp"
|
|
"100.75.37.98:53:53/udp"
|
|
"3080:80"
|
|
"30443:443"
|
|
];
|
|
volumes = [
|
|
"/var/lib/pihole/:/etc/pihole/"
|
|
"/var/lib/dnsmasq.d:/etc/dnsmasq.d/"
|
|
];
|
|
extraOptions = [ "--cap-add=NET_ADMIN" "--dns=1.1.1.1" ];
|
|
};
|
|
# Setup heimdall
|
|
"hub" = {
|
|
image = "lscr.io/linuxserver/heimdall:latest";
|
|
environment = {
|
|
"PUID" = "1001";
|
|
"PGID" = "1001";
|
|
"TZ" = "America/New_York";
|
|
};
|
|
ports = [ "4080:80" "4433:433" ];
|
|
volumes = [ "/var/lib/heimdall:/config" ];
|
|
};
|
|
};
|
|
# Nginx virtual hosts
|
|
services.nginx = {
|
|
enable = true;
|
|
recommendedTlsSettings = true;
|
|
recommendedOptimisation = true;
|
|
recommendedGzipSettings = true;
|
|
recommendedProxySettings = true;
|
|
|
|
virtualHosts = {
|
|
"pihole.mccarty.io" = {
|
|
forceSSL = true;
|
|
useACMEHost = "mccarty.io";
|
|
locations."/" = {
|
|
proxyPass = "http://localhost:3080";
|
|
extraConfig = ''
|
|
allow 100.64.0.0/10;
|
|
deny all;
|
|
'';
|
|
};
|
|
};
|
|
"hub.mccarty.io" = {
|
|
forceSSL = true;
|
|
useACMEHost = "mccarty.io";
|
|
locations."/" = {
|
|
proxyPass = "http://localhost:4080";
|
|
extraConfig = ''
|
|
allow 100.64.0.0/10;
|
|
deny all;
|
|
'';
|
|
};
|
|
};
|
|
"sonarr.mccarty.io" = {
|
|
forceSSL = true;
|
|
useACMEHost = "mccarty.io";
|
|
locations."/" = {
|
|
proxyPass = "http://100.121.150.78:8989";
|
|
extraConfig = ''
|
|
allow 100.64.0.0/10;
|
|
deny all;
|
|
'';
|
|
};
|
|
};
|
|
"radarr.mccarty.io" = {
|
|
forceSSL = true;
|
|
useACMEHost = "mccarty.io";
|
|
locations."/" = {
|
|
proxyPass = "http://100.121.150.78:7878";
|
|
extraConfig = ''
|
|
allow 100.64.0.0/10;
|
|
deny all;
|
|
'';
|
|
};
|
|
};
|
|
"sabnzbd.mccarty.io" = {
|
|
forceSSL = true;
|
|
useACMEHost = "mccarty.io";
|
|
locations."/" = {
|
|
proxyPass = "http://100.121.150.78:8080";
|
|
extraConfig = ''
|
|
allow 100.64.0.0/10;
|
|
deny all;
|
|
'';
|
|
};
|
|
};
|
|
"lidarr.mccarty.io" = {
|
|
forceSSL = true;
|
|
useACMEHost = "mccarty.io";
|
|
locations."/" = {
|
|
proxyPass = "http://100.121.150.78:8686";
|
|
extraConfig = ''
|
|
allow 100.64.0.0/10;
|
|
deny all;
|
|
'';
|
|
};
|
|
};
|
|
"tautulli.mccarty.io" = {
|
|
forceSSL = true;
|
|
useACMEHost = "mccarty.io";
|
|
locations."/" = {
|
|
proxyPass = "http://100.121.150.78:8181";
|
|
extraConfig = ''
|
|
allow 100.64.0.0/10;
|
|
deny all;
|
|
'';
|
|
};
|
|
};
|
|
"bazarr.mccarty.io" = {
|
|
forceSSL = true;
|
|
useACMEHost = "mccarty.io";
|
|
locations."/" = {
|
|
proxyPass = "http://100.121.150.78:6767";
|
|
extraConfig = ''
|
|
allow 100.64.0.0/10;
|
|
deny all;
|
|
'';
|
|
};
|
|
};
|
|
"calibre.mccarty.io" = {
|
|
forceSSL = true;
|
|
useACMEHost = "mccarty.io";
|
|
locations."/" = {
|
|
proxyPass = "http://100.95.223.6:8083";
|
|
extraConfig = ''
|
|
allow 100.64.0.0/10;
|
|
deny all;
|
|
'';
|
|
};
|
|
};
|
|
};
|
|
};
|
|
# Now we can configure ACME so we can get a star cert
|
|
security.acme.certs."mccarty.io" = {
|
|
domain = "*.mccarty.io";
|
|
group = "nginx";
|
|
extraDomainNames = [ "mccarty.io" ];
|
|
dnsProvider = "cloudflare";
|
|
credentialsFile = config.sops.secrets."cloudflare-api".path;
|
|
dnsPropagationCheck = true;
|
|
};
|
|
}
|