-
Notifications
You must be signed in to change notification settings - Fork 2
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
Showing
5 changed files
with
382 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,173 @@ | ||
| { | ||
| config, | ||
| pkgs, | ||
| lib, | ||
| ... | ||
| }: { | ||
| imports = [ | ||
| ./hardware-configuration.nix | ||
| ]; | ||
|
|
||
| config = { | ||
| networking.hostName = "terra"; | ||
|
|
||
| ################ | ||
| ## Bootloader ## | ||
| ################ | ||
| boot.loader.systemd-boot.enable = true; | ||
| # I'm booting from an external USB drive so I | ||
| # prefer not touching the EFI variables | ||
| boot.loader.efi.canTouchEfiVariables = false; | ||
|
|
||
| ################ | ||
| ## Networking ## | ||
| ################ | ||
| networking.useDHCP = false; | ||
| networking.interfaces.enp1s0.useDHCP = true; | ||
|
|
||
| # My DNS has rebinding protection and Plex doesn't like that | ||
| networking.nameservers = ["1.1.1.1" "1.0.0.1"]; | ||
|
|
||
| ####################### | ||
| ## Setup Fan control ## | ||
| ####################### | ||
| # Terramaster F2-221's fan is connected to a case fan header. | ||
| # It doesn't spin up under load so I set up fancontrol to take | ||
| # care of this. | ||
| local.services.fancontrol.enable = true; | ||
| local.services.fancontrol.config = '' | ||
| INTERVAL=10 | ||
| DEVPATH=hwmon0=devices/platform/coretemp.0 hwmon1=devices/platform/it87.2592 | ||
| DEVNAME=hwmon0=coretemp hwmon1=it8613 | ||
| FCTEMPS=hwmon1/pwm3=hwmon0/temp1_input | ||
| FCFANS=hwmon1/pwm3=hwmon1/fan3_input | ||
| MINTEMP=hwmon1/pwm3=50 | ||
| MAXTEMP=hwmon1/pwm3=80 | ||
| MINSTART=hwmon1/pwm3=52 | ||
| MINSTOP=hwmon1/pwm3=12 | ||
| ''; | ||
|
|
||
| ################### | ||
| ## Setup hd-idle ## | ||
| ################### | ||
| systemd.services.hd-idle = { | ||
| description = "Hard Disk Idle Spin-Down Utility"; | ||
| wantedBy = ["multi-user.target"]; | ||
|
|
||
| serviceConfig.ExecStart = lib.concatStringsSep " " [ | ||
| "${pkgs.hd-idle}/bin/hd-idle" | ||
| "-i 0" | ||
| "-c ata" | ||
| "-a /dev/disk/by-id/ata-ST4000VN008-2DR166_ZDH0SPM0" | ||
| "-i 1800" | ||
| "-a /dev/disk/by-id/ata-ST4000VN008-2DR166_ZDH0XSZT" | ||
| "-i 1800" | ||
| ]; | ||
| }; | ||
|
|
||
| ################ | ||
| ## K3s Server ## | ||
| ################ | ||
| services.k3s.enable = true; | ||
| services.k3s.role = "server"; | ||
| services.k3s.extraFlags = let | ||
| # Addmission control config for k3s cluster | ||
| admissionControlConfig = pkgs.writeText "k3s-admission-control-config.yaml" '' | ||
| apiVersion: apiserver.config.k8s.io/v1 | ||
| kind: AdmissionConfiguration | ||
| plugins: | ||
| - name: PodSecurity | ||
| configuration: | ||
| apiVersion: pod-security.admission.config.k8s.io/v1beta1 | ||
| kind: PodSecurityConfiguration | ||
| defaults: | ||
| enforce: "baseline" | ||
| enforce-version: "latest" | ||
| audit: "restricted" | ||
| audit-version: "latest" | ||
| warn: "restricted" | ||
| warn-version: "latest" | ||
| exemptions: | ||
| usernames: [] | ||
| runtimeClasses: [] | ||
| namespaces: [kube-system] | ||
| ''; | ||
|
|
||
| # Config options for k3s server | ||
| serverConfig = pkgs.writeText "k3s-config.yaml" (lib.generators.toYAML {} { | ||
| # Use persisted data directory | ||
| data-dir = "/nix/persist/var/lib/rancher/k3s"; | ||
|
|
||
| # Instead cilium will be deployed | ||
| flannel-backend = "none"; | ||
| # Running on bare metal | ||
| disable-cloud-controller = true; | ||
| # Will run cilium with kube proxy replacement | ||
| disable-kube-proxy = true; | ||
| # Will run cilium for network policy enforcement | ||
| disable-network-policy = true; | ||
| # Don't need the helm controller | ||
| disable-helm-controller = true; | ||
| # Extra stuff to disable that I will deploy manually | ||
| disable = ["traefik" "servicelb" "local-storage"]; | ||
|
|
||
| # Don't schedule workloads on the server | ||
| node-taint = [ | ||
| "node.kubernetes.io/control-plane:NoSchedule" | ||
| ]; | ||
|
|
||
| # Add kube apiserver flags | ||
| kube-apiserver-arg = [ | ||
| # Set admission control config | ||
| "admission-control-config-file=${admissionControlConfig}" | ||
| ]; | ||
| }); | ||
| in "--config ${serverConfig}"; | ||
|
|
||
| ####################### | ||
| ## Plex Media Server ## | ||
| ####################### | ||
| services.plex.enable = true; | ||
| services.plex.openFirewall = true; | ||
| services.plex.dataDir = "/nix/persist/var/lib/plex"; | ||
|
|
||
| ############### | ||
| ## Tailscale ## | ||
| ############### | ||
| services.tailscale.enable = true; | ||
|
|
||
| ####################### | ||
| ## State persistence ## | ||
| ####################### | ||
| environment.persistence."/nix/persist".directories = [ | ||
| "/var/lib/tailscale" | ||
| ]; | ||
|
|
||
| ########## | ||
| ## Sudo ## | ||
| ########## | ||
| # So I can use nixos-rebuild with --use-remote-sudo | ||
| # TODO: Figure out how to allow less commands | ||
| security.sudo.extraRules = [ | ||
| { | ||
| users = ["arnar"]; | ||
| commands = [ | ||
| { | ||
| command = "ALL"; | ||
| options = ["NOPASSWD"]; | ||
| } | ||
| ]; | ||
| } | ||
| ]; | ||
|
|
||
| ################# | ||
| ## NixOS stuff ## | ||
| ################# | ||
| system.stateVersion = "23.05"; | ||
| nix.gc = { | ||
| automatic = true; | ||
| dates = "Mon *-*-* 04:00:00"; | ||
| options = "--delete-older-than 35d"; | ||
| }; | ||
| }; | ||
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,7 @@ | ||
| {inputs, ...}: { | ||
| modules = [ | ||
| ./configuration.nix | ||
| inputs.self.nixosModules.immutable | ||
| inputs.self.nixosModules.server | ||
| ]; | ||
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,98 @@ | ||
| { | ||
| config, | ||
| lib, | ||
| pkgs, | ||
| modulesPath, | ||
| ... | ||
| }: let | ||
| kernel = config.boot.kernelPackages.kernel; | ||
| hddled = pkgs.stdenv.mkDerivation rec { | ||
| name = "hddled_tmj33-${version}-${kernel.version}"; | ||
| version = "0.2"; | ||
|
|
||
| src = pkgs.fetchFromGitHub { | ||
| owner = "arnarg"; | ||
| repo = "hddled_tmj33"; | ||
| rev = version; | ||
| sha256 = "sha256-h2yvaFC0uemt9TZO1FR4Kfqm2bErol7KzjL6SOqtHik="; | ||
| }; | ||
|
|
||
| nativeBuildInputs = kernel.moduleBuildDependencies; | ||
|
|
||
| # We don't want to depmod yet, just build and package the module | ||
| preConfigure = '' | ||
| sed -i 's|depmod|#depmod|' Makefile | ||
| ''; | ||
|
|
||
| makeFlags = [ | ||
| "TARGET=${kernel.modDirVersion}" | ||
| "KERNEL_MODULES=${kernel.dev}/lib/modules/${kernel.modDirVersion}" | ||
| "MODDESTDIR=$(out)/lib/modules/${kernel.modDirVersion}/kernel/drivers/misc" | ||
| ]; | ||
| }; | ||
| in { | ||
| imports = [ | ||
| (modulesPath + "/installer/scan/not-detected.nix") | ||
| ]; | ||
|
|
||
| boot.initrd.availableKernelModules = ["ahci" "xhci_pci" "usb_storage" "uas" "sd_mod" "sdhci_pci"]; | ||
| boot.initrd.kernelModules = []; | ||
|
|
||
| boot.extraModulePackages = with pkgs.linuxPackages; [ | ||
| # Terramaster F2-221 has an it8613e chip | ||
| it87 | ||
| # Custom kernel module for controlling the HDD leds | ||
| # on Terramaster F2-221 | ||
| hddled | ||
| ]; | ||
| boot.kernelModules = [ | ||
| # For virtualization | ||
| "kvm-intel" | ||
| # For fancontrol | ||
| "coretemp" | ||
| # Terramaster F2-221 has an it8613e chip | ||
| "it87" | ||
| # Custom kernel module for controlling the HDD leds | ||
| # on Terramaster F2-221 | ||
| "hddled_tmj33" | ||
| ]; | ||
|
|
||
| # Root on tmpfs | ||
| fileSystems."/" = { | ||
| device = "none"; | ||
| fsType = "tmpfs"; | ||
| options = ["defaults" "size=2G" "mode=755"]; | ||
| }; | ||
|
|
||
| fileSystems."/boot" = { | ||
| label = "boot"; | ||
| fsType = "vfat"; | ||
| }; | ||
|
|
||
| fileSystems."/nix" = { | ||
| label = "nix"; | ||
| fsType = "ext4"; | ||
| neededForBoot = true; | ||
| }; | ||
|
|
||
| fileSystems."/var/log" = { | ||
| device = "/nix/persist/var/log"; | ||
| fsType = "none"; | ||
| options = ["bind"]; | ||
| }; | ||
|
|
||
| fileSystems."/tank" = { | ||
| device = "/dev/disk/by-uuid/4f87db74-309f-4256-baaa-4596a22b04e5"; | ||
| fsType = "btrfs"; | ||
| options = ["rw" "relatime" "space_cache" "subvolid=257" "subvol=/tank"]; | ||
| }; | ||
|
|
||
| services.btrfs.autoScrub = { | ||
| enable = true; | ||
| fileSystems = ["/tank"]; | ||
| interval = "Mon *-*-* 00:00:00"; | ||
| }; | ||
|
|
||
| nix.settings.max-jobs = 2; | ||
| powerManagement.cpuFreqGovernor = lib.mkDefault "ondemand"; | ||
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,103 @@ | ||
| { | ||
| config, | ||
| lib, | ||
| ... | ||
| }: let | ||
| domain = "lab.codedbearder.com"; | ||
| mkServiceConfig = name: url: { | ||
| http.routers."${name}" = { | ||
| rule = "Host(`${domain}`) && PathPrefix(`/${name}`)"; | ||
| service = "${name}"; | ||
| tls.certResolver = "letsencrypt"; | ||
| }; | ||
| http.services."${name}" = { | ||
| loadBalancer.servers = [{url = url;}]; | ||
| }; | ||
| }; | ||
| in | ||
| with lib; { | ||
| # Sonarr | ||
| services.sonarr.enable = true; | ||
| services.sonarr.dataDir = "/nix/persist/var/lib/sonarr/.config/NzbDrone"; | ||
| services.sonarr.group = "mediaowners"; | ||
|
|
||
| # Radarr | ||
| services.radarr.enable = true; | ||
| services.radarr.dataDir = "/nix/persist/var/lib/radarr/.config/NzbDrone"; | ||
| services.radarr.group = "mediaowners"; | ||
|
|
||
| # Transmission | ||
| services.transmission.enable = true; | ||
| services.transmission.settings = { | ||
| download-dir = "/nix/persist/var/lib/transmission/Downloads"; | ||
| incomplete-dir = "/nix/persist/var/lib/transmission/.incomplete"; | ||
| incomplete-dir-enabled = true; | ||
| rpc-bind-address = "0.0.0.0"; | ||
| rpc-host-whitelist = "lab.codedbearder.com,localhost"; | ||
| rpc-host-whitelist-enabled = true; | ||
| }; | ||
| services.transmission.group = "mediaowners"; | ||
|
|
||
| users.groups.mediaowners.members = ["sonarr"]; | ||
| users.groups.mediaowners.gid = 3000; | ||
|
|
||
| # Reverse Proxy | ||
| systemd.services.traefik.serviceConfig = { | ||
| EnvironmentFile = concatStrings ["-" config.services.traefik.dataDir "/acme.env"]; | ||
| }; | ||
| services.traefik.enable = true; | ||
| services.traefik.dataDir = "/nix/persist/var/lib/traefik"; | ||
| services.traefik.staticConfigOptions = { | ||
| # Entrypoints | ||
| entryPoints.http.address = ":80"; | ||
| entryPoints.http.http.redirections = { | ||
| entryPoint.to = "https"; | ||
| entryPoint.scheme = "https"; | ||
| entryPoint.permanent = true; | ||
| }; | ||
| entryPoints.https.address = ":443"; | ||
| # Let's encrypt | ||
| certificatesResolvers.letsencrypt.acme = { | ||
| email = "[email protected]"; | ||
| storage = concatStrings [config.services.traefik.dataDir "/acme.json"]; | ||
| dnsChallenge.provider = "cloudflare"; | ||
| }; | ||
| # Logging | ||
| log.level = "INFO"; | ||
| accessLog.bufferingSize = 1; | ||
| }; | ||
| services.traefik.dynamicConfigOptions = mkMerge [ | ||
| { | ||
| # Transmission doesn't redirect to /transmission/web | ||
| # after I proxy with https. Here I force that to happen. | ||
| http.middlewares.redirect-transmission.redirectregex = { | ||
| regex = "^https://${domain}/transmission/?$"; | ||
| replacement = "https://${domain}/transmission/web/"; | ||
| permanent = true; | ||
| }; | ||
| http.routers.transmission.middlewares = ["redirect-transmission"]; | ||
| } | ||
| (mkServiceConfig "sonarr" "http://127.0.0.1:8989/") | ||
| (mkServiceConfig "radarr" "http://127.0.0.1:7878/") | ||
| (mkServiceConfig "transmission" "http://127.0.0.1:9091/") | ||
| ]; | ||
|
|
||
| # Firewall | ||
| networking.firewall.allowedTCPPorts = [ | ||
| 80 # Traefik | ||
| 443 # Traefik | ||
| ]; | ||
|
|
||
| # Immutable | ||
| environment.persistence."/nix/persist".directories = [ | ||
| "/var/lib/plex" | ||
| ]; | ||
| local.immutable.links.tmpfiles = [ | ||
| "/etc/plex_exporter/environment" # Plex exporter | ||
| ]; | ||
|
|
||
| # Fix permissions between generations | ||
| systemd.tmpfiles.rules = [ | ||
| "z /nix/persist/var/lib/traefik/acme.json 0600 traefik traefik" | ||
| ]; | ||
| } |