feat: migrate all nixos services from idols to 12kingdoms

This commit is contained in:
Ryan Yin
2024-03-29 11:58:48 +08:00
parent 4da995fa88
commit bf6bc4bee2
65 changed files with 422 additions and 446 deletions


@@ -1,16 +1,3 @@
# Idols - Kana
Host running some common applications, such as hompage, file browser, torrent downloader, etc.
All the services assumes a reverse proxy to be setup in the front, they are all listening on
localhost, and a caddy service is listening on the local network interface and proxy the requests to
the services.
## Services
1. dashy: Homepage
1. ddns
1. transmission & AriaNg: Torrent downloader and HTTP downloader
1. uptime-kuma: uptime monitoring
1. alist/filebrower: File browser for local/SMB/Cloud
1. excalidraw/DDTV/owncast/jitsi-meet/...
TODO


@@ -1,48 +0,0 @@
{myvars, ...}: {
services.caddy = {
enable = true;
# Reload Caddy instead of restarting it when configuration file changes.
enableReload = true;
user = "caddy"; # User account under which caddy runs.
dataDir = "/var/lib/caddy";
logDir = "/var/log/caddy";
# Additional lines of configuration appended to the global config section of the Caddyfile.
# Refer to https://caddyserver.com/docs/caddyfile/options#global-options for details on supported values.
globalConfig = ''
http_port 80
https_port 443
auto_https off
'';
# ACME related settings.
# email = myvars.useremail;
# acmeCA = "https://acme-v02.api.letsencrypt.org/directory";
virtualHosts."http://dashy.writefor.fun".extraConfig = ''
encode zstd gzip
reverse_proxy http://localhost:4000
'';
virtualHosts."http://transmission.writefor.fun".extraConfig = ''
encode zstd gzip
reverse_proxy http://localhost:9091
'';
virtualHosts."http://uptime-kuma.writefor.fun".extraConfig = ''
encode zstd gzip
reverse_proxy http://localhost:3001
'';
virtualHosts."http://sftpgo.writefor.fun".extraConfig = ''
encode zstd gzip
reverse_proxy http://localhost:5010
'';
virtualHosts."http://webdav.writefor.fun".extraConfig = ''
encode zstd gzip
reverse_proxy http://localhost:5005
'';
virtualHosts."http://home.writefor.fun".extraConfig = ''
encode zstd gzip
reverse_proxy http://localhost:8082
'';
};
networking.firewall.allowedTCPPorts = [80 443];
}


@@ -1,3 +0,0 @@
# Homepage for my Homelab
> WIP, just a demo for now


@@ -1,8 +0,0 @@
---
- About Me:
- Blog:
- abbr: Blog
href: https://thiscute.world/
- Github:
- abbr: GH
href: https://github.com/ryan4yin


@@ -1,3 +0,0 @@
# kana-docker:
# socket: /var/run/docker.sock
#



@@ -1,6 +0,0 @@
# https://gethomepage.dev/latest/configs/kubernetes/
# uses the default kubeconfig to access the cluster
# read kubbecofig from $KUBECONFIG or $HOME/.kube/config
# mode: default
mode: disabled


@@ -1,68 +0,0 @@
---
# For configuration options and examples, please see:
# https://gethomepage.dev/latest/configs/services
- Proxmox VE 虚拟化集群:
- PVE-UM560:
icon: si-proxmox
href: https://192.168.5.173:8006/
description: "CPU: R5-5625U / MEM: 32G / DISK: 512G+4T*2"
siteMonitor: https://192.168.5.173:8006/
- PVE-S500Plus:
icon: si-proxmox
href: https://192.168.5.174:8006/
description: "CPU: R7-5825U / MEM: 64G / DISK: 1T"
siteMonitor: https://192.168.5.174:8006/
- PVE-GTR5:
icon: si-proxmox
href: https://192.168.5.172:8006/
description: "CPU: R9-5900HX / MEM: 64G / DISK: 1T"
siteMonitor: https://192.168.5.172:8006/
- Homelab Monitoring:
- Grafana:
icon: si-grafana
href: http://grafana.writefor.fun
description: Data visualised on dashboards
siteMonitor: http://grafana.writefor.fun
- Prometheus Dashboard:
icon: si-prometheus
href: http://prometheus.writefor.fun
description: Monitoring - Prometheus
siteMonitor: http://prometheus.writefor.fun
- Uptime Kuma:
icon: si-uptimekuma
href: http://uptime-kuma.writefor.fun
description: Uptime Checking
siteMonitor: http://uptime-kuma.writefor.fun
- Homelab Applications:
- SFTPGO:
icon: sftpgo.png
href: "http://sftpgo.writefor.fun/web/admin/folders"
description: WebDAV & SFTP server
siteMonitor: http://sftpgo.writefor.fun/
# - Kubernetes Monitoring:
# # TODO: Update this
# - Emby:
# icon: emby.png
# href: "http://emby.home/"
# description: Media server
# namespace: media # The kubernetes namespace the app resides in
# app: emby # The name of the deployed app
#
# - Element Chat:
# icon: matrix-light.png
# href: https://chat.example.com
# description: Matrix Synapse Powered Chat
# app: matrix-element
# namespace: comms
# pod-selector: >-
# app.kubernetes.io/instance in (
# matrix-element,
# matrix-media-repo,
# matrix-media-repo-postgresql,
# matrix-synapse
# )


@@ -1,82 +0,0 @@
---
# For configuration options and examples, please see:
# https://gethomepage.dev/latest/configs/settings
title: Ryan Yin's Homelab
base: http://home.writefor.fun/
favicon: https://thiscute.world/favicon.ico
# https://developer.mozilla.org/en-US/docs/Web/Manifest/start_url
# Used by some browsers to determine the start page of the web application
startUrl: http://home.writefor.fun/
language: zh
# Define shared API provider options and secrets here,
# You can then pass provider instead of apiKey in your widget configuration.
providers:
# read api keys from environment variables
openweathermap: { { HOMEPAGE_VAR_WEATHERAPI_APIKEY } }
weatherapi: { { HOMEPAGE_VAR_WEATHERAPI_APIKEY } }
background:
image: /images/rolling-girls.png
blur: sm # sm, "", md, xl... see https://tailwindcss.com/docs/backdrop-blur
saturate: 50 # 0, 50, 100... see https://tailwindcss.com/docs/backdrop-saturate
brightness: 50 # 0, 50, 75... see https://tailwindcss.com/docs/backdrop-brightness
opacity: 50 # 0-100
theme: dark # or light
# Supported colors are:
# slate, gray, zinc, neutral, stone, amber,
# yellow, lime, green, emerald, teal, cyan,
# sky, blue, indigo, violet, purple, fuchsia, pink, rose, red, white
color: indigo
# make all cards in a row the same height.
useEqualHeights: true
# Groups and its layout
# Groups Name should match the name defined in your services.yaml or widgets.yaml
layout:
Proxmox VE 虚拟化集群:
icon: si-proxmox
tab: First
Group A:
initiallyCollapsed: true # collapsed by default
tab: First
style: row
columns: 4
Second Service Group:
useEqualHeights: true # overrides global setting
tab: Second
columns: 4
Third Service Group:
tab: Third
style: row
Bookmark Group on Fourth Tab:
tab: Fourth
Service Group on every Tab:
style: row
columns: 4
# https://gethomepage.dev/latest/configs/services/#icons
# iconStyle: theme # optional, defaults to gradient
# Typing in homepage to quick search
quicklaunch:
searchDescriptions: true
hideInternetSearch: true
showSearchSuggestions: true
hideVisitURL: true
# Show docker stats
showStats: true
hideErrors: false


@@ -1,21 +0,0 @@
# TODO: add access to kubernetes cluster
# - kubernetes:
# cluster:
# show: true
# cpu: true
# memory: true
# showLabel: true
# label: "cluster"
# nodes:
# show: true
# cpu: true
# memory: true
# showLabel: true
# - resources:
# backend: resources
# expanded: true
# cpu: true
# memory: true
- search:
provider: google
target: _blank


@@ -1,25 +0,0 @@
{pkgs, ...}: let
configDir = "/var/lib/homepage-dashboard";
in {
# https://github.com/NixOS/nixpkgs/blob/nixos-unstable/nixos/modules/services/misc/homepage-dashboard.nix
services.homepage-dashboard = {
enable = true;
listenPort = 8082;
openFirewall = false;
};
systemd.services.homepage-dashboard.environment = {
HOMEPAGE_CONFIG_DIR = configDir;
# 1. The value of env var HOMEPAGE_VAR_XXX will replace {{HOMEPAGE_VAR_XXX}} in any config
# HOMEPAGE_VAR_XXX_APIKEY = "myapikey";
# 2. The value of env var HOMEPAGE_FILE_XXX must be a file path,
# the contents of which will be used to replace {{HOMEPAGE_FILE_XXX}} in any config
};
# Install the homepage-dashboard configuration files
system.activationScripts.installHomepageDashboardConfig = ''
mkdir -p configDir
${pkgs.rsync}/bin/rsync -avz --chmod=D2755,F600 ${./config}/ ${configDir}/
${pkgs.systemdMinimal}/bin/systemctl restart homepage-dashboard
'';
}


@@ -1,26 +0,0 @@
{
# Replace dashy with gethomepage, because dashy is too slow to start/reload.
# # Install the dashy configuration file instaed of symlink it
# system.activationScripts.installDashyConfig = ''
# install -Dm 600 ${./dashy_conf.yml} /etc/dashy/dashy_conf.yml
# '';
#
# # https://github.com/NixOS/nixpkgs/blob/nixos-23.11/nixos/modules/virtualisation/oci-containers.nix
# virtualisation.oci-containers.containers = {
# # check its logs via `journalctl -u podman-dashy`
# dashy = {
# hostname = "dashy";
# image = "lissy93/dashy:latest";
# ports = ["127.0.0.1:4000:80"];
# environment = {
# "NODE_ENV" = "production";
# };
# volumes = [
# "/etc/dashy/dashy_conf.yml:/app/public/conf.yml"
# ];
# autoStart = true;
# # cmd = [];
# };
# };
}


@@ -1,28 +0,0 @@
{
lib,
mylib,
...
}: {
imports = mylib.scanPaths ./.;
virtualisation = {
docker.enable = lib.mkForce false;
podman = {
enable = true;
# Create a `docker` alias for podman, to use it as a drop-in replacement
dockerCompat = true;
# Required for containers under podman-compose to be able to talk to each other.
defaultNetwork.settings.dns_enabled = true;
# Periodically prune Podman resources
autoPrune = {
enable = true;
dates = "weekly";
flags = ["--all"];
};
};
oci-containers = {
backend = "podman";
};
};
}


@@ -1,90 +0,0 @@
{
# dae(running on aquamarine) do not provides http/socks5 proxy server; so we use v2ray here.
# https=//github.com/v2fly
services.v2ray = {
enable = true;
config = {
# for monitoring
"stats" = {};
"api" = {
"tag" = "api";
"services" = [
"StatsService"
];
};
"policy" = {
"levels" = {
"0" = {
"statsUserUplink" = true;
"statsUserDownlink" = true;
};
};
"system" = {
"statsInboundUplink" = true;
"statsInboundDownlink" = true;
"statsOutboundUplink" = true;
"statsOutboundDownlink" = true;
};
};
inbounds = [
# core inbound
{
listen = "0.0.0.0";
port = 7890;
protocol = "http";
}
{
listen = "0.0.0.0";
port = 7891;
protocol = "socks";
settings = {
auth = "noauth";
udp = true;
};
}
# for monitoring
{
"tag" = "api";
"listen" = "127.0.0.1";
"port" = 54321;
"protocol" = "dokodemo-door";
"settings" = {
"address" = "127.0.0.1";
};
}
];
outbounds = [
# forward traffic directly via system's default network(to dae proxy running on aquamarine)
{
protocol = "freedom";
tag = "freedom";
}
];
# for monitoring
"routing" = {
"rules" = [
{
"inboundTag" = [
"api"
];
"outboundTag" = "api";
"type" = "field";
}
];
};
};
};
# https://github.com/NixOS/nixpkgs/blob/nixos-23.11/nixos/modules/services/monitoring/prometheus/exporters/v2ray.nix
# https://github.com/wi1dcard/v2ray-exporter
services.prometheus.exporters.v2ray = {
enable = true;
listenAddress = "0.0.0.0";
port = 9153;
openFirewall = false;
v2rayEndpoint = "127.0.0.1:54321";
};
}


@@ -1,97 +0,0 @@
{config, ...}: {
# Read SFTPGO_DEFAULT_ADMIN_USERNAME and SFTPGO_DEFAULT_ADMIN_PASSWORD from a file
systemd.services.sftpgo.serviceConfig.EnvironmentFile = config.age.secrets."sftpgo.env".path;
services.sftpgo = {
enable = true;
user = "sftpgo";
dataDir = "/var/lib/sftpgo";
extraArgs = [
"--log-level"
"info"
];
# https://github.com/drakkan/sftpgo/blob/2.5.x/docs/full-configuration.md
settings = {
common = {
# Auto-blocking policy for SFTPGo and thus helps to prevent DoS (Denial of Service) and brute force password guessing.
defender = {
enable = true;
};
};
# Where to store stfpgo's data
data_provider = {
driver = "sqlite";
name = "sftpgo.db";
password_hashing = {
algo = "argon2id";
# options for argon2id hashing algorithm.
# The memory and iterations parameters control the computational cost of hashing the password.
argon2_options = {
memory = 65536; # KiB
iterations = 2; # The number of iterations over the memory.
parallelism = 2; # The number of threads (or lanes) used by the algorithm.
};
};
password_validation = {
# What Entropy Value Should I Use?
# somewhere in the 50-70 range seems "reasonable".
# https://github.com/wagslane/go-password-validator#what-entropy-value-should-i-use
admins.min_entropy = 60;
users.min_entropy = 60;
};
# Cache passwords in memory to avoid hashing the same password multiple times(it costs).
password_caching = true;
# create the default admin user via environment variables
# SFTPGO_DEFAULT_ADMIN_USERNAME and SFTPGO_DEFAULT_ADMIN_PASSWORD
create_default_admin = true;
};
# WebDAV is a popular protocol for file sharing, better than CIFS/SMB, NFS, etc.
# it's save to use WebDAV over HTTPS on public networks.
webdavd.bindings = [
{
address = "127.0.0.1";
port = 5005;
}
];
# HTTP Server provides a simple web interface to manage the server.
httpd.bindings = [
{
address = "127.0.0.1";
enable_https = false;
port = 5010;
client_ip_proxy_header = "X-Forwarded-For";
# a basic built-in web interface that allows you to manage users,
# virtual folders, admins and connections.
# url: http://127.0.0.1:8080/web/admin
enable_web_admin = true;
# A basic front-end web interface for your users.
# It allows end-users to browse and manage their files and change their credentials.
enable_web_client = true;
enable_rest_api = true;
}
];
# prometheus metrics
telemetry = {
bind_port = 10000;
bind_address = "0.0.0.0";
# auth_user_file = "";
};
# multi-factor authentication settings
mfa.totp = [
{
# Unique configuration name, not visible to the authentication apps.
# Should not to be changed after the first user has been created.
name = "SFTPGo";
# Name of the issuing Organization/Company
issuer = "SFTPGo";
# Algorithm to use for HMAC
# Currently Google Authenticator app on iPhone seems to only support sha1
algo = "sha1";
}
];
# SMTP configuration enables SFTPGo email sending capabilities
# smtp = {};
};
};
}


@@ -1,117 +0,0 @@
{
config,
myvars,
...
}: let
dataDir = "/var/lib/transmission";
name = "transmission";
in {
# the headless Transmission BitTorrent daemon
# https://github.com/NixOS/nixpkgs/blob/nixos-23.11/nixos/modules/services/torrent/transmission.nix
# https://wiki.archlinux.org/title/transmission
services.transmission = {
enable = true;
user = name;
group = name;
home = dataDir;
downloadDirPermissions = "0770";
# Whether to enable tweaking of kernel parameters to open many more connections at the same time.
# Note that you may also want to increase peer-limit-global.
# And be aware that these settings are quite aggressive and might not suite your regular desktop use.
# For instance, SSH sessions may time out more easily.
performanceNetParameters = true;
# Path to a JSON file to be merged with the settings.
# Useful to merge a file which is better kept out of the Nix store to set secret config parameters like `rpc-password`.
credentialsFile = config.age.secrets."transmission-credentials.json".path;
# Whether to open the RPC port in the firewall.
openRPCPort = false;
openPeerPorts = true;
# https://github.com/transmission/transmission/blob/main/docs/Editing-Configuration-Files.md
settings = {
# 0 = None, 1 = Critical, 2 = Error, 3 = Warn, 4 = Info, 5 = Debug, 6 = Trace;
message-level = 3;
# Encryption may help get around some ISP filtering,
# but at the cost of slightly higher CPU use.
# 0 = Prefer unencrypted connections,
# 1 = Prefer encrypted connections,
# 2 = Require encrypted connections; default = 1)
encryption = 2;
# rpc = Web Interface
rpc-port = 9091;
rpc-bind-address = "127.0.0.1";
anti-brute-force-enabled = true;
# After this amount of failed authentication attempts is surpassed,
# the RPC server will deny any further authentication attempts until it is restarted.
# This is not tracked per IP but in total.
anti-brute-force-threshold = 20;
rpc-authentication-required = true;
# Comma-delimited list of IP addresses.
# Wildcards allowed using '*'. Example: "127.0.0.*,192.168.*.*",
rpc-whitelist-enabled = true;
rpc-whitelist = "127.0.0.*,192.168.*.*";
# Comma-delimited list of domain names.
# Wildcards allowed using '*'. Example: "*.foo.org,example.com",
rpc-host-whitelist-enabled = true;
rpc-host-whitelist = "*.writefor.fun,localhost,192.168.5.*";
rpc-user = myvars.username;
rpc-username = myvars.username;
# rpc-password = "test"; # you'd better use the credentialsFile for this.
incomplete-dir-enabled = true;
incomplete-dir = "${dataDir}/incomplete";
download-dir = "${dataDir}/downloads";
# Watch a directory for torrent files and add them to transmission.
watch-dir-enabled = false;
watch-dir = "${dataDir}/watch";
# Whether to enable Micro Transport Protocol (µTP).
utp-enabled = true;
# Executable to be run at torrent completion.
script-torrent-done-enabled = false;
# script-torrent-done-filename = "/path/to/script";
# Enable Local Peer Discovery (LPD).
lpd-enabled = true;
# The peer port to listen for incoming connections.
peer-port = 51413;
# Enable UPnP or NAT-PMP to forward a port through your firewall(NAT).
# https://github.com/transmission/transmission/blob/main/docs/Port-Forwarding-Guide.md
port-forwarding-enabled = true;
# "normal" speed limits
speed-limit-down-enabled = true;
speed-limit-down = 30000; # KB/s
speed-limit-up-enabled = true;
speed-limit-up = 500; # KB/s
upload-slots-per-torrent = 8;
# Start torrents as soon as they are added
start-added-torrents = true;
# Queuing
# When true, Transmission will only download
# download-queue-size non-stalled torrents at once.
download-queue-enabled = true;
download-queue-size = 5;
# When true, torrents that have not shared data for
# queue-stalled-minutes are treated as 'stalled'
# and are not counted against the queue-download-size
# and seed-queue-size limits.
queue-stalled-enabled = true;
queue-stalled-minutes = 60;
# When true. Transmission will only seed seed-queue-size
# non-stalled torrents at once.
seed-queue-enabled = true;
seed-queue-size = 10;
};
};
}


@@ -1,12 +0,0 @@
{
# https://github.com/NixOS/nixpkgs/blob/nixos-23.11/nixos/modules/services/monitoring/uptime-kuma.nix
services.uptime-kuma = {
enable = true;
# https://github.com/louislam/uptime-kuma/wiki/Environment-Variables
settings = {
"UPTIME_KUMA_HOST" = "127.0.0.1";
"UPTIME_KUMA_PORT" = "3001";
"DATA_DIR" = "/var/lib/uptime-kuma/";
};
};
}