{
  libx,
  globals,
  lib,
  pkgs,
  ...
}:
# Host module: the paperless bind address and the WireGuard ips below are
# derived from globals.machines.sakhalin, so this appears to be the "sakhalin"
# host configuration (the hostname itself is not set here).
{

  imports = [
    ../common/services/containers.nix
    ../common/services/docker.nix
    ../common/desktop/binfmt.nix # TODO: move to something else than desktop
    ../common/services/prometheus-exporters-node.nix
  ];

  # TODO: make it an option? (otherwise it will be added for every host)
  # Lingering keeps vincent's user manager (and user services) running while
  # no session is open.
  users.users.vincent.linger = true;

  systemd.services.n8n.environment = {
    # NOTE(review): "false" tells n8n not to set the Secure flag on its
    # session cookie, i.e. the session is usable over plain HTTP. Together
    # with openFirewall = true below, that cookie can travel unencrypted to
    # any client that can reach the port — presumably acceptable only behind
    # TLS or the VPN; confirm.
    N8N_SECURE_COOKIE = "false";
    # Pin the unit's PATH to the system profile, overriding whatever the
    # upstream module sets.
    PATH = lib.mkForce "/run/current-system/sw/bin";
  };

  services = {
    atuin = {
      enable = true;
      # Listens on every interface; openRegistration = false blocks
      # creation of new accounts through the sync API.
      host = "0.0.0.0";
      openRegistration = false;
    };

    n8n = {
      enable = true;
      # Opens the n8n port in the host firewall (see the cookie note above).
      openFirewall = true;
      # webhookUrl = "";
    };
    paperless = {
      enable = true;
      # Bind to the first VPN address of this machine only, so paperless is
      # not reachable from the LAN side.
      address = "${builtins.head globals.machines.sakhalin.net.vpn.ips}";
    };
    # NOTE(review): these commented lines sit inside `services = { ... }`, so
    # if re-enabled here they must drop the `services.` prefix (otherwise
    # they would define services.services.postgresql).
    # services.postgresql.enable = true;
    # services.postgresql.package = pkgs.postgresql_15;
    # services.postgresql.dataDir = "/var/lib/postgresql/15";
    # services.postgresqlBackup.databases = [ "atuin" "homepage_production" "nextcloud" ];
    # services.postgresqlBackup.enable = true;
    # services.postgresqlBackup.location = "/var/backup/postgresql";
    # services.postgresqlBackup.startAt = "*-*-* 02:15:00";

    grafana = {
      enable = true;
      settings = {
        server = {
          # Listens on every interface on port 3000.
          http_addr = "0.0.0.0";
          http_port = 3000;
          # NOTE(review): spelled "graphana", not "grafana" — presumably
          # matches the DNS record; verify before relying on it for cookies
          # or redirects.
          domain = "graphana.sbr.pm";
        };
      };
    };
    prometheus = {
      enable = true;
      port = 9001;
      scrapeConfigs = [
        {
          job_name = "node";
          static_configs = [
            {
              # TODO: make this dynamic
              # Every host except aion is scraped on 9000, the port configured
              # for the local node exporter below; aion uses 9100 — presumably
              # the exporter default on that host. Confirm.
              targets = [
                "aion.sbr.pm:9100"
                "aix.sbr.pm:9000"
                "aomi.sbr.pm:9000"
                "athena.sbr.pm:9000"
                "demeter.sbr.pm:9000"
                "kerkouane.sbr.pm:9000"
                "sakhalin.sbr.pm:9000"
                "shikoku.sbr.pm:9000"
              ];
            }
          ];
        }
        {
          job_name = "bind";
          static_configs = [
            {
              targets = [
                "demeter.sbr.pm:9009"
                "athena.sbr.pm:9009"
              ];
            }
          ];
        }
        {
          job_name = "nginx";
          static_configs = [
            {
              targets = [ "kerkouane.sbr.pm:9001" ];
            }
          ];
        }
        {
          job_name = "exportarr";
          static_configs = [
            {
              # One exportarr instance per *arr service on rhea.
              targets = [
                "rhea.sbr.pm:9707" # sonarr
                "rhea.sbr.pm:9708" # radarr
                "rhea.sbr.pm:9709" # lidarr
                "rhea.sbr.pm:9710" # prowlarr
                "rhea.sbr.pm:9711" # readarr
                "rhea.sbr.pm:9712" # bazarr
              ];
            }
          ];
        }
      ];
      # Local node exporter on 9000 (the port the "node" job above expects
      # for this host), with a few extra collectors enabled.
      exporters.node = {
        enable = true;
        port = 9000;
        enabledCollectors = [
          "systemd"
          "processes"
        ];
        extraFlags = [
          "--collector.ethtool"
          "--collector.softirqs"
          "--collector.tcpstat"
        ];
      };
    };
    tarsnap = {
      enable = true;
      # Keyfiles are referenced by plain string path, so the key material is
      # not copied into the world-readable Nix store.
      archives = {
        documents = {
          directories = [ "/home/vincent/desktop/documents" ];
          period = "daily";
          keyfile = "/etc/nixos/assets/tarsnap.documents.key";
        };
        org = {
          directories = [ "/home/vincent/desktop/org" ];
          period = "daily";
          keyfile = "/etc/nixos/assets/tarsnap.org.key";
        };
      };
    };
    nfs.server = {
      enable = true;
      # Read-write exports to the LAN (192.168.1.0/24) and to 10.100.0.0/24
      # (presumably the VPN subnet). fsid=0 makes /export the NFSv4 pseudo
      # root. No root_squash or sec= option is given, so the exportfs
      # defaults apply — confirm that is intended for an rw export.
      exports = ''
        /export 192.168.1.0/24(rw,fsid=0,no_subtree_check) 10.100.0.0/24(rw,fsid=0,no_subtree_check)
        /export/gaia 192.168.1.0/24(rw,fsid=1,no_subtree_check) 10.100.0.0/24(rw,fsid=1,no_subtree_check)
        /export/toshito 192.168.1.0/24(rw,fsid=2,no_subtree_check) 10.100.0.0/24(rw,fsid=2,no_subtree_check)
      '';
    };

    wireguard = {
      enable = true;
      # Tunnel addresses come from the shared machine table via the libx
      # helper; the peer is kerkouane, whose public key is read from globals
      # (no secret material lives in this file).
      ips = libx.wg-ips globals.machines.sakhalin.net.vpn.ips;
      endpoint = "${globals.net.vpn.endpoint}";
      endpointPublicKey = "${globals.machines.kerkouane.net.vpn.pubkey}";
    };
  };
  environment.systemPackages = with pkgs; [ yt-dlp ]; # host-specific packages
  # Source -> destination pairs (local path, then user@host:path). Presumably
  # read by pkgs.vrsync below; the format is defined by that tool.
  environment.etc."vrsync".text = ''
    /home/vincent/desktop/pictures/screenshots/ vincent@synodine.home:/volumeUSB2/usbshare/pictures/screenshots/
    /home/vincent/desktop/pictures/wallpapers/ vincent@synodine.home:/volumeUSB2/usbshare/pictures/wallpapers/
    /home/vincent/desktop/documents/ vincent@synodine.home:/volume1/documents/
    /mnt/gaia/photos/ vincent@synodine.home:/volumeUSB2/usbshare/pictures/photos/
    /mnt/gaia/music/ vincent@synodine.home:/volumeUSB2/usbshare/music/
  '';
  # Hourly push of the directories listed above to the NAS.
  # NOTE(review): no User= is set, so this unit runs as root even though the
  # remote side is reached as vincent@synodine.home — presumably needed to
  # read /mnt/gaia; confirm.
  systemd.services.vrsync = {
    description = "vrsync - sync folders to NAS";
    requires = [ "network-online.target" ];
    after = [ "network-online.target" ];

    # Keep the unit alive across rebuilds instead of stopping/restarting it
    # mid-sync.
    unitConfig.X-StopOnRemoval = false;
    restartIfChanged = false;

    path = with pkgs; [
      rsync
      coreutils
      bash
      openssh
    ];
    script = ''
      ${pkgs.vrsync}/bin/vrsync
    '';

    startAt = "hourly";
    serviceConfig = {
      Type = "oneshot";
      # Failures are reported by the status-email-root@ template unit.
      OnFailure = "status-email-root@%n.service";
    };
  };
  # mr -i u daily
  # Daily refresh of the config repositories under /mnt/gaia/src/configs,
  # running as vincent. `git reset --hard` discards any uncommitted local
  # change in each repo before `mr -t u` pulls; `set -e` stops at the first
  # failing command.
  systemd.services.mr = {
    description = "Update configs daily";
    requires = [ "network-online.target" ];
    after = [ "network-online.target" ];

    restartIfChanged = false;
    unitConfig.X-StopOnRemoval = false;

    serviceConfig = {
      Type = "oneshot";
      User = "vincent";
      OnFailure = "status-email-root@%n.service";
    };

    path = with pkgs; [
      git
      mr
    ];
    script = ''
      set -e
      cd /mnt/gaia/src/configs/
      mr -t run git reset --hard
      mr -t u
    '';

    startAt = "daily";
  };
  # Kiwix serve
  # Serves every .zim under /mnt/gaia/kiwix on port 8080 as vincent. The
  # command is wrapped in `bash -c` only so the shell expands the *.zim glob
  # (ExecStart itself does not glob). No listen address is given, so
  # kiwix-serve presumably binds all interfaces; no systemd hardening
  # directives (ProtectSystem, PrivateTmp, …) are set on this unit.
  systemd.services.kiwix-serve = {
    description = "Kiwix offline content server";
    wantedBy = [ "multi-user.target" ];
    after = [ "network.target" ];

    serviceConfig = {
      Type = "simple";
      User = "vincent";
      ExecStart = "${pkgs.bash}/bin/bash -c '${pkgs.kiwix-tools}/bin/kiwix-serve --port=8080 /mnt/gaia/kiwix/*.zim'";
      Restart = "on-failure";
      RestartSec = "5s";
    };
  };
}