diff --git a/hosts/franz/arion/dashboard/arion-compose.nix b/hosts/franz/arion/dashboard/arion-compose.nix
index afaa54d..d3a3ea9 100644
--- a/hosts/franz/arion/dashboard/arion-compose.nix
+++ b/hosts/franz/arion/dashboard/arion-compose.nix
@@ -18,8 +18,8 @@
 "traefik.http.routers.homarr.tls.certresolver" = "letsencrypt";
 };
 volumes = [
- "/home/ghoscht/.docker/dashboard/homarr_data:/app/data/configs"
- "/home/ghoscht/.docker/dashboard/homarr_icons:/app/public/imgs"
+ "/drives/hdd/docker/dashboard/homarr_data:/app/data/configs"
+ "/drives/hdd/docker/dashboard/homarr_icons:/app/public/imgs"
 ];
 restart = "always";
 networks = [
diff --git a/hosts/franz/arion/default.nix b/hosts/franz/arion/default.nix
index eb96bb1..402e61b 100644
--- a/hosts/franz/arion/default.nix
+++ b/hosts/franz/arion/default.nix
@@ -16,6 +16,8 @@
 ./media
 ./dashboard
 ./smarthome
+ ./signal
+ ./feed
 ];
 
 environment.systemPackages = with pkgs; [arion];
diff --git a/hosts/franz/arion/dns/arion-compose.nix b/hosts/franz/arion/dns/arion-compose.nix
index 5c60f48..0c7b0c6 100644
--- a/hosts/franz/arion/dns/arion-compose.nix
+++ b/hosts/franz/arion/dns/arion-compose.nix
@@ -22,6 +22,7 @@
 pihole.service = {
 image = "pihole/pihole:latest";
 container_name = "pihole";
+ hostname = "pihole";
 environment = {
 IPv6 = "True";
 TZ = "Europe/Berlin";
@@ -29,8 +30,8 @@
 VIRTUAL_HOST = "pihole.ghoscht.com";
 };
 volumes = [
- "/home/ghoscht/.docker/dns/pihole_data:/etc/pihole"
- "/home/ghoscht/.docker/dns/pihole_dnsmasq:/etc/dnsmasq.d"
+ "/drives/hdd/docker/dns/pihole_data:/etc/pihole"
+ "/drives/hdd/docker/dns/pihole_dnsmasq:/etc/dnsmasq.d"
 ];
 labels = {
 "traefik.enable" = "true";
@@ -65,7 +66,7 @@
 container_name = "unbound";
 useHostStore = true;
 volumes = [
- "/home/ghoscht/.docker/dns/unbound_data:/opt/unbound/etc/unbound"
+ "/drives/hdd/docker/dns/unbound_data:/opt/unbound/etc/unbound"
 ];
 restart = "always";
 networks = {
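Review bot: The homarr bind mounts move from `/home/ghoscht/.docker/dashboard/...` to `/drives/hdd/docker/dashboard/...`, but nothing in this commit moves the data; with the short volume syntax Docker creates a missing host directory empty, so an unmigrated path makes homarr come up with a blank configuration instead of failing. The same applies to every relocated volume in the dns, feed, git, media, nas, nextcloud, passwords and smarthome hunks. Confirm the copy happened before the rebuild and leave a pointer for the next reader, e.g. `# data dirs live on /drives/hdd (fileSystems."/drives/hdd" in hosts/franz/default.nix); migrated from ~/.docker`.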
diff --git a/hosts/franz/arion/feed/arion-compose.nix b/hosts/franz/arion/feed/arion-compose.nix
index d9417a9..99c69a1 100644
--- a/hosts/franz/arion/feed/arion-compose.nix
+++ b/hosts/franz/arion/feed/arion-compose.nix
@@ -18,27 +18,29 @@
 environment = {
 PUID = 1000;
 PGID = 1000;
- DB_HOST = "db";
+ DB_HOST = "feed-db";
 };
 env_file = [
 "/home/ghoscht/.docker/feed/ttrss.env"
 ];
 restart = "always";
+ dns = ["1.1.1.1"];
 networks = [
 "dmz"
+ "transport"
 ];
 };
- db.service = {
+ feed-db.service = {
 image = "postgres:13-alpine";
 volumes = [
- "/home/ghoscht/.docker/feed/ttrss_db:/var/lib/postgresql/data"
+ "/drives/hdd/docker/feed/ttrss_db:/var/lib/postgresql/data"
 ];
 env_file = [
 "/home/ghoscht/.docker/feed/ttrss.env"
 ];
 restart = "always";
 networks = [
- "dmz"
+ "transport"
 ];
 };
 };
diff --git a/hosts/franz/arion/feed/default.nix b/hosts/franz/arion/feed/default.nix
index 54fbe7c..852da88 100644
--- a/hosts/franz/arion/feed/default.nix
+++ b/hosts/franz/arion/feed/default.nix
@@ -7,7 +7,7 @@ in {
 };
 };
 
- sops.secrets."ttrs/db_password" = {
+ sops.secrets."ttrss/db_password" = {
 owner = vars.user;
 };
 
diff --git a/hosts/franz/arion/git/arion-compose.nix b/hosts/franz/arion/git/arion-compose.nix
index e6e19a7..5f81e5c 100644
--- a/hosts/franz/arion/git/arion-compose.nix
+++ b/hosts/franz/arion/git/arion-compose.nix
@@ -23,17 +23,18 @@
 "traefik.http.routers.forgejo.tls.certresolver" = "letsencrypt";
 };
 volumes = [
- "/home/ghoscht/.docker/git/forgejo_data:/data"
+ "/drives/hdd/docker/git/forgejo_data:/data"
 "/etc/localtime:/etc/localtime:ro"
 ];
 ports = [
 "2222:22"
 ];
+ dns = ["1.1.1.1"];
 environment = {
 USER_UID = 1000;
 USER_GID = 1000;
 GITEA__database__DB_TYPE = "postgres";
- GITEA__database__HOST = "db:5432";
+ GITEA__database__HOST = "git-db:5432";
 };
 env_file = [
 "/home/ghoscht/.docker/git/forgejo.env"
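Review bot: `dns = ["1.1.1.1"]` on the ttrss service hardcodes a public resolver, so this container's external lookups bypass the pihole/unbound stack defined in the dns hunk and go to a third party as plain DNS; the same line is added to the git, media, nextcloud and passwords services. Container names such as the new `DB_HOST = "feed-db"` should still resolve, since on a user-defined network Docker's embedded DNS answers those and only forwards the rest to the listed server, so the change affects external names only. If the aim is to avoid depending on the pihole project being up at boot, record that next to the line, e.g. `dns = ["1.1.1.1"]; # external resolver: avoids a startup dependency on the pihole project`, and revisit it once that ordering is settled.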
@@ -44,12 +45,12 @@
 "transport"
 ];
 };
- db.service = {
+ git-db.service = {
 image = "postgres:15.3-bullseye";
 env_file = [
 "/home/ghoscht/.docker/git/forgejo-db.env"
 ];
- volumes = ["/home/ghoscht/.docker/git/forgejo_db:/var/lib/postgresql/data"];
+ volumes = ["/drives/hdd/docker/git/forgejo_db:/var/lib/postgresql/data"];
 restart = "unless-stopped";
 networks = [
 "transport"
diff --git a/hosts/franz/arion/infrastructure/arion-compose.nix b/hosts/franz/arion/infrastructure/arion-compose.nix
index 40ddba6..69bc730 100644
--- a/hosts/franz/arion/infrastructure/arion-compose.nix
+++ b/hosts/franz/arion/infrastructure/arion-compose.nix
@@ -43,18 +43,18 @@
 "dmz"
 ];
 };
- # cloudflared.service = {
- # image = "cloudflare/cloudflared:latest";
- # container_name = "cloudflared";
- # env_file = [
- # "/home/ghoscht/.docker/infrastructure/cloudflared.env"
- # ];
- # restart = "always";
- # command = "tunnel --no-autoupdate --protocol http2 run";
- # networks = [
- # "dmz"
- # ];
- # };
+ cloudflared.service = {
+ image = "cloudflare/cloudflared:latest";
+ container_name = "cloudflared";
+ env_file = [
+ "/home/ghoscht/.docker/infrastructure/cloudflared.env"
+ ];
+ restart = "always";
+ command = "tunnel --no-autoupdate --protocol http2 run";
+ networks = [
+ "dmz"
+ ];
+ };
 scrutiny.service = {
 image = "ghcr.io/analogj/scrutiny:master-omnibus";
 container_name = "scrutiny";
@@ -75,7 +75,10 @@
 "scrutiny_data:/opt/scrutiny/config"
 "scrutiny_db:/opt/scrutiny/influxdb"
 ];
- devices = [];
+ devices = [
+ "/dev/sda"
+ "/dev/nvme0n1"
+ ];
 networks = [
 "dmz"
 ];
diff --git a/hosts/franz/arion/media/arion-compose.nix b/hosts/franz/arion/media/arion-compose.nix
index 429e074..99ea0c1 100644
--- a/hosts/franz/arion/media/arion-compose.nix
+++ b/hosts/franz/arion/media/arion-compose.nix
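Review bot: The cloudflared service leaves its comment block on the floating `cloudflare/cloudflared:latest` tag, so the component that holds the tunnel credentials from `cloudflared.env` and admits inbound traffic onto `dmz` is updated unreviewed on every pull. The other services in this file float too, but this one is the ingress point, and its routing rules are not in this repo (the `tunnel ... run` command names no config file, so they are presumably managed remotely), which means whatever they route becomes reachable from the internet on `dmz` regardless of the Traefik routers. Pin a version tag or digest and say where the rules live, e.g. `image = "cloudflare/cloudflared:<pinned version>"; # ingress rules are managed outside this repo — review them before adding services to dmz`.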
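Review bot: `devices = ["/dev/sda" "/dev/nvme0n1"]` hands the scrutiny container read/write access to two whole block devices — one of them likely the system disk, given the `nvme` initrd module in hardware-configuration.nix — while the image itself runs from the floating `master-omnibus` tag. A compromise of that container would therefore mean raw access to every filesystem on the host, not just its own volumes. If SMART polling still works with a read-only device node, restrict the mapping to `"/dev/sda:/dev/sda:r"` and `"/dev/nvme0n1:/dev/nvme0n1:r"` (confirm against the image), pin the tag, and add a why-comment such as `# raw block devices mapped for SMART polling`.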
@@ -28,16 +28,17 @@
 };
 volumes = [
 "jellyfin_cache:/cache"
- "/home/ghoscht/.docker/media/jellyfin_data:/config"
- "/home/ghoscht/.docker/media/data/tv:/tv"
- "/home/ghoscht/.docker/media/data/anime:/anime"
- "/home/ghoscht/.docker/media/data/movies:/movies"
+ "/drives/hdd/docker/media/jellyfin_data:/config"
+ "/drives/hdd/data/media/tv:/tv"
+ "/drives/hdd/data/media/anime:/anime"
+ "/drives/hdd/data/media/movies:/movies"
 ];
 environment = {
 PUID = 1000;
 PGID = 1000;
 TZ = "Europe/Berlin";
 };
+ dns = ["1.1.1.1"];
 restart = "always";
 networks = [
 "dmz"
@@ -55,8 +56,8 @@
 "traefik.http.routers.navidrome.tls.certresolver" = "letsencrypt";
 };
 volumes = [
- "/home/ghoscht/.docker/media/navidrome_data:/data"
- "/home/ghoscht/.docker/media/data/music:/music"
+ "/drives/hdd/docker/media/navidrome_data:/data"
+ "/drives/hdd/data/media/music:/music"
 ];
 environment = {
 ND_SESSIONTIMEOUT = "336h";
@@ -64,6 +65,7 @@
 env_file = [
 "/home/ghoscht/.docker/media/navidrome.env"
 ];
+ dns = ["1.1.1.1"];
 restart = "always";
 networks = [
 "dmz"
@@ -82,8 +84,8 @@
 "traefik.http.routers.transmission.tls.certresolver" = "letsencrypt";
 };
 volumes = [
- "/home/ghoscht/.docker/media/transmission_data:/config"
- "/home/ghoscht/.docker/media/data:/data"
+ "/drives/hdd/docker/media/transmission_data:/config"
+ "/drives/hdd/data/:/data"
 ];
 environment = {
 PUID = 1000;
@@ -104,6 +106,7 @@
 capabilities = {
 NET_ADMIN = true;
 };
+ dns = ["1.1.1.1"];
 restart = "always";
 networks = [
 "dmz"
@@ -122,7 +125,7 @@
 "traefik.http.routers.prowlarr.tls.certresolver" = "letsencrypt";
 };
 volumes = [
- "/home/ghoscht/.docker/media/prowlarr_data:/config"
+ "/drives/hdd/docker/media/prowlarr_data:/config"
 ];
 environment = {
 PUID = 1000;
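Review bot: In the transmission hunk the new data mount is spelled `"/drives/hdd/data/:/data"` with a trailing slash, while every other path in this file (`/drives/hdd/data/media/tv`, `/drives/hdd/docker/media/...`) is written without one; Docker accepts both, but the stray slash reads like a find-and-replace artifact. The same spelling recurs in the sonarr, radarr, lidarr, bazarr and unpackerr hunks. Drop it so the path matches the rest of the file: `"/drives/hdd/data:/data"`.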
@@ -148,8 +151,8 @@
 "traefik.http.routers.sonarr.tls.certresolver" = "letsencrypt";
 };
 volumes = [
- "/home/ghoscht/.docker/media/sonarr_data:/config"
- "/home/ghoscht/.docker/media/data:/data"
+ "/drives/hdd/docker/media/sonarr_data:/config"
+ "/drives/hdd/data/:/data"
 ];
 environment = {
 PUID = 1000;
@@ -176,8 +179,8 @@
 "traefik.http.routers.radarr.tls.certresolver" = "letsencrypt";
 };
 volumes = [
- "/home/ghoscht/.docker/media/radarr_data:/config"
- "/home/ghoscht/.docker/media/data:/data"
+ "/drives/hdd/docker/media/radarr_data:/config"
+ "/drives/hdd/data/:/data"
 ];
 environment = {
 PUID = 1000;
@@ -205,10 +208,10 @@
 "traefik.http.routers.lidarr.tls.certresolver" = "letsencrypt";
 };
 volumes = [
- "/home/ghoscht/.docker/media/lidarr_data:/config"
- "/home/ghoscht/.docker/media/data:/data"
- "/home/ghoscht/.docker/media/lidarr_addons/custom-services.d:/custom-services.d"
- "/home/ghoscht/.docker/media/lidarr_addons/custom-cont-init.d:/custom-cont-init.d"
+ "/drives/hdd/docker/media/lidarr_data:/config"
+ "/drives/hdd/data/:/data"
+ "/drives/hdd/docker/media/lidarr_addons/custom-services.d:/custom-services.d"
+ "/drives/hdd/docker/media/lidarr_addons/custom-cont-init.d:/custom-cont-init.d"
 ];
 environment = {
 PUID = 1000;
@@ -235,9 +238,10 @@
 "traefik.http.routers.bazarr.tls.certresolver" = "letsencrypt";
 };
 volumes = [
- "/home/ghoscht/.docker/media/bazarr_data:/config"
- "/home/ghoscht/.docker/media/data:/data"
+ "/drives/hdd/docker/media/bazarr_data:/config"
+ "/drives/hdd/data/:/data"
 ];
+ dns = ["1.1.1.1"];
 environment = {
 PUID = 1000;
 PGID = 1000;
@@ -259,13 +263,14 @@
 "traefik.http.routers.jellyseerr.tls.certresolver" = "letsencrypt";
 };
 volumes = [
- "/home/ghoscht/.docker/media/jellyseerr_data:/app/config"
+ "/drives/hdd/docker/media/jellyseerr_data:/app/config"
 ];
 environment = {
 PUID = 1000;
 PGID = 1000;
 TZ = "Europe/Berlin";
 };
+ dns = ["1.1.1.1"];
 networks = ["dmz"];
 restart = "always";
 };
@@ -282,7 +287,7 @@
 "traefik.http.routers.autobrr.tls.certresolver" = "letsencrypt";
 };
 volumes = [
- "/home/ghoscht/.docker/media/jellyseerr_data:/app/config"
+ "/drives/hdd/docker/media/autobrr_data:/config"
 ];
 environment = {
 PUID = 1000;
@@ -311,7 +316,7 @@
 "traefik.http.routers.deemix.tls.certresolver" = "letsencrypt";
 };
 volumes = [
- "/home/ghoscht/.docker/media/jellyseerr_data:/app/config"
+ "/drives/hdd/data/deemix:/downloads"
 ];
 environment = {
 PUID = 1000;
@@ -329,7 +334,7 @@
 image = "golift/unpackerr";
 container_name = "unpackerr";
 volumes = [
- "/home/ghoscht/.docker/media/data:/data"
+ "/drives/hdd/data/:/data"
 ];
 user = "1000:1000";
 env_file = [
diff --git a/hosts/franz/arion/nas/arion-compose.nix b/hosts/franz/arion/nas/arion-compose.nix
index 1461d58..fbcf64b 100644
--- a/hosts/franz/arion/nas/arion-compose.nix
+++ b/hosts/franz/arion/nas/arion-compose.nix
@@ -23,7 +23,7 @@
 };
 command = "-s 'public;/mount;yes;no;yes' -p";
 volumes = [
- "/home/ghoscht:/mount"
+ "/drives/hdd/nas:/mount"
 ];
 restart = "always";
 networks = [
diff --git a/hosts/franz/arion/nextcloud/arion-compose.nix b/hosts/franz/arion/nextcloud/arion-compose.nix
index 64a4daa..e713594 100644
--- a/hosts/franz/arion/nextcloud/arion-compose.nix
+++ b/hosts/franz/arion/nextcloud/arion-compose.nix
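Review bot: The deemix service's only remaining bind mount is `"/drives/hdd/data/deemix:/downloads"`; the removed line, which mounted jellyseerr's directory at `/app/config`, was clearly a copy-paste error, but its replacement drops any config mount at all. If this image keeps its settings under `/config` like the other linuxserver-style services in this file (each of which mounts `<name>_data:/config`, as the autobrr hunk just above now does), deemix's configuration lives in the container's writable layer and is lost on recreate — confirm, and if so add `"/drives/hdd/docker/media/deemix_data:/config"`. The enclosing service definition starts and ends outside the hunk.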
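Review bot: The nas mount narrows from the whole `/home/ghoscht` tree to `/drives/hdd/nas`, a clear improvement, but the share definition in `command = "-s 'public;/mount;yes;no;yes' -p"` is left undocumented; if that is the dperson/samba field order (name;path;browseable;readonly;guest;...), the share stays guest-accessible and writable. Spell the fields out so the exposure is visible at a glance, e.g. `# -s name;path;browseable;readonly;guest — browseable, writable guest share of /drives/hdd/nas`, and confirm guest write access is still intended now that the tree sits next to the service data directories on the same disk.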
@@ -22,24 +22,22 @@
 "traefik.http.routers.nextcloud.tls.certresolver" = "letsencrypt";
 };
 volumes = [
- "/home/ghoscht/.docker/nextcloud/nextcloud_data:/var/www/html"
- ];
- environment = {MYSQL_HOST = "nextcloud-db";};
- env_file = [
- "/home/ghoscht/.docker/nextcloud/nextcloud.env"
+ "/drives/hdd/docker/nextcloud/nextcloud_data:/var/www/html"
 ];
+ hostname = "nextcloud.ghoscht.com";
+ dns = ["1.1.1.1"];
 restart = "unless-stopped";
 networks = [
 "dmz"
 "transport"
 ];
 };
- db.service = {
- image = "mariadb:10.5";
+ nextcloud-db.service = {
+ image = "mariadb:11.4.1-rc-jammy";
 env_file = [
 "/home/ghoscht/.docker/nextcloud/nextcloud.env"
 ];
- volumes = ["/home/ghoscht/.docker/nextcloud/nextcloud_db:/var/lib/mysql"];
+ volumes = ["/drives/hdd/docker/nextcloud/nextcloud_db:/var/lib/mysql"];
 restart = "unless-stopped";
 command = "--transaction-isolation=READ-COMMITTED --binlog-format=ROW";
 networks = [
diff --git a/hosts/franz/arion/passwords/arion-compose.nix b/hosts/franz/arion/passwords/arion-compose.nix
index 2d6515e..e48a3c8 100644
--- a/hosts/franz/arion/passwords/arion-compose.nix
+++ b/hosts/franz/arion/passwords/arion-compose.nix
@@ -17,8 +17,9 @@
 "traefik.http.routers.vaultwarden.tls" = "true";
 "traefik.http.routers.vaultwarden.tls.certresolver" = "letsencrypt";
 };
+ dns = ["1.1.1.1"];
 volumes = [
- "/home/ghoscht/.docker/infrastructure/vaultwarden_data/:/data"
+ "/drives/hdd/docker/passwords/vaultwarden_data/:/data"
 ];
 environment = {
 DOMAIN = "http://vaultwarden.ghoscht.com";
diff --git a/hosts/franz/arion/signal/arion-compose.nix b/hosts/franz/arion/signal/arion-compose.nix
index 61d5b5e..8643552 100644
--- a/hosts/franz/arion/signal/arion-compose.nix
+++ b/hosts/franz/arion/signal/arion-compose.nix
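Review bot: The nextcloud app service loses both `environment = {MYSQL_HOST = "nextcloud-db";}` and its `env_file`, so the container no longer receives the database host or the credentials from `nextcloud.env`; only `nextcloud-db` keeps them. That works only if the connection is already persisted in the app's own config under the `nextcloud_data` bind mount, which this same commit relocates, so a fresh or unmigrated data directory would come up at the installer with nothing pre-seeded — confirm this is deliberate and record it, e.g. `# DB host/credentials are persisted in config.php; env vars only matter for the first run`. Separately, `mariadb:11.4.1-rc-jammy` pins a release-candidate build for the production database and jumps from 10.5, so the existing `/var/lib/mysql` needs an upgrade step (the official image only runs one when `MARIADB_AUTO_UPGRADE` is set); prefer a GA tag and decide how the upgrade is performed.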
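Review bot: The vaultwarden data path changes its middle component as well as its root, from `infrastructure/vaultwarden_data/` to `passwords/vaultwarden_data/`, so unlike the other relocations in this commit a tree copied under the old layout would not be found and vaultwarden would start with an empty database — and, unless signups are disabled in its env configuration, accept fresh registrations; confirm the directory was renamed on disk. Also, `DOMAIN = "http://vaultwarden.ghoscht.com"` sits behind a Traefik router with `tls = "true"`, and vaultwarden uses DOMAIN for the links it generates and as its WebAuthn origin, so it should read `DOMAIN = "https://vaultwarden.ghoscht.com";` to match the TLS front end.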
@@ -24,13 +24,10 @@
 "traefik.http.routers.mollysocket.tls" = "true";
 "traefik.http.routers.mollysocket.tls.certresolver" = "letsencrypt";
 };
- volumes = [
- "/home/ghoscht/.docker/signal/mollysocket_data:/data"
- ];
 environment = {
 MOLLY_DB = "/data/mollysocket.db";
- MOLLY_ALLOWED_ENDPOINTS = "['https://push.ghoscht.com','*]";
- MOLLY_ALLOWED_UUIDS = "['*']";
+ MOLLY_ALLOWED_ENDPOINTS = "[\"https://push.ghoscht.com\",\"*\"]";
+ MOLLY_ALLOWED_UUIDS = "[\"*\"]";
 MOLLY_HOST = "0.0.0.0";
 MOLLY_PORT = 8020;
 RUST_LOG = "info";
diff --git a/hosts/franz/arion/signal/default.nix b/hosts/franz/arion/signal/default.nix
index 504aadf..4aa25da 100644
--- a/hosts/franz/arion/signal/default.nix
+++ b/hosts/franz/arion/signal/default.nix
@@ -1,6 +1,6 @@
 {config, ...}: {
 virtualisation.arion = {
- projects.infrastructure.settings = {
+ projects.signal.settings = {
 imports = [./arion-compose.nix];
 };
 };
diff --git a/hosts/franz/arion/smarthome/arion-compose.nix b/hosts/franz/arion/smarthome/arion-compose.nix
index c98ad5c..0f87816 100644
--- a/hosts/franz/arion/smarthome/arion-compose.nix
+++ b/hosts/franz/arion/smarthome/arion-compose.nix
@@ -20,7 +20,7 @@
 "traefik.http.services.homeassistant.loadbalancer.server.port" = "8123";
 };
 volumes = [
- "/home/ghoscht/.docker/smarthome/homeassistant_data:/config"
+ "/drives/hdd/docker/smarthome/homeassistant_data:/config"
 "/etc/localtime:/etc/localtime:ro"
 "/run/dbus:/run/dbus:ro"
 ];
diff --git a/hosts/franz/default.nix b/hosts/franz/default.nix
index 5a6c7e0..3c8db81 100644
--- a/hosts/franz/default.nix
+++ b/hosts/franz/default.nix
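Review bot: The `volumes` entry that mounted `mollysocket_data` at `/data` is removed while `MOLLY_DB = "/data/mollysocket.db"` stays, so the database now lives in the container's writable layer and every registered connection is lost whenever the container is recreated (image update, config change). Restore the mount on the new disk, `"/drives/hdd/docker/signal/mollysocket_data:/data"`, unless the loss is intended. The quoting fix for `MOLLY_ALLOWED_ENDPOINTS` is correct, but the list still carries `"*"` next to the push endpoint; if that is honored as a wildcard, the allowlist no longer restricts which endpoints this server will relay to, so either drop it or add a comment explaining why any endpoint is accepted.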
@@ -26,11 +26,21 @@ in {
 ];
 
 users.mutableUsers = true;
- users.users.${vars.user}.password = "changeme";
+ users.users.${vars.user} = {
+ password = "changeme";
+ openssh.authorizedKeys.keys = [
+ #Desktop
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJd6Gut34abkwlZ4tZVBO4Qt7CkIpPm/Z8R6JCisjnYy openpgp:0xBD0CFCA0"
 
- nix.extraOptions = ''
- download-speed = 4000
- '';
+ #Convertible
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFlRsnLqm6Ap3yKEEhtFiWavo72df/X5Il1ZCmENUqev openpgp:0xDE189CA5"
+ ];
+ };
+ security.pam.enableSSHAgentAuth = true;
+
+ fileSystems."/drives/hdd" = {
+ device = "/dev/disk/by-uuid/7d5eaff7-c17d-4fac-b7d7-7aa3c35b9a29";
+ };
 
 nixpkgs = {
 overlays = [
diff --git a/hosts/franz/hardware-configuration.nix b/hosts/franz/hardware-configuration.nix
index 34177d3..d330b51 100644
--- a/hosts/franz/hardware-configuration.nix
+++ b/hosts/franz/hardware-configuration.nix
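Review bot: The new `users.users.${vars.user}` block keeps `password = "changeme"` in cleartext; a plaintext `password` option lands in the world-readable Nix store, and with `users.mutableUsers = true` it only seeds the account on creation, so the declared value is neither secret nor necessarily what is in use. Since this commit adds two authorized SSH keys for the account and the repo already manages secrets with sops (`sops.secrets` in the feed module), move the password out of the config, e.g. `hashedPasswordFile = config.sops.secrets."<placeholder secret name>".path;` (assuming `config` is in scope here — the function header is outside the hunk). `security.pam.enableSSHAgentAuth = true` is a deliberate choice that widens what a forwarded agent can do on this host, so give it a why-comment, e.g. `# let sudo authenticate via a forwarded ssh-agent instead of the account password`.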
@@ -1,25 +1,28 @@
 # Do not modify this file! It was generated by ‘nixos-generate-config’
 # and may be overwritten by future invocations. Please make changes
 # to /etc/nixos/configuration.nix instead.
-{ config, lib, pkgs, modulesPath, ... }:
-
 {
- imports =
- [ (modulesPath + "/installer/scan/not-detected.nix")
- ];
+ config,
+ lib,
+ pkgs,
+ modulesPath,
+ ...
+}: {
+ imports = [
+ (modulesPath + "/installer/scan/not-detected.nix")
+ ];
 
- boot.initrd.availableKernelModules = [ "xhci_pci" "thunderbolt" "nvme" "usb_storage" "sd_mod" ];
- boot.initrd.kernelModules = [ "dm-snapshot" ];
- boot.kernelModules = [ "kvm-intel" ];
- boot.extraModulePackages = [ ];
+ boot.initrd.availableKernelModules = ["nvme" "xhci_pci" "ahci" "usbhid" "sd_mod"];
+ boot.initrd.kernelModules = ["dm-snapshot"];
+ boot.kernelModules = ["kvm-amd"];
+ boot.extraModulePackages = [];
 
 # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
 # (the default) this is the recommended approach. When using systemd-networkd it's
 # still possible to use this option, but it's recommended to use it in conjunction
 # with explicit per-interface declarations with `networking.interfaces..useDHCP`.
 networking.useDHCP = lib.mkDefault true;
- # networking.interfaces.wlp166s0.useDHCP = lib.mkDefault true;
 
 nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
- hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+ hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
 }