refactoring + new services, profiles and updates

This commit is contained in:
Adrian Gunnar Lauterer 2024-04-19 14:22:06 +02:00
parent b4e97cb86e
commit c801e79f5e
22 changed files with 581 additions and 489 deletions


@ -32,8 +32,7 @@
{
nixosConfigurations = {
# aragon = nixpkgs.lib.nixosSystem {
#aragon = nixpkgs.lib.nixosSystem {
# system = "x83_64-linux";
# specialArgs = {
# inherit inputs;
@ -41,7 +40,6 @@
# modules = [
# # Overlays-module makes "pkgs.unstable" available in configuration.nix
# ({ config, pkgs, ... }: { nixpkgs.overlays = [ overlay-unstable ]; })
# ./machines/aragon/configuration.nix
# sops-nix.nixosModules.sops
# home-manager.nixosModules.home-manager {
@ -50,8 +48,7 @@
# home-manager.users."gunalx" = import ./home/home.nix;
# }
# ];
# };
#};
aragon = nixpkgs.lib.nixosSystem {
system = "x84_64-linux";
@ -67,7 +64,6 @@
};
galadriel = nixpkgs.lib.nixosSystem {
system = "x86_64-linux";
specialArgs = {
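Review bot: `system = "x84_64-linux";` on the live `aragon` entry is not a platform nixpkgs knows, so evaluating `nixosConfigurations.aragon` will fail; it should read `system = "x86_64-linux";` like `galadriel` two lines below, and the commented-out copy above it carries the same kind of typo (`x83_64-linux`). The line is context rather than new in this commit, but it is the code left under review once the commented block is renamed. The `nixosSystem` call starts and ends outside the hunk.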


@ -1,27 +0,0 @@
{pkgs, lib, ...}:
{
nixpkgs.config.allowUnfreePredicate = pkg: builtins.elem (lib.getName pkg) [
"steam"
"steam-original"
"steam-run"
];
programs.steam = {
enable = true;
remotePlay.openFirewall = true; # Open ports in the firewall for Steam Remote Play
dedicatedServer.openFirewall = true; # Open ports in the firewall for Source Dedicated Server
};
environment.systemPackages = [
pkgs.steam-run
pkgs.unstable.alvr
pkgs.openvr
pkgs.openhmd
pkgs.sidequest
pkgs.mplayer
pkgs.appimage-run
];
}


@ -10,15 +10,13 @@
#profiles
../../profiles/base.nix
../../profiles/desktop.nix
#home manager
#../../home/home.nix
#customised applications
../../home/steam.nix
../../services/podman.nix
];
@ -45,15 +43,10 @@
# Enable networking
networking.networkmanager.enable = true;
# Set your time zone.
time.timeZone = "Europe/Oslo";
# Select internationalisation properties.
i18n.defaultLocale = "en_US.UTF-8";
# Enable the X11 windowing system.
services.xserver.enable = true;
services.xserver.videoDrivers = [ "amdgou" ];
services.xserver.videoDrivers = [ "amdgpu" ];
hardware.opengl.extraPackages = with pkgs; [
rocm-opencl-icd
rocm-opencl-runtime
@ -64,52 +57,6 @@
# For 32 bit applications
hardware.opengl.driSupport32Bit = true;
# Enable the KDE Plasma Desktop Environment.
services.xserver.displayManager.sddm.enable = true;
services.xserver.desktopManager.plasma5.enable = true;
# Configure keymap in X11
services.xserver = {
layout = "no";
xkbVariant = "";
};
fonts.packages = with pkgs; [
noto-fonts
noto-fonts-cjk
noto-fonts-emoji
liberation_ttf
fira-code
fira-code-symbols
mplus-outline-fonts.githubRelease
dina-font
proggyfonts
nerdfonts
ubuntu_font_family
];
# Enable CUPS to print documents.
services.printing.enable = true;
# Enable sound with pipewire.
sound.enable = true;
hardware.pulseaudio.enable = false;
security.rtkit.enable = true;
services.pipewire = {
enable = true;
alsa.enable = true;
alsa.support32Bit = true;
pulse.enable = true;
# If you want to use JACK applications, uncomment this
jack.enable = true;
# use the example session manager (no others are packaged yet so this is enabled by default,
# no need to redefine it in your config for now)
#media-session.enable = true;
};
# Enable touchpad support (enabled default in most desktopManager).
# services.xserver.libinput.enable = true;
@ -140,27 +87,17 @@ fonts.packages = with pkgs; [
minecraft
prismlauncher
hmcl
appimage-run
#unstable.alvr
easyeffects
vscode-fhs
];
};
programs.dconf.enable = true; #needed for easyeffects for some reason
#allow electron 15 becasue of etcher
#allow electron 19 becasue of etcher
nixpkgs.config.permittedInsecurePackages = [
"electron-19.1.9"
];
# Allow unfree packages
nixpkgs.config.allowUnfree = true;
# List packages installed in system profile. To search, run:
# $ nix search wget
environment.systemPackages = with pkgs; [
@ -181,7 +118,7 @@ fonts.packages = with pkgs; [
#python310Packages.torch
python310Packages.torchvision
python310Packages.torchWithRocm
gcc
gpp
gdb
cmake
@ -192,30 +129,19 @@ fonts.packages = with pkgs; [
prusa-slicer
openscad
htop
killall
docker-compose
];
hardware.bluetooth.enable = true;
services.blueman.enable=true;
services.tailscale.enable = true;
services.openssh.enable = true ;
services.openssh.settings = {
UseDns = true;
PasswordAuthentication = true;
};
fileSystems."/mnt/nas" = {
device = "truenas:/mnt/Main";
fsType = "nfs";
options = [ "x-systemd.automount" "noauto" ];
};
# fileSystems."/mnt/nas" = {
# device = "truenas:/mnt/Main";
# fsType = "nfs";
# options = [ "x-systemd.automount" "noauto" ];
# };
# sleep wakeup rules
@ -223,11 +149,11 @@ fonts.packages = with pkgs; [
ACTION=="add", SUBSYSTEM=="pci", DRIVER=="pcieport", ATTR{power/wakeup}="disabled"
'';
#comment out to enable sleep. Uncommented over vacations
# systemd.targets.sleep.enable = false;
# systemd.targets.suspend.enable = false;
# systemd.targets.hibernate.enable = false;
# systemd.targets.hybrid-sleep.enable = false;
#comment out to enable sleep. Uncommented over vacations
# systemd.targets.sleep.enable = false;
# systemd.targets.suspend.enable = false;
# systemd.targets.hibernate.enable = false;
# systemd.targets.hybrid-sleep.enable = false;
# Some programs need SUID wrappers, can be configured further or are
@ -238,10 +164,6 @@ fonts.packages = with pkgs; [
# enableSSHSupport = true;
# };
# List services that you want to enable:
# Enable the OpenSSH daemon.
# services.openssh.enable = true;
# Open ports in the firewall.
# networking.firewall.allowedTCPPorts = [ ... ];
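Review bot: `nixpkgs.config.permittedInsecurePackages = [ "electron-19.1.9" ];` is a host-wide opt-in that silences the insecure-package check for anything on aragon that depends on that Electron, not only the etcher build the comment mentions, and the comment records neither what is being accepted nor when it can go. I would make that explicit: `# electron-19 is flagged insecure (EOL) in nixpkgs; accepted only so etcher builds. TODO: drop when etcher moves to a maintained Electron.`. The hunk also removes the `services.openssh` block that had `PasswordAuthentication = true` (good), but nothing visible in this commit re-enables sshd for aragon; if that moved to a shared profile, confirm the profile is actually imported here.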


@ -9,25 +9,18 @@
./hardware-configuration.nix
../../profiles/webhost.nix
../../profiles/base.nix
./routes.nix
];
# Use the systemd-boot EFI boot loader.
boot.loader.systemd-boot.enable = true;
boot.loader.efi.canTouchEfiVariables = true;
# Set your time zone.
time.timeZone = "Europe/Oslo";
# The global useDHCP flag is deprecated, therefore explicitly set to false here.
# Per-interface useDHCP will be mandatory in the future, so this generated config
# replicates the default behaviour.
networking.useDHCP = false;
networking.interfaces.ens3.useDHCP = true; # lmao interface is not constant. I really only want to use dhcp att all so could remove this in favor of the old way.
networking.interfaces.ens3.useDHCP = true; # Interface is not constant. I really only want to use dhcp att all so could remove this in favor of the old way.
networking.hostName = "elrond"; # Define your hostname.
boot.kernel.sysctl = {
@ -35,14 +28,6 @@
"net.ipv6.conf.all.forwarding" = true;
};
# Select internationalisation properties.
i18n.defaultLocale = "en_US.UTF-8";
console = {
font = "Lat2-Terminus16";
keyMap = "no";
};
# List packages installed in system profile. To search, run:
# $ nix search wget
@ -61,9 +46,6 @@
};
#add proxyserver to acme
#users.users.kanidm.extraGroups = [ "acme" ];
#sequrity managment through kanidm
# systemd.services.kanidm = let
# certName = config.services.nginx.virtualHosts.${config.services.kanidm.serverSettings.domain}.useACMEHost;
@ -133,31 +115,14 @@
# };
# };
#tailscale
services.tailscale.enable = true;
users.users."root".openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHTExYoT3+flrd2wPYiT7sFFDmAUqi2YAz0ldQg7WMop"
];
users.users."gunalx".openssh.authorizedKeys.keys = [
users.users."gunalx".openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHTExYoT3+flrd2wPYiT7sFFDmAUqi2YAz0ldQg7WMop"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEj+Y0RUrSaF8gUW8m2BY6i8e7/0bUWhu8u8KW+AoHDh gunalx@nixos"
];
#fail2ban moved to service file
#services.fail2ban = {
# enable = true;
# maxretry = 5;
# ignoreIP = [
# "127.0.0.0/8"
# "10.0.0.0/8"
# "100.64.0.0/8"
# "172.16.0.0/12"
# "192.168.0.0/16"
# "8.8.8.8"
# ];
# };
#firewall options
networking.firewall = {
enable = true;
@ -166,20 +131,13 @@ users.users."gunalx".openssh.authorizedKeys.keys = [
allowedUDPPorts = [
80
443
6969
#config.services.openssh.ports
config.services.tailscale.port
config.services.headscale.port
#config.services.headscale.port
];
allowedTCPPorts = config.networking.firewall.allowedUDPPorts;
};
# Copy the NixOS configuration file and link it from the resulting system
# (/run/current-system/configuration.nix). This is useful in case you
# accidentally delete configuration.nix.
# system.copySystemConfiguration = true;
# This value determines the NixOS release from which the default
# settings for stateful data, like file locations and database versions
# on your system were taken. It's perfectly fine and recommended to leave
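Review bot: `allowedTCPPorts = config.networking.firewall.allowedUDPPorts;` makes the TCP list a copy of the UDP one, so `config.services.tailscale.port` (the WireGuard UDP port) is also opened on TCP and 80/443/6969 are opened on UDP, which nothing visible here uses (no HTTP/3 is configured on the vhosts). On a public host I would keep the two lists explicit, e.g. `allowedTCPPorts = [ 80 443 ];` and `allowedUDPPorts = [ config.services.tailscale.port ];`, and record what 6969 is for or drop it now that the headscale port is commented out. The `networking.firewall` block opens inside the hunk and the file continues outside it.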


@ -0,0 +1,45 @@
{ config, pkgs, lib, ... }:
{
services.nginx = {
virtualHosts."managment.funn-nas.lauterer.it" = {
forceSSL = true;
useACMEHost = config.networking.domain;
locations."/" = {
proxyWebsockets = true;
proxyPass = "https://100.104.182.48";
};
basicAuthFile = config.sops.secrets."nginx/defaultpass".path;
};
virtualHosts."funn-nas.lauterer.it" = {
forceSSL = true;
useACMEHost = config.networking.domain;
locations."/" = {
proxyWebsockets = true;
proxyPass = "https://100.104.182.48:30044";
};
basicAuthFile = config.sops.secrets."nginx/defaultpass".path;
};
virtualHosts."home.lauterer.it" = {
forceSSL = true;
useACMEHost = config.networking.domain;
locations."/" = {
proxyWebsockets = true;
proxyPass = "http://10.0.0.32:8123";
};
# ignorerer sikkerhet for littegran for å oprettholde lettvinthet og app kompatibilitet.
#basicAuthFile = config.sops.secrets."nginx/defaultpass".path;
};
virtualHosts."jellyfin.lauterer.it" = {
forceSSL = true;
useACMEHost = config.networking.domain;
locations."/" = {
proxyWebsockets = true;
proxyPass = "http://100.84.215.84:8096";
};
#basicAuthFile = config.sops.secrets."nginx/defaultpass".path;
};
};
}
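Review bot: The `home.lauterer.it` and `jellyfin.lauterer.it` vhosts publish internal services with `basicAuthFile` commented out, so the only barrier in front of Home Assistant at `10.0.0.32:8123` and Jellyfin at `100.84.215.84:8096` is each application's own login form, with no rate limit or lockout in front of it. The Norwegian comment says this is deliberate for app compatibility; I would translate it and state the compensating control: `# Deliberately no basic auth: the HA/Jellyfin mobile apps cannot send it. Relies on app-level auth; TODO add limit_req on the login endpoints or fail2ban on the app logs.`. The two `funn-nas` vhosts proxy to `https://100.104.182.48`, and nginx does not verify upstream certificates unless `proxy_ssl_verify on` is set — acceptable across a tailnet address, but worth a comment so it is not mistaken for verified TLS. `managment` in the first vhost name also looks like a typo, though fixing it changes the public hostname.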


@ -1,9 +0,0 @@
services
jellyfin
services in need of configuration
transmission
sonarr
to be implemented
calibre


@ -1,31 +0,0 @@
{ pkgs, ... }:
{
systemd.user.services = {
dataBackup = {
path = [
pkgs.rsync
];
Unit = {
Description = "/Data backup to /Main";
After = [ "network.target" ];
};
Service = {
Type = "oneshot";
ExecStart = "rsync --archive /Data/ /Main/Data";
};
Install.WantedBy = [ "default.target" ];
};
};
systemd.user.timers = {
dataBackup = {
Unit.Description = "/Data backup schedule";
Timer = {
Unit = "dataBackup";
OnCalendar = "06:00";
};
Install.WantedBy = [ "timers.target" ];
};
};
}


@ -8,19 +8,19 @@
imports =
[ # Include the results of the hardware scan.
./hardware-configuration.nix
./vim.nix
./zfs.nix
./nvidia.nix
./openvpn.nix
./backup.nix
../../profiles/base.nix
../../profiles/sops.nix
./zfs.nix
./backup.nix
#../../profiles/ai.nix
../../services/smb.nix
../../services/torrent.nix
#../../services/stableDiffusion.nix
#../../services/freshrrs.nix
#../../services/torrent.nix
];
# Bootloader.
@ -37,20 +37,7 @@
# Enable networking
networking.networkmanager.enable = true;
# Set your time zone.
time.timeZone = "Europe/Oslo";
# Select internationalisation properties.
i18n.defaultLocale = "en_US.UTF-8";
# Configure keymap in X11
services.xserver = {
layout = "no";
xkbVariant = "";
};
# Configure console keymap
console.keyMap = "no";
# Define a user account. Don't forget to set a password with passwd.
users.users.gunalx = {
@ -74,7 +61,6 @@
tailscale
nfs-utils
cifs-utils
tailscale
jellyfin
jellyfin-web
jellyfin-mpv-shim
@ -118,12 +104,6 @@
#services.calibre-server.enable = true;
##networking
# Enable the OpenSSH daemon.
services.openssh.enable = true;
#tailscale
services.tailscale.enable = true;
# Open ports in the firewall.
networking.firewall.allowedTCPPorts = [ 22 80 8090 8096 443 433 6969 1194 445 139];
networking.firewall.allowedUDPPorts = [ 22 80 8090 8096 443 433 6969 1194 137 138];
@ -162,7 +142,6 @@
# };
# This value determines the NixOS release from which the default
# settings for stateful data, like file locations and database versions
# on your system were taken. Its perfectly fine and recommended to leave
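Review bot: This hunk drops `services.openssh.enable = true;` from galadriel, but the base profile hunk in this commit only adds `services.tailscale.enable`, and galadriel's import list does not pull in `services/ssh.nix`, so unless sshd is enabled in a part of `base.nix` outside the shown hunk the host will rebuild without an SSH daemon while `networking.firewall.allowedTCPPorts` still lists 22. Either add `../../services/ssh.nix` next to `smb.nix` and `torrent.nix` in the imports, or keep the line here with a comment naming where it now lives. In the same port lists, `433` next to `443` looks like a typo and is a needless open port; remove it. The configuration continues outside the hunk.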


@ -28,7 +28,6 @@
fsType = "ext4";
};
boot.initrd.luks.devices."luks-028e05b0-f079-41f6-b244-eb7ceda4f315".device = "/dev/disk/by-uuid/028e05b0-f079-41f6-b244-eb7ceda4f315";
swapDevices =


@ -6,7 +6,6 @@
driSupport = true;
driSupport32Bit = true;
};
nixpkgs.config.allowUnfree = true;
# Load nvidia driver for Xorg and Wayland
services.xserver.videoDrivers = ["nvidia"];
@ -15,9 +14,8 @@
hardware.nvidia = {
# Modesetting is required.
modesetting.enable = true;
# Nvidia power management. Experimental, and can cause sleep/suspend to fail.
# powerManagement.enable = true;
#powerManagement.enable = true;
# Fine-grained power management. Turns off GPU when not in use.
# Experimental and only works on modern Nvidia GPUs (Turing or newer).
#powerManagement.finegrained = true;
@ -45,7 +43,7 @@
environment.systemPackages = with pkgs; [
cudaPackages.cudnn
cudaPackages.cudatoolkit
#cudaPackages.tensorrt_8_6_0
#cudaPackages.tensorrt_8_6_0 #needs to be added manually, to the store and is a pain because of the license agreement and garbage collection
];


@ -1,25 +0,0 @@
{ pkgs, ... }:
{
programs.neovim = {
enable = true;
viAlias = true;
vimAlias = true;
defaultEditor = true;
configure = {
customRC = ''
" your custom vimrc
set nocompatible
set backspace=indent,eol,start
" Turn on syntax highlighting by default
syntax on
set autoindent
" ...
'';
packages.myplugins = with pkgs.vimPlugins; {
start = [ vim-nix vim-lastplace vim-yaml ];
opt = [];
};
};
};
}

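--- a/profiles/ai.nix
+++ b/profiles/ai.nix
@@ -0,0 +1,49 @@
+{ config, pkgs, lib, ... }:
+{
+imports =
+[
+./base.nix
+../services/podman.nix
+../services/ollama.nix
+# ../services/whisper.nix
+];
+environment.systemPackages = with pkgs.unstable; [
+# ollama
+# openai-whisper
+# openai-whisper-cpp
+# wyoming-faster-whisper
+# subtitlr
+# piper-tts
+# #piper-train #broken
+# wyoming-piper
+# python3
+# python3Packages.torchWithCuda
+# python3Packages.openai-whisper
+# python3Packages.faster-whisper
+# python3Packages.scipy
+# python3Packages.numba-scipy
+# python3Packages.scikit-image
+# python3Packages.traittypes
+# python3Packages.statsmodels
+# python3Packages.scikits-odes
+# python3Packages.sympy
+# python3Packages.numpy
+# python3Packages.pandas
+# python3Packages.matplotlib
+# python3Packages.tensorflow
+# python3Packages.tensorboard
+# python3Packages.keras
+# python3Packages.transformers
+# python3Packages.torch
+# python3Packages.torchvision-bin
+# python3Packages.torchsde
+# python3Packages.torchaudio-bin
+# python3Packages.torchWithRocm
+# python3Packages.torchWithCuda
+# python3Packages.scikit-learn-extra
+];
+}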
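Review bot: `environment.systemPackages = with pkgs.unstable; [ ... ];` is an empty list — every entry is commented out — so the profile currently only imports `base.nix`, `podman.nix` and `ollama.nix`, and a reader has to work out that the thirty commented lines are a wish-list rather than a temporarily disabled set. I would replace the block with a one-line header, `# Candidate ML packages (whisper, piper, torch, tensorflow) — none installed yet; see services/ollama.nix and services/whisper.nix for what is actually enabled.`, and keep the list in a TODO file. `# ../services/whisper.nix` is also commented out although this commit adds that module; a short reason would save the next reader a guess.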


@ -7,28 +7,45 @@ imports =
];
environment.systemPackages = with pkgs; [
vim # Do not forget to add an editor to edit configuration.nix! The Nano editor is also installed by default.
wget
git
wget
rsync
ripgrep
neofetch
htop
bottom
killall
foot.terminfo
tailscale
];
#just allow unfree, im fine with it.
nixpkgs.config.allowUnfree = true;
# Set your time zone.
time.timeZone = "Europe/Oslo";
# Select internationalisation properties.
i18n.defaultLocale = "en_US.UTF-8";
#system vide bash aliases.
# Configure console
console = {
font = "Lat2-Terminus16";
keyMap = "no";
};
#tailscale
services.tailscale.enable = true;
#system vide bash aliases. TODO: check if only one of these works so i dont need duplicates.
programs.bash.shellAliases = config.environment.shellAliases;
environment.shellAliases = {
gst="git status";
gcm="git commit -m";
gca="git commit --amend";
gsw="git switch";
gaa="git add -A";
gb="git branch";
@ -36,12 +53,10 @@ imports =
la="ls -la";
lls="ls";
};
programs.bash.shellAliases = config.environment.shellAliases;
environment.interactiveShellInit = ''
alias gst='git status'
alias gcm='git commit -m'
alias gca='git commit --amend'
alias gsw='git switch'
alias gaa='git add -A'
alias gb='git branch'
@ -50,6 +65,8 @@ imports =
alias lls='ls'
'';
#TODO: ssh hosts.
#nix stuff
nix.settings.experimental-features = [ "nix-command" "flakes" ];
nix.gc.automatic = true;
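Review bot: The TODO on `#system vide bash aliases.` can be closed: in NixOS `environment.shellAliases` already feeds `programs.bash.shellAliases` (the bash module sets it with `mkDefault`, if I read it correctly), so the explicit `programs.bash.shellAliases = config.environment.shellAliases;` and the `environment.interactiveShellInit` block that re-declares the same `alias …` lines are redundant and the three copies will drift. Keep only the `environment.shellAliases` set, delete the other two, and note why: `# environment.shellAliases is picked up by bash automatically; do not duplicate in interactiveShellInit.`. `tailscale` in `environment.systemPackages` is likewise unnecessary once `services.tailscale.enable = true;` is set, since the service module puts the CLI on the path. The block continues outside the hunk.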


@ -3,10 +3,44 @@
imports =
[
./base.nix
./sound.nix #all i would ever need in sound.
../packages/vim.nix
../home/code.nix
#../home/home-full.nix
../packages/steam.nix
];
fonts.packages = with pkgs; [
noto-fonts
noto-fonts-cjk
noto-fonts-emoji
liberation_ttf
fira-code
fira-code-symbols
mplus-outline-fonts.githubRelease
dina-font
proggyfonts
nerdfonts
ubuntu_font_family
];
# Enable CUPS to print documents.
services.printing.enable = true;
services.xserver.displayManager.sddm.enable = true;
services.xserver.desktopManager.plasma5.enable = true;
# Configure keymap in X11
services.xserver = {
layout = "no";
xkbVariant = "";
};
#TODO: add sway with home manager to get proper dotfiles. Possibly in its own sway file.
#TODO: add hyperland.
}
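Review bot: Importing `../packages/steam.nix` into the generic `desktop.nix` gives every desktop host Steam; the `home/steam.nix` this commit deletes set `remotePlay.openFirewall = true` and `dedicatedServer.openFirewall = true`, and if `packages/steam.nix` (not shown) carries those over, each desktop host will open the Remote Play and dedicated-server ports in its firewall. I would make Steam a per-machine import again, or at least state the side effect where it is imported: `# packages/steam.nix may open Remote Play / dedicated-server firewall ports on every desktop host; keep it off machines that roam on untrusted networks.`. The `./sound.nix` import also re-imports `base.nix`; harmless, since the module system deduplicates imports, but not needed here.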

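--- a/profiles/sound.nix
+++ b/profiles/sound.nix
@@ -0,0 +1,82 @@
+{ config, pkgs, lib, ... }:
+{
+imports =
+[
+./base.nix
+];
+# Enable sound with pipewire.
+sound.enable = true;
+hardware.pulseaudio.enable = false;
+security.rtkit.enable = true;
+services.pipewire = {
+enable = true;
+alsa.enable = true;
+alsa.support32Bit = true;
+pulse.enable = true;
+jack.enable = true;
+wireplumber.enable = true;
+};
+environment.systemPackages = with pkgs; [
+pavucontrol
+wireplumber
+easyeffects
+ncpamixer
+qpaeq
+#more audio stuff, but not essential
+#synths
+qsynth
+fluidsynth
+synthesia
+vital
+picoloop
+bespokesynth-with-vst2
+fmsynth
+polyphone #soundfont editor
+#vocaloids
+openutau
+#daw
+ardour
+lmms
+rosegarden
+musescore
+#playing audio
+cmus
+cmusfm
+whistle
+cozy
+lollypop
+deadbeef
+deadbeef-with-plugins
+libsForQt5.elisa
+radiotray-ng
+shortwave
+radioboat
+qradiolink
+pithos
+gnomeExtensions.internet-radio
+gqrx
+headset
+nuclear
+spotifyd
+spotifywm
+spotify-qt
+spotify-tui
+spotify-tray
+tenacity
+libsForQt5.soundkonverter
+];
+programs.dconf.enable = true; #needed for easyeffects for some reason
+}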
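Review bot: `profiles/sound.nix` bundles the PipeWire stack that `desktop.nix` needs with roughly forty optional applications — synths, DAWs, five Spotify clients, SDR tools such as `gqrx` and `qradiolink` — so any host that just wants working audio gets all of them in its system closure. I would split it into the `services.pipewire`/`rtkit`/`pavucontrol` core and a separate `audio-apps.nix`, and turn `#more audio stuff, but not essential` into a header stating that intent. `sound.enable = true;` is, as far as I recall, a legacy ALSA option that recent NixOS releases deprecate when PipeWire is in use; confirm against the pinned nixpkgs and, if it is still needed, mark it `# legacy ALSA option; remove once the pinned nixpkgs drops sound.enable`.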


@ -1,12 +1,15 @@
{ config, pkgs, lib, ... }:
{
#in all practicality equvivalent with elrond, but i migth get another puplic facing machine, so nice to have. (would need to move nginx routes to machine specific in that case)
imports =
[
./base.nix
./sops.nix
../services/acme.nix
../services/nginx.nix
../services/fail2ban.nix
#../services/authelia.nix
#../services/fail2ban.nix
];
}
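Review bot: `#../services/fail2ban.nix` is commented out here, while the elrond hunk in this commit replaces the inline `services.fail2ban` block with `#fail2ban moved to service file` — so after this commit the public-facing host has no fail2ban at all, and `services/ssh.nix` with sshguard is not imported by this profile either. Either restore the import, `../services/fail2ban.nix`, or change the elrond comment to say brute-force protection is intentionally off, so the two files stop contradicting each other. The new header comment also needs a spelling pass (`equvivalent`, `migth`, `puplic`).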

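--- a/services/acme.nix
+++ b/services/acme.nix
@@ -0,0 +1,38 @@
+{ config, pkgs, lib, ... }:
+{
+#declare secrets
+sops.secrets."acme/certs" = { };
+networking.enableIPv6 = false; #For some reason acme only works without ipv6, probably because of missing AAAA records.
+networking.domain = "lauterer.it";
+#acme and certs helpful blog https://carjorvaz.com/posts/
+security.acme = {
+acceptTerms = true;
+defaults.email = "adrian+acme@lauterer.it";
+certs."${config.networking.domain}" = {
+domain = "${config.networking.domain}";
+extraDomainNames = [
+"*.${config.networking.domain}"
+#"256.no"
+#"*.256.no"
+#"*.addictedmaker.eu"
+#"addictedmaker.eu"
+];
+## for testing.
+#server = "https://acme-staging-v02.api.letsencrypt.org/directory";
+#enableDebugLogs = true;
+#legos registrar specific stuff.
+dnsResolver = "ns1.hyp.net:53";
+dnsProvider = "domeneshop"; # from here according to provider https://go-acme.github.io/lego/dns/
+dnsPropagationCheck = true;
+#need to manually create this file according to dnsprovider secrets, and format of key according to lego in privider and add to secrets.yaml
+credentialsFile = config.sops.secrets."acme/certs".path;
+};
+};
+#add proxyserver to acme group
+users.users.nginx.extraGroups = [ "acme" ];
+users.users.root.extraGroups = [ "acme" ];
+}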
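Review bot: `networking.enableIPv6 = false;` turns IPv6 off for the whole host to work around an ACME failure, which also removes IPv6 from nginx, tailscale and sshd on this public machine; a DNS-01 issuance through `dnsProvider = "domeneshop"` should not depend on AAAA records for the site, so the comment's explanation is probably not the real cause — more likely lego's propagation check or broken IPv6 egress on the host. I would confirm with IPv6 on, using the staging `server` and `enableDebugLogs = true;` that are already present as comments, and if lego's lookups are the culprit pin `dnsResolver` to an IPv4 literal rather than disabling the stack. `users.users.root.extraGroups = [ "acme" ];` is a no-op, since root is not subject to file permissions, and can go. The wildcard `*.${config.networking.domain}` means every vhost using `useACMEHost` shares one key pair — fine on a single host, but worth a comment saying so.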


@ -1,47 +1,10 @@
{ config, pkgs, lib, ... }:
{
#declare secrets
sops.secrets."acme/certs" = { };
sops.secrets."nginx/defaultpass" = {
restartUnits = [ "nginx.service" ];
owner = "nginx";
};
networking.enableIPv6 = false; # lol for some reason acme works without ipv6
networking.domain = "lauterer.it";
#acme and certs helpful blog https://carjorvaz.com/posts/
security.acme = {
acceptTerms = true;
defaults.email = "adrian+acme@lauterer.it";
certs."${config.networking.domain}" = {
domain = "*.${config.networking.domain}";
extraDomainNames = [
"${config.networking.domain}"
#"${config.networking.domain}"
#"lauterer.it"
#"*.lauterer.it"
#"*.256.no"
];
#server = "https://acme-staging-v02.api.letsencrypt.org/directory"; #for testing.
enableDebugLogs = true;
dnsResolver = "ns1.hyp.net:53";
dnsProvider = "domeneshop"; # from here according to provider https://go-acme.github.io/lego/dns/
dnsPropagationCheck = true;
#need to manually create this file according to dnsprovider secrets, and format of key according to lego in privider and add to secrets.yaml
credentialsFile = config.sops.secrets."acme/certs".path;
};
};
#add proxyserver to acme
users.users.nginx.extraGroups = [ "acme" ];
users.users.root.extraGroups = [ "acme" ];
# services.oauth2_proxy = {
# enable = true;
# }

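--- a/services/ollama.nix
+++ b/services/ollama.nix
@@ -0,0 +1,29 @@
+{ config, pkgs, lib, ... }:
+{
+environment.systemPackages = [
+pkgs.ollama
+];
+services.ollama.enable = true;
+services.ollama.listenAddress = "0.0.0.0:11434";
+services.ollama.models = "/var/lib/ollama/models";
+services.ollama.home = "/var/lib/ollama";
+#possibly a flawed idea.
+services.ollama.acceleration = lib.mkDefault ( let
+hostname = config.networking.hostname;
+in
+if hostname == "galadriel" then "cuda"
+else if hostname == "aragorn" then "rocm"
+else null);
+services.nginx.virtualHosts."ollama.${config.networking.hostName}.${config.networking.domain}" = {
+forceSSL = true;
+#useACMEHost = config.networking.domain; #not sure if this will work, unless
+locations."/" = {
+proxyWebsockets = true;
+proxyPass = "http://${config.services.ollama.listenAddress}";
+};
+basicAuthFile = config.sops.secrets."nginx/defaultpass".path;
+};
+}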
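Review bot: `hostname = config.networking.hostname;` reads a non-existent option — the NixOS attribute is `networking.hostName`, as `ollama.${config.networking.hostName}` below correctly uses — so evaluating `services.ollama.acceleration` will fail with a missing-attribute error, and the comparison `hostname == "aragorn"` would never match the flake's `aragon` host even once that is fixed. Change the two lines to `hostname = config.networking.hostName;` and `else if hostname == "aragon" then "rocm"`. Separately, `services.ollama.listenAddress = "0.0.0.0:11434";` exposes the unauthenticated Ollama API on every interface, which defeats the `basicAuthFile` on the nginx vhost unless the firewall blocks 11434 on all non-loopback interfaces; `services.ollama.listenAddress = "127.0.0.1:11434";` keeps the proxy as the only entry point, and the `proxyPass` built from the same option then also targets loopback.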


@ -26,5 +26,5 @@
port = 22;
openFirewall = true;
};
services.sshguard.enable = true; #protection against brute force attacks like fail2ban
services.sshguard.enable = true; #protection against brute force attacks
}


@ -5,82 +5,80 @@ let
savePath = "/Main/Data/media/Downloads/";
path = "/var/lib/qbittorrent";
contentLayout = "Subfolder";
configurationFile = ''
[Application]
FileLogger\Age=1
FileLogger\AgeType=1
FileLogger\Backup=true
FileLogger\DeleteOld=true
FileLogger\Enabled=true
FileLogger\MaxSizeBytes=66560
FileLogger\Path=/Main/Data/media/.qbittorrent/logs
MemoryWorkingSetLimit=8192
[Application]
FileLogger\Age=1
FileLogger\AgeType=1
FileLogger\Backup=true
FileLogger\DeleteOld=true
FileLogger\Enabled=true
FileLogger\MaxSizeBytes=66560
FileLogger\Path=/Main/Data/media/.qbittorrent/logs
MemoryWorkingSetLimit=8192
[BitTorrent]
Session\AddExtensionToIncompleteFiles=true
Session\AlternativeGlobalDLSpeedLimit=1000
Session\AlternativeGlobalUPSpeedLimit=1000
Session\AnonymousModeEnabled=false
Session\BTProtocol=Both
Session\BandwidthSchedulerEnabled=false
Session\DefaultSavePath=/Main/Data/media/Downloads
Session\Encryption=1
Session\ExcludedFileNames=
Session\FinishedTorrentExportDirectory=/Main/Data/media/Downloads/torrents-complete
Session\GlobalDLSpeedLimit=0
Session\GlobalMaxRatio=1.5
Session\GlobalUPSpeedLimit=0
Session\I2P\Enabled=true
Session\IgnoreLimitsOnLAN=true
Session\IncludeOverheadInLimits=true
Session\Interface=tun0
Session\InterfaceAddress=${config.sops.placeholder."qbittorrent/interfaceAddress"}
Session\InterfaceName=tun0
Session\LSDEnabled=true
Session\MaxActiveCheckingTorrents=15
Session\MaxRatioAction=1
Session\Port=44183
Session\Preallocation=true
Session\QueueingSystemEnabled=false
Session\SubcategoriesEnabled=true
Session\Tags=movie, anime
Session\TempPath=/Main/Data/media/Downloads/temp
Session\TempPathEnabled=true
Session\TorrentContentLayout=${contentLayout}
Session\TorrentExportDirectory=/Main/Data/media/Downloads/torrents
Session\UseAlternativeGlobalSpeedLimit=false
[BitTorrent]
Session\AddExtensionToIncompleteFiles=true
Session\AlternativeGlobalDLSpeedLimit=1000
Session\AlternativeGlobalUPSpeedLimit=1000
Session\AnonymousModeEnabled=false
Session\BTProtocol=Both
Session\BandwidthSchedulerEnabled=false
Session\DefaultSavePath=/Main/Data/media/Downloads
Session\Encryption=1
Session\ExcludedFileNames=
Session\FinishedTorrentExportDirectory=/Main/Data/media/Downloads/torrents-complete
Session\GlobalDLSpeedLimit=0
Session\GlobalMaxRatio=1.5
Session\GlobalUPSpeedLimit=0
Session\I2P\Enabled=true
Session\IgnoreLimitsOnLAN=true
Session\IncludeOverheadInLimits=true
Session\Interface=tun0
Session\InterfaceAddress=${config.sops.placeholder."qbittorrent/interfaceAddress"}
Session\InterfaceName=tun0
Session\LSDEnabled=true
Session\MaxActiveCheckingTorrents=15
Session\MaxRatioAction=1
Session\Port=44183
Session\Preallocation=true
Session\QueueingSystemEnabled=false
Session\SubcategoriesEnabled=true
Session\Tags=movie, anime
Session\TempPath=/Main/Data/media/Downloads/temp
Session\TempPathEnabled=true
Session\TorrentContentLayout=Subfolder
Session\TorrentExportDirectory=/Main/Data/media/Downloads/torrents
Session\UseAlternativeGlobalSpeedLimit=false
[Core]
AutoDeleteAddedTorrentFile=Never
[Core]
AutoDeleteAddedTorrentFile=Never
[LegalNotice]
Accepted=true
[LegalNotice]
Accepted=true
[Meta]
MigrationVersion=6
[Meta]
MigrationVersion=6
[Network]
PortForwardingEnabled=true
[Network]
PortForwardingEnabled=true
[Preferences]
General\Locale=en
MailNotification\req_auth=true
Scheduler\days=Weekday
Scheduler\end_time=@Variant(\0\0\0\xf\x5%q\xa0)
WebUI\AuthSubnetWhitelist=192.168.1.0/24, 100.0.0.0/8
WebUI\AuthSubnetWhitelistEnabled=true
WebUI\Port=${toString port}
WebUI\UseUPnP=false
[RSS]
AutoDownloader\DownloadRepacks=true
AutoDownloader\EnableProcessing=true
AutoDownloader\SmartEpisodeFilter=s(\\d+)e(\\d+), (\\d+)x(\\d+), "(\\d{4}[.\\-]\\d{1,2}[.\\-]\\d{1,2})", "(\\d{1,2}[.\\-]\\d{1,2}[.\\-]\\d{4})"
Session\EnableProcessing=true
'';
[Preferences]
General\Locale=en
MailNotification\req_auth=true
Scheduler\days=Weekday
Scheduler\end_time=@Variant(\0\0\0\xf\x5%q\xa0)
WebUI\AuthSubnetWhitelist=192.168.1.0/24, 100.0.0.0/8
WebUI\AuthSubnetWhitelistEnabled=true
WebUI\Port=${toString port}
WebUI\UseUPnP=false
[RSS]
AutoDownloader\DownloadRepacks=true
AutoDownloader\EnableProcessing=true
AutoDownloader\SmartEpisodeFilter=s(\\d+)e(\\d+), (\\d+)x(\\d+), "(\\d{4}[.\\-]\\d{1,2}[.\\-]\\d{1,2})", "(\\d{1,2}[.\\-]\\d{1,2}[.\\-]\\d{4})"
Session\EnableProcessing=true
'';
in
{
@ -94,18 +92,17 @@ in
sops.secrets."qbittorrent/interfaceAddress" = {
restartUnits = [ "qbittorrent-nox.service" ];
owner = "qbittorrent";
mode = "0755";
};
sops.templates."qbittorrent/configuration" = {
content = configurationFile;
#path = "${path}/.config/qBittorrent/qBittorrent.conf";
#path = "${path}/.config/qBittorrent/qBittorrent.conf"; #did not seem to work
owner = "qbittorrent";
mode = "0755";
};
users.users.qbittorrent = {
isNormalUser = true; #make this a normal user to be able to make files
home = path;
@ -129,6 +126,14 @@ in
ProtectKernelModules = true;
NoNewPrivileges = true;
};
};
services.nginx.virtualHosts."qbittorrent.${config.networking.hostName}.${config.networking.domain}" = {
forceSSL = true;
#useACMEHost = config.networking.domain; #not sure if this will work, unless
locations."/" = {
proxyWebsockets = true;
proxyPass = "http://localhost:${port}";
};
basicAuthFile = config.sops.secrets."nginx/defaultpass".path;
};
}
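Review bot: In the new vhost, `proxyPass = "http://localhost:${port}";` interpolates `port` directly; the `WebUI\Port=${toString port}` line in the config template suggests `port` is an integer, and Nix refuses to coerce an integer inside a string, so this module will fail to evaluate — use `proxyPass = "http://localhost:${toString port}";`. The sops template that embeds the `qbittorrent/interfaceAddress` secret keeps `mode = "0755";`, which leaves the rendered qBittorrent.conf world-readable; this commit removes the same `mode` from the secret itself but not from the template, and a config file needs no execute bit, so `mode = "0600";` is the right value. `WebUI\AuthSubnetWhitelist=192.168.1.0/24, 100.0.0.0/8` also bypasses the WebUI login for all of 100/8, far wider than the tailscale range (100.64.0.0/10); since the vhost now adds basic auth in front, consider dropping the whitelist. The `let` block defining `port` and the service definition start outside the hunk.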

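--- a/services/whisper.nix
+++ b/services/whisper.nix
@@ -0,0 +1,67 @@
+{ config, pkgs, lib, ... }:
+{
+environment.systemPackages = [
+pkgs.wyoming-faster-whisper
+pkgs.whisper
+pkgs.openai-whisper
+pkgs.openai-whisper-cpp
+];
+services.wyoming.faster-whisper = {
+package = pkgs.wyoming-faster-whisper;
+servers = {
+fast = {
+enable = true;
+model = "tiny-int8";
+uri = "tcp://0.0.0.0:10300";
+device = "cuda";
+language = "en";
+beamSize = 1;
+};
+fast-no = {
+enable = true;
+model = "tiny-int8";
+uri = "tcp://0.0.0.0:10301";
+device = "cuda";
+language = "no";
+beamSize = 1;
+};
+fast-auto = {
+enable = true;
+model = "tiny-int8";
+uri = "tcp://0.0.0.0:10302";
+device = "cuda";
+language = "auto";
+beamSize = 1;
+};
+fast-cpu = {
+enable = true;
+model = "tiny-int8";
+uri = "tcp://0.0.0.0:10303";
+device = "cpu";
+language = "auto";
+beamSize = 1;
+};
+slow = {
+enable = true;
+model = "small";
+uri = "tcp://0.0.0.0:10304";
+device = "auto";
+language = "auto";
+beamSize = 5;
+};
+};
+};
+services.nginx.virtualHosts."whisper.${config.networking.hostName}.${config.networking.domain}" = {
+forceSSL = true;
+#useACMEHost = config.networking.domain; #not sure if this will work, unless
+locations."/" = {
+proxyWebsockets = true;
+proxyPass = "${config.services.services.wyoming.faster-whisper.servers.fast.uri}";
+};
+basicAuthFile = config.sops.secrets."nginx/defaultpass".path;
+};
+}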
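Review bot: `proxyPass = "${config.services.services.wyoming.faster-whisper.servers.fast.uri}";` has a doubled `services.` and will fail to evaluate; but even corrected to `config.services.wyoming.faster-whisper.servers.fast.uri` the value is `tcp://0.0.0.0:10300`, which nginx's `proxy_pass` does not accept, and Wyoming is a plain TCP protocol rather than HTTP, so an `http` location block cannot front it — it would need a `services.nginx.streamConfig` TCP proxy or no nginx at all. Independently, all five servers bind `tcp://0.0.0.0:1030x` and, as far as I know, Wyoming has no authentication, so anything that can reach the host can submit audio and use the GPU; bind them to `127.0.0.1` or the tailscale address and let the firewall do the rest. `pkgs.whisper` in `environment.systemPackages` does not look like a nixpkgs attribute; confirm it resolves or drop it.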