Blunkall-Technologies/Olympus
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

probably broken

Browse Source
This commit is contained in:
Nathan
2025-12-31 12:24:43 -06:00
parent 0c1f0a4639
commit d8058560b1
158 changed files with 1198 additions and 423 deletions
Download Patch File Download Diff File Expand all files Collapse all files

75
system/services/containers/authentik/default.nix Normal file
View File

@@ -0,0 +1,75 @@
{ config, lib, inputs, ... }: {
options.sysconfig.virtualization.authentik.enable = lib.options.mkOption {
type = lib.types.bool;
default = false;
};
imports = [
inputs.sops-nix.nixosModules.sops
];
config = lib.mkIf config.sysconfig.virtualization.authentik.enable {
sops.secrets."authentik/dbpass" = {};
networking = {
nat.internalInterfaces = [ "ve-authentik" ];
};
containers.authentik = {
autoStart = true;
privateNetwork = true;
hostAddress = "192.168.100.10";
localAddress = "192.168.100.35";
extraFlags = [
"--load-credential=dbpass:${config.sops.secrets."authentik/dbpass".path}"
];
bindMounts = {
"/etc/authentik" = {
hostPath = "/ssd1/Authentik";
isReadOnly = false;
};
};
config = {
networking.firewall.allowedTCPPorts = [ 9001 ];
systemd.services.secrets_setup = {
wantedBy = [ "authentik.service" ];
serviceConfig = {
LoadCredential = [
"dbpass"
];
};
script = ''
cat ''${CREDENTIALS_DIRECTORY}/dbpass > /etc/authentik/dbpass
chown postgres:postgres /etc/authentik/dbpass
'';
};
services.authentik = {
enable = true;
environmentFile = "/etc/authentik/authentik.env";
settings = {
disable_startup_analytics = true;
avatars = "initials";
};
worker.listenHTTP = "0.0.0.0:9001";
};
system.stateVersion = "25.05";
};
};
};
}

41
system/services/containers/code-server/default.nix Normal file
View File

@@ -0,0 +1,41 @@
{ config, lib, ... }: {
options.sysconfig.virtualization.code-server.enable = lib.options.mkOption {
type = lib.types.bool;
default = false;
};
config = lib.mkIf config.sysconfig.virtualization.code-server.enable {
containers.code-server = {
autoStart = true;
privateNetwork = true;
hostAddress = "192.168.100.10";
localAddress = "192.168.100.31";
config = {
services.code-server = {
enable = true;
#hashedPassword = "1$WFYzcW1TNmpYM1ZKU3lielNCaXAyRkF2K3FjPQ$bSeeV4bvL2uiDYKiQjBLJPAO13/gNjYVgw8YKFtTQDI";
disableUpdateCheck = true;
disableTelemetry = true;
disableGettingStartedOverride = true;
auth = "none";
host = "0.0.0.0";
};
networking.firewall.allowedTCPPorts = [ 4444 ];
system.stateVersion = "25.05";
};
};
};
}

25
system/services/containers/default.nix Normal file
View File

@@ -0,0 +1,25 @@
{ ... }: {
imports = [
./gitlab
./gitea
./traefik
./nginx
./jellyfin
./pihole
./nextcloud
./ntfy
./homeassistant
./rustdesk
./netbird
./keycloak
./ollama
./openwebui
./n8n
./wyoming
./code-server
./novnc
./minecraft
./sandbox
];
}

121
system/services/containers/gitea/default.nix Normal file
View File

@@ -0,0 +1,121 @@
{ config, lib, pkgs, ... }: {
options.sysconfig.virtualization.gitea.enable = lib.options.mkOption {
type = lib.types.bool;
default = false;
};
config = lib.mkIf config.sysconfig.virtualization.gitea.enable {
networking = {
hosts."192.168.100.20" = [ "gitea.esotericbytes.com" ];
nat.internalInterfaces = [ "ve-gitea" ];
};
sops.secrets = {
"gitea/dbpass" = {};
};
services.openssh.ports = [
2222
];
networking.firewall.allowedTCPPorts = [
22
];
containers.gitea = {
autoStart = true;
privateNetwork = true;
hostAddress = "192.168.100.10";
localAddress = "192.168.100.20";
forwardPorts = [
{
containerPort = 22;
hostPort = 22;
}
];
bindMounts = {
"/etc/gitea/data" = {
hostPath = "/ssd1/Gitea/data";
isReadOnly = false;
};
};
extraFlags = [
"--load-credential=dbpass:${config.sops.secrets."gitea/dbpass".path}"
];
config = {
systemd.services.secrets_setup = {
wantedBy = [ "gitea.service" ];
serviceConfig = {
LoadCredential = [
"dbpass"
];
};
script = ''
cat ''${CREDENTIALS_DIRECTORY}/dbpass > /etc/gitea/dbpass
chown gitea:gitea /etc/gitea/*
'';
};
services.gitea = {
enable = true;
stateDir = "/etc/gitea/data";
dump.enable = false;
appName = "Gitea";
settings = {
server = {
DOMAIN = "gitea.esotericbytes.com";
HTTP_PORT = 3000;
ROOT_URL = "https://gitea.esotericbytes.com/";
};
service = {
DISABLE_REGISTRATION = false;
ALLOW_ONLY_EXTERNAL_REGISTRATION = true;
REQUIRE_SIGNIN_VIEW = false;
};
oauth2_client = {
ENABLE_AUTO_REGISTRATION = true;
};
session.COOKIE_SECURE = true;
cron = {
ENABLED = true;
RUN_AT_START = true;
};
};
database = {
passwordFile = "/etc/gitea/dbpass";
type = "postgres";
};
};
services.openssh = {
enable = true;
settings = {
PermitRootLogin = lib.mkForce "no";
PasswordAuthentication = false;
KbdInteractiveAuthentication = false;
};
};
networking.firewall.allowedTCPPorts = [ 22 3000 ];
system.stateVersion = "24.11";
};
};
};
}

172
system/services/containers/gitlab/default.nix Normal file
View File

@@ -0,0 +1,172 @@
{ config, lib, pkgs, ... }: {
options.sysconfig.virtualization.gitlab.enable = lib.options.mkOption {
type = lib.types.bool;
default = false;
};
config = lib.mkIf config.sysconfig.virtualization.gitlab.enable {
sops.secrets = {
"gitlab/db_pass" = {};
"gitlab/root_pass" = {};
"gitlab/secrets/secret" = {};
"gitlab/secrets/otp" = {};
"gitlab/secrets/db" = {};
"gitlab/secrets/jws" = {};
"gitlab/oidc/id" = {};
"gitlab/oidc/secret" = {};
};
services.openssh.ports = [
2222
];
networking.firewall.allowedTCPPorts = [
22
2222
];
containers.gitlab = {
autoStart = true;
privateNetwork = true;
hostAddress = "192.168.100.10";
localAddress = "192.168.100.16";
forwardPorts = [
{
containerPort = 22;
hostPort = 22;
}
];
bindMounts = {
"/etc/gitlab/data" = {
hostPath = "/ssd1/Gitlab/data";
isReadOnly = false;
};
};
extraFlags = [
"--load-credential=dbpass:${config.sops.secrets."gitlab/db_pass".path}"
"--load-credential=rootpass:${config.sops.secrets."gitlab/root_pass".path}"
"--load-credential=secret:${config.sops.secrets."gitlab/secrets/secret".path}"
"--load-credential=otp:${config.sops.secrets."gitlab/secrets/otp".path}"
"--load-credential=db:${config.sops.secrets."gitlab/secrets/db".path}"
"--load-credential=jws:${config.sops.secrets."gitlab/secrets/jws".path}"
"--load-credential=oidc_id:${config.sops.secrets."gitlab/oidc/id".path}"
"--load-credential=oidc_secret:${config.sops.secrets."gitlab/oidc/secret".path}"
];
config = {
systemd.services.secrets_setup = {
wantedBy = [ "gitlab.service" ];
serviceConfig = {
LoadCredential = [
"dbpass"
"rootpass"
"secret"
"db"
"otp"
"jws"
"oidc_id"
"oidc_secret"
];
};
script = ''
cat ''${CREDENTIALS_DIRECTORY}/dbpass > /etc/gitlab/dbpass
cat ''${CREDENTIALS_DIRECTORY}/rootpass > /etc/gitlab/rootpass
cat ''${CREDENTIALS_DIRECTORY}/secret > /etc/gitlab/secret
cat ''${CREDENTIALS_DIRECTORY}/db > /etc/gitlab/db
cat ''${CREDENTIALS_DIRECTORY}/otp > /etc/gitlab/otp
cat ''${CREDENTIALS_DIRECTORY}/jws > /etc/gitlab/jws
cat ''${CREDENTIALS_DIRECTORY}/oidc_id > /etc/gitlab/oidc-id
cat ''${CREDENTIALS_DIRECTORY}/oidc_secret > /etc/gitlab/oidc-secret
chown gitlab:gitlab /etc/gitlab/*
'';
};
services.gitlab = {
enable = true;
#https = true;
#port = 443;
host = "gitlab.blunkall.us";
databasePasswordFile = "/etc/gitlab/dbpass";
initialRootPasswordFile = "/etc/gitlab/rootpass";
statePath = "/etc/gitlab/data";
secrets = {
secretFile = "/etc/gitlab/secret";
otpFile = "/etc/gitlab/otp";
dbFile = "/etc/gitlab/db";
jwsFile = "/etc/gitlab/jws";
};
extraConfig = {
gitlab = {
default_project_features = {
builds = false;
};
};
omniauth = {
enabled = true;
auto_sign_in_with_provider = "openid_connect";
allow_single_sign_on = [ "openid_connect" ];
sync_email_from_provider = "openid_connect";
sync_profile_from_provider = [ "openid_connect" ];
sync_profile_attributes = [ "email" ];
auto_link_saml_user = true;
auto_link_user = [ "openid_connect" ];
block_auto_created_users = false;
providers = [
{
name = "openid_connect";
label = "Authentik SSO";
args = {
name = "openid_connect";
scope = [ "openid" "profile" "email" ];
response_type = "code";
issuer = "https://auth.blunkall.us/application/o/gitlab/";
discovery = true;
client_auth_method = "query";
uid_field = "preferred_username";
send_scope_to_token_endpoint = true;
pkce = true;
client_options = {
identifier = { _secret = "/etc/gitlab/oidc-id"; };
secret = { _secret = "/etc/gitlab/oidc-secret"; };
redirect_uri = "https://gitlab.blunkall.us/users/auth/openid_connect/callback";
};
};
}
];
};
};
};
services.nginx = {
enable = true;
recommendedProxySettings = true;
virtualHosts = {
"gitlab.blunkall.us" = {
locations."/".proxyPass = "http://unix:/run/gitlab/gitlab-workhorse.socket";
};
};
};
services.openssh.enable = true;
systemd.services.gitlab-backup.environment.BACKUP = "dump";
networking.firewall.allowedTCPPorts = [ 22 80 ];
system.stateVersion = "24.05";
};
};
};
}

52
system/services/containers/homeassistant/default.nix Normal file
View File

@@ -0,0 +1,52 @@
{ config, lib, ... }: {
options.sysconfig.virtualization.homeassistant = {
enable = lib.options.mkOption {
type = lib.types.bool;
default = false;
};
configvol = lib.options.mkOption {
type = lib.types.str;
default = "/ssd1/Home-Assistant/data:/config";
};
};
config = lib.mkIf config.sysconfig.virtualization.homeassistant.enable {
networking = {
hosts."192.168.100.25" = [ "hass.local" ];
nat.internalInterfaces = [ "ve-home-assnHYM" ];
};
containers.home-assistant = {
autoStart = true;
privateNetwork = true;
hostAddress = "192.168.100.10";
localAddress = "192.168.100.25";
config = {
services.home-assistant = {
enable = true;
openFirewall = true;
extraComponents = [
"wyoming"
"ollama"
];
config = {
homeassistant.unit_system = "us_customary";
};
configWritable = true;
};
system.stateVersion = "25.05";
};
};
};
}

39
system/services/containers/jellyfin/default.nix Normal file
View File

@@ -0,0 +1,39 @@
{ config, lib, ... }: {
options.sysconfig.virtualization.jellyfin.enable = lib.options.mkOption {
type = lib.types.bool;
default = false;
};
config = lib.mkIf config.sysconfig.virtualization.jellyfin.enable {
containers.jellyfin = {
autoStart = true;
privateNetwork = true;
hostAddress = "192.168.100.10";
localAddress = "192.168.100.14";
bindMounts = {
"/etc/jellyfin" = {
hostPath = "/ssd1/Jellyfin";
isReadOnly = false;
};
};
config = {
services.jellyfin = {
enable = true;
dataDir = "/etc/jellyfin/data";
configDir = "/etc/jellyfin/config";
logDir = "/etc/jellyfin/log";
openFirewall = true;
};
system.stateVersion = "24.05";
};
};
};
}

81
system/services/containers/keycloak/default.nix Normal file
View File

@@ -0,0 +1,81 @@
{ config, lib, inputs, ... }: {
options.sysconfig.virtualization.keycloak.enable = lib.options.mkOption {
type = lib.types.bool;
default = false;
};
imports = [
inputs.sops-nix.nixosModules.sops
];
config = lib.mkIf config.sysconfig.virtualization.keycloak.enable {
sops.secrets."keycloak/dbpass" = {};
networking = {
nat.internalInterfaces = [ "ve-keycloak" ];
};
containers.keycloak = {
autoStart = true;
privateNetwork = true;
hostAddress = "192.168.100.10";
localAddress = "192.168.100.22";
extraFlags = [
"--load-credential=dbpass:${config.sops.secrets."keycloak/dbpass".path}"
];
bindMounts = {
"/etc/keycloak" = {
hostPath = "/ssd1/Keycloak";
isReadOnly = false;
};
};
config = {
networking.firewall.allowedTCPPorts = [ 80 ];
systemd.services.secrets_setup = {
wantedBy = [ "keycloak.service" ];
serviceConfig = {
LoadCredential = [
"dbpass"
];
};
script = ''
cat ''${CREDENTIALS_DIRECTORY}/dbpass > /etc/keycloak/dbpass
chown postgres:postgres /etc/keycloak/dbpass
'';
};
services.keycloak = {
enable = true;
database.passwordFile = "/etc/keycloak/dbpass";
settings = {
hostname = "auth.esotericbytes.com";
http-enabled = true;
proxy-headers = "xforwarded";
proxy-trusted-addresses = "192.168.100.11";
};
initialAdminPassword = "7567";
};
system.stateVersion = "25.05";
};
};
};
}

109
system/services/containers/minecraft/default.nix Normal file
View File

@@ -0,0 +1,109 @@
{ config, lib, pkgs, inputs, ... }: {
options.sysconfig.virtualization.minecraft.enable = lib.options.mkOption {
type = lib.types.bool;
default = false;
};
config = lib.mkIf config.sysconfig.virtualization.minecraft.enable {
networking = {
firewall = {
allowedTCPPorts = [ 25565 ];
allowedUDPPorts = [ 25565 ];
};
nat.internalInterfaces = [ "ve-minecraft" ];
};
nixpkgs.overlays = [ inputs.nix-minecraft.overlay ];
containers.minecraft = {
autoStart = true;
privateNetwork = true;
hostAddress = "192.168.100.10";
localAddress = "192.168.100.29";
forwardPorts = [
{
containerPort = 25565;
hostPort = 25565;
protocol = "tcp";
}
{
containerPort = 25565;
hostPort = 25565;
protocol = "udp";
}
];
config = {
imports = [
inputs.nix-minecraft.nixosModules.minecraft-servers
];
environment.systemPackages = with pkgs; [ tmux ];
services.minecraft-servers = {
enable = true;
eula = true;
openFirewall = true;
dataDir = "/var/lib/mcservers";
managementSystem.systemd-socket.enable = true; #temp
servers = {
vanilla = {
enable = true;
package = pkgs.fabricServers.fabric-1_21_8;
serverProperties = {
server-port = 25565;
gamemode = "survival";
difficulty = 2;
white-list = true;
motd = "Didn't see that coming huh?";
};
whitelist = {
"MeasureTwice66" = "a4032062-293d-484d-a790-9f52475836bb";
"651sonic" = "936a3fb0-4548-4557-975b-7794e97a3afc";
"Griffin12_" = "6a1f56d9-f712-4723-a031-e5437a389bb3";
};
autoStart = true;
};
modded = {
enable = false;
#package = pkgs.fabricServers.fabric-1_21_1.override { loaderVersion = "0.16.14"; };
package = pkgs.fabricServers.fabric-1_21_1;
jvmOpts = [ "-Xms8000M" "-Xmx12000M" ];
serverProperties = {
server-port = 25566;
gamemode = "survival";
white-list = true;
allow-flight = true;
motd = "Ex-plo-sion!!!";
};
whitelist = {
"MeasureTwice66" = "a4032062-293d-484d-a790-9f52475836bb";
"651sonic" = "936a3fb0-4548-4557-975b-7794e97a3afc";
"Griffin12_" = "6a1f56d9-f712-4723-a031-e5437a389bb3";
};
autoStart = true;
symlinks = {
"mods" = ./mods;
};
};
};
};
system.stateVersion = "25.05";
};
};
};
}

64
system/services/containers/n8n/default.nix Normal file
View File

@@ -0,0 +1,64 @@
{ config, lib, ... }: {
options.sysconfig.virtualization.n8n.enable = lib.options.mkOption {
type = lib.types.bool;
default = false;
};
config = lib.mkIf config.sysconfig.virtualization.n8n.enable {
networking = {
hosts."192.168.100.21" = [ "n8n.local" ];
nat.internalInterfaces = [ "ve-n8n" ];
};
containers.n8n = {
autoStart = true;
privateNetwork = true;
hostAddress = "192.168.100.10";
localAddress = "192.168.100.21";
config = {
nixpkgs.config.allowUnfree = true;
services.n8n = {
enable = true;
openFirewall = true;
environment = {
N8N_DIAGNOSTICS_ENABLED = "false";
N8N_VERSION_NOTIFICATIONS_ENABLED = "false";
N8N_TEMPLATES_ENABLED = "false";
EXTERNAL_FRONTEND_HOOKS_URLS = "";
N8N_DIAGNOSTICS_CONFIG_FRONTEND = "";
N8N_DIAGNOSTICS_CONFIG_BACKEND = "";
N8N_SECURE_COOKIE = "false";
};
#webhookUrl = "https://n8n.blunkall.us/";
};
/*
systemd.services.n8n = {
environment = {
N8N_DIAGNOSTICS_ENABLED = "false";
N8N_VERSION_NOTIFICATIONS_ENABLED = "false";
N8N_TEMPLATES_ENABLED = "false";
EXTERNAL_FRONTEND_HOOKS_URLS = "";
N8N_DIAGNOSTICS_CONFIG_FRONTEND = "";
N8N_DIAGNOSTICS_CONFIG_BACKEND = "";
N8N_SECURE_COOKIE = "false";
};
};
*/
system.stateVersion = "25.05";
};
};
};
}

246
system/services/containers/netbird/default.nix Normal file
View File

@@ -0,0 +1,246 @@
{ config, lib, inputs, ... }: {
options.sysconfig = {
services.netbird.enable = lib.options.mkOption {
type = lib.types.bool;
default = false;
};
virtualization.netbird = {
enable = lib.options.mkOption {
type = lib.types.bool;
default = false;
};
};
};
config = let
pkgs-com = import inputs.nixpkgs-us {
system = "x86_64-linux";
config.allowUnfree = true;
};
in {
services.netbird = {
enable = config.sysconfig.services.netbird.enable;
ui = {
enable = true;
#package = pkgs-com.netbird-ui;
};
#package = pkgs-com.netbird;
};
networking = {
firewall = lib.mkIf config.sysconfig.virtualization.netbird.enable {
allowedUDPPorts = [ 3478 ];
allowedUDPPortRanges = [{ from = 51100; to = 56100; }];
};
nat.internalInterfaces = [ "ve-netbird" ];
};
sops.secrets."netbird/coturnPass" = lib.mkIf config.sysconfig.virtualization.netbird.enable {};
containers.netbird = lib.mkIf config.sysconfig.virtualization.netbird.enable {
autoStart = true;
privateNetwork = true;
hostAddress = "192.168.100.10";
localAddress = "192.168.100.23";
forwardPorts = [
{
hostPort = 3478;
containerPort = 3478;
protocol = "udp";
}
] ++ map (x: { hostPort = x; containerPort = x; protocol = "udp"; }) (builtins.genList (y: 51100 + y) (56100 - 51100));
extraFlags = [
"--load-credential=coturnPass:${config.sops.secrets."netbird/coturnPass".path}"
];
config = {
services.nginx.virtualHosts."vpn.esotericbytes.com" = {
listen = [
{
addr = "0.0.0.0";
port = 80;
ssl = false;
}
];
};
services.netbird = {
server = {
enable = true;
enableNginx = true;
domain = "vpn.esotericbytes.com";
dashboard = {
enable = true;
enableNginx = true;
settings = {
AUTH_AUTHORITY = "https://auth.esotericbytes.com/realms/General";
AUTH_CLIENT_ID = "netbird";
AUTH_SUPPORTED_SCOPES = "openid profile email offline_access api";
AUTH_AUDIENCE = "netbird";
USE_AUTH0 = false;
NETBIRD_TOKEN_SOURCE = "accessToken";
};
package = pkgs-com.netbird-dashboard;
};
management = {
enable = true;
enableNginx = true;
disableAnonymousMetrics = true;
dnsDomain = "vpn";
turnDomain = "vpn.esotericbytes.com";
turnPort = 3478;
logLevel = "DEBUG";
oidcConfigEndpoint = "https://auth.esotericbytes.com/realms/General/.well-known/openid-configuration";
settings = {
"TURNConfig" = {
"Turns" = [
{
"Proto" = "udp";
"URI" = "turn:vpn.esotericbytes.com:3478";
"Username" = "netbird";
"Password"._secret = "/etc/netbird/coturnPass";
}
];
"Secret"._secret = "/etc/netbird/coturnPass";
};
"DataStoreEncryptionKey" = null;
"HttpConfig" = {
"Address" = "0.0.0.0:443";
"AuthIssuer" = "https://auth.esotericbytes.com/realms/General";
"AuthAudience" = "netbird";
"AuthKeysLocation" = "https://auth.esotericbytes.com/realms/General/protocol/openid-connect/certs";
"AuthUserIDClaim" = "";
"CertFile" = "";
"CertKey" = "";
"IdpSignKeyRefreshEnabled" = false;
"OIDCConfigEndpoint" = "https://auth.esotericbytes.com/realms/General/.well-known/openid-configuration";
};
"DeviceAuthorizationFlow" = {
"Provider" = "none";
"ProviderConfig" = {
"Audience" = "netbird";
"AuthorizationEndpoint" = "";
"Domain" = "";
"ClientID" = "";
"ClientSecret" = "";
"TokenEndpoint" = "https://auth.esotericbytes.com/realms/General/protocol/openid-connect/token";
"DeviceAuthEndpoint" = "https://auth.esotericbytes.com/realms/General/protocol/openid-connect/auth/device";
"Scope" = "openid";
"UseIDToken" = false;
"RedirectURLs" = null;
};
};
"IdpManagerConfig" = {
"ManagerType" = "keycloak";
"ClientConfig" = {
"Issuer" = "https://auth.esotericbytes.com/realms/General";
"TokenEndpoint" = "https://auth.esotericbytes.com/realms/General/protocol/openid-connect/token";
"ClientID" = "netbird-backend";
"ClientSecret" = "QuqjTOAHKE6N6jJqkB1F1RGo3kqUhEdg";
"GrantType" = "client_credentials";
};
"ExtraConfig" = {
"AdminEndpoint" = "https://auth.esotericbytes.com/admin/realms/General";
};
"Auth0ClientCredentials" = null;
"AzureClientCredentials" = null;
"KeycloakClientCredentials" = null;
"ZitadelClientCredentials" = null;
};
"PKCEAuthorizationFlow" = {
"ProviderConfig" = {
"Audience" = "netbird";
"ClientID" = "netbird";
"ClientSecret" = "";
"Domain" = "";
"AuthorizationEndpoint" = "https://auth.esotericbytes.com/realms/General/protocol/openid-connect/auth";
"TokenEndpoint" = "https://auth.esotericbytes.com/realms/General/protocol/openid-connect/token";
"Scope" = "openid profile email offline_access api";
"RedirectURLs" = [
"http://localhost:53000"
];
"UseIDToken" = false;
"DisablePromptLogin" = false;
};
};
};
port = 443;
};
coturn = {
enable = true;
user = "netbird";
passwordFile = "/etc/netbird/coturnPass";
openPorts = map (x: x) (builtins.genList (y: 51100 + y) (56100 - 51100));
};
signal = {
enable = true;
enableNginx = true;
};
};
};
systemd.services.secrets_setup = {
wantedBy = [ "netbird-management.service" "coturn.service" ];
serviceConfig = {
LoadCredential = [
"coturnPass"
];
};
script = ''
cat ''${CREDENTIALS_DIRECTORY}/coturnPass > /etc/netbird/coturnPass
'';
};
networking.firewall = {
allowedTCPPorts = [ 80 ];
allowedUDPPorts = [ 3478 ];
allowedUDPPortRanges = [{ from = 51100; to = 56100; }];
};
system.stateVersion = "25.05";
};
};
};
}

81
system/services/containers/nextcloud/default.nix Normal file
View File

@@ -0,0 +1,81 @@
{ config, lib, ... }: {
options.sysconfig.virtualization.nextcloud.enable = lib.options.mkOption {
type = lib.types.bool;
default = false;
};
config = lib.mkIf config.sysconfig.virtualization.nextcloud.enable {
sops.secrets."nextcloud/pass" = {};
containers.nextcloud = {
autoStart = true;
privateNetwork = true;
hostAddress = "192.168.100.10";
localAddress = "192.168.100.15";
bindMounts = {
"/var/lib/nextcloud" = {
hostPath = "/ssd1/Nextcloud/data";
isReadOnly = false;
};
};
extraFlags = [
"--load-credential=nextcloud-admin-pass:${config.sops.secrets."nextcloud/pass".path}"
];
config = { config, lib, pkgs, ... }: {
systemd.services.secrets_setup = {
wantedBy = [ "nextcloud-setup.service" ];
serviceConfig = {
LoadCredential = [
"nextcloud-admin-pass"
];
};
script = ''
cat $CREDENTIALS_DIRECTORY/nextcloud-admin-pass > /etc/nextcloud-admin-pass
chown nextcloud:nextcloud /etc/nextcloud-admin-pass
'';
};
networking.firewall.allowedTCPPorts = [ 80 443 ];
services.nginx.virtualHosts."192.168.100.15".listen = [ { addr = "0.0.0.0"; port = 80; } ];
services.nextcloud = {
enable = true;
package = pkgs.nextcloud31;
hostName = "192.168.100.15";
config = {
adminpassFile = "/etc/nextcloud-admin-pass";
adminuser = "root";
dbtype = "mysql";
};
https = true;
home = "/var/lib/nextcloud";
appstoreEnable = true;
extraApps = with config.services.nextcloud.package.packages.apps; {
inherit mail contacts calendar tasks user_oidc;
inherit impersonate end_to_end_encryption notes spreed music memories phonetrack;
};
extraAppsEnable = true;
settings = {
overwriteprotocol = "https";
trusted_domains = [ "nextcloud.esotericbytes.com" ];
trusted_proxies = [ "192.168.100.11" ];
default_phone_region = "US";
};
database.createLocally = true;
};
system.stateVersion = "24.05";
};
};
};
}

48
system/services/containers/nginx/default.nix Normal file
View File

@@ -0,0 +1,48 @@
{ config, lib, ... }: {
options.sysconfig.virtualization."esotericbytes.com".enable = lib.mkOption {
type = lib.types.bool;
default = false;
};
config = lib.mkIf config.sysconfig.virtualization."esotericbytes.com".enable {
containers.esotericbytes-com = {
autoStart = true;
privateNetwork = true;
hostAddress = "192.168.100.10";
localAddress = "192.168.100.13";
bindMounts = {
"/var/www/data" = {
hostPath = "/ssd1/esotericbytes-com/data";
isReadOnly = false;
};
};
config = {
services.nginx = {
enable = true;
virtualHosts = {
"esotericbytes.com" = {
enableACME = false;
forceSSL = false;
root = "/var/www/data";
};
"homebox.vpn/esotericbytes" = {
enableACME = false;
forceSSL = false;
root = "/var/www/data";
};
};
};
networking.firewall.allowedTCPPorts = [ 80 ];
system.stateVersion = "24.05";
};
};
};
}

54
system/services/containers/novnc/default.nix Normal file
View File

@@ -0,0 +1,54 @@
{ config, lib, pkgs, ... }: {
options.sysconfig.virtualization.novnc.enable = lib.mkOption {
type = lib.types.bool;
default = false;
};
config = lib.mkIf config.sysconfig.virtualization.novnc.enable {
networking = {
hosts."192.168.100.30" = [ "novnc.local" ];
firewall.interfaces."ve-novnc" = lib.mkIf config.sysconfig.virtualization.novnc.enable {
allowedTCPPorts = [ 5900 ];
allowedUDPPorts = [ 5900 ];
};
};
containers.novnc = {
autoStart = true;
privateNetwork = true;
hostAddress = "192.168.100.10";
localAddress = "192.168.100.30";
config = {
systemd.services.novnc = {
enable = true;
path = with pkgs; [
novnc
ps
];
script = ''
novnc --listen 80 --vnc 192.168.100.10:5900
'';
serviceConfig = {
Type = "exec";
};
wantedBy = [ "multi-user.target" ];
};
networking.firewall.allowedTCPPorts = [ 80 ];
system.stateVersion = "25.05";
};
};
};
}

43
system/services/containers/ntfy/default.nix Normal file
View File

@@ -0,0 +1,43 @@
{ config, lib, ... }: {
options.sysconfig.virtualization.ntfy.enable = lib.mkOption {
type = lib.types.bool;
default = false;
};
config = lib.mkIf config.sysconfig.virtualization.ntfy.enable {
containers.ntfy = {
autoStart = true;
privateNetwork = true;
hostAddress = "192.168.100.10";
localAddress = "192.168.100.19";
config = {
services.ntfy-sh = {
enable = true;
settings = {
base-url = "https://ntfy.blunkall.us";
listen-http = ":80";
behind-proxy = true;
upstream-base-url = "https://ntfy.sh";
auth-default-access = "deny-all";
};
};
networking.firewall.allowedTCPPorts = [ 80 ];
system.stateVersion = "24.05";
};
};
};
}

89
system/services/containers/ollama/default.nix Normal file
View File

@@ -0,0 +1,89 @@
{ config, lib, inputs, ... }: {
options = {
sysconfig.virtualization.ollama.enable = lib.options.mkOption {
type = lib.types.bool;
default = false;
};
};
config = lib.mkIf config.sysconfig.virtualization.ollama.enable {
containers.ollama = {
autoStart = true;
privateNetwork = true;
hostAddress = "192.168.100.10";
localAddress = "192.168.100.24";
bindMounts = {
"/dev/nvidia0" = {
hostPath = "/dev/nvidia0";
isReadOnly = false;
};
"/dev/nvidiactl" = {
hostPath = "/dev/nvidiactl";
isReadOnly = false;
};
"/dev/nvidia-uvm" = {
hostPath = "/dev/nvidia-uvm";
isReadOnly = false;
};
"/dev/nvidia-modeset" = {
hostPath = "/dev/nvidia-modeset";
isReadOnly = false;
};
"/dev/nvidia-uvm-tools" = {
hostPath = "/dev/nvidia-uvm-tools";
isReadOnly = false;
};
};
allowedDevices = [
{
node = "/dev/nvidia0";
modifier = "rw";
}
{
node = "/dev/nvidiactl";
modifier = "rw";
}
{
node = "/dev/nvidia-uvm";
modifier = "rw";
}
{
node = "/dev/nvidia-modeset";
modifier = "rw";
}
{
node = "/dev/nvidia-uvm-tools";
modifier = "rw";
}
];
config = {
services.ollama = {
enable = true;
acceleration = "cuda";
package = let
pkgs-us = import inputs.nixpkgs-us {
system = "x86_64-linux";
config.allowUnfree = true;
};
in pkgs-us.ollama;
host = "0.0.0.0";
loadModels = [ "llama3.1:8b" ];
openFirewall = true;
};
system.stateVersion = "25.05";
};
};
};
}

33
system/services/containers/openwebui/default.nix Normal file
View File

@@ -0,0 +1,33 @@
{ config, lib, pkgs, ... }: {
options = {
sysconfig.virtualization.openwebui.enable = lib.options.mkOption {
type = lib.types.bool;
default = false;
};
};
config = lib.mkIf config.sysconfig.virtualization.openwebui.enable {
containers.openwebui = {
autoStart = true;
privateNetwork = true;
hostAddress = "192.168.100.10";
localAddress = "192.168.100.33";
config = {
services.open-webui = {
enable = true;
package = pkgs.open-webui;
openFirewall = true;
host = "0.0.0.0";
};
system.stateVersion = "25.05";
};
};
};
}

118
system/services/containers/pihole/default.nix Normal file
View File

@@ -0,0 +1,118 @@
{ config, lib, pkgs, inputs, ... }: {
options.sysconfig.virtualization.pihole.enable = lib.options.mkOption {
type = lib.types.bool;
default = false;
};
config = lib.mkIf config.sysconfig.virtualization.pihole.enable {
/* sops.secrets."pihole/pass" = {};
sops.templates."pihole.env" = {
content = ''
WEBPASSWORD=${config.sops.placeholder."pihole/pass"}
'';
path = "/ssd1/Pihole/.env";
};
*/
networking = {
nat.internalInterfaces = [ "ve-pihole" ];
nameservers = [ "192.168.100.28" ];
};
containers.pihole = {
autoStart = true;
privateNetwork = true;
hostAddress = "192.168.100.10";
localAddress = "192.168.100.28";
timeoutStartSec = "infinity";
config = let
pkgs-us = import inputs.nixpkgs-us { system = "x86_64-linux"; };
in {
/*imports = [
(import "${inputs.nixpkgs-us}/nixos/modules/services/networking/pihole-ftl.nix" { config = config.containers.pihole.config; inherit lib; pkgs = pkgs-us;})
(import "${inputs.nixpkgs-us}/nixos/modules/services/web-apps/pihole-web.nix" { config = config.containers.pihole.config; inherit lib; pkgs = pkgs-us;})
];*/
services = {
pihole-web = {
enable = true;
package = pkgs-us.pihole-web;
#hostName = "192.168.100.28";
ports = [ 80 ];
};
pihole-ftl = {
enable = true;
package = pkgs-us.pihole-ftl;
openFirewallDNS = true;
openFirewallWebserver = true;
lists = [
{
url = "https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts";
}
];
settings = {
dns.upstreams = [ "127.0.0.1#5335" ];
files.macvendor = lib.mkForce "/var/lib/pihole/macvendor.db";
};
};
unbound = {
enable = true;
resolveLocalQueries = true;
settings = {
server = {
interface = [ "127.0.0.1" ];
port = 5335;
};
};
};
};
users.users."root" = {
openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICe6Ito5m9c4Tij8zI74L8hnd/QRchEO/cc5CH94mjMC nathan@homebox"
];
};
networking = {
firewall.allowedTCPPorts = [ 22 ];
#nameservers = [ "1.1.1.1" "1.0.0.1" ];
};
services.openssh = {
enable = true;
settings = {
PermitRootLogin = lib.mkForce "yes";
PasswordAuthentication = false;
KbdInteractiveAuthentication = false;
};
};
system.stateVersion = "25.05";
};
};
};
}

85
system/services/containers/rustdesk/default.nix Normal file
View File

@@ -0,0 +1,85 @@
{ config, lib, ... }: {
options.sysconfig.virtualization.rustdesk.enable = lib.options.mkOption {
type = lib.types.bool;
default = false;
};
config = lib.mkIf config.sysconfig.virtualization.rustdesk.enable {
/*networking = {
firewall.allowedTCPPorts = [ 21115 21116 21117 21118 21119 ];
firewall.allowedUDPPorts = [ 21116 ];
};*/
containers.rustdesk = {
autoStart = true;
privateNetwork = true;
hostAddress = "192.168.100.10";
localAddress = "192.168.100.27";
/* forwardPorts = [
{
containerPort = 21115;
hostPort = 21115;
protocol = "tcp";
}
{
containerPort = 21116;
hostPort = 21116;
protocol = "tcp";
}
{
containerPort = 21116;
hostPort = 21116;
protocol = "udp";
}
{
containerPort = 21117;
hostPort = 21117;
protocol = "tcp";
}
{
containerPort = 21118;
hostPort = 21118;
protocol = "tcp";
}
{
containerPort = 21119;
hostPort = 21119;
protocol = "tcp";
}
];*/
config = {
services.rustdesk-server = {
enable = true;
openFirewall = true;
relay = {
enable = true;
extraArgs = [
"-k"
"AAAAC3NzaC1lZDI1NTE5AAAAIIPztDjwgB3xCza5+p5z1jpGVYoVQNl3fqD69pPCm0NA"
];
};
signal = {
enable = true;
#relayHosts = [ "blunkall.us" ];
relayHosts = [ "192.168.100.27" ];
extraArgs = [
"-k"
"AAAAC3NzaC1lZDI1NTE5AAAAIIPztDjwgB3xCza5+p5z1jpGVYoVQNl3fqD69pPCm0NA"
];
};
};
system.stateVersion = "24.05";
};
};
};
}

89
system/services/containers/sandbox/default.nix Normal file
View File

@@ -0,0 +1,89 @@
{ config, lib, inputs, ... }: {
options.sysconfig.virtualization.sandbox.enable = lib.mkOption {
type = lib.types.bool;
default = false;
};
disabledModules = [
"virtualisation/nixos-containers.nix"
];
imports = [
(import "${inputs.nixpkgs-us}/nixos/modules/virtualisation/nixos-containers.nix" {
inherit config lib;
pkgs = (import inputs.nixpkgs-us {
system = "x86_64-linux";
});
})
];
config = lib.mkIf config.sysconfig.virtualization.sandbox.enable {
networking = {
nat.internalInterfaces = [ "ve-sandbox" ];
};
containers.sandbox = {
autoStart = true;
privateNetwork = true;
hostAddress = "192.168.100.10";
localAddress = "192.168.100.32";
ephemeral = true;
timeoutStartSec = "3min";
flake = "${inputs.self}";
bindMounts = {
"/dev/nvidia0" = {
hostPath = "/dev/nvidia0";
isReadOnly = false;
};
"/dev/nvidiactl" = {
hostPath = "/dev/nvidiactl";
isReadOnly = false;
};
"/dev/nvidia-uvm" = {
hostPath = "/dev/nvidia-uvm";
isReadOnly = false;
};
"/dev/nvidia-modeset" = {
hostPath = "/dev/nvidia-modeset";
isReadOnly = false;
};
"/dev/nvidia-uvm-tools" = {
hostPath = "/dev/nvidia-uvm-tools";
isReadOnly = false;
};
};
allowedDevices = [
{
node = "/dev/nvidia0";
modifier = "rw";
}
{
node = "/dev/nvidiactl";
modifier = "rw";
}
{
node = "/dev/nvidia-uvm";
modifier = "rw";
}
{
node = "/dev/nvidia-modeset";
modifier = "rw";
}
{
node = "/dev/nvidia-uvm-tools";
modifier = "rw";
}
];
};
};
}

243
system/services/containers/traefik/default.nix Normal file
View File

@@ -0,0 +1,243 @@
{ config, lib, ... }: {
options.sysconfig.virtualization.traefik.enable = lib.options.mkOption {
type = lib.types.bool;
default = false;
};
config = lib.mkIf config.sysconfig.virtualization.traefik.enable {
networking = {
hosts."192.168.100.11" = [ "esotericbytes.com" "*.esotericbytes.com" "traefik.local" ];
firewall.allowedTCPPorts = [ 22 80 443];
nat.internalInterfaces = [ "ve-traefik" ];
};
containers.traefik = {
autoStart = true;
privateNetwork = true;
hostAddress = "192.168.100.10";
localAddress = "192.168.100.11";
forwardPorts = [
{
containerPort = 80;
hostPort = 80;
}
{
containerPort = 443;
hostPort = 443;
}
];
bindMounts = {
"/etc/traefik/data" = {
hostPath = "/ssd1/Traefik/data";
isReadOnly = false;
};
};
config = {
services.traefik = {
enable = true;
dataDir = "/etc/traefik/data";
environmentFiles = [
"/etc/traefik/data/traefik.env"
];
staticConfigOptions = {
serversTransport.insecureSkipVerify = true;
api = {
dashboard = true;
debug = true;
};
global = {
checknewversion = false;
sendanonymoususage = false;
};
entryPoints = {
web = {
address = ":80";
http.redirections.entryPoint = {
to = "websecure";
scheme = "https";
};
};
websecure = {
address = ":443";
asDefault = true;
http.tls = {
certResolver = "cloudflare";
domains = {
main = "esotericbytes.com";
sans = [ "*.esotericbytes.com" ];
};
};
};
};
log = {
level = "DEBUG";
filePath = "/etc/traefik/data/traefik.log";
format = "json";
};
certificatesResolvers = {
cloudflare = {
acme = {
email = "nathanblunkall5@gmail.com";
storage = "/etc/traefik/data/acme.json";
keyType = "EC256";
dnsChallenge = {
provider = "cloudflare";
resolvers = [ "1.1.1.1:53" "1.0.0.1:53" ];
};
};
};
};
};
dynamicConfigOptions = {
http = {
routers = {
homepageSecure = {
entryPoints = [ "websecure" ];
rule = "Host(`esotericbytes.com`) || Host(`www.esotericbytes.com`)";
service = "homepage";
tls.certResolver = "cloudflare";
};
/*remote = {
entryPoints = [ "websecure" ];
rule = "Host(`remote.esotericbytes.com`)";
service = "novnc";
tls.certResolver = "cloudflare";
#middlewares = [ "authentik" ];
};*/
/*homeassistant = {
entryPoints = [ "websecure" ];
rule = "Host(`hass.esotericbytes.com`)";
service = "homeassistant";
tls.certResolver = "cloudflare";
};*/
jellyfin = {
entryPoints = [ "websecure" ];
rule = "Host(`jellyfin.esotericbytes.com`)";
service = "jellyfin";
tls.certResolver = "cloudflare";
};
auth = {
entryPoints = [ "websecure" ];
rule = "Host(`auth.esotericbytes.com`)";
service = "keycloak";
tls.certResolver = "cloudflare";
};
/*gitlab = {
entryPoints = [ "websecure" ];
rule = "Host(`gitlab.esotericbytes.com`)";
service = "gitlab";
tls.certResolver = "cloudflare";
};*/
gitea = {
entryPoints = [ "websecure" ];
rule = "Host(`gitea.esotericbytes.com`)";
service = "gitea";
tls.certResolver = "cloudflare";
};
nextcloud = {
entryPoints = [ "websecure" ];
rule = "Host(`nextcloud.esotericbytes.com`)";
service = "nextcloud";
tls.certResolver = "cloudflare";
middlewares = [
"nextcloud_redirectregex"
];
};
/*traefik = {
entryPoints = [ "websecure" ];
rule = "Host(`192.168.100.11`) || Host(`homebox.vpn`)";
service = "api@internal";
tls.certResolver = "cloudflare";
#middlewares = [ "authentik" ];
};*/
/*ntfy = {
entryPoints = [ "websecure" ];
rule = "Host(`ntfy.esotericbytes.com`)";
service = "ntfy";
tls.certResolver = "cloudflare";
};*/
/*pihole = {
entryPoints = [ "localsecure" ];
rule = "Host(`pihole.esotericbytes.com`)";
service = "pihole";
tls.certResolver = "cloudflare";
};*/
netbird = {
entryPoints = [ "websecure" ];
rule = "Host(`vpn.esotericbytes.com`)";
service = "netbird";
tls.certResolver = "cloudflare";
};
/*n8n = {
entryPoints = [ "websecure" ];
rule = "Host(`n8n.esotericbytes.com`)";
service = "n8n";
tls.certResolver = "cloudflare";
};*/
};
middlewares = {
nextcloud_redirectregex.redirectregex = {
permanent = true;
regex = "https://nextcloud.esotericbytes.com/.well-known/(?:card|cal)dav";
replacement = "https://nextcloud.esotericbytes.com/remote.php/dav";
};
};
services = {
#gitlab.loadBalancer.servers = [ { url = "http://192.168.100.16:80"; } ];
gitea.loadBalancer.servers = [ { url = "http://192.168.100.20:3000"; } ];
homepage.loadBalancer.servers = [ { url = "http://192.168.100.13:80"; } ];
jellyfin.loadBalancer.servers = [ { url = "http://192.168.100.14:8096"; } ];
authentik.loadBalancer.servers = [ { url = "http://192.168.100.10:9000"; } ];
#pihole.loadBalancer.servers = [ { url = "http://192.168.100.10:8080"; } ];
keycloak.loadBalancer.servers = [ { url = "http://192.168.100.22:80"; } ];
#novnc.loadBalancer.servers = [ { url = "http://192.168.100.10:6080"; } ];
nextcloud.loadBalancer.servers = [ { url = "http://192.168.100.15:80"; } ];
#ntfy.loadBalancer.servers = [ { url = "http://192.168.100.19"; } ];
netbird.loadBalancer = {
passHostHeader = true;
servers = [ { url = "http://192.168.100.23:80"; } ];
};
#n8n.loadBalancer.servers = [ { url = "http://192.168.100.21:5678"; } ];
};
};
};
};
networking.firewall.allowedTCPPorts = [ 80 443 ];
networking.firewall.allowedUDPPorts = [ 80 443 ];
system.stateVersion = "24.05";
};
};
};
}

131
system/services/containers/wyoming/default.nix Normal file
View File

@@ -0,0 +1,131 @@
{ config, lib, ... }: {
options.sysconfig.virtualization.wyoming = {
enable = lib.options.mkOption {
type = lib.types.bool;
default = false;
};
piper = lib.options.mkOption {
type = lib.types.bool;
default = false;
};
openwakeword = lib.options.mkOption {
type = lib.types.bool;
default = false;
};
faster-whisper = lib.options.mkOption {
type = lib.types.bool;
default = false;
};
satellite = lib.options.mkOption {
type = lib.types.bool;
default = false;
};
};
config = lib.mkIf config.sysconfig.virtualization.wyoming.enable {
containers.wyoming = {
autoStart = true;
privateNetwork = true;
hostAddress = "192.168.100.10";
localAddress = "192.168.100.26";
bindMounts = lib.mkIf config.sysconfig.virtualization.wyoming.faster-whisper {
"/dev/nvidia0" = {
hostPath = "/dev/nvidia0";
isReadOnly = false;
};
"/dev/nvidiactl" = {
hostPath = "/dev/nvidiactl";
isReadOnly = false;
};
"/dev/nvidia-uvm" = {
hostPath = "/dev/nvidia-uvm";
isReadOnly = false;
};
"/dev/nvidia-modeset" = {
hostPath = "/dev/nvidia-modeset";
isReadOnly = false;
};
"/dev/nvidia-uvm-tools" = {
hostPath = "/dev/nvidia-uvm-tools";
isReadOnly = false;
};
};
allowedDevices = lib.mkIf config.sysconfig.virtualization.wyoming.faster-whisper [
{
node = "/dev/nvidia0";
modifier = "rw";
}
{
node = "/dev/nvidiactl";
modifier = "rw";
}
{
node = "/dev/nvidia-uvm";
modifier = "rw";
}
{
node = "/dev/nvidia-modeset";
modifier = "rw";
}
{
node = "/dev/nvidia-uvm-tools";
modifier = "rw";
}
];
config = {
networking.firewall = {
allowedTCPPorts = [ 11431 11432 11433 11435 ];
};
services.wyoming = {
piper = lib.mkIf config.sysconfig.virtualization.wyoming.piper {
servers.piper = {
enable = true;
voice = "en-us-ryan-medium";
uri = "tcp://0.0.0.0:11435";
};
};
openwakeword = lib.mkIf config.sysconfig.virtualization.wyoming.openwakeword {
enable = true;
uri = "tcp://0.0.0.0:11432";
threshold = 0.5;
customModelsDirectories = [
#./wake_words
];
};
faster-whisper = lib.mkIf config.sysconfig.virtualization.wyoming.faster-whisper {
servers.whisper = {
enable = true;
device = "auto";
language = "en";
model = "medium.en";
uri = "tcp://0.0.0.0:11433";
};
};
satellite = lib.mkIf config.sysconfig.virtualization.wyoming.satellite {
enable = true;
uri = "tcp://0.0.0.0:11431";
#user = "nathan";
vad.enable = false;
};
};
system.stateVersion = "25.05";
};
};
};
}

13
system/services/default.nix Normal file
View File

@@ -0,0 +1,13 @@
{ ... }: {
imports = [
./ollama
./openssh
./pipewire
./containers
./minecraft
./sddm
./novnc
./kdePlasma6
];
}

40
system/services/dynamicDNS/default.nix Normal file
View File

@@ -0,0 +1,40 @@
{ config, lib, pkgs, ... }: {
options.sysconfig.services.dynamicDNS.enable = lib.options.mkOption {
type = lib.types.bool;
default = false;
};
config = lib.mkIf config.sysconfig.services.dynamicDNS {
systemd.timers.dynamicDNS = {
wantedBy = [ "timers.target" ];
timerConfig = {
OnBootSec = "5m";
OnUnitActiveSec = "1h";
Unit = "dynamicDNS.service";
};
};
systemd.services.dynamicDNS = {
name = "dynamicDNS.service";
serviceConfig = {
Type = "oneshot";
LoadCredential = [ "cloudflare-api-key" ];
};
script = '''';
};
};
}

31
system/services/kdePlasma6/default.nix Normal file
View File

@@ -0,0 +1,31 @@
{ config, lib, pkgs, ... }: {
options.sysconfig.services.kdePlasma6.enable = lib.options.mkOption {
type = lib.types.bool;
default = false;
};
config = lib.mkIf config.sysconfig.services.kdePlasma6.enable {
services.desktopManager.plasma6.enable = true;
sysconfig.services.sddm.enable = lib.mkDefault true;
environment.systemPackages = with pkgs; [
kdePackages.discover # Optional: Install if you use Flatpak or fwupd firmware update sevice
kdePackages.kcalc # Calculator
kdePackages.kcharselect # Tool to select and copy special characters from all installed fonts
kdePackages.kcolorchooser # A small utility to select a color
kdePackages.kolourpaint # Easy-to-use paint program
kdePackages.ksystemlog # KDE SystemLog Application
kdePackages.sddm-kcm # Configuration module for SDDM
kdiff3 # Compares and merges 2 or 3 files or directories
kdePackages.isoimagewriter # Optional: Program to write hybrid ISO files onto USB disks
kdePackages.partitionmanager # Optional Manage the disk devices, partitions and file systems on your computer
hardinfo2 # System information and benchmarks for Linux systems
haruna # Open source video player built with Qt/QML and libmpv
wayland-utils # Wayland utilities
wl-clipboard # Command-line copy/paste utilities for Wayland
];
};
}

70
system/services/minecraft/default.nix Normal file
View File

@@ -0,0 +1,70 @@
{ config, lib, pkgs, inputs, ... }: {
options.sysconfig.services.minecraft.enable = lib.options.mkOption {
type = lib.types.bool;
default = false;
};
imports = [
inputs.nix-minecraft.nixosModules.minecraft-servers
];
config = lib.mkIf config.sysconfig.services.minecraft.enable {
nixpkgs.overlays = [ inputs.nix-minecraft.overlay ];
services.minecraft-servers = {
enable = true;
eula = true;
openFirewall = true;
dataDir = "/var/lib/mcservers";
#managementSystem.systemd-socket.enable = true; #temp
servers = {
bedrock = {
enable = true;
package = pkgs.fabricServers.fabric-1_21_8;
serverProperties = {
server-port = 25566;
gamemode = "survival";
difficulty = 2;
white-list = true;
motd = "Test";
};
whitelist = {
"MeasureTwice66" = "a4032062-293d-484d-a790-9f52475836bb";
"651sonic" = "936a3fb0-4548-4557-975b-7794e97a3afc";
"Griffin12_" = "6a1f56d9-f712-4723-a031-e5437a389bb3";
};
autoStart = true;
};
modded = {
enable = false;
#package = pkgs.fabricServers.fabric-1_21_1.override { loaderVersion = "0.16.14"; };
package = pkgs.fabricServers.fabric-1_21_1;
jvmOpts = [ "-Xms8000M" "-Xmx12000M" ];
serverProperties = {
server-port = 25566;
gamemode = "survival";
white-list = true;
allow-flight = true;
motd = "Ex-plo-sion!!!";
};
whitelist = {
"MeasureTwice66" = "a4032062-293d-484d-a790-9f52475836bb";
"651sonic" = "936a3fb0-4548-4557-975b-7794e97a3afc";
"Griffin12_" = "6a1f56d9-f712-4723-a031-e5437a389bb3";
};
autoStart = true;
symlinks = {
"mods" = ./mods;
};
};
};
};
};
}

30
system/services/novnc/default.nix Normal file
View File

@@ -0,0 +1,30 @@
{ config, lib, pkgs, ... }: {
options.sysconfig.services.novnc.enable = lib.mkOption {
type = lib.types.bool;
default = false;
};
config = lib.mkIf config.sysconfig.services.novnc.enable {
systemd.services.novnc = {
enable = true;
path = with pkgs; [
novnc
ps
];
script = ''
novnc --listen 80 --vnc 127.0.0.1:5900
'';
serviceConfig = {
Type = "exec";
};
wantedBy = [ "multi-user.target" ];
};
networking.firewall.allowedTCPPorts = [ 80 ];
};
}

22
system/services/ollama/default.nix Normal file
View File

@@ -0,0 +1,22 @@
{ config, lib, inputs, ... }: {
options = {
sysconfig.services.ollama.enable = lib.options.mkOption {
type = lib.types.bool;
default = false;
};
};
config = lib.mkIf config.sysconfig.services.ollama.enable {
services.ollama = {
enable = true;
acceleration = "cuda";
package = let
pkgs-us = import inputs.nixpkgs-us {
system = "x86_64-linux";
config.allowUnfree = true;
};
in pkgs-us.ollama;
};
};
}

22
system/services/openssh/default.nix Normal file
View File

@@ -0,0 +1,22 @@
{ config, lib, ... }: {
options = {
sysconfig.services.openssh.enable = lib.options.mkOption {
type = lib.types.bool;
default = false;
};
};
config = lib.mkIf (config.sysconfig.services.openssh.enable || config.sysconfig.remoteBuildHost) {
services.openssh = {
enable = true;
openFirewall = true;
settings = {
PermitRootLogin = lib.mkForce "no";
PasswordAuthentication = false;
KbdInteractiveAuthentication = false;
};
};
};
}

51
system/services/pipewire/default.nix Normal file
View File

@@ -0,0 +1,51 @@
{ config, lib, pkgs, ... }: {
options = {
sysconfig.services.pipewire.enable = lib.options.mkOption {
type = lib.types.bool;
default = false;
};
};
config = lib.mkIf config.sysconfig.services.pipewire.enable {
# Enable sound with pipewire.
#sound.enable = true;
security.rtkit.enable = true;
services.pipewire = {
enable = true;
package = pkgs.pipewire;
alsa.enable = true;
alsa.support32Bit = true;
pulse.enable = true;
extraConfig.pipewire-pulse."92-low-latency" = {
context.modules = [
{
name = "libpipewire-module-protocol-pulse";
args = {
pulse.min.req = "32/48000";
pulse.default.req = "32/48000";
pulse.max.req = "32/48000";
pulse.min.quantum = "32/48000";
pulse.max.quantum = "32/48000";
};
}
];
stream.properties = {
node.latency = "32/48000";
resample.quality = 1;
};
};
# If you want to use JACK applications, uncomment this
#jack.enable = true;
# use the example session manager (no others are packaged yet so this is enabled by default,
# no need to redefine it in your config for now)
wireplumber.enable = true;
};
};
}

34
system/services/sddm/default.nix Normal file
View File

@@ -0,0 +1,34 @@
{ config, lib, pkgs, ... }: {
options.sysconfig.services.sddm.enable = lib.mkOption {
type = lib.types.bool;
default = false;
};
config = lib.mkIf config.sysconfig.services.sddm.enable {
qt.enable = true;
environment.systemPackages = with pkgs; [ (sddm-astronaut.override { embeddedTheme = "pixel_sakura"; }) ];
services.displayManager.sddm = {
enable = true;
wayland.enable = true;
autoNumlock = true;
theme = "sddm-astronaut-theme"; #"${inputs.tokyo-night-sddm-theme { inherit pkgs; }}";
enableHidpi = true;
/*extraPackages = with pkgs; [
libsForQt5.qtsvg
libsForQt5.qtquickcontrols2
libsForQt5.qtgraphicaleffects
];*/
package = lib.mkDefault pkgs.kdePackages.sddm;
extraPackages = with pkgs; [
kdePackages.qtsvg
kdePackages.qtvirtualkeyboard
kdePackages.qtmultimedia
];
};
};
}

17
system/services/wireguard/default.nix Normal file
View File

@@ -0,0 +1,17 @@
{ config, lib, ... }: {
options = {
sysconfig.wireguard.enable = lib.options.mkOption {
type = lib.types.bool;
default = false;
};
};
config = lib.mkIf config.sysconfig.wireguard.enable {
networking.wireguard = {
enable = true;
interfaces.wg0 = {
};
};
};
}