From 35676b7383af575dbf4a7ef1cb2a72ba84865976 Mon Sep 17 00:00:00 2001 From: uttarayan21 Date: Sun, 5 Jan 2025 23:16:00 +0530 Subject: [PATCH] feat: Split all the services into their own files --- nixos/mirai/configuration.nix | 3 +- nixos/mirai/services.nix | 286 ------------------------ nixos/mirai/services/atuin.nix | 12 + nixos/mirai/services/authelia.nix | 91 ++++++++ nixos/mirai/services/default.nix | 33 +++ nixos/mirai/services/home-assistant.nix | 41 ++++ nixos/mirai/services/jellyfin.nix | 13 ++ nixos/mirai/services/llama.nix | 98 ++++++++ nixos/mirai/services/navidrome.nix | 21 ++ nixos/mirai/services/nextcloud.nix | 31 +++ server/facter.json | 14 +- 11 files changed, 348 insertions(+), 295 deletions(-) delete mode 100644 nixos/mirai/services.nix create mode 100644 nixos/mirai/services/atuin.nix create mode 100644 nixos/mirai/services/authelia.nix create mode 100644 nixos/mirai/services/default.nix create mode 100644 nixos/mirai/services/home-assistant.nix create mode 100644 nixos/mirai/services/jellyfin.nix create mode 100644 nixos/mirai/services/llama.nix create mode 100644 nixos/mirai/services/navidrome.nix create mode 100644 nixos/mirai/services/nextcloud.nix diff --git a/nixos/mirai/configuration.nix b/nixos/mirai/configuration.nix index 5a836e39..02a8d082 100644 --- a/nixos/mirai/configuration.nix +++ b/nixos/mirai/configuration.nix @@ -6,8 +6,8 @@ }: { imports = [ # Include the results of the hardware scan. + ./services ./mirai.nix - ./services.nix ./docker.nix ]; security.sudo.wheelNeedsPassword = false; @@ -15,7 +15,6 @@ defaultSopsFile = ../../secrets/secrets.yaml; defaultSopsFormat = "yaml"; age.keyFile = "/home/fs0c131y/.config/sops/age/keys.txt"; - secrets."nextcloud/adminpass".owner = config.users.users.nextcloud.name; secrets."llama/user".owner = config.services.caddy.user; secrets."builder/mirai/cache/private" = {}; secrets."llama/api_key".owner = config.services.caddy.user; 
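Review bot: The second hunk removes only the nextcloud sops line, so `secrets."llama/user".owner = config.services.caddy.user;` and `secrets."llama/api_key".owner = config.services.caddy.user;` stay in configuration.nix while the same two definitions are added again in the new services/llama.nix. The values are identical, so the module system should merge them without error, but the duplicate is easy to let drift the next time one side is edited. Since the point of the commit is to keep each service's secrets next to the service, drop the two lines from this file. The enclosing `sops = { ... }` set starts before and ends after the hunk.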
diff --git a/nixos/mirai/services.nix b/nixos/mirai/services.nix deleted file mode 100644 index 6ec0d304..00000000 --- a/nixos/mirai/services.nix +++ /dev/null 
@@ -1,286 +0,0 @@ -{ - config, - lib, - pkgs, - ... -}: { - sops = { - secrets = { - "authelia/servers/darksailor/jwtSecret".owner = config.systemd.services.authelia-darksailor.serviceConfig.User; - "authelia/servers/darksailor/storageEncryptionSecret".owner = config.systemd.services.authelia-darksailor.serviceConfig.User; - "authelia/servers/darksailor/sessionSecret".owner = config.systemd.services.authelia-darksailor.serviceConfig.User; - "authelia/users/servius".owner = config.systemd.services.authelia-darksailor.serviceConfig.User; - users.owner = config.systemd.services.authelia-darksailor.serviceConfig.User; - }; - }; - services = { - nix-serve = { - enable = true; - }; - home-assistant = { - enable = false; - extraComponents = [ - "esphome" - "met" - "radio_browser" - "wiz" - ]; - customComponents = [ - pkgs.home-assistant-custom-components.auth-header - ]; - config = { - default_config = {}; - http = { - server_host = "::1"; - trusted_proxies = ["::1"]; - use_x_forwarded_for = true; - }; - auth_header = { - username_header = "Remote-User"; - }; - }; - }; - jellyfin = { - enable = true; - openFirewall = true; - }; - authelia = { - instances.darksailor = { - enable = true; - settings = { - authentication_backend = { - password_reset.disable = false; - file = { - path = "/run/secrets/users"; - }; - }; - session = { - cookies = [ - { - domain = "darksailor.dev"; - authelia_url = "https://auth.darksailor.dev"; - name = "authelia_session"; - } - ]; - }; - access_control = { - default_policy = "one_factor"; - rules = [ - { - domain = "darksailor.dev"; - policy = "one_factor"; - } - { - domain = "media.darksailor.dev"; - policy = "one_factor"; - } - { - domain = "music.darksailor.dev"; - policy = "one_factor"; - } - { - domain = "music.darksailor.dev"; - policy = "bypass"; - resources = [ - "^/rest([/?].*)?$" - "^/share([/?].*)?$" - ]; - } - ]; - }; - storage = { - local = { - path = "/var/lib/authelia-darksailor/authelia.sqlite3"; - }; - }; - theme = "dark"; - 
notifier.filesystem.filename = "/var/lib/authelia-darksailor/authelia-notifier.log"; - server = { - address = "127.0.0.1:5555"; - endpoints.authz = { - forward-auth = { - implementation = "ForwardAuth"; - }; - auth-request = { - implementation = "AuthRequest"; - }; - }; - }; - # log = { - # file_path = "/tmp/authelia.log"; - # }; - }; - secrets = { - jwtSecretFile = config.sops.secrets."authelia/servers/darksailor/jwtSecret".path; - storageEncryptionKeyFile = config.sops.secrets."authelia/servers/darksailor/storageEncryptionSecret".path; - sessionSecretFile = config.sops.secrets."authelia/servers/darksailor/sessionSecret".path; - }; - }; - }; - fail2ban = { - enable = true; - bantime = "24h"; # Ban IPs for one day on the first ban - bantime-increment = { - enable = true; # Enable increment of bantime after each violation - # formula = "ban.Time * math.exp(float(ban.Count+1)*banFactor)/math.exp(1*banFactor)"; - multipliers = "1 2 4 8 16 32 64"; - maxtime = "168h"; # Do not ban for more than 1 week - overalljails = true; # Calculate the bantime based on all the violations - }; - # jails.apache-nohome-iptables.settings = { - # # Block an IP address if it accesses a non-existent - # # home directory more than 5 times in 10 minutes, - # # since that indicates that it's scanning. 
- # filter = "apache-nohome"; - # action = ''iptables-multiport[name=HTTP, port="http,https"]''; - # logpath = "/var/log/httpd/error_log*"; - # backend = "auto"; - # findtime = 600; - # bantime = 600; - # maxretry = 5; - # }; - }; - tailscale = { - enable = true; - }; - navidrome = { - enable = false; - settings = { - MusicFolder = "/media/music"; - ReverseProxyUserHeader = "Remote-User"; - ReverseProxyWhitelist = "127.0.0.1/32"; - }; - }; - atuin = { - enable = true; - }; - nextcloud = { - enable = true; - package = pkgs.nextcloud30; - hostName = "cloud.darksailor.dev"; - config.adminuser = "servius"; - config.adminpassFile = config.sops.secrets."nextcloud/adminpass".path; - configureRedis = true; - https = true; - }; - ollama = { - enable = true; - loadModels = ["RobinBially/nomic-embed-text-8k" "mistral"]; - port = 11434; - host = "0.0.0.0"; - environmentVariables = { - OLLAMA_ORIGINS = "*"; - }; - }; - nextjs-ollama-llm-ui = { - enable = true; - port = 5096; - ollamaUrl = "https://llama.darksailor.dev/api/ollama"; - }; - llama-cpp = { - enable = false; - host = "127.0.0.1"; - port = 3000; - model = builtins.fetchurl { - name = "qwen_2.5.1_coder_7b_instruct_gguf"; - sha256 = "61834b88c1a1ce5c277028a98c4a0c94a564210290992a7ba301bbef96ef8eba"; - url = "https://huggingface.co/bartowski/Qwen2.5.1-Coder-7B-Instruct-GGUF/resolve/main/Qwen2.5.1-Coder-7B-Instruct-Q8_0.gguf?download=true"; - }; - }; - nginx.virtualHosts."${config.services.nextcloud.hostName}".listen = [ - { - addr = "127.0.0.1"; - port = 8080; # NOT an exposed port - } - ]; - - caddy = { - enable = true; - virtualHosts."music.darksailor.dev".extraConfig = '' - forward_auth localhost:5555 { - uri /api/authz/forward-auth - copy_headers Remote-User Remote-Groups Remote-Email Remote-Name - } - reverse_proxy localhost:4533 - ''; - virtualHosts."media.darksailor.dev".extraConfig = '' - reverse_proxy localhost:8096 - ''; - virtualHosts."atuin.darksailor.dev".extraConfig = '' - reverse_proxy localhost:8888 - ''; 
- virtualHosts."cloud.darksailor.dev".extraConfig = '' - reverse_proxy localhost:8080 - ''; - virtualHosts."llama.darksailor.dev".extraConfig = '' - handle /api/v1/* { - uri strip_prefix /api/v1 - reverse_proxy localhost:3000 - - @apikey { - header Authorization "Bearer {env.LLAMA_API_KEY}" - } - - handle @apikey { - header { - # Set response headers or proxy to a different service if API key is valid - Access-Control-Allow-Origin * - -Authorization "Bearer {env.LLAMA_API_KEY}" # Remove the header after validation - } - reverse_proxy localhost:11434 - } - - handle { - respond "Unauthorized" 403 - } - } - - handle /api/ollama/* { - uri strip_prefix /api/ollama - reverse_proxy localhost:11434 - - @apikey { - header Authorization "Bearer {env.LLAMA_API_KEY}" - } - - handle @apikey { - header { - # Set response headers or proxy to a different service if API key is valid - Access-Control-Allow-Origin * - -Authorization "Bearer {env.LLAMA_API_KEY}" # Remove the header after validation - } - reverse_proxy localhost:11434 - } - - handle { - respond "Unauthorized" 403 - } - } - - handle { - forward_auth localhost:5555 { - uri /api/authz/forward-auth - copy_headers Remote-User Remote-Groups Remote-Email Remote-Name - } - reverse_proxy localhost:5096 - } - ''; - virtualHosts."auth.darksailor.dev".extraConfig = '' - reverse_proxy localhost:5555 - ''; - virtualHosts."home.darksailor.dev".extraConfig = '' - forward_auth localhost:5555 { - uri /api/authz/forward-auth - copy_headers Remote-User Remote-Groups Remote-Email Remote-Name - } - reverse_proxy localhost:8123 - - ''; - }; - }; - systemd.services.caddy = { - serviceConfig = { - EnvironmentFile = config.sops.templates."LLAMA_API_KEY.env".path; - }; - }; -} diff --git a/nixos/mirai/services/atuin.nix b/nixos/mirai/services/atuin.nix new file mode 100644 index 00000000..8a332377 --- /dev/null +++ b/nixos/mirai/services/atuin.nix 
@@ -0,0 +1,12 @@ +{...}: { + services = { + atuin = { + enable = true; + }; + caddy = { + virtualHosts."atuin.darksailor.dev".extraConfig = '' + reverse_proxy localhost:8888 + ''; + }; + }; +} diff --git a/nixos/mirai/services/authelia.nix b/nixos/mirai/services/authelia.nix new file mode 100644 index 00000000..c4749ec5 --- /dev/null +++ b/nixos/mirai/services/authelia.nix 
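Review bot: The Caddy target `reverse_proxy localhost:8888` hard-codes the port that `services.atuin` listens on, so the vhost will silently break if that port is ever changed in the service block two lines above. Taking `config` in the module arguments and writing `reverse_proxy localhost:${toString config.services.atuin.port}` keeps the proxy target tied to the service definition. The same pattern would suit the other per-service files introduced in this commit.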
@@ -0,0 +1,91 @@ +{config, ...}: { + sops = { + secrets = { + "authelia/servers/darksailor/jwtSecret".owner = config.systemd.services.authelia-darksailor.serviceConfig.User; + "authelia/servers/darksailor/storageEncryptionSecret".owner = config.systemd.services.authelia-darksailor.serviceConfig.User; + "authelia/servers/darksailor/sessionSecret".owner = config.systemd.services.authelia-darksailor.serviceConfig.User; + "authelia/users/servius".owner = config.systemd.services.authelia-darksailor.serviceConfig.User; + users.owner = config.systemd.services.authelia-darksailor.serviceConfig.User; + }; + }; + services = { + authelia = { + instances.darksailor = { + enable = true; + settings = { + authentication_backend = { + password_reset.disable = false; + file = { + path = "/run/secrets/users"; + }; + }; + session = { + cookies = [ + { + domain = "darksailor.dev"; + authelia_url = "https://auth.darksailor.dev"; + name = "authelia_session"; + } + ]; + }; + access_control = { + default_policy = "one_factor"; + rules = [ + { + domain = "darksailor.dev"; + policy = "one_factor"; + } + # { + # domain = "media.darksailor.dev"; + # policy = "one_factor"; + # } + { + domain = "music.darksailor.dev"; + policy = "one_factor"; + } + { + domain = "music.darksailor.dev"; + policy = "bypass"; + resources = [ + "^/rest([/?].*)?$" + "^/share([/?].*)?$" + ]; + } + ]; + }; + storage = { + local = { + path = "/var/lib/authelia-darksailor/authelia.sqlite3"; + }; + }; + theme = "dark"; + notifier.filesystem.filename = "/var/lib/authelia-darksailor/authelia-notifier.log"; + server = { + address = "127.0.0.1:5555"; + endpoints.authz = { + forward-auth = { + implementation = "ForwardAuth"; + }; + auth-request = { + implementation = "AuthRequest"; + }; + }; + }; + # log = { + # file_path = "/tmp/authelia.log"; + # }; + }; + secrets = { + jwtSecretFile = config.sops.secrets."authelia/servers/darksailor/jwtSecret".path; + storageEncryptionKeyFile = 
config.sops.secrets."authelia/servers/darksailor/storageEncryptionSecret".path; + sessionSecretFile = config.sops.secrets."authelia/servers/darksailor/sessionSecret".path; + }; + }; + }; + caddy = { + virtualHosts."auth.darksailor.dev".extraConfig = '' + reverse_proxy localhost:5555 + ''; + }; + }; +} diff --git a/nixos/mirai/services/default.nix b/nixos/mirai/services/default.nix new file mode 100644 index 00000000..9ed4718e --- /dev/null +++ b/nixos/mirai/services/default.nix @@ -0,0 +1,33 @@ +{...}: { + imports = [ + ./atuin.nix + ./authelia.nix + ./home-assistant.nix + ./navidrome.nix + ./llama.nix + # ./nextcloud.nix + # ./jellyfin.nix + ]; + services = { + nix-serve = { + enable = true; + }; + fail2ban = { + enable = true; + bantime = "24h"; # Ban IPs for one day on the first ban + bantime-increment = { + enable = true; # Enable increment of bantime after each violation + # formula = "ban.Time * math.exp(float(ban.Count+1)*banFactor)/math.exp(1*banFactor)"; + multipliers = "1 2 4 8 16 32 64"; + maxtime = "168h"; # Do not ban for more than 1 week + overalljails = true; # Calculate the bantime based on all the violations + }; + }; + tailscale = { + enable = true; + }; + caddy = { + enable = true; + }; + }; +} diff --git a/nixos/mirai/services/home-assistant.nix b/nixos/mirai/services/home-assistant.nix new file mode 100644 index 00000000..a23316d8 --- /dev/null +++ b/nixos/mirai/services/home-assistant.nix 
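Review bot: `authentication_backend.file.path = "/run/secrets/users"` hard-codes the location of the sops secret whose owner is set in the `sops.secrets` block at the top of the file (`users.owner = ...`), while the three secrets in the `secrets` block below are referenced through `config.sops.secrets.<name>.path`. Writing `path = config.sops.secrets.users.path;` keeps the two in step if the secret's name or sops' symlink location changes. The `"authelia/users/servius"` secret is declared here but nothing in this file reads it; if it is consumed elsewhere, a one-line comment saying where would help the next reader.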
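Review bot: The import list leaves `# ./nextcloud.nix` and `# ./jellyfin.nix` commented out, while the deleted services.nix had both `nextcloud.enable = true` and `jellyfin.enable = true`, and the new navidrome.nix flips `navidrome.enable` from false to true. So the commit changes which services run, which the "split into their own files" subject does not say. If that is intended, state it in the commit message; otherwise import the two files and keep `enable = false;` in navidrome.nix. The same behaviour change applies to the navidrome.nix hunk.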
@@ -0,0 +1,41 @@ +{ + config, + pkgs, + ... +}: { + services = { + home-assistant = { + enable = false; + extraComponents = [ + "esphome" + "met" + "radio_browser" + "wiz" + ]; + customComponents = [ + pkgs.home-assistant-custom-components.auth-header + ]; + config = { + default_config = {}; + http = { + server_host = "::1"; + trusted_proxies = ["::1"]; + use_x_forwarded_for = true; + }; + auth_header = { + username_header = "Remote-User"; + }; + }; + }; + caddy = { + virtualHosts."home.darksailor.dev".extraConfig = '' + forward_auth localhost:5555 { + uri /api/authz/forward-auth + copy_headers Remote-User Remote-Groups Remote-Email Remote-Name + } + reverse_proxy localhost:8123 + + ''; + }; + }; +} diff --git a/nixos/mirai/services/jellyfin.nix b/nixos/mirai/services/jellyfin.nix new file mode 100644 index 00000000..c38f97d9 --- /dev/null +++ b/nixos/mirai/services/jellyfin.nix @@ -0,0 +1,13 @@ +{...}: { + services = { + jellyfin = { + enable = true; + openFirewall = true; + }; + caddy = { + virtualHosts."media.darksailor.dev".extraConfig = '' + reverse_proxy localhost:8096 + ''; + }; + }; +} diff --git a/nixos/mirai/services/llama.nix b/nixos/mirai/services/llama.nix new file mode 100644 index 00000000..1f73caba --- /dev/null +++ b/nixos/mirai/services/llama.nix 
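Review bot: `home-assistant.enable = false` but the Caddy vhost `home.darksailor.dev` further down is defined unconditionally, so Caddy keeps serving (and obtaining a certificate for) a hostname that forwards authenticated users to a port with nothing listening. Guarding the vhost with `lib.mkIf config.services.home-assistant.enable` (adding `lib` to the module arguments) keeps the two in step; it would also give the `config` argument a use, since nothing in the file references it today and only `pkgs` is needed.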
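Review bot: `openFirewall = true` exposes Jellyfin's own listener on the host firewall even though `media.darksailor.dev` is fronted by Caddy, so the reverse proxy (and any forward_auth later placed on that vhost) can be bypassed by connecting to the Jellyfin port directly. Unless LAN clients need direct access, keep the service behind Caddy with `openFirewall = false;`. Note that default.nix leaves `./jellyfin.nix` commented out, so this file has no effect until it is imported.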
@@ -0,0 +1,98 @@ +{config, ...}: { + sops = { + secrets."llama/api_key".owner = config.services.caddy.user; + secrets."llama/user".owner = config.services.caddy.user; + }; + services = { + ollama = { + enable = true; + loadModels = ["RobinBially/nomic-embed-text-8k" "mistral"]; + port = 11434; + host = "0.0.0.0"; + environmentVariables = { + OLLAMA_ORIGINS = "*"; + }; + }; + nextjs-ollama-llm-ui = { + enable = true; + port = 5096; + ollamaUrl = "https://llama.darksailor.dev/api/ollama"; + }; + # llama-cpp = { + # enable = false; + # host = "127.0.0.1"; + # port = 3000; + # model = builtins.fetchurl { + # name = "qwen_2.5.1_coder_7b_instruct_gguf"; + # sha256 = "61834b88c1a1ce5c277028a98c4a0c94a564210290992a7ba301bbef96ef8eba"; + # url = "https://huggingface.co/bartowski/Qwen2.5.1-Coder-7B-Instruct-GGUF/resolve/main/Qwen2.5.1-Coder-7B-Instruct-Q8_0.gguf?download=true"; + # }; + # }; + # nginx.virtualHosts."${config.services.nextcloud.hostName}".listen = [ + # { + # addr = "127.0.0.1"; + # port = 8080; # NOT an exposed port + # } + # ]; + caddy = { + virtualHosts."llama.darksailor.dev".extraConfig = '' + handle /api/v1/* { + uri strip_prefix /api/v1 + reverse_proxy localhost:3000 + + @apikey { + header Authorization "Bearer {env.LLAMA_API_KEY}" + } + + handle @apikey { + header { + # Set response headers or proxy to a different service if API key is valid + Access-Control-Allow-Origin * + -Authorization "Bearer {env.LLAMA_API_KEY}" # Remove the header after validation + } + reverse_proxy localhost:11434 + } + + handle { + respond "Unauthorized" 403 + } + } + + handle /api/ollama/* { + uri strip_prefix /api/ollama + reverse_proxy localhost:11434 + + @apikey { + header Authorization "Bearer {env.LLAMA_API_KEY}" + } + + handle @apikey { + header { + # Set response headers or proxy to a different service if API key is valid + Access-Control-Allow-Origin * + -Authorization "Bearer {env.LLAMA_API_KEY}" # Remove the header after validation + } + reverse_proxy 
localhost:11434 + } + + handle { + respond "Unauthorized" 403 + } + } + + handle { + forward_auth localhost:5555 { + uri /api/authz/forward-auth + copy_headers Remote-User Remote-Groups Remote-Email Remote-Name + } + reverse_proxy localhost:5096 + } + ''; + }; + }; + systemd.services.caddy = { + serviceConfig = { + EnvironmentFile = config.sops.templates."LLAMA_API_KEY.env".path; + }; + }; +} diff --git a/nixos/mirai/services/navidrome.nix b/nixos/mirai/services/navidrome.nix new file mode 100644 index 00000000..0bc48634 --- /dev/null +++ b/nixos/mirai/services/navidrome.nix @@ -0,0 +1,21 @@ +{...}: { + services = { + navidrome = { + enable = true; + settings = { + MusicFolder = "/media/music"; + ReverseProxyUserHeader = "Remote-User"; + ReverseProxyWhitelist = "127.0.0.1/32"; + }; + }; + caddy = { + virtualHosts."music.darksailor.dev".extraConfig = '' + forward_auth localhost:5555 { + uri /api/authz/forward-auth + copy_headers Remote-User Remote-Groups Remote-Email Remote-Name + } + reverse_proxy localhost:4533 + ''; + }; + }; +} diff --git a/nixos/mirai/services/nextcloud.nix b/nixos/mirai/services/nextcloud.nix new file mode 100644 index 00000000..48d12ec3 --- /dev/null +++ b/nixos/mirai/services/nextcloud.nix @@ -0,0 +1,31 @@ +{ + config, + pkgs, + ... +}: { + sops = { + secrets."nextcloud/adminpass".owner = config.users.users.nextcloud.name; + }; + services = { + nextcloud = { + enable = true; + package = pkgs.nextcloud30; + hostName = "cloud.darksailor.dev"; + config.adminuser = "servius"; + config.adminpassFile = config.sops.secrets."nextcloud/adminpass".path; + configureRedis = true; + https = true; + }; + caddy = { + virtualHosts."cloud.darksailor.dev".extraConfig = '' + reverse_proxy localhost:8080 + ''; + }; + }; + nginx.virtualHosts."${config.services.nextcloud.hostName}".listen = [ + { + addr = "127.0.0.1"; + port = 8080; # NOT an exposed port + } + ]; +} diff --git a/server/facter.json b/server/facter.json index 06194725..b910dba3 100644 
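Review bot: `ollama.host = "0.0.0.0"` together with `OLLAMA_ORIGINS = "*"` binds the Ollama API on every interface, so the Bearer-key gate the Caddy vhost builds for `/api/ollama/*` only protects the public hostname; any host that can reach port 11434 directly (LAN, tailscale) uses the API with no key. If that direct access is not intended, `host = "127.0.0.1";` closes it and Caddy still reaches it via localhost. Separately, the comment `# Remove the header after validation` next to `-Authorization` is misleading: Caddy's `header` directive edits the response, so the client's Authorization header is still forwarded upstream, and stripping it before proxying takes `request_header -Authorization`. The `reverse_proxy localhost:3000` line in the `/api/v1/*` block also looks dead, since llama-cpp is commented out and the nested `handle` blocks route every request to 11434 or a 403.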
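Review bot: `nginx.virtualHosts."${config.services.nextcloud.hostName}".listen` is placed after the closing `};` of `services`, i.e. at the module's top level, whereas in the deleted services.nix it sat inside `services`; as written NixOS will reject it (the option `nginx` does not exist) as soon as this file is imported. Change the line to `services.nginx.virtualHosts."${config.services.nextcloud.hostName}".listen = [` or move the block back inside the `services` set. The error is hidden for now because default.nix comments out `./nextcloud.nix`, so it will only surface when that import is restored.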
--- a/server/facter.json
+++ b/server/facter.json
@@ -2032,7 +2032,7 @@
 "[13]",
 "[14]"
 ],
- "bogo": 7585.36,
+ "bogo": 7585.32,
 "cache": 1024,
 "units": 16,
 "physical_id": 0,
@@ -3232,7 +3232,7 @@
 "resources": [
 {
 "type": "irq",
- "base": 121,
+ "base": 126,
 "triggered": 0,
 "enabled": true
 },
@@ -3250,7 +3250,7 @@
 "command": 7,
 "header_type": 0,
 "secondary_bus": 0,
- "irq": 121,
+ "irq": 126,
 "prog_if": 0
 },
 "driver": "snd_rpl_pci_acp6x",
@@ -3712,7 +3712,7 @@
 "resources": [
 {
 "type": "irq",
- "base": 48,
+ "base": 47,
 "triggered": 0,
 "enabled": true
 },
@@ -3730,7 +3730,7 @@
 "command": 1030,
 "header_type": 0,
 "secondary_bus": 0,
- "irq": 48,
+ "irq": 47,
 "prog_if": 2
 },
 "driver": "nvme",
@@ -3795,7 +3795,7 @@
 "resources": [
 {
 "type": "irq",
- "base": 47,
+ "base": 48,
 "triggered": 0,
 "enabled": true
 },
@@ -3813,7 +3813,7 @@
 "command": 1030,
 "header_type": 0,
 "secondary_bus": 0,
- "irq": 47,
+ "irq": 48,
 "prog_if": 2
 },
 "driver": "nvme",