From 8e31bd6c02c81b38e762762f6977404775151856 Mon Sep 17 00:00:00 2001
From: emptyynes
Date: Sun, 19 Oct 2025 11:14:51 +0700
Subject: [PATCH] temporary chaos

---
 debug.sh | 1 -
 desktops/aqore-nix/bootloader.nix | 9 --
 desktops/aqore-nix/packages.nix | 9 +-
 docker-compose.yml | 68 +++++++++++
 flake.nix | 80 +++++++++++--
 secret.nix | 1 +
 servers/artemisia/main.nix | 6 +-
 servers/artemisia/nginx.nix | 6 +-
 servers/common/ssh.nix | 4 +-
 servers/common/xray.nix | 5 +-
 servers/ivan/nginx.nix | 4 +-
 .../hardware-configuration.nix | 4 +-
 servers/kotori/hysteria.nix | 11 ++
 servers/kotori/main.nix | 37 ++++++
 servers/kotori/nginx.nix | 35 ++++++
 servers/kristine/hardware-configuration.nix | 27 +++++
 servers/{vanessa => kristine}/main.nix | 8 +-
 servers/{vanessa => kristine}/nginx.nix | 8 +-
 servers/mio/hardware-configuration.nix | 27 ++++-
 servers/mio/main.nix | 47 +-------
 servers/mio/nginx.nix | 12 +-
 servers/reine/firewall.nix | 2 +-
 servers/reine/jellyfin.nix | 18 ++-
 servers/reine/main.nix | 22 +++-
 servers/reine/n8n.nix | 108 ++++++++++++++++++
 servers/reine/nginx.nix | 15 ++-
 servers/reine/qbittorrent.nix | 22 ++++
 27 files changed, 490 insertions(+), 106 deletions(-)
 delete mode 100644 debug.sh
 create mode 100644 docker-compose.yml
 rename servers/{vanessa => kotori}/hardware-configuration.nix (91%)
 create mode 100644 servers/kotori/hysteria.nix
 create mode 100644 servers/kotori/main.nix
 create mode 100644 servers/kotori/nginx.nix
 create mode 100644 servers/kristine/hardware-configuration.nix
 rename servers/{vanessa => kristine}/main.nix (79%)
 rename servers/{vanessa => kristine}/nginx.nix (71%)
 create mode 100644 servers/reine/n8n.nix
 create mode 100644 servers/reine/qbittorrent.nix

diff --git a/debug.sh b/debug.sh
deleted file mode 100644
index f0afaba..0000000
--- a/debug.sh
+++ /dev/null
@@ -1 +0,0 @@
-nix repl --extra-experimental-features 'flakes' .
\ No newline at end of file
diff --git a/desktops/aqore-nix/bootloader.nix b/desktops/aqore-nix/bootloader.nix index c0c1fb1..36227f6 100644 --- a/desktops/aqore-nix/bootloader.nix +++ b/desktops/aqore-nix/bootloader.nix @@ -22,14 +22,5 @@ ''; }; }; - - binfmt.registrations.appimage = { - wrapInterpreterInShell = false; - interpreter = "${pkgs.appimage-run}/bin/appimage-run"; - recognitionType = "magic"; - offset = 0; - mask = ''\xff\xff\xff\xff\x00\x00\x00\x00\xff\xff\xff''; - magicOrExtension = ''\x7fELF....AI\x02''; - }; }; } \ No newline at end of file diff --git a/desktops/aqore-nix/packages.nix b/desktops/aqore-nix/packages.nix index 7a83a8b..24bfccf 100644 --- a/desktops/aqore-nix/packages.nix +++ b/desktops/aqore-nix/packages.nix @@ -1,4 +1,4 @@ -{ config, pkgs, emptypkgs, ... }: +{ config, pkgs, pkgs-unstable, ... }: { nixpkgs.config.allowUnfree = true; @@ -10,6 +10,10 @@ programs = { amnezia-vpn.enable = true; + appimage = { + enable = true; + binfmt = true; + }; nekoray = { enable = true; tunMode.enable = true; @@ -22,9 +26,7 @@ }; firefox = { enable = true; - preferencesStatus = "user"; }; - chromium.enable = true; fish.enable = true; screen.enable = true; bat.enable = true; @@ -41,6 +43,7 @@ qbittorrent nicotine-plus mumble + chromium # media gimp krita diff --git a/docker-compose.yml b/docker-compose.yml new file mode 100644 index 0000000..29390c2 --- /dev/null +++ b/docker-compose.yml 
@@ -0,0 +1,68 @@
+name: mythictable
+
+version: '3.8'
+
+services:
+  mythictable-backend:
+    build:
+      context: .
+      dockerfile: server/src/MythicTable/Dockerfile
+    ports:
+      - "5000:80"
+    environment:
+      - NODE_ENV=development
+      - MTT_AUTH_SERVICE_URL=http://keycloak:80
+      - MTT_MONGODB_CONNECTIONSTRING=mongodb://admin:abc123!@mongodb:28017
+      - MTT_MONGODB_DATABASENAME=mythictable
+      - MTT_REDIS_CONN_STRING=redis://redis:6479
+    depends_on:
+      - mongodb
+      - redis
+      - keycloak
+
+  mythictable-frontend:
+    build:
+      context: .
+      dockerfile: html/Dockerfile
+    ports:
+      - "3000:3000"
+    environment:
+      - NODE_ENV=development
+    depends_on:
+      - mythictable-backend
+
+  keycloak:
+    build:
+      context: ./mythic-key
+      dockerfile: Dockerfile
+    ports:
+      - "5002:80"
+    environment:
+      - KEYCLOAK_USER=admin
+      - KEYCLOAK_PASSWORD=admin
+    depends_on:
+      - mongodb
+
+  mongodb:
+    image: mongo:latest
+    ports:
+      - "28017:27017"
+      - "28018:27018"
+      - "28019:27019"
+    volumes:
+      - mongodb_data:/data/db
+    environment:
+      - MONGO_INITDB_ROOT_USERNAME=admin
+      - MONGO_INITDB_ROOT_PASSWORD=abc123!
+    command: ["--auth"]
+
+  redis:
+    image: redis:latest
+    ports:
+      - "6479:6379"
+    volumes:
+      - redis_data:/data
+
+volumes:
+  mongodb_data:
+  redis_data:
\ No newline at end of file
diff --git a/flake.nix b/flake.nix
index 0542514..dd94908 100644
--- a/flake.nix
+++ b/flake.nix
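Review bot: The service-to-service addresses in the backend's environment use the host-published ports rather than the container ports: `MTT_MONGODB_CONNECTIONSTRING=mongodb://admin:abc123!@mongodb:28017` and `MTT_REDIS_CONN_STRING=redis://redis:6479`, while on the compose network `mongodb` listens on 27017 and `redis` on 6379 (the 28017/6479 mappings exist only on the host side), so the backend cannot reach either. Use `mongodb://admin:<password>@mongodb:27017` and `redis://redis:6379`, and move the Mongo root password and the `KEYCLOAK_USER`/`KEYCLOAK_PASSWORD` pair out of the committed file into an env file or compose secrets, since `abc123!` and `admin`/`admin` are now in repository history. The three `mongodb` port mappings also bind on every host interface; prefix them with `127.0.0.1:` or drop them unless something outside compose needs the database. The build contexts (`server/src/MythicTable/Dockerfile`, `html/Dockerfile`, `./mythic-key`) do not correspond to anything else in this NixOS flake, so the file looks like it landed in the wrong repository — plausible given the subject line, but worth confirming before it is deployed anywhere.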
@@ -5,8 +5,16 @@ nixpkgs.url = "nixpkgs/nixos-25.05"; nixpkgs-unstable.url = "github:nixos/nixpkgs/nixos-unstable"; secret.url = "git+ssh://forgejo@git.project-a.space/Project-A/project-secret.git"; - project-a-software.url = "git+ssh://forgejo@git.project-a.space/Project-A/project-software.git"; + deploy-rs = { + url = "github:serokell/deploy-rs"; + inputs.nixpkgs.follows = "nixpkgs"; + }; + project-a-software = { + url = "git+ssh://forgejo@git.project-a.space/Project-A/project-software.git"; + inputs.nixpkgs.follows = "nixpkgs"; + inputs.nixpkgs-unstable.follows = "nixpkgs-unstable"; + }; home-manager = { url = "github:nix-community/home-manager/release-25.05"; inputs.nixpkgs.follows = "nixpkgs"; @@ -22,6 +30,7 @@ nixpkgs, nixpkgs-unstable, project-a-software, + deploy-rs, home-manager, winapps, secret, @@ -31,9 +40,12 @@ nixosServer = { name, system ? linux64, modules ? [] }: nixpkgs.lib.nixosSystem { system = system; - specialArgs.pkgs-unstable = nixpkgs-unstable.legacyPackages.${system}; - specialArgs.secret = secret.${name}; - specialArgs.common-secret = secret.common; + specialArgs = { + pkgs-unstable = import nixpkgs-unstable { system = linux64; config.allowUnfree = true; }; + pkgs-projecta = project-a-software.packages.${system}; + secret = secret.${name}; + common-secret = secret.common; + }; modules = [ ./servers/common/main.nix ./servers/${name}/main.nix 
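Review bot: In the new `specialArgs` block `pkgs-unstable` is built with `system = linux64;` although `nixosServer` takes `system` as a parameter and the sibling line `pkgs-projecta = project-a-software.packages.${system};` honours it, so a caller passing another `system` would silently get x86_64 unstable packages. Change it to `pkgs-unstable = import nixpkgs-unstable { inherit system; config.allowUnfree = true; };`. Every current node uses the default, so nothing breaks today. The same `import nixpkgs-unstable { … }` expression is repeated for `aqore-nix` in the next hunk; a single `let` helper such as `unstableFor = system: import nixpkgs-unstable { inherit system; config.allowUnfree = true; };` would keep the two in step.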
@@ -41,17 +53,18 @@ }; in { nixosConfigurations = { - artemisia = nixosServer { name = "artemisia"; modules = [ project-a-software.marzban ]; }; - reine = nixosServer { name = "reine"; modules = [ project-a-software.affine ]; }; - mio = nixosServer { name = "mio"; modules = [ project-a-software.marzban ]; }; - ivan = nixosServer { name = "ivan"; modules = [ project-a-software.marzban ]; }; - vanessa = nixosServer { name = "vanessa"; modules = [ project-a-software.marzban ]; }; + artemisia = nixosServer { name = "artemisia"; modules = [ project-a-software.nixosModules.marzban ]; }; + reine = nixosServer { name = "reine"; modules = [ project-a-software.nixosModules.affine ]; }; + ivan = nixosServer { name = "ivan"; modules = [ project-a-software.nixosModules.marzban ]; }; + kotori = nixosServer { name = "kotori"; modules = [ project-a-software.nixosModules.marzban ]; }; + mio = nixosServer { name = "mio"; modules = [ ]; }; + kristine = nixosServer { name = "kristine"; modules = [ project-a-software.nixosModules.marzban ]; }; aqore-nix = nixpkgs.lib.nixosSystem { system = linux64; specialArgs = { inherit winapps; - pkgs-unstable = nixpkgs-unstable.legacyPackages.${linux64}; + pkgs-unstable = import nixpkgs-unstable { system = linux64; config.allowUnfree = true; }; }; modules = [ ./desktops/aqore-nix/main.nix 
@@ -64,10 +77,57 @@ environment.systemPackages = [ winapps.packages."${linux64}".winapps winapps.packages."${linux64}".winapps-launcher + deploy-rs.packages."${linux64}".deploy-rs ]; }) ]; }; }; + + deploy.nodes = let serverNode = name: { + hostname = "${name}.project-a.space"; + profiles.system = { + user = "root"; + path = deploy-rs.lib.x86_64-linux.activate.nixos self.nixosConfigurations.${name}; + }; + sshUser = "in5ar"; + sshOpts = [ "-p" "1004" ]; + }; + in { + artemisia = serverNode "artemisia"; + reine = { + hostname = "192.168.0.3"; + profiles.system = { + user = "root"; + path = deploy-rs.lib.x86_64-linux.activate.nixos self.nixosConfigurations.reine; + }; + sshUser = "in5ar"; + sshOpts = [ "-p" "1004" ]; + }; + ivan = serverNode "ivan"; + kotori = serverNode "kotori"; + mio = serverNode "mio"; + kristine = serverNode "kristine"; + }; + + devShells = nixpkgs.lib.genAttrs [ "x86_64-linux" ] (system: { + default = let + pkgs = nixpkgs.legacyPackages.${system}; + prompt = ''function fish_prompt; set_color red; echo -n "Project-A/debug> "; set_color normal; end''; + inspect = ''function inspect; nix repl .; end;''; + inspect-nixpkgs = ''function inspect-nixpkgs; nix repl nixpkgs; end;''; + included-functions = "${inspect} ${inspect-nixpkgs}"; + in pkgs.mkShell { + buildInputs = []; + shellHook = '' + printf "Welcome to the \033[1;31mProject-A\033[0m dev shell!\n" + + if [ -z "$FISH_VERSION" ] && [ -x "${pkgs.fish}/bin/fish" ]; then + exec ${pkgs.fish}/bin/fish --init-command '${prompt}; ${included-functions}' + fi + ''; + }; + } + ); }; } \ No newline at end of file diff --git a/secret.nix b/secret.nix index e0269bd..bf133c3 100644 --- a/secret.nix +++ b/secret.nix @@ -37,6 +37,7 @@ in { reine = { yggdrasil.PrivateKey = mkOption { type = str; default = ""; }; affine = affine-config; + qbt-password = mkOption { type = str; default = ""; }; }; common = { yggdrasil = { 
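Review bot: The `reine` entry in `deploy.nodes` repeats the whole `serverNode` body only to substitute `192.168.0.3` for the generated hostname, so the four shared fields now live in two places and will drift. Let the helper take the hostname instead (below); `reine` then becomes a one-liner like the others. `devShells` enumerates `[ "x86_64-linux" ]` and the profiles spell out `deploy-rs.lib.x86_64-linux` while `linux64` is already bound for this purpose in the same `let`; using it throughout keeps one source of truth. The enclosing `outputs` function starts before this hunk.
```nix
deploy.nodes = let
  # serverNodeAt: deploy-rs node for `name`, reached at an explicit `hostname`.
  serverNodeAt = name: hostname: {
    inherit hostname;
    profiles.system = {
      user = "root";
      path = deploy-rs.lib.x86_64-linux.activate.nixos self.nixosConfigurations.${name};
    };
    sshUser = "in5ar";
    sshOpts = [ "-p" "1004" ];
  };
  # serverNode: the common case, hostname derived from the node name.
  serverNode = name: serverNodeAt name "${name}.project-a.space";
in {
  artemisia = serverNode "artemisia";
  reine = serverNodeAt "reine" "192.168.0.3";
  # … unchanged: ivan, kotori, mio, kristine …
};
```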
diff --git a/servers/artemisia/main.nix b/servers/artemisia/main.nix index 7f8aa8d..b78e38d 100644 --- a/servers/artemisia/main.nix +++ b/servers/artemisia/main.nix @@ -33,5 +33,9 @@ }; }; - networking.firewall.allowedTCPPorts = [ secret.marzban.port ]; + environment.systemPackages = with pkgs; [ + temurin-jre-bin-24 + ]; + + networking.firewall.allowedTCPPorts = [ secret.marzban.port 4001 ]; } \ No newline at end of file diff --git a/servers/artemisia/nginx.nix b/servers/artemisia/nginx.nix index b610554..11b42d4 100644 --- a/servers/artemisia/nginx.nix +++ b/servers/artemisia/nginx.nix @@ -1,7 +1,7 @@ { config, pkgs, ... }: { - security.acme.defaults.email = "porject-a@project-a.space"; + security.acme.defaults.email = "project-a@project-a.space"; security.acme.acceptTerms = true; services.nginx = { @@ -36,9 +36,11 @@ server { listen 0.0.0.0:443; - listen [::0]:443; proxy_pass $name; ssl_preread on; + + proxy_connect_timeout 5s; + proxy_timeout 60s; } ''; }; diff --git a/servers/common/ssh.nix b/servers/common/ssh.nix index ae9bb56..078f5f8 100644 --- a/servers/common/ssh.nix +++ b/servers/common/ssh.nix @@ -6,7 +6,7 @@ ports = [ 1004 ]; settings = { AllowGroups = [ "remote" ]; - PasswordAuthentication = false; + PasswordAuthentication = true; }; }; -} \ No newline at end of file +} diff --git a/servers/common/xray.nix b/servers/common/xray.nix index f3940fc..71d6741 100644 --- a/servers/common/xray.nix +++ b/servers/common/xray.nix @@ -33,11 +33,8 @@ show = false; dest = dest; xver = 0; - serverNames = [ - sni - ]; + serverNames = sni; privateKey = privateKey; - SpiderX = spiderX; shortIds = [ shortId ]; diff --git a/servers/ivan/nginx.nix b/servers/ivan/nginx.nix index 834f6ef..bd21fb1 100644 --- a/servers/ivan/nginx.nix +++ b/servers/ivan/nginx.nix @@ -19,9 +19,11 @@ server { listen 0.0.0.0:443; - listen [::0]:443; proxy_pass $name; ssl_preread on; + + proxy_connect_timeout 5s; + proxy_timeout 60s; } ''; }; 
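Review bot: `4001` is added to `allowedTCPPorts` as a bare number with nothing saying which service listens there, and the same commit opens it on reine for both TCP and UDP (servers/reine/main.nix) but only TCP here, so a reader cannot tell whether the asymmetry is intended. The only hint is the `temurin-jre-bin-24` package added alongside it on both hosts. Give the port a name and a reason, e.g. `networking.firewall.allowedTCPPorts = [ secret.marzban.port 4001 ]; # 4001: <name the listener>`, or bind it like the marzban ports so the intent travels with the value.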
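Review bot: Dropping `listen [::0]:443;` leaves the SNI stream proxy on IPv4 only, and the same deletion is repeated for ivan (later on this line), kristine and mio further down, with the new kotori config never having it; if any of these names carry AAAA records, IPv6 clients will now be refused on 443 while the listeners behind the proxy are unchanged. If the hosts genuinely have no IPv6, record that so the line is not reinstated by copy-paste, e.g. `listen 0.0.0.0:443; # IPv4 only: no v6 address on these hosts` — otherwise keep a `[::]:443` listener. The added `proxy_connect_timeout 5s;` / `proxy_timeout 60s;` are sensible for TLS passthrough, but 60s of silence in either direction closes the session, so confirm that fits the tunnel's keepalive.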
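Review bot: `PasswordAuthentication = true;` lands in servers/common/ssh.nix, which every node shares through `./servers/common/main.nix` in flake.nix (assuming that file imports ssh.nix), so this one-line flip re-enables password logins on all servers — including kotori, kristine and mio, which receive public addresses elsewhere in this patch — not just on whichever host is being bootstrapped. `AllowGroups = [ "remote" ]` and the non-default port 1004 narrow the exposure but do not substitute for key-only authentication against online guessing. Keep `PasswordAuthentication = false;` here and, if a fresh install needs passwords for a while, override it in that host's own main.nix with `services.openssh.settings.PasswordAuthentication = lib.mkForce true;` plus a comment naming when it comes out. `KbdInteractiveAuthentication` is a separate sshd setting that this file leaves at its default; it belongs next to this one.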
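Review bot: `serverNames = sni;` changes the contract of this helper — `sni` must now already be a list — whereas the call sites in this same patch (servers/kotori/main.nix, servers/kristine/main.nix) still pass `sni = secret.marzban.sni;` unchanged, so unless the secret was switched to a list at the same time the rendered `serverNames` is a string and the reality config is invalid. Accept both shapes: `serverNames = if builtins.isList sni then sni else [ sni ];`. `SpiderX = spiderX;` is removed while the callers still pass `spiderX`; the function header is outside the hunk, so if it still declares the parameter this is merely dead, but a short comment on why SpiderX was dropped would save the next reader a search.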
diff --git a/servers/vanessa/hardware-configuration.nix b/servers/kotori/hardware-configuration.nix similarity index 91% rename from servers/vanessa/hardware-configuration.nix rename to servers/kotori/hardware-configuration.nix index b672a51..b25b7e7 100644 --- a/servers/vanessa/hardware-configuration.nix +++ b/servers/kotori/hardware-configuration.nix @@ -7,12 +7,12 @@ fileSystems."/" = { device = "/dev/vda2"; fsType = "ext4"; }; networking = { - hostName = "vanessa"; + hostName = "kotori"; interfaces.ens3 = { useDHCP = false; ipv4 = { addresses = [{ - address = "138.124.112.127"; + address = "82.117.84.90"; prefixLength = 32; }]; routes = [{ diff --git a/servers/kotori/hysteria.nix b/servers/kotori/hysteria.nix new file mode 100644 index 0000000..0208769 --- /dev/null +++ b/servers/kotori/hysteria.nix @@ -0,0 +1,11 @@ +# { config, pkgs, secret, ... }: + +# { +# # services.hysteria = { +# # enable = true; +# # server = { +# # enable = true; +# # openFirewall = true; +# # }; +# # }; +# } \ No newline at end of file diff --git a/servers/kotori/main.nix b/servers/kotori/main.nix new file mode 100644 index 0000000..62f4dd6 --- /dev/null +++ b/servers/kotori/main.nix 
@@ -0,0 +1,37 @@ +{ config, pkgs, secret, ... }: + +{ + imports = [ + ./hardware-configuration.nix + ./nginx.nix + # ./hysteria.nix + ]; + + environment.systemPackages = with pkgs; [ + hysteria + ]; + + services.yggdrasil.persistentKeys = true; + marzban = { + env = { + UVICORN_HOST = "kotori.project-a.space"; + UVICORN_PORT = secret.marzban.port; + SUDO_USERNAME = secret.marzban.sudo-username; + SUDO_PASSWORD = secret.marzban.sudo-password; + DOCS = true; + }; + cert = true; + domain = "kotori.project-a.space"; + xray = import ../common/xray.nix { + server-domain = "kotori.project-a.space"; + port = secret.marzban.vless-port; + dest = secret.marzban.dest; + privateKey = secret.marzban.privateKey; + shortId = secret.marzban.shortId; + spiderX = secret.marzban.spiderX; + sni = secret.marzban.sni; + }; + }; + + networking.firewall.allowedTCPPorts = [ secret.marzban.port secret.marzban.vless-port ]; +} \ No newline at end of file diff --git a/servers/kotori/nginx.nix b/servers/kotori/nginx.nix new file mode 100644 index 0000000..22e08cd --- /dev/null +++ b/servers/kotori/nginx.nix @@ -0,0 +1,35 @@ +{ config, pkgs, ... }: + +{ + security.acme.defaults.email = "project-a@project-a.space"; + security.acme.acceptTerms = true; + + services.nginx = { + enable = true; + defaultSSLListenPort = 444; + + streamConfig = '' + map $ssl_preread_server_name $name { + nya.project-a.space hysteria; + default marzban; + } + + upstream marzban { + server 127.0.0.1:1080; + } + + upstream hysteria { + server 127.0.0.1:445; + } + + server { + listen 0.0.0.0:443; + proxy_pass $name; + ssl_preread on; + + proxy_connect_timeout 5s; + proxy_timeout 60s; + } + ''; + }; +} \ No newline at end of file diff --git a/servers/kristine/hardware-configuration.nix b/servers/kristine/hardware-configuration.nix new file mode 100644 index 0000000..c614ee7 --- /dev/null +++ b/servers/kristine/hardware-configuration.nix 
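Review bot: The `map` sends `nya.project-a.space` to the `hysteria` upstream at `127.0.0.1:445`, but nothing in this commit listens there: servers/kotori/hysteria.nix is entirely commented out and servers/kotori/main.nix references it only as `# ./hysteria.nix` (it just installs the `hysteria` package). Until the service exists nginx will accept the SNI and then fail the connect, so either remove the entry or mark it as pending, e.g. `# nya.project-a.space hysteria;  # enable together with ./hysteria.nix`. If this hysteria is the QUIC-based proxy, a TCP `ssl_preread` stream cannot carry it and the route would belong on a UDP listener — worth confirming before it is wired in. `defaultSSLListenPort = 444;` next to the stream server on 443 deserves a one-line comment explaining that HTTP vhosts sit behind the SNI router.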
@@ -0,0 +1,27 @@ +{ modulesPath, ... }: +{ + imports = [ (modulesPath + "/profiles/qemu-guest.nix") ]; + boot.loader.grub.device = "/dev/vda"; + boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "xen_blkfront" "vmw_pvscsi" ]; + boot.initrd.kernelModules = [ "nvme" ]; + fileSystems."/" = { device = "/dev/vda2"; fsType = "ext4"; }; + + networking = { + hostName = "kristine"; + interfaces.ens3 = { + useDHCP = false; + ipv4 = { + addresses = [{ + address = "147.45.49.65"; + prefixLength = 24; + }]; + }; + }; + defaultGateway = "147.45.49.1"; + nameservers = ["1.1.1.1"]; + }; + + boot.tmp.cleanOnBoot = true; + zramSwap.enable = true; + system.stateVersion = "25.05"; +} \ No newline at end of file diff --git a/servers/vanessa/main.nix b/servers/kristine/main.nix similarity index 79% rename from servers/vanessa/main.nix rename to servers/kristine/main.nix index b1ed2dc..89d67a0 100644 --- a/servers/vanessa/main.nix +++ b/servers/kristine/main.nix @@ -5,20 +5,22 @@ ./hardware-configuration.nix ./nginx.nix ]; + + environment.systemPackages = with pkgs; []; services.yggdrasil.persistentKeys = true; marzban = { env = { - UVICORN_HOST = "vanessa.project-a.space"; + UVICORN_HOST = "kristine.project-a.space"; UVICORN_PORT = secret.marzban.port; SUDO_USERNAME = secret.marzban.sudo-username; SUDO_PASSWORD = secret.marzban.sudo-password; DOCS = true; }; cert = true; - domain = "vanessa.project-a.space"; + domain = "kristine.project-a.space"; xray = import ../common/xray.nix { - server-domain = "vanessa.project-a.space"; + server-domain = "kristine.project-a.space"; port = secret.marzban.vless-port; dest = secret.marzban.dest; privateKey = secret.marzban.privateKey; diff --git a/servers/vanessa/nginx.nix b/servers/kristine/nginx.nix similarity index 71% rename from servers/vanessa/nginx.nix rename to servers/kristine/nginx.nix index 0441481..2af6b61 100644 --- a/servers/vanessa/nginx.nix +++ b/servers/kristine/nginx.nix 
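Review bot: `environment.systemPackages = with pkgs; [];` adds an empty list and nothing else, so the `with pkgs;` scope is unused and the line is noise; either drop it or keep a real entry. kotori's main.nix in the same patch does install something here (`hysteria`), so a comment such as `environment.systemPackages = with pkgs; []; # no host-specific packages yet` would make the asymmetry deliberate rather than look like a half-edited copy. The rest of the rename is a straight vanessa→kristine substitution.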
@@ -1,7 +1,7 @@ { config, pkgs, ... }: { - security.acme.defaults.email = "porject-a@project-a.space"; + security.acme.defaults.email = "project-a@project-a.space"; security.acme.acceptTerms = true; services.nginx = { @@ -10,7 +10,7 @@ streamConfig = '' map $ssl_preread_server_name $name { - default marzban; + default marzban; } upstream marzban { @@ -19,9 +19,11 @@ server { listen 0.0.0.0:443; - listen [::0]:443; proxy_pass $name; ssl_preread on; + + proxy_connect_timeout 5s; + proxy_timeout 60s; } ''; }; diff --git a/servers/mio/hardware-configuration.nix b/servers/mio/hardware-configuration.nix index 9865255..3555492 100644 --- a/servers/mio/hardware-configuration.nix +++ b/servers/mio/hardware-configuration.nix @@ -1,8 +1,31 @@ { modulesPath, ... }: { imports = [ (modulesPath + "/profiles/qemu-guest.nix") ]; - boot.loader.grub.device = "/dev/sda"; + boot.loader.grub.device = "/dev/vda"; boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "xen_blkfront" "vmw_pvscsi" ]; boot.initrd.kernelModules = [ "nvme" ]; - fileSystems."/" = { device = "/dev/sda1"; fsType = "ext4"; }; + fileSystems."/" = { device = "/dev/vda2"; fsType = "ext4"; }; + + networking = { + hostName = "mio"; + interfaces.ens3 = { + useDHCP = false; + ipv4 = { + addresses = [{ + address = "62.60.177.69"; + prefixLength = 32; + }]; + routes = [{ + address = "10.0.0.1"; + prefixLength = 32; + }]; + }; + }; + defaultGateway = "10.0.0.1"; + nameservers = ["1.1.1.1"]; + }; + + boot.tmp.cleanOnBoot = true; + zramSwap.enable = true; + system.stateVersion = "25.05"; } \ No newline at end of file diff --git a/servers/mio/main.nix b/servers/mio/main.nix index 684b0d7..3fcb0f0 100644 --- a/servers/mio/main.nix +++ b/servers/mio/main.nix 
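Review bot: This hunk re-describes mio as a different machine — boot device `/dev/vda`, root `/dev/vda2`, address `62.60.177.69/32` with an on-link route to `10.0.0.1`, replacing the `/dev/sda`/`/dev/sda1` layout — while flake.nix in this patch still deploys `mio` by name (`mio.project-a.space`); if that record still points at the old host when `deploy` runs, activation would try to install GRUB to a device that does not exist there and likely fail. Confirm DNS (or put the IP in `deploy.nodes.mio.hostname`, as reine does) before the first deploy. The block mirrors kotori's hardware-configuration.nix almost line for line; a comment naming the provider image it was taken from would explain the `/32` + host-route pattern to the next reader.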
@@ -1,50 +1,15 @@ -{ config, pkgs, secret, ... }: +{ config, pkgs, pkgs-unstable, secret, ... }: { imports = [ ./hardware-configuration.nix ./nginx.nix ]; - networking = { - hostName = "mio"; - interfaces.ens18 = { - useDHCP = false; - ipv4.addresses = [{ - address = "66.78.40.227"; - prefixLength = 24; - }]; - }; - defaultGateway = "66.78.40.1"; - nameservers = ["1.1.1.1"]; - }; + + environment.systemPackages = with pkgs; [ + pkgs-unstable.sing-box + ]; - services.openssh.enable = true; - boot.tmp.cleanOnBoot = true; - zramSwap.enable = true; - - system.stateVersion = "25.05"; services.yggdrasil.persistentKeys = true; - - marzban = { - env = { - UVICORN_HOST = "mio.project-a.space"; - UVICORN_PORT = secret.marzban.port; - SUDO_USERNAME = secret.marzban.sudo-username; - SUDO_PASSWORD = secret.marzban.sudo-password; - DOCS = true; - }; - cert = true; - domain = "mio.project-a.space"; - xray = import ../common/xray.nix { - server-domain = "mio.project-a.space"; - port = secret.marzban.vless-port; - dest = secret.marzban.dest; - privateKey = secret.marzban.privateKey; - shortId = secret.marzban.shortId; - spiderX = secret.marzban.spiderX; - sni = secret.marzban.sni; - }; - }; - - networking.firewall.allowedTCPPorts = [ secret.marzban.port secret.marzban.vless-port ]; + networking.firewall.allowedTCPPorts = [ 443 ]; } \ No newline at end of file diff --git a/servers/mio/nginx.nix b/servers/mio/nginx.nix index 47e6014..2af6b61 100644 --- a/servers/mio/nginx.nix +++ b/servers/mio/nginx.nix @@ -1,7 +1,7 @@ { config, pkgs, ... }: { - security.acme.defaults.email = "porject-a@project-a.space"; + security.acme.defaults.email = "project-a@project-a.space"; security.acme.acceptTerms = true; services.nginx = { @@ -10,11 +10,7 @@ streamConfig = '' map $ssl_preread_server_name $name { - default marzban; - } - - upstream git { - server 127.0.0.1:444; + default marzban; } upstream marzban { 
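Review bot: `with pkgs; [ pkgs-unstable.sing-box ]` opens the `pkgs` scope and then never uses it — write `environment.systemPackages = [ pkgs-unstable.sing-box ];`. More importantly, marzban is removed from mio here and in flake.nix (`modules = [ ]`), the firewall is narrowed to `[ 443 ]`, and nothing in the patch configures sing-box, yet servers/mio/nginx.nix keeps routing the default SNI to the `marzban` upstream; unless sing-box is set up out of band to listen where that upstream points, every connection on 443 is accepted by nginx and then dropped. Either configure the listener in Nix or leave a comment at the upstream saying what is expected to be there. `services.openssh.enable = true;` is also removed from this file — fine if servers/common/ssh.nix enables it (its hunk in this patch shows only `ports`/`settings`), otherwise mio loses sshd.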
@@ -23,9 +19,11 @@ server { listen 0.0.0.0:443; - listen [::0]:443; proxy_pass $name; ssl_preread on; + + proxy_connect_timeout 5s; + proxy_timeout 60s; } ''; }; diff --git a/servers/reine/firewall.nix b/servers/reine/firewall.nix index 793ae67..b7737cd 100644 --- a/servers/reine/firewall.nix +++ b/servers/reine/firewall.nix @@ -2,4 +2,4 @@ { networking.firewall.allowedTCPPorts = [ 80 443 ]; -} +} \ No newline at end of file diff --git a/servers/reine/jellyfin.nix b/servers/reine/jellyfin.nix index 60092a1..e7c0570 100644 --- a/servers/reine/jellyfin.nix +++ b/servers/reine/jellyfin.nix @@ -1,17 +1,15 @@ -{config, pkgs, pkgs-unstable, ...}: +{ config, pkgs, pkgs-unstable, ... }: { - - services.jellyfin = { enable = true; openFirewall = true; }; - services.jellyseerr = { - enable = true; - port = 5055; - openFirewall = true; - package = pkgs-unstable.jellyseerr; # Use the unstable package if stable is not up-to-date - }; -} + # services.jellyseerr = { + # enable = true; + # port = 5055; + # openFirewall = true; + # package = pkgs-unstable.jellyseerr; # Use the unstable package if stable is not up-to-date + # }; +} \ No newline at end of file diff --git a/servers/reine/main.nix b/servers/reine/main.nix index 60ad402..b4a6d8e 100644 --- a/servers/reine/main.nix +++ b/servers/reine/main.nix @@ -1,11 +1,13 @@ -{ config, pkgs, secret, ... }: +{ config, pkgs, pkgs-projecta, secret, ... }: { imports = [ ./hardware-configuration.nix ./jellyfin.nix ./nginx.nix + ./qbittorrent.nix ./firewall.nix + ./n8n.nix ]; networking.hostName = "reine"; services.yggdrasil.settings.PrivateKey = secret.yggdrasil.PrivateKey; 
@@ -19,6 +21,22 @@ hardware.graphics.enable32Bit = true; hardware.amdgpu.overdrive.enable = true; hardware.amdgpu.overdrive.ppfeaturemask = "0xffffffff"; - environment.systemPackages = with pkgs; [ clinfo mesa.opencl ]; + time.timeZone = "Asia/Novosibirsk"; + environment.systemPackages = with pkgs; [ + clinfo + mesa.opencl + temurin-jre-bin-24 + ]; system.stateVersion = "25.05"; + + services.affine = { + enable = true; + env = secret.affine.env; + revision = secret.affine.revision; + }; + + networking.firewall.allowedTCPPorts = [ 4001 ]; + networking.firewall.allowedUDPPorts = [ 4001 ]; + + nixpkgs.config.allowUnfree = true; } \ No newline at end of file diff --git a/servers/reine/n8n.nix b/servers/reine/n8n.nix new file mode 100644 index 0000000..acc83d1 --- /dev/null +++ b/servers/reine/n8n.nix 
@@ -0,0 +1,108 @@ +{ pkgs, lib, ... }: + +{ + services.n8n = { + enable = true; + openFirewall = true; + webhookUrl = "https://n8n.project-a.space/"; + settings.port = 3030; + }; + systemd.services.n8n.environment.GENERIC_TIMEZONE = "Asia/Novosibirsk"; + + + virtualisation.docker = { + enable = true; + autoPrune.enable = true; + }; + virtualisation.oci-containers.backend = "docker"; + + virtualisation.oci-containers.containers."mongodb" = { + image = "mongo:latest"; + environment = { + "MONGO_INITDB_ROOT_PASSWORD" = "maria"; + "MONGO_INITDB_ROOT_USERNAME" = "admin"; + }; + volumes = [ "/var/lib/n8n_mongodb_data:/data/db:rw" ]; + ports = [ + "27017:27017/tcp" + ]; + log-driver = "journald"; + extraOptions = [ + "--network-alias=mongodb" + "--network=n8n_default" + ]; + }; + systemd.services."docker-mongodb" = { + serviceConfig = { + Restart = lib.mkOverride 90 "always"; + RestartMaxDelaySec = lib.mkOverride 90 "1m"; + RestartSec = lib.mkOverride 90 "100ms"; + RestartSteps = lib.mkOverride 90 9; + }; + after = [ "docker-network-n8n_default.service" ]; + requires = [ "docker-network-n8n_default.service" ]; + partOf = [ "docker-compose-n8n-root.target" ]; + wantedBy = [ "docker-compose-n8n-root.target" ]; + }; + virtualisation.oci-containers.containers."redis" = { + image = "redis:latest"; + volumes = [ "n8n_redis_data:/data:rw" ]; + ports = [ "6379:6379/tcp" ]; + cmd = [ "redis-server" "--requirepass" "maria" ]; + log-driver = "journald"; + extraOptions = [ + "--network-alias=redis" + "--network=n8n_default" + ]; + }; + systemd.services."docker-redis" = { + serviceConfig = { + Restart = lib.mkOverride 90 "always"; + RestartMaxDelaySec = lib.mkOverride 90 "1m"; + RestartSec = lib.mkOverride 90 "100ms"; + RestartSteps = lib.mkOverride 90 9; + }; + after = [ + "docker-network-n8n_default.service" + "docker-volume-n8n_redis_data.service" + ]; + requires = [ + "docker-network-n8n_default.service" + "docker-volume-n8n_redis_data.service" + ]; + partOf = [ 
"docker-compose-n8n-root.target" ]; + wantedBy = [ "docker-compose-n8n-root.target" ]; + }; + + systemd.services."docker-network-n8n_default" = { + path = [ pkgs.docker ]; + serviceConfig = { + Type = "oneshot"; + RemainAfterExit = true; + ExecStop = "docker network rm -f n8n_default"; + }; + script = '' + docker network inspect n8n_default || docker network create n8n_default + ''; + partOf = [ "docker-compose-n8n-root.target" ]; + wantedBy = [ "docker-compose-n8n-root.target" ]; + }; + + systemd.services."docker-volume-n8n_redis_data" = { + path = [ pkgs.docker ]; + serviceConfig = { + Type = "oneshot"; + RemainAfterExit = true; + }; + script = '' + docker volume inspect n8n_redis_data || docker volume create n8n_redis_data + ''; + partOf = [ "docker-compose-n8n-root.target" ]; + wantedBy = [ "docker-compose-n8n-root.target" ]; + }; + + systemd.targets."docker-compose-n8n-root" = { + unitConfig.Description = "Root target generated by compose2nix."; + wantedBy = [ "multi-user.target" ]; + }; +} \ No newline at end of file diff --git a/servers/reine/nginx.nix b/servers/reine/nginx.nix index efc7f08..6a5ee43 100644 --- a/servers/reine/nginx.nix +++ b/servers/reine/nginx.nix @@ -1,7 +1,7 @@ { config, pkgs, ... }: { - security.acme.defaults.email = "porject-a@project-a.space"; + security.acme.defaults.email = "project-a@project-a.space"; security.acme.acceptTerms = true; services.nginx = { @@ -12,12 +12,23 @@ virtualHosts = { "affine.project-a.space" = { + forceSSL = true; + enableACME = true; + locations."/".proxyPass = "http://localhost:3010"; + }; + "n8n.project-a.space" = { forceSSL = true; enableACME = true; locations."/" = { - proxyPass = "http://localhost:3010"; + proxyPass = "http://localhost:5678"; + proxyWebsockets = true; }; }; + "cinema.project-a.space" = { + forceSSL = true; + enableACME = true; + locations."/".proxyPass = "http://localhost:8096"; + }; }; }; } \ No newline at end of file 
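Review bot: The `mongodb` and `redis` containers publish `27017:27017/tcp` and `6379:6379/tcp` without a host address, and Docker publishes such ports on every interface through its own iptables rules, which sit outside the NixOS firewall, so `networking.firewall.allowedTCPPorts` elsewhere in reine's config does not gate them; with the root password and `--requirepass` literal `"maria"` baked into the units (and hence into the world-readable Nix store) both datastores are reachable from anything on reine's network. Bind them to loopback — `"127.0.0.1:27017:27017/tcp"` and `"127.0.0.1:6379:6379/tcp"` — unless another host needs them, and feed the credentials through `environmentFiles` (and a redis config file) from a path outside the store. The n8n service itself sets `openFirewall = true;`, which exposes port 3030 in plain HTTP next to the TLS vhost added in servers/reine/nginx.nix; with the proxy in front it can be dropped. Nothing here wires n8n to mongo or redis (the `compose2nix` target suggests these came from a separate compose file), so a header comment stating what the containers are for would help.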
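Review bot: `proxyPass = "http://localhost:5678";` for `n8n.project-a.space` does not match servers/reine/n8n.nix in the same commit, which sets `services.n8n.settings.port = 3030;`; 5678 is only n8n's stock default, so the vhost will answer 502 unless something else is on that port. Bind the two together instead of duplicating the number: `proxyPass = "http://localhost:${toString config.services.n8n.settings.port}";` (`config` is already in this file's arguments). The new `cinema.project-a.space` vhost fronts Jellyfin on 8096 over TLS while servers/reine/jellyfin.nix keeps `openFirewall = true;`, so the same UI stays reachable unencrypted on 8096; once the vhost works that opening can go. Collapsing affine's `locations."/"` to `locations."/".proxyPass` is a nice consolidation.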
diff --git a/servers/reine/qbittorrent.nix b/servers/reine/qbittorrent.nix
new file mode 100644
index 0000000..8fa815c
--- /dev/null
+++ b/servers/reine/qbittorrent.nix
@@ -0,0 +1,22 @@
+{ secret, pkgs-unstable, ... }:
+
+{
+  # services.qbittorrent = {
+  #   enable = true;
+  #   package = pkgs-unstable.qbittorrent;
+  #   openFirewall = true;
+  #   webuiPort = 7777;
+  #   user = "in5ar";
+  #   group = "users";
+  #   serverConfig = {
+  #     LegalNotice.Accepted = true;
+  #     Preferences = {
+  #       WebUI = {
+  #         Username = "in5ar";
+  #         Password_PBKDF2 = secret.qbt-password;
+  #       };
+  #       General.Locale = "en";
+  #     };
+  #   };
+  # };
+}
\ No newline at end of file