2 last months

hosts/greatyamada/nixos.nix

@@ -13,28 +13,31 @@
       device = "/dev/disk/by-uuid/61050e8d-41c6-4c37-98a9-d8b0cdce6903";
       fsType = "btrfs";
       options = [ "compress=zstd:15" "subvol=/home" ];
-    }
+    };
     "/mnt/Datos" = {
-        device = "/dev/disk/by-uuid/6a5274fc-8ee8-41ae-b7a0-867e5bbc25f4";
-        fsType = "btrfs";
-        options = [ "compress=zstd:15" ];
-    }
+      device = "/dev/disk/by-uuid/6a5274fc-8ee8-41ae-b7a0-867e5bbc25f4";
+      fsType = "btrfs";
+      options = [ "compress=zstd:15" ];
+    };
+    "/mnt/Datos/minecraft" = {
+      device = "/dev/disk/by-uuid/6a5274fc-8ee8-41ae-b7a0-867e5bbc25f4";
+      fsType = "btrfs";
+      options = [ "compress=zstd:4" "subvol=/minecraft" ];
+    };
     "/mnt/Datos/music" = {
-        device = "/dev/disk/by-uuid/6a5274fc-8ee8-41ae-b7a0-867e5bbc25f4";
-        fsType = "btrfs";
-        options = [ "compress=zstd:15" "subvol=/music" ];
-    }
+      device = "/dev/disk/by-uuid/6a5274fc-8ee8-41ae-b7a0-867e5bbc25f4";
+      fsType = "btrfs";
+      options = [ "subvol=/music" ];
+    };
     "/var/www" = {
-        device = "/dev/disk/by-uuid/6a5274fc-8ee8-41ae-b7a0-867e5bbc25f4";
-        fsType = "btrfs";
-        options = [ "compress=zstd:15" "subvol=/html" ];
-    }
+      device = "/dev/disk/by-uuid/6a5274fc-8ee8-41ae-b7a0-867e5bbc25f4";
+      fsType = "btrfs";
+      options = [ "compress=zstd:15" "subvol=/html" ];
+    };
   };
 
   networking = {
-    firewall = {
-        enable = true;
-    };
+    firewall.enable = true;
     hostName = "greatyamada";
     networkmanager.enable = true;
     useDHCP = lib.mkDefault false;

hosts/greatyamada/services/default.nix

@@ -1 +1,12 @@
-{ ... }: { imports = [ ./nginx.nix ./forgejo.nix ]; }
+{ ... }: {
+  imports = [
+    ./nginx.nix
+    ./forgejo.nix
+    ./invidious.nix
+    ./jellyfin.nix
+    ./postgresql.nix
+    ./radicale.nix
+  ];
+  # TODO: adguardhome matrix matrix-second minecraft terraria factorio coturn mautrix-whatsapp wireguard
+  # paperlessngx
+}

hosts/greatyamada/services/forgejo.nix

@@ -40,12 +40,10 @@ in {
         };
       };
     };
-    nginx = {
-      virtualHosts."git.rcia.dev" = {
-        locations."/" = {
-          proxyPass = "http://127.0.0.1:3000";
-          clientMaxBodySize = "200M";
-        };
+    nginx.virtualHosts."git.rcia.dev" = {
+      locations."/" = {
+        proxyPass = "http://127.0.0.1:3000";
+        clientMaxBodySize = "200M";
       };
     };
   };

hosts/greatyamada/services/invidious.nix

@@ -0,0 +1,40 @@
+{ ... }:
+let nginxLocalServiceConfig = import ./nginx-local-config.nix;
+in {
+  services = {
+    invidious = {
+      enable = true;
+      settings = {
+        check_tables = true;
+        db.user = "invidious";
+        default_user_preferences = {
+          locale = "es";
+          dark_mode = "dark";
+          autoplay = true;
+          video_loop = true;
+          quality = "dash";
+          volume = 20;
+        };
+      };
+      database = {
+        createLocally = false;
+        passwordFile = "/var/lib/invidious/db_password";
+      };
+      hmacKeyFile = "/var/lib/invidious/hmac_key";
+    };
+    nginx.virtualHosts."iv.rcia.dev" = {
+      locations."/" = { proxyPass = "http://127.0.0.1:3000"; };
+      extraConfig = nginxLocalServiceConfig;
+    };
+  };
+  sops.secrets = {
+    "invidious/db_password" = {
+      path = "/var/lib/invidious/db_password";
+      owner = "invidious";
+    };
+    "invidious/hmac" = {
+      path = "/var/lib/invidious/hmac_key";
+      owner = "invidious";
+    };
+  };
+}

hosts/greatyamada/services/jellyfin.nix

@@ -0,0 +1,20 @@
+{ pkgs, ... }:
+let
+  jellyfinPath = "/mnt/Datos/jellyfin/";
+  nginxLocalServiceConfig = import ./nginx-local-config.nix;
+in {
+  services = {
+    jellyfin = {
+      enable = true;
+      configDir = jellyfinPath + "config/";
+      dataDir = jellyfinPath + "data/";
+    };
+    nginx.virtualHosts."jellyfin.rcia.dev" = {
+      locations."/" = {
+        proxyPass = "http://127.0.0.1:8096";
+        clientMaxBodySize = "10M";
+      };
+      extraConfig = nginxLocalServiceConfig;
+    };
+  };
+}

hosts/greatyamada/services/matrix-internal.nix

@@ -0,0 +1,14 @@
+{ }: {
+  containers.matrix-bridges = {
+    autoStart = true;
+    config = { config, pkgs }: {
+      services.matrix-synapse = {
+        enable = true;
+        settings = {
+          server_name = "matrix-int.rcia.dev";
+          listeners = [ { } ];
+        };
+      };
+    };
+  };
+}

hosts/greatyamada/services/matrix.nix

@@ -0,0 +1,34 @@
+{ pkgs, ... }:
+let dataDir = "/mnt/Datos/synapse";
+in {
+  services.matrix-synapse = {
+    enable = true;
+    settings = {
+      server_name = "rcia.dev";
+      listeners = [{
+        port = 8008;
+        bind_addresses = [ "synapse" ];
+        tls = false;
+        type = http;
+        x_forwarded = true;
+        resources = [{
+          names = [ "client" "federation" ];
+          compress = false;
+        }];
+      }];
+      media_store_path = dataDir + "/media_store";
+      max_upload_size = "100M";
+      enable_registration = false;
+      report_stats = true;
+      signing_key_path = "/var/lib/matrix-synapse/matrix.rcia.dev.signing.key";
+      turn_user_lifetime = "1h";
+      turn_uris = [ "turn:rcia.dev:3478" "turn:rcia.dev:3479" ];
+    };
+  };
+  sops.secrets = {
+    "matrix/secrets" = {
+        path = "/var/lib/matrix-synapse/secrets";
+        owner = "matrix-synapse";
+    }
+  }
+}

hosts/greatyamada/services/minecraft/bukkit.yml

@@ -0,0 +1,33 @@
+# Managed by NixOS configuration
+settings:
+  use-map-color-cache: true
+  allow-end: true
+  warn-on-overload: true
+  permissions-file: permissions.yml
+  update-folder: update
+  plugin-profiling: false
+  connection-throttle: 4000
+  query-plugins: true
+  deprecated-verbose: default
+  shutdown-message: Servidor cerrado
+  minimum-api: none
+spawn-limits:
+  axolotls: 5
+  water-underground-creature: 5
+  monsters: 120
+  animals: 20
+  water-animals: 5
+  water-ambient: 20
+  ambient: 15
+chunk-gc:
+  period-in-ticks: 600
+ticks-per:
+  axolotl-spawns: 1
+  water-underground-creature-spawns: 1
+  animal-spawns: 400
+  monster-spawns: 1
+  water-spawns: 1
+  water-ambient-spawns: 1
+  ambient-spawns: 1
+  autosave: 6000
+aliases: now-in-commands.yml

hosts/greatyamada/services/minecraft/data-directory.nix

@@ -0,0 +1 @@
+"/minecraft"

hosts/greatyamada/services/minecraft/default.nix

@@ -0,0 +1,82 @@
+{ config, lib, pkgs, ... }:
+let
+  cfg = config.services.minecraft-server;
+
+  bukkitConfigFile = ./bukkit.yml;
+
+  spigotConfigFile = ./spigot.yml;
+
+  cfgToString = v: if builtins.isBool v then lib.boolToString v else toString v;
+
+  eulaFile = builtins.toFile "eula.txt" ''
+    # eula.txt managed by NixOS configuration
+    eula=true
+  '';
+
+  opsFile = builtins.toFile "ops.json" (builtins.toJSON [{
+    name = "aveeeeryy";
+    uuid = "b65a1bc3-c6a0-4e8c-99b8-3538cfec0cfc";
+    level = 4;
+    bypassesPlayerLimit = true;
+  }]);
+
+  serverPropertiesFile = pkgs.writeText "server.properties" (''
+    # server.properties managed by NixOS configuration
+  '' + lib.concatStringsSep "\n"
+    (lib.mapAttrsToList (n: v: "${n}=${cfgToString v}") cfg.serverProperties));
+
+  serverIcon = ./server-icon.png;
+
+in {
+  imports = [ ./plugins ];
+  services.minecraft-server = {
+    enable = true;
+    package = pkgs.papermc.override {
+      mcVersion = "1.20.6";
+      buildNum = "147";
+    };
+    declarative = true;
+    eula = true;
+    openFirewall = true;
+    jvmOpts =
+      "-Xms4G -Xmx4G -XX:+UseG1GC -XX:+ParallelRefProcEnabled -XX:MaxGCPauseMillis=200 -XX:+UnlockExperimentalVMOptions -XX:+DisableExplicitGC -XX:+AlwaysPreTouch -XX:G1NewSizePercent=30 -XX:G1MaxNewSizePercent=40 -XX:G1HeapRegionSize=8M -XX:G1ReservePercent=20 -XX:G1HeapWastePercent=5 -XX:G1MixedGCCountTarget=4 -XX:InitiatingHeapOccupancyPercent=15 -XX:G1MixedGCLiveThresholdPercent=90 -XX:G1RSetUpdatingPauseTimePercent=5 -XX:SurvivorRatio=32 -XX:+PerfDisableSharedMem -XX:MaxTenuringThreshold=1 -Dusing.aikars.flags=https://mcflags.emc.gs -Daikars.new.flags=true";
+    serverProperties = {
+      difficulty = "hard";
+      enable-rcon = false;
+      enforce-secure-profile = false;
+      enforce-whitelist = true;
+      hide-online-players = true;
+      motd = "NixOS server";
+      online-mode = true;
+      pvp = false;
+      server-port = 13914;
+      spawn-protection = 0;
+      white-list = true;
+    };
+    dataDir = import ./data-directory.nix;
+  };
+  # Overriden to have a non-declarative whitelist
+  systemd.services.minecraft-server.preStart = lib.mkForce ''
+    ln -sf ${eulaFile} eula.txt
+    cp -f ${bukkitConfigFile} bukkit.yml
+    chmod +w bukkit.yml
+    cp -f ${spigotConfigFile} spigot.yml
+    chmod +w spigot.yml
+    cp -f ${opsFile} ops.json
+    chmod +w ops.json
+    ln -sf ${serverIcon} server-icon.png
+    if [ -e .declarative ]; then
+      # Was declarative before, no need to back up anything
+      cp -f ${serverPropertiesFile} server.properties
+    else
+      # Declarative for the first time, backup stateful files
+      cp -b --suffix=.stateful ${serverPropertiesFile} server.properties
+
+      # server.properties must have write permissions, because every time
+      # the server starts it first parses the file and then regenerates it..
+      chmod +w server.properties
+      echo "Autogenerated file that signifies that this server configuration is managed declaratively by NixOS" \
+        > .declarative
+    fi
+  '';
+}

hosts/greatyamada/services/minecraft/plugins/default.nix

@@ -0,0 +1,4 @@
+{ pkgs, ... }: {
+  environment.systemPackages = with pkgs;
+    [ (callPackage ./packages/essentialsx.nix { }) ];
+}

hosts/greatyamada/services/minecraft/plugins/packages/essentialsx.nix

@@ -0,0 +1,24 @@
+{ config, lib, stdenv, fetchurl }:
+
+stdenv.mkDerivation rec {
+  pname = "EssentialsX";
+  version = "2.20.1";
+
+  src = fetchurl {
+    url =
+      "https://github.com/EssentialsX/Essentials/releases/download/${version}/EssentialsX-${version}.jar";
+    hash = "sha256-gC6jC9pGDKRZfoGJJYFpM8EjsI2BJqgU+sKNA6Yb9UI=";
+  };
+
+  unpackPhase = ":";
+
+  installPhase = ''
+    ln -sf EssentialsX-${version}.jar $out
+  '';
+
+  meta = {
+    description = "The modern Essentials suite for Spigot and Paper.";
+    homepage = "https://essentialsx.net/";
+    license = lib.licenses.gpl3Plus;
+  };
+}

hosts/greatyamada/services/minecraft/spigot.yml

@@ -0,0 +1,169 @@
+# Managed by NixOS configuration
+config-version: 12
+settings:
+  debug: false
+  bungeecord: false
+  sample-count: 12
+  player-shuffle: 0
+  user-cache-size: 1000
+  save-user-cache-on-stop-only: false
+  moved-wrongly-threshold: 0.0625
+  moved-too-quickly-multiplier: 10.0
+  timeout-time: 60
+  restart-on-crash: false
+  restart-script: ./start.sh
+  netty-threads: 4
+  log-villager-deaths: true
+  log-named-deaths: true
+  attribute:
+    maxHealth:
+      max: 2048.0
+    movementSpeed:
+      max: 2048.0
+    attackDamage:
+      max: 2048.0
+messages:
+  whitelist: No estas en la whitelist
+  unknown-command:
+    Comando desconocido. Escribe "/help" para ver una lista con todos
+    los comandos.
+  server-full: El servidor esta lleno
+  outdated-client: Tu cliente de Minecraft está desactualizado, actualiza a la version {0}
+  outdated-server: El servidor está desactualizado, utiliza la version {0}
+  restart: El servidor se esta reiniciando
+advancements:
+  disable-saving: false
+  disabled:
+    - minecraft:story/disabled
+commands:
+  replace-commands:
+    - setblock
+    - summon
+    - testforblock
+    - tellraw
+  log: true
+  tab-complete: 0
+  send-namespaced: true
+  spam-exclusions:
+    - /skill
+  silent-commandblock-console: false
+players:
+  disable-saving: false
+stats:
+  disable-saving: false
+  forced-stats: {}
+world-settings:
+  default:
+    seed-ancientcity: 20083232
+    seed-buriedtreasure: 10387320
+    seed-mineshaft: default
+    below-zero-generation-in-existing-chunks: true
+    simulation-distance: default
+    hopper-can-load-chunks: false
+    seed-nether: 30084232
+    seed-stronghold: default
+    thunder-chance: 100000
+    verbose: false
+    hopper-amount: 1
+    dragon-death-sound-radius: 0
+    seed-village: 10387312
+    seed-desert: 14357617
+    seed-igloo: 14357618
+    seed-jungle: 14357619
+    seed-swamp: 14357620
+    seed-monument: 10387313
+    seed-shipwreck: 165745295
+    seed-ocean: 14357621
+    seed-outpost: 165745296
+    seed-endcity: 10387313
+    seed-slime: 987234911
+    seed-bastion: 30084232
+    seed-fortress: 30084232
+    seed-mansion: 10387319
+    seed-fossil: 14357921
+    seed-portal: 34222645
+    max-tnt-per-tick: 100
+    hanging-tick-frequency: 100
+    zombie-aggressive-towards-villager: true
+    enable-zombie-pigmen-portal-spawns: true
+    item-despawn-rate: 6000
+    view-distance: default
+    arrow-despawn-rate: 1200
+    trident-despawn-rate: 1200
+    wither-spawn-sound-radius: 0
+    mob-spawn-range: 8
+    end-portal-sound-radius: 0
+    nerf-spawner-mobs: false
+    max-entity-collisions: 8
+    growth:
+      twistingvines-modifier: 100
+      weepingvines-modifier: 100
+      cavevines-modifier: 100
+      glowberry-modifier: 100
+      cactus-modifier: 100
+      cane-modifier: 100
+      melon-modifier: 100
+      mushroom-modifier: 100
+      pumpkin-modifier: 100
+      sapling-modifier: 100
+      beetroot-modifier: 100
+      carrot-modifier: 100
+      potato-modifier: 100
+      wheat-modifier: 100
+      netherwart-modifier: 100
+      vine-modifier: 100
+      cocoa-modifier: 100
+      bamboo-modifier: 100
+      sweetberry-modifier: 100
+      kelp-modifier: 100
+    entity-activation-range:
+      ignore-spectators: false
+      animals: 32
+      monsters: 32
+      raiders: 48
+      misc: 16
+      water: 16
+      villagers: 32
+      flying-monsters: 32
+      villagers-work-immunity-after: 100
+      villagers-work-immunity-for: 20
+      villagers-active-for-panic: true
+      tick-inactive-villagers: true
+      wake-up-inactive:
+        animals-max-per-tick: 4
+        animals-every: 1200
+        animals-for: 100
+        monsters-max-per-tick: 8
+        monsters-every: 400
+        monsters-for: 100
+        villagers-max-per-tick: 4
+        villagers-every: 600
+        villagers-for: 100
+        flying-monsters-max-per-tick: 8
+        flying-monsters-every: 200
+        flying-monsters-for: 100
+    ticks-per:
+      hopper-transfer: 8
+      hopper-check: 1
+    hunger:
+      jump-walk-exhaustion: 0.05
+      jump-sprint-exhaustion: 0.2
+      combat-exhaustion: 0.1
+      regen-exhaustion: 6.0
+      swim-multiplier: 0.01
+      sprint-multiplier: 0.1
+      other-multiplier: 0.0
+    max-tick-time:
+      tile: 50
+      entity: 50
+    squid-spawn-range:
+      min: 45.0
+    merge-radius:
+      exp: 3.0
+      item: 2.5
+    entity-tracking-range:
+      players: 48
+      animals: 48
+      monsters: 48
+      misc: 32
+      other: 64

hosts/greatyamada/services/nginx-local-config.nix

@@ -0,0 +1,7 @@
+# Configuration for local-only services
+''
+  error_page 403 https://rcia.dev;
+  allow 10.0.0.0/24;
+  allow 10.10.0.0/24;
+  deny all;
+''

hosts/greatyamada/services/nginx.nix

@@ -0,0 +1,19 @@
+{ pkgs, ... }: {
+  services.nginx = {
+    enable = true;
+    virtualHosts = {
+      "rcia.dev" = {
+        forceSSL = true;
+        locations = {
+          "/" = { root = /var/www/public; };
+          "/profile_picture" = { };
+        };
+      };
+      "ichi-prod.rcia.dev" = {
+        locations."/" = {
+            proxyPass = "http://127.0.0.1:3000";
+        }
+      };
+    };
+  };
+}

hosts/greatyamada/services/postgresql.nix

@@ -0,0 +1 @@
+{ lib, pkgs, ... }: { services.postgresql = { enable = true; }; }

hosts/greatyamada/services/radicale.nix

@@ -0,0 +1,28 @@
+{ ... }:
+let
+  radicalePath = "/mnt/Datos/radicale";
+  nginxLocalServiceConfig = import ./nginx-local-config.nix;
+in {
+  services = {
+    radicale = {
+      enable = true;
+      settings = {
+        server.hosts = [ "127.0.0.1:5232" ];
+        auth = {
+          type = "htpasswd";
+          htpasswd_filename = "/etc/radicale/users";
+          htpasswd_encryption = "bcrypt";
+        };
+        storage.filesystem_folder = radicalePath;
+      };
+    };
+    nginx.virtualHosts."radicale.rcia.dev" = {
+      locations."/" = { proxyPass = "http://127.0.0.1:5232"; };
+      extraConfig = nginxLocalServiceConfig;
+    };
+  };
+  sops.secrets."radicale/users" = {
+    path = "/etc/radicale/users";
+    owner = "radicale";
+  };
+}