initial commit

hosts/artemis/default.nix

@@ -0,0 +1,6 @@
+{
+  modules = [./hardware-configuration.nix];
+  extraArgs = {};
+  specialArgs = {};
+  system = "x86_64-linux";
+}

hosts/artemis/hardware-configuration.nix

@@ -0,0 +1,29 @@
+{
+  config,
+  lib,
+  pkgs,
+  modulesPath,
+  ...
+}: {
+  imports = [(modulesPath + "/installer/scan/not-detected.nix")];
+
+  boot = {
+    initrd.availableKernelModules = ["xhci_pci" "thunderbolt" "nvme" "usb_storage" "rtsx_pci_sdmmc"];
+    initrd.kernelModules = [];
+    kernelModules = ["kvm-intel"];
+    extraModulePackages = [];
+  };
+
+  #boot.kernelPackages = pkgs.linuxPackages_latest;
+
+  fileSystems."/" = {
+    device = "/dev/disk/by-uuid/5488764f-a50a-4ea2-ac8d-bfe565199018";
+    fsType = "ext4";
+  };
+
+  swapDevices = [];
+
+  networking.useDHCP = lib.mkDefault true;
+
+  hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+}

hosts/default.nix

@@ -0,0 +1,6 @@
+{utils}: let
+  hosts = utils.lib.exportModules [
+    #   ./artemis
+    ./hermes
+  ];
+in {inherit hosts;}

hosts/hermes/configuration.nix

@@ -0,0 +1,34 @@
+{
+  config,
+  lib,
+  pkgs,
+  inputs,
+  ...
+}: let
+  inherit (inputs.self.nixosModules) keys;
+in {
+  services.remote-deploy = {
+    enable = true;
+    host = "media.cleslie.uk";
+    port = 62480;
+    keys = keys.c;
+    buildOn = "local";
+  };
+
+  time.timeZone = "Europe/London";
+
+  users.users.media = {
+    isNormalUser = true;
+    extraGroups = ["wheel" "multimedia"];
+    openssh.authorizedKeys.keys = keys.c;
+    packages = with pkgs; [
+      tree
+      nixvim
+    ];
+  };
+
+  environment.systemPackages = with pkgs; [
+    wget
+    tree
+  ];
+}

hosts/hermes/containers.nix

@@ -0,0 +1,44 @@
+{
+  virtualisation = {
+    podman.enable = true;
+    podman.dockerCompat = true;
+    oci-containers.backend = "podman";
+    oci-containers.containers = {
+      flaresolverr = {
+        #image = "ghcr.io/flaresolverr/flaresolverr:latest";
+        #image = "ghcr.io/flaresolverr/flaresolverr:pr-1282";
+        image = "docker.io/alexfozor/flaresolverr:pr-1300";
+        autoStart = true;
+        ports = ["127.0.0.1:8191:8191"];
+        environment = {
+          LOG_LEVEL = "debug";
+        };
+      };
+      tdarr = {
+        image = "ghcr.io/haveagitgat/tdarr";
+        autoStart = true;
+        ports = ["0.0.0.0:8265:8265" "127.0.0.1:8266:8266"];
+        volumes = [
+          "/var/lib/tdarr/server:/app/server"
+          "/var/lib/tdarr/configs:/app/configs"
+          "/var/lib/tdarr/logs:/app/logs"
+          "/var/lib/media/library:/media"
+          "/tmp:/temp"
+        ];
+        environment = {
+          serverIP = "0.0.0.0";
+          serverPort = "8266";
+          webUIPort = "8265";
+          internalNode = "true";
+          inContainer = "true";
+          ffmpegVersion = "6";
+          nodeName = "internal";
+          TZ = "Europe/London";
+          PUID = "1000";
+          PGID = "994";
+        };
+        extraOptions = ["--device=/dev/dri:/dev/dri" "--network=bridge"];
+      };
+    };
+  };
+}

hosts/hermes/default.nix

@@ -0,0 +1,15 @@
+{
+  modules = [
+    ./hardware-configuration.nix
+    ./configuration.nix
+    ./fail2ban.nix
+    ./containers.nix
+    ./networking.nix
+    ./ssh.nix
+    ./media.nix
+  ];
+  extraArgs = {};
+  specialArgs = {};
+  system = "x86_64-linux";
+  channelName = "unstable";
+}

hosts/hermes/fail2ban.nix

@@ -0,0 +1,106 @@
+{pkgs, ...}: {
+  services.fail2ban = {
+    enable = true;
+    jails = {
+      sshd.settings = {enabled = false;};
+      radarr.settings = {
+        enabled = true;
+        filter = "arr";
+        action = ''
+          iptables-allports
+        '';
+        logpath = "/var/lib/radarr/.config/Radarr/logs/radarr.txt";
+        backend = "auto";
+        maxretry = 4;
+        bantime = "52w";
+        findtime = "52w";
+        chain = "FORWARD";
+      };
+      sonarr.settings = {
+        enabled = true;
+        filter = "arr";
+        action = ''
+          iptables-allports
+        '';
+        logpath = "/var/lib/sonarr/.config/NzbDrone/logs/sonarr.txt";
+        backend = "auto";
+        maxretry = 4;
+        bantime = "52w";
+        findtime = "52w";
+        chain = "FORWARD";
+      };
+
+      prowlarr.settings = {
+        enabled = true;
+        filter = "arr";
+        action = ''
+          iptables-allports
+        '';
+        logpath = "/var/lib/prowlarr/logs/prowlarr.txt";
+        backend = "auto";
+        maxretry = 4;
+        bantime = "52w";
+        findtime = "52w";
+        chain = "FORWARD";
+      };
+
+      jellyseerr.settings = {
+        enabled = true;
+        filter = "jellyseerr";
+        action = ''
+          iptables-allports
+        '';
+        logpath = "/var/lib/jellyseerr/logs/overseer*.log";
+        backend = "auto";
+        maxretry = 4;
+        bantime = "52w";
+        findtime = "52w";
+        chain = "FORWARD";
+      };
+
+      jellyfin.settings = {
+        enabled = true;
+        filter = "jellyfin";
+        action = ''
+          iptables-allports
+        '';
+        logpath = "/var/lib/jellyfin/log/log*.log";
+        backend = "auto";
+        maxretry = 4;
+        bantime = "52w";
+        findtime = "52w";
+        chain = "FORWARD";
+      };
+    };
+  };
+  environment.etc = {
+    "fail2ban/filter.d/arr.local".text = pkgs.lib.mkDefault (pkgs.lib.mkAfter ''
+      [INCLUDES]
+      before = common.conf
+
+      [Definition]
+      datepattern = ^%%Y-%%m-%%d %%H:%%M:%%S\.%%f\|
+      failregex = ^\s*Warn\|Auth\|Auth-Failure ip <ADDR> username '<F-USER>[^']+</F-USER>'
+      ignoreregex =
+    '');
+
+    "fail2ban/filter.d/jellyseerr.local".text = pkgs.lib.mkDefault (pkgs.lib.mkAfter ''
+      [INCLUDES]
+      before = common.conf
+
+      [Definition]
+      failregex = ^.*\[warn\]\[API\]: Failed sign-in attempt using invalid Overseerr password {"ip":"<HOST>","email":
+                  ^.*\[warn\]\[Auth\]: Failed login attempt from user with incorrect Jellyfin credentials {"account":{"ip":"<HOST>","email":
+      ignoreregex =
+    '');
+
+    "fail2ban/filter.d/jellyfin.local".text = pkgs.lib.mkDefault (pkgs.lib.mkAfter ''
+      [INCLUDES]
+      before = common.conf
+
+      [Definition]
+      failregex = ^.*Authentication request for .* has been denied \(IP: "<ADDR>"\)\.
+      ignoreregex =
+    '');
+  };
+}

hosts/hermes/hardware-configuration.nix

@@ -0,0 +1,39 @@
+{
+  config,
+  lib,
+  pkgs,
+  modulesPath,
+  ...
+}: {
+  imports = [
+    (modulesPath + "/installer/scan/not-detected.nix")
+  ];
+  boot = {
+    initrd.availableKernelModules = ["xhci_pci" "ahci" "usbhid" "usb_storage" "sd_mod"];
+    initrd.kernelModules = [];
+    kernelModules = ["kvm-intel"];
+    kernelParams = [
+      "i915.enable_guc=2"
+    ];
+    extraModulePackages = [];
+  };
+
+  #boot.kernelPackages = pkgs.linuxPackages_latest;
+
+  fileSystems."/" = {
+    device = "/dev/disk/by-uuid/c2f5061f-7577-4947-ba1d-f1ba12ec3271";
+    fsType = "ext4";
+  };
+
+  fileSystems."/boot" = {
+    device = "/dev/disk/by-uuid/57CE-8609";
+    fsType = "vfat";
+    options = ["fmask=0077" "dmask=0077"];
+  };
+
+  swapDevices = [];
+
+  networking.useDHCP = lib.mkDefault true;
+
+  hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+}

hosts/hermes/media.nix

@@ -0,0 +1,148 @@
+{
+  pkgs,
+  config,
+  lib,
+  ...
+}: let
+  mediaDir = "/var/lib/media";
+in {
+  users = {
+    groups.multimedia = {gid = 994;};
+    users."root".extraGroups = ["multimedia"];
+    users."media".extraGroups = ["multimedia"];
+  };
+
+  systemd.tmpfiles.rules = [
+    "d ${mediaDir} 0775 - multimedia - -"
+
+    "d ${mediaDir}/torrents 0775 - multimedia -"
+    "d ${mediaDir}/torrents/Downloads 0775 - multimedia -"
+
+    "d ${mediaDir}/usenet 0775 - multimedia -"
+    "d ${mediaDir}/usenet/Downloads 0775 - multimedia -"
+    "d ${mediaDir}/usenet/Done 0775 - multimedia -"
+
+    "d ${mediaDir}/library/Movies 0775 - multimedia - -"
+    "d ${mediaDir}/library/TV 0775 - multimedia - -"
+    "d ${mediaDir}/library/Music 0775 - multimedia - -"
+
+    "d /var/lib/tdarr 0775 - multimedia - "
+    "d /var/lib/tdarr/server 0775 - multimedia - "
+    "d /var/lib/tdarr/configs 0775 - multimedia - "
+    "d /var/lib/tdarr/logs 0775 - multimedia - "
+  ];
+
+  nixpkgs.config.packageOverrides = pkgs: {
+    vaapiIntel = pkgs.vaapiIntel.override {enableHybridCodec = true;};
+  };
+
+  hardware.graphics = {
+    enable = true;
+    extraPackages = with pkgs; [
+      intel-media-driver
+      intel-vaapi-driver # previously vaapiIntel
+      vaapiVdpau
+      libvdpau-va-gl
+      intel-compute-runtime # OpenCL filter support (hardware tonemapping and subtitle burn-in)
+      vpl-gpu-rt # QSV on 11th gen or newer
+      #intel-media-sdk # QSV up to 11th gen
+    ];
+  };
+
+  services = {
+    caddy = {
+      enable = true;
+      email = "acme@cleslie.uk";
+      virtualHosts = {
+        "media.cleslie.uk".extraConfig = ''
+          redir /radarr /radarr/
+          redir /sonarr /sonarr/
+          redir /lidarr /lidarr/
+          redir /bazarr /bazarr/
+          redir /prowlarr /prowlarr/
+          redir /tdarr /tdarr/
+          redir /deluge /deluge/
+          reverse_proxy /radarr/* 127.0.0.1:7878
+          reverse_proxy /sonarr/* 127.0.0.1:8989
+          reverse_proxy /lidarr/* 127.0.0.1:8686
+          reverse_proxy /bazarr/* 127.0.0.1:6767
+          reverse_proxy /prowlarr/* 127.0.0.1:9696
+          reverse_proxy /tdarr/* http://127.0.0.1:8265  {
+              header_up Host {host}
+              header_up X-Real-IP {remote}
+              header_up X-Forwarded-For {remote}
+          }
+          route /deluge/* {
+          	uri strip_prefix deluge
+          	reverse_proxy 127.0.0.1:8112 {
+          		header_up X-Real-IP {remote}
+          		header_up X-Deluge-Base "/deluge"
+
+          	}
+          }
+        '';
+        "watch.cleslie.uk".extraConfig = ''
+          reverse_proxy http://localhost:8096
+        '';
+        "request.cleslie.uk".extraConfig = ''
+          reverse_proxy http://localhost:5055
+        '';
+      };
+    };
+
+    homepage-dashboard = {
+      enable = false;
+    };
+
+    jellyfin = {
+      enable = true;
+      package = pkgs.jellyfin;
+      group = "multimedia";
+      openFirewall = false;
+    };
+    jellyseerr = {
+      enable = true;
+      openFirewall = false;
+    };
+    sonarr = {
+      enable = true;
+      group = "multimedia";
+      openFirewall = false;
+    };
+    radarr = {
+      enable = true;
+      group = "multimedia";
+      openFirewall = false;
+    };
+    bazarr = {
+      enable = true;
+      group = "multimedia";
+      openFirewall = false;
+    };
+    prowlarr = {
+      enable = true;
+      openFirewall = false;
+    };
+    deluge = {
+      enable = true;
+      group = "multimedia";
+      web.enable = true;
+      web.openFirewall = false;
+      dataDir = "${mediaDir}/torrents";
+      declarative = true;
+      config = {
+        enabled_plugins = ["Label"];
+        outgoing_interface = "wg1";
+        allow_remote = true;
+        openFirewall = false;
+        sequential_download = true;
+      };
+      authFile = pkgs.writeTextFile {
+        name = "deluge-auth";
+        text = ''
+          localclient::10
+        '';
+      };
+    };
+  };
+}

hosts/hermes/networking.nix

@@ -0,0 +1,21 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}: {
+  networking.hostName = "hermes";
+  networking = {
+    enableIPv6 = false;
+    firewall.allowedTCPPorts = [80 443 8265];
+    firewall.checkReversePath = false;
+    iproute2.enable = true;
+    iproute2.rttablesExtraConfig = ''
+      200 vpn
+    '';
+    wg-quick.interfaces.wg1 = {
+      configFile = config.age.secrets.wg-conf.path;
+      table = "vpn";
+    };
+  };
+}

hosts/hermes/ssh.nix

@@ -0,0 +1,15 @@
+{
+  services = {
+    openssh = {
+      enable = true;
+      ports = [62480];
+      settings.PasswordAuthentication = false;
+      settings.PermitRootLogin = "no";
+    };
+    endlessh-go = {
+      enable = true;
+      port = 22;
+      openFirewall = true;
+    };
+  };
+}