{ config, lib, pkgs, ... }:
let
shinobi-port = "7080";
shinobi-od-port = "7082";
state-dir = "/state"; # This must be a string!
in {
boot = {
loader.grub.copyKernels = true;
kernelModules = [ "rpcsec_gss_krb5" ];
};
networking = {
interfaces = {
enp3s0f0.useDHCP = false;
enp3s0f1.useDHCP = false;
enp4s0f0.useDHCP = false;
enp4s0f1.useDHCP = false;
intif0.useDHCP = true;
};
};
# fudo.secrets = {
# host-secrets.lambda = {
# host-keytab = {
# source-file = /state/secrets/kerberos/lambda.keytab;
# target-file = "/etc/krb5.keytab";
# user = "root";
# };
# };
# secret-group = "fudo-secrets";
# secret-users = [ "niten" ];
# secret-paths = [ "/state/secrets" ];
# };
fudo.games.valheim = {
enable = true;
state-directory = "/state/games/valheim";
password = "silkymilky";
};
systemd.tmpfiles.rules = [
"L /root/.gnupg - - - - ${state-dir}/user/root/gnupg"
"L /root/.ssh/id_rsa - - - - ${state-dir}/user/root/ssh/id_rsa"
"L /root/.ssh/id_rsa.pub - - - - ${state-dir}/user/root/ssh/id_rsa.pub"
"L /root/.ssh/known_hosts - - - - ${state-dir}/user/root/ssh/known_hosts"
];
services.openssh.hostKeys = [
{
path = "${state-dir}/ssh/ssh_host_rsa_key";
type = "rsa";
bits = 4096;
}
{
path = "${state-dir}/ssh/ssh_host_ed25519_key";
type = "ed25519";
bits = 4096;
}
];
environment.etc = {
"ssh/ssh_host_rsa_key" = {
source = "${state-dir}/ssh/ssh_host_rsa_key";
user = "root";
group = "root";
mode = "0400";
};
"ssh/ssh_host_rsa_key.pub" = {
source = "${state-dir}/ssh/ssh_host_rsa_key.pub";
user = "root";
group = "root";
mode = "0444";
};
"ssh/ssh_host_ed25519_key" = {
source = "${state-dir}/ssh/ssh_host_ed25519_key";
user = "root";
group = "root";
mode = "0400";
};
"ssh/ssh_host_ed25519_key.pub" = {
source = "${state-dir}/ssh/ssh_host_ed25519_key.pub";
user = "root";
group = "root";
mode = "0444";
};
nixos.source = "/etc/nixos-live";
"host-config.nix".source = "/state/host/host-config.nix";
adjtime.source = "/state/host/adjtime";
NIXOS.source = "/state/host/NIXOS";
};
security.sudo.extraConfig = ''
# Due to rollback, sudo will lecture after every reboot
Defaults lecture = never
'';
virtualisation = {
docker = {
enable = true;
enableOnBoot = true;
autoPrune = { enable = true; };
};
oci-containers = {
containers = {
shinobi = {
image = "shinobisystems/shinobi:latest";
ports = [ "${shinobi-port}:8080" ];
volumes = [
"/state/shinobi/plugins:/home/Shinobi/plugins"
"/state/shinobi/config:/home/Shinobi/config"
"/state/shinobi/videos:/home/Shinobi/videos"
"/state/shinobi/db-data:/var/lib/mysql"
"/etc/localtime:/etc/localtime:ro"
];
};
# shinobi-od = {
# image = "shinobisystems/shinobi-tensorflow:latest";
# volumes =
# [ "/srv/shinobi/od-config:/home/Shinobi/docker-plugins/tensorflow" ];
# ports = [ "${shinobi-od-port}:8082" ];
# environment = {
# PLUGIN_HOST = "panopticon.sea.fudo.org";
# PLUGIN_PORT = shinobi-port;
# PLUGIN_KEY = "30sWllylOxsDcE4vQXEPaXNfe5DiB3";
# };
# };
# photoprism = { image = "photoprism/photoprism"; };
};
};
};
services.nginx = {
enable = true;
recommendedGzipSettings = true;
recommendedOptimisation = true;
recommendedProxySettings = true;
virtualHosts = {
"panopticon.sea.fudo.org" = {
locations."/" = {
# localhost defaults to IPv6
proxyPass = "http://127.0.0.1:${shinobi-port}/";
extraConfig = ''
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "Upgrade";
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-By $server_addr:$server_port;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header X-Forwarded-Proto $scheme;
'';
};
};
# "panopticon-od.sea.fudo.org" = {
# locations."/" = {
# proxyPass = "http://localhost:${shinobi-od-port}";
# extraConfig = ''
# proxy_http_version 1.1;
# proxy_set_header Upgrade $http_upgrade;
# proxy_set_header Connection "Upgrade";
# '';
# };
# };
};
};
}